[ Sasha's backport helper bot ] Hi, The upstream commit SHA1 provided is correct: be84f32bb2c981ca670922e047cdde1488b233de WARNING: Author mismatch between patch and upstream commit: Backport author: libo.chen.cn@xxxxxxxxxxxxxxxxx Commit author: Stefan Berger <stefanb@xxxxxxxxxxxxx> Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: dd431c3ac1fc) 6.1.y | Present (different SHA1: 7fb374981e31) 5.15.y | Not found Note: The patch differs from the upstream commit: --- 1: be84f32bb2c98 ! 1: fd4816135a9e5 ima: Fix use-after-free on a dentry's dname.name @@ Metadata ## Commit message ## ima: Fix use-after-free on a dentry's dname.name + [ Upstream commit be84f32bb2c981ca670922e047cdde1488b233de ] + ->d_name.name can change on rename and the earlier value can be freed; there are conditions sufficient to stabilize it (->d_lock on dentry, ->d_lock on its parent, ->i_rwsem exclusive on the parent's inode, @@ Commit message Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> Signed-off-by: Stefan Berger <stefanb@xxxxxxxxxxxxx> Signed-off-by: Mimi Zohar <zohar@xxxxxxxxxxxxx> + Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> + Signed-off-by: Libo Chen <libo.chen.cn@xxxxxxxxxxxxx> ## security/integrity/ima/ima_api.c ## -@@ security/integrity/ima/ima_api.c: int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file, +@@ security/integrity/ima/ima_api.c: int ima_collect_measurement(struct integrity_iint_cache *iint, const char *audit_cause = "failed"; struct inode *inode = file_inode(file); struct inode *real_inode = d_real_inode(file_dentry(file)); - const char *filename = file->f_path.dentry->d_name.name; - struct ima_max_digest_data hash; + struct name_snapshot filename; - struct kstat stat; int result = 0; int length; -@@ security/integrity/ima/ima_api.c: int ima_collect_measurement(struct ima_iint_cache *iint, struct file *file, + void *tmpbuf; +@@ security/integrity/ima/ima_api.c: int ima_collect_measurement(struct integrity_iint_cache *iint, if (file->f_flags & O_DIRECT) audit_cause = "failed(directio)"; @@ security/integrity/ima/ima_api.c: int ima_collect_measurement(struct ima_iint_ca } return result; } -@@ security/integrity/ima/ima_api.c: void ima_audit_measurement(struct ima_iint_cache *iint, +@@ security/integrity/ima/ima_api.c: void ima_audit_measurement(struct integrity_iint_cache *iint, */ const char *ima_d_path(const struct path *path, char **pathbuf, char *namebuf) { @@ security/integrity/ima/ima_api.c: const char *ima_d_path(const struct path *path } if (!pathname) { -- strscpy(namebuf, path->dentry->d_name.name, NAME_MAX); +- strlcpy(namebuf, path->dentry->d_name.name, NAME_MAX); + take_dentry_name_snapshot(&filename, path->dentry); + strscpy(namebuf, filename.name.name, NAME_MAX); + release_dentry_name_snapshot(&filename); --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-5.15.y | Success | Success |