From: Sasha Levin <sashal@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
"Radim Krčmář" <rkrcmar@redhat.com>,
kvm@vger.kernel.org,
"Linus Torvalds" <torvalds@linux-foundation.org>
Subject: Re: [PATCH AUTOSEL 4.19 40/57] kvm: properly check debugfs dentry before using it
Date: Wed, 3 Apr 2019 12:16:06 -0400 [thread overview]
Message-ID: <20190403161606.GB16241@sasha-vm> (raw)
In-Reply-To: <20190330054350.GB23655@kroah.com>
On Sat, Mar 30, 2019 at 06:43:50AM +0100, Greg Kroah-Hartman wrote:
>On Fri, Mar 29, 2019 at 09:28:33PM -0400, Sasha Levin wrote:
>> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>>
>> [ Upstream commit 8ed0579c12b2fe56a1fac2f712f58fc26c1dc49b ]
>>
>> debugfs can now report an error code if something went wrong instead of
>> just NULL. So if the return value is to be used as a "real" dentry, it
>> needs to be checked if it is an error before dereferencing it.
>>
>> This is now happening because of ff9fb72bc077 ("debugfs: return error
>> values, not NULL"). syzbot has found a way to trigger multiple debugfs
>> files attempting to be created, which fails, and then the error code
>> gets passed to dentry_path_raw() which obviously does not like it.
>>
>> Reported-by: Eric Biggers <ebiggers@kernel.org>
>> Reported-and-tested-by: syzbot+7857962b4d45e602b8ad@syzkaller.appspotmail.com
>> Cc: "Radim Krčmář" <rkrcmar@redhat.com>
>> Cc: kvm@vger.kernel.org
>> Acked-by: Paolo Bonzini <pbonzini@redhat.com>
>> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
>> Signed-off-by: Sasha Levin <sashal@kernel.org>
>> ---
>> virt/kvm/kvm_main.c | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c
>> index c436d95fd7aa..fb74f994cb63 100644
>> --- a/virt/kvm/kvm_main.c
>> +++ b/virt/kvm/kvm_main.c
>> @@ -3912,7 +3912,7 @@ static void kvm_uevent_notify_change(unsigned int type, struct kvm *kvm)
>> }
>> add_uevent_var(env, "PID=%d", kvm->userspace_pid);
>>
>> - if (kvm->debugfs_dentry) {
>> + if (!IS_ERR_OR_NULL(kvm->debugfs_dentry)) {
>> char *tmp, *p = kmalloc(PATH_MAX, GFP_KERNEL);
>>
>> if (p) {
>> --
>> 2.19.1
>>
>
>Same thing here, this was a 5.0-only thing, no need for it to be
>backported, please drop it from all trees.
Dropped, thanks!
--
Thanks,
Sasha
next prev parent reply other threads:[~2019-04-03 16:16 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-30 1:27 [PATCH AUTOSEL 4.19 01/57] drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up Sasha Levin
2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 02/57] gpio: pxa: handle corner case of unprobed device Sasha Levin
2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 03/57] rsi: improve kernel thread handling to fix kernel panic Sasha Levin
2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 04/57] f2fs: fix to avoid NULL pointer dereference on se->discard_map Sasha Levin
2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 05/57] 9p: do not trust pdu content for stat item size Sasha Levin
2019-03-30 1:27 ` [PATCH AUTOSEL 4.19 06/57] 9p locks: add mount option for lock retry interval Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 07/57] ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx() Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 08/57] f2fs: fix to do sanity check with current segment number Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 09/57] netfilter: xt_cgroup: shrink size of v2 path Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 10/57] serial: uartps: console_setup() can't be placed to init section Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 11/57] powerpc/pseries: Remove prrn_work workqueue Sasha Levin
2019-03-30 1:28 ` Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 12/57] media: au0828: cannot kfree dev before usb disconnect Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 13/57] Bluetooth: Fix debugfs NULL pointer dereference Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 14/57] HID: i2c-hid: override HID descriptors for certain devices Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 15/57] pinctrl: core: make sure strcmp() doesn't get a null parameter Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 16/57] ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 17/57] usbip: fix vhci_hcd controller counting Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 18/57] ACPI / SBS: Fix GPE storm on recent MacBookPro's Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 19/57] HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2 Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 20/57] KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 21/57] compiler.h: update definition of unreachable() Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 22/57] netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 23/57] f2fs: cleanup dirty pages if recover failed Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 24/57] net: stmmac: Set OWN bit for jumbo frames Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 25/57] cifs: fallback to older infolevels on findfirst queryinfo retry Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 26/57] kernel: hung_task.c: disable on suspend Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 27/57] platform/x86: Add Intel AtomISP2 dummy / power-management driver Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 28/57] nvme-pci: fix conflicting p2p resource adds Sasha Levin
2019-03-30 1:28 ` Sasha Levin
2019-04-01 17:36 ` Heitke, Kenneth
2019-04-01 17:36 ` Heitke, Kenneth
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 29/57] drm/ttm: Fix bo_global and mem_global kfree error Sasha Levin
2019-03-30 1:28 ` Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 30/57] ALSA: hda: fix front speakers on Huawei MBXP Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 31/57] ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 32/57] net/rds: fix warn in rds_message_alloc_sgs Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 33/57] blk-mq: protect debugfs_create_files() from failures Sasha Levin
2019-03-30 5:43 ` Greg Kroah-Hartman
2019-04-03 16:17 ` Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 34/57] xfrm: destroy xfrm_state synchronously on net exit path Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 35/57] crypto: sha256/arm - fix crash bug in Thumb2 build Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 36/57] crypto: sha512/arm " Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 37/57] net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 38/57] iommu/dmar: Fix buffer overflow during PCI bus notification Sasha Levin
2019-03-30 1:28 ` Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 39/57] scsi: core: Avoid that system resume triggers a kernel warning Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 40/57] kvm: properly check debugfs dentry before using it Sasha Levin
2019-03-30 5:43 ` Greg Kroah-Hartman
2019-04-03 16:16 ` Sasha Levin [this message]
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 41/57] soc/tegra: pmc: Drop locking from tegra_powergate_is_powered() Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 42/57] ext4: prohibit fstrim in norecovery mode Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 43/57] lkdtm: Print real addresses Sasha Levin
2019-03-30 1:28 ` [PATCH AUTOSEL 4.19 44/57] lkdtm: Add tests for NULL pointer dereference Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190403161606.GB16241@sasha-vm \
--to=sashal@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=kvm@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=rkrcmar@redhat.com \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.