From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Al Viro <viro@zeniv.linux.org.uk>,
"Sasha Levin (Microsoft)" <sashal@kernel.org>
Subject: [PATCH 5.0 057/122] debugfs: fix use-after-free on symlink traversal
Date: Mon, 6 May 2019 16:31:55 +0200 [thread overview]
Message-ID: <20190506143100.115753154@linuxfoundation.org> (raw)
In-Reply-To: <20190506143054.670334917@linuxfoundation.org>
[ Upstream commit 93b919da64c15b90953f96a536e5e61df896ca57 ]
symlink body shouldn't be freed without an RCU delay. Switch debugfs to
->destroy_inode() and use of call_rcu(); free both the inode and symlink
body in the callback. Similar to solution for bpf, only here it's even
more obvious that ->evict_inode() can be dropped.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
---
fs/debugfs/inode.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git a/fs/debugfs/inode.c b/fs/debugfs/inode.c
index 29c68c5d44d5..c4a4fc6f1a95 100644
--- a/fs/debugfs/inode.c
+++ b/fs/debugfs/inode.c
@@ -163,19 +163,24 @@ static int debugfs_show_options(struct seq_file *m, struct dentry *root)
return 0;
}
-static void debugfs_evict_inode(struct inode *inode)
+static void debugfs_i_callback(struct rcu_head *head)
{
- truncate_inode_pages_final(&inode->i_data);
- clear_inode(inode);
+ struct inode *inode = container_of(head, struct inode, i_rcu);
if (S_ISLNK(inode->i_mode))
kfree(inode->i_link);
+ free_inode_nonrcu(inode);
+}
+
+static void debugfs_destroy_inode(struct inode *inode)
+{
+ call_rcu(&inode->i_rcu, debugfs_i_callback);
}
static const struct super_operations debugfs_super_operations = {
.statfs = simple_statfs,
.remount_fs = debugfs_remount,
.show_options = debugfs_show_options,
- .evict_inode = debugfs_evict_inode,
+ .destroy_inode = debugfs_destroy_inode,
};
static void debugfs_release_dentry(struct dentry *dentry)
--
2.20.1
next prev parent reply other threads:[~2019-05-06 14:35 UTC|newest]
Thread overview: 134+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-06 14:30 [PATCH 5.0 000/122] 5.0.14-stable review Greg Kroah-Hartman
2019-05-06 14:30 ` [PATCH 5.0 001/122] selftests/seccomp: Prepare for exclusive seccomp flags Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 002/122] seccomp: Make NEW_LISTENER and TSYNC flags exclusive Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 003/122] ARC: memset: fix build with L1_CACHE_SHIFT != 6 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 004/122] iwlwifi: fix driver operation for 5350 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 005/122] mwifiex: Make resume actually do something useful again on SDIO cards Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 006/122] mtd: rawnand: marvell: Clean the controller state before each operation Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 007/122] mac80211: dont attempt to rename ERR_PTR() debugfs dirs Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 008/122] i2c: synquacer: fix enumeration of slave devices Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 009/122] i2c: imx: correct the method of getting private data in notifier_call Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 010/122] i2c: Prevent runtime suspend of adapter when Host Notify is required Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 011/122] ALSA: hda/realtek - Add new Dell platform for headset mode Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 012/122] ALSA: hda/realtek - Fixed Dell AIO speaker noise Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 013/122] ALSA: hda/realtek - Apply the fixup for ASUS Q325UAR Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 014/122] USB: yurex: Fix protection fault after device removal Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 015/122] USB: w1 ds2490: Fix bug caused by improper use of altsetting array Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 016/122] USB: dummy-hcd: Fix failure to give back unlinked URBs Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 017/122] usb: usbip: fix isoc packet num validation in get_pipe Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 018/122] USB: core: Fix unterminated string returned by usb_string() Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 019/122] USB: core: Fix bug caused by duplicate interface PM usage counter Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 020/122] KVM: lapic: Disable timer advancement if adaptive tuning goes haywire Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 021/122] KVM: x86: Consider LAPIC TSC-Deadline timer expired if deadline too short Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 022/122] KVM: lapic: Track lapic timer advance per vCPU Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 023/122] KVM: lapic: Allow user to disable adaptive tuning of timer advancement Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 024/122] KVM: lapic: Convert guest TSC to host time domain if necessary Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 025/122] arm64: dts: rockchip: fix rk3328-roc-cc gmac2io tx/rx_delay Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 026/122] HID: Increase maximum report size allowed by hid_field_extract() Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 027/122] HID: logitech: check the return value of create_singlethread_workqueue Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 028/122] HID: debug: fix race condition with between rdesc_show() and device removal Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 029/122] rtc: cros-ec: Fail suspend/resume if wake IRQ cant be configured Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 030/122] rtc: sh: Fix invalid alarm warning for non-enabled alarm Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 031/122] ARM: OMAP2+: add missing of_node_put after of_device_is_available Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 032/122] batman-adv: Reduce claim hash refcnt only for removed entry Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 033/122] batman-adv: Reduce tt_local " Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 034/122] batman-adv: Reduce tt_global " Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 035/122] batman-adv: fix warning in function batadv_v_elp_get_throughput Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 036/122] ARM: dts: rockchip: Fix gpu opp node names for rk3288 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 037/122] reset: meson-audio-arb: Fix missing .owner setting of reset_controller_dev Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 038/122] ARM: dts: Fix dcan clkctrl clock for am3 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 039/122] i40e: fix i40e_ptp_adjtime when given a negative delta Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 040/122] igb: Fix WARN_ONCE on runtime suspend Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 041/122] ixgbe: fix mdio bus registration Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 042/122] i40e: fix WoL support check Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 043/122] riscv: fix accessing 8-byte variable from RV32 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 044/122] HID: quirks: Fix keyboard + touchpad on Lenovo Miix 630 Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 045/122] net: hns3: fix compile error Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 046/122] xdp: fix cpumap redirect SKB creation bug Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 047/122] net/mlx5: E-Switch, Protect from invalid memory access in offload fdb table Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 048/122] net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 049/122] bonding: show full hw address in sysfs for slave entries Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 050/122] net: stmmac: use correct DMA buffer size in the RX descriptor Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 051/122] net: stmmac: ratelimit RX error logs Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 052/122] net: stmmac: dont stop NAPI processing when dropping a packet Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 053/122] net: stmmac: dont overwrite discard_frame status Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 054/122] net: stmmac: fix dropping of multi-descriptor RX frames Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 055/122] net: stmmac: dont log oversized frames Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 056/122] jffs2: fix use-after-free on symlink traversal Greg Kroah-Hartman
2019-05-06 14:31 ` Greg Kroah-Hartman [this message]
2019-05-06 14:31 ` [PATCH 5.0 058/122] mfd: twl-core: Disable IRQ while suspended Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 059/122] block: use blk_free_flush_queue() to free hctx->fq in blk_mq_init_hctx Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 060/122] rtc: da9063: set uie_unsupported when relevant Greg Kroah-Hartman
2019-05-06 14:31 ` [PATCH 5.0 061/122] HID: input: add mapping for Assistant key Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 062/122] vfio/pci: use correct format characters Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 063/122] scsi: core: add new RDAC LENOVO/DE_Series device Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 064/122] scsi: storvsc: Fix calculation of sub-channel count Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 065/122] arm/mach-at91/pm : fix possible object reference leak Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 066/122] blk-mq: do not reset plug->rq_count before the list is sorted Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 067/122] arm64: fix wrong check of on_sdei_stack in nmi context Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 068/122] net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 069/122] net: hns: Use NAPI_POLL_WEIGHT for hns driver Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 070/122] net: hns: Fix probabilistic memory overwrite when HNS driver initialized Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 071/122] net: hns: fix ICMP6 neighbor solicitation messages discard problem Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 072/122] net: hns: Fix WARNING when remove HNS driver with SMMU enabled Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 073/122] libcxgb: fix incorrect ppmax calculation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 074/122] KVM: SVM: prevent DBG_DECRYPT and DBG_ENCRYPT overflow Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 075/122] kmemleak: powerpc: skip scanning holes in the .bss section Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 076/122] hugetlbfs: fix memory leak for resv_map Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 077/122] sh: fix multiple function definition build errors Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 078/122] null_blk: prevent crash from bad home_node value Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 079/122] xsysace: Fix error handling in ace_setup Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 080/122] fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 081/122] ARM: orion: dont use using 64-bit DMA masks Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 082/122] ARM: iop: " Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 083/122] perf/x86/amd: Update generic hardware cache events for Family 17h Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 084/122] Bluetooth: btusb: request wake pin with NOAUTOEN Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 085/122] Bluetooth: mediatek: fix up an error path to restore bdev->tx_state Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 086/122] clk: qcom: Add missing freq for usb30_master_clk on 8998 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 087/122] usb: dwc3: Reset num_trbs after skipping Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 088/122] staging: iio: adt7316: allow adt751x to use internal vref for all dacs Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 089/122] staging: iio: adt7316: fix the dac read calculation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 090/122] staging: iio: adt7316: fix handling of dac high resolution option Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 091/122] staging: iio: adt7316: fix the dac write calculation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 092/122] scsi: hisi_sas: Fix to only call scsi_get_prot_op() for non-NULL scsi_cmnd Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 093/122] scsi: RDMA/srpt: Fix a credit leak for aborted commands Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 094/122] ASoC: Intel: bytcr_rt5651: Revert "Fix DMIC map headsetmic mapping" Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 095/122] ASoC: rsnd: gen: fix SSI9 4/5/6/7 busif related register address Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 096/122] ASoC: sunxi: sun50i-codec-analog: Rename hpvcc regulator supply to cpvdd Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 097/122] ASoC: wm_adsp: Correct handling of compressed streams that restart Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 098/122] ASoC: dpcm: skip missing substream while applying symmetry Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 099/122] ASoC: stm32: fix sai driver name initialisation Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 100/122] KVM: VMX: Save RSI to an unused output in the vCPU-run asm blob Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 101/122] KVM: nVMX: Remove a rogue "rax" clobber from nested_vmx_check_vmentry_hw() Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 102/122] kvm: vmx: Fix typos in vmentry/vmexit control setting Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 103/122] KVM: lapic: Check for in-kernel LAPIC before deferencing apic pointer Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 104/122] platform/x86: intel_pmc_core: Fix PCH IP name Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 105/122] platform/x86: intel_pmc_core: Handle CFL regmap properly Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 106/122] IB/core: Unregister notifier before freeing MAD security Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 107/122] IB/core: Fix potential memory leak while creating MAD agents Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 108/122] IB/core: Destroy QP if XRC QP fails Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 109/122] Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 110/122] Input: stmfts - acknowledge that setting brightness is a blocking call Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 111/122] gpio: mxc: add check to return defer probe if clock tree NOT ready Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 112/122] selinux: avoid silent denials in permissive mode under RCU walk Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 113/122] selinux: never allow relabeling on context mounts Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 114/122] mac80211: Honor SW_CRYPTO_CONTROL for unicast keys in AP VLAN mode Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 115/122] powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 116/122] x86/mce: Improve error message when kernel cannot recover, p2 Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 117/122] clk: x86: Add system specific quirk to mark clocks as critical Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 118/122] x86/mm/KASLR: Fix the size of the direct mapping section Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 119/122] x86/mm: Fix a crash with kmemleak_scan() Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 120/122] x86/mm/tlb: Revert "x86/mm: Align TLB invalidation info" Greg Kroah-Hartman
2019-05-06 14:32 ` [PATCH 5.0 121/122] i2c: i2c-stm32f7: Fix SDADEL minimum formula Greg Kroah-Hartman
2019-05-06 14:33 ` [PATCH 5.0 122/122] media: v4l2: i2c: ov7670: Fix PLL bypass register values Greg Kroah-Hartman
2019-05-07 7:18 ` [PATCH 5.0 000/122] 5.0.14-stable review Naresh Kamboju
2019-05-07 13:04 ` Greg Kroah-Hartman
2019-05-07 12:45 ` Jon Hunter
2019-05-07 13:04 ` Greg Kroah-Hartman
2019-05-07 16:27 ` kernelci.org bot
2019-05-07 18:39 ` Guenter Roeck
2019-05-07 18:58 ` Greg Kroah-Hartman
2019-05-07 20:19 ` shuah
2019-05-08 6:36 ` Greg Kroah-Hartman
2019-05-08 0:56 ` Kelsey Skunberg
2019-05-08 6:36 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190506143100.115753154@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).