[thirdparty/kernel/stable-queue.git] / queue-4.4 / autofs-drop-dentry-reference-only-when-it-is-never-u.patch

From baefe25c3c47559cfca0782102ccc0029decf850 Mon Sep 17 00:00:00 2001
From: Pan Bian <bianpan2016@163.com>
Date: Fri, 1 Feb 2019 14:21:26 -0800
Subject: autofs: drop dentry reference only when it is never used

[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]

autofs_expire_run() calls dput(dentry) to drop the reference count of
dentry.  However, dentry is read via autofs_dentry_ino(dentry) after
that.  This may result in a use-free-bug.  The patch drops the reference
count of dentry only when it is never used.

Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Ian Kent <raven@themaw.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/autofs4/expire.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
index 7a5a598a2d94..0d8b9c4f27f2 100644
--- a/fs/autofs4/expire.c
+++ b/fs/autofs4/expire.c
@@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb,
 	pkt.len = dentry->d_name.len;
 	memcpy(pkt.name, dentry->d_name.name, pkt.len);
 	pkt.name[pkt.len] = '\0';
-	dput(dentry);
 
 	if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) )
 		ret = -EFAULT;
@@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb,
 	complete_all(&ino->expire_complete);
 	spin_unlock(&sbi->fs_lock);
 
+	dput(dentry);
+
 	return ret;
 }
 
-- 
2.19.1
Commit	Line	Data
1981af9d SL	1	From baefe25c3c47559cfca0782102ccc0029decf850 Mon Sep 17 00:00:00 2001
	2	From: Pan Bian <bianpan2016@163.com>
	3	Date: Fri, 1 Feb 2019 14:21:26 -0800
	4	Subject: autofs: drop dentry reference only when it is never used
	5
	6	[ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]
	7
	8	autofs_expire_run() calls dput(dentry) to drop the reference count of
	9	dentry. However, dentry is read via autofs_dentry_ino(dentry) after
	10	that. This may result in a use-free-bug. The patch drops the reference
	11	count of dentry only when it is never used.
	12
	13	Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
	14	Signed-off-by: Pan Bian <bianpan2016@163.com>
	15	Signed-off-by: Ian Kent <raven@themaw.net>
	16	Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
	17	Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
	18	Signed-off-by: Sasha Levin <sashal@kernel.org>
	19	---
	20	fs/autofs4/expire.c \| 3 ++-
	21	1 file changed, 2 insertions(+), 1 deletion(-)
	22
	23	diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
	24	index 7a5a598a2d94..0d8b9c4f27f2 100644
	25	--- a/fs/autofs4/expire.c
	26	+++ b/fs/autofs4/expire.c
	27	@@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb,
	28	pkt.len = dentry->d_name.len;
	29	memcpy(pkt.name, dentry->d_name.name, pkt.len);
	30	pkt.name[pkt.len] = '\0';
	31	- dput(dentry);
	32
	33	if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) )
	34	ret = -EFAULT;
	35	@@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb,
	36	complete_all(&ino->expire_complete);
	37	spin_unlock(&sbi->fs_lock);
	38
	39	+ dput(dentry);
	40	+
	41	return ret;
	42	}
	43
	44	--
	45	2.19.1
	46