+++ /dev/null
-From c0eb027e5aef70b71e5a38ee3e264dc0b497f343 Mon Sep 17 00:00:00 2001
-From: Linus Torvalds <torvalds@linux-foundation.org>
-Date: Sun, 2 Apr 2017 17:10:08 -0700
-Subject: vfs: don't do RCU lookup of empty pathnames
-
-From: Linus Torvalds <torvalds@linux-foundation.org>
-
-commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.
-
-Normal pathname lookup doesn't allow empty pathnames, but using
-AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
-can trigger an empty pathname lookup.
-
-And not only is the RCU lookup in that case entirely unnecessary
-(because we'll obviously immediately finalize the end result), it is
-actively wrong.
-
-Why? An empth path is a special case that will return the original
-'dirfd' dentry - and that dentry may not actually be RCU-free'd,
-resulting in a potential use-after-free if we were to initialize the
-path lazily under the RCU read lock and depend on complete_walk()
-finalizing the dentry.
-
-Found by syzkaller and KASAN.
-
-Reported-by: Dmitry Vyukov <dvyukov@google.com>
-Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
-Acked-by: Al Viro <viro@zeniv.linux.org.uk>
-Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-Cc: Eric Biggers <ebiggers3@gmail.com>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- fs/namei.c | 3 +++
- 1 file changed, 3 insertions(+)
-
---- a/fs/namei.c
-+++ b/fs/namei.c
-@@ -1851,6 +1851,9 @@ static int path_init(int dfd, const char
- {
- int retval = 0;
-
-+ if (!*s)
-+ flags &= ~LOOKUP_RCU;
-+
- nd->last_type = LAST_ROOT; /* if there are only slashes... */
- nd->flags = flags | LOOKUP_JUMPED;
- nd->depth = 0;
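Review bot: the added "if (!*s)" test at the top of path_init() has no comment, so the reason for clearing LOOKUP_RCU is recorded only in the commit message. A short comment above the test would help. It could say that an empty pathname returns the original dirfd dentry, which may not be RCU-freed. That would keep a later cleanup from dropping the check as redundant. The comment could also note that the bit has to be cleared before "nd->flags = flags | LOOKUP_JUMPED", because that assignment is where the modified flags are stored.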