--- /dev/null
+From c0eb027e5aef70b71e5a38ee3e264dc0b497f343 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 2 Apr 2017 17:10:08 -0700
+Subject: vfs: don't do RCU lookup of empty pathnames
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.
+
+Normal pathname lookup doesn't allow empty pathnames, but using
+AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
+can trigger an empty pathname lookup.
+
+And not only is the RCU lookup in that case entirely unnecessary
+(because we'll obviously immediately finalize the end result), it is
+actively wrong.
+
+Why? An empth path is a special case that will return the original
+'dirfd' dentry - and that dentry may not actually be RCU-free'd,
+resulting in a potential use-after-free if we were to initialize the
+path lazily under the RCU read lock and depend on complete_walk()
+finalizing the dentry.
+
+Found by syzkaller and KASAN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1851,6 +1851,9 @@ static int path_init(int dfd, const char
+ {
+ int retval = 0;
+
++ if (!*s)
++ flags &= ~LOOKUP_RCU;
++
+ nd->last_type = LAST_ROOT; /* if there are only slashes... */
+ nd->flags = flags | LOOKUP_JUMPED;
+ nd->depth = 0;
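
Review bot: The new `if (!*s)` test at the top of path_init() has no comment, so the code itself does not say why an empty pathname has to drop LOOKUP_RCU; the reason exists only in the commit message. Suggest a short comment above the test saying that an empty path returns the original dirfd dentry, which may not be RCU-freed, so the walk must not be started lazily under the RCU read lock and left to complete_walk(). It is also worth noting in that comment that the test must stay ahead of `nd->flags = flags | LOOKUP_JUMPED;`, since clearing the bit in the local `flags` after that assignment would have no effect on `nd->flags`.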