3.18-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Oct 2017 09:47:38 +0000 (11:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 25 Oct 2017 09:47:38 +0000 (11:47 +0200)
added patches:
fs-cache-fix-dereference-of-null-user_key_payload.patch

queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch [new file with mode: 0644]
queue-3.18/series

diff --git a/queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch b/queue-3.18/fs-cache-fix-dereference-of-null-user_key_payload.patch
new file mode 100644 (file)
index 0000000..f62452f
--- /dev/null
@@ -0,0 +1,45 @@
+From d124b2c53c7bee6569d2a2d0b18b4a1afde00134 Mon Sep 17 00:00:00 2001
+From: Eric Biggers <ebiggers@google.com>
+Date: Mon, 9 Oct 2017 12:40:00 -0700
+Subject: FS-Cache: fix dereference of NULL user_key_payload
+
+From: Eric Biggers <ebiggers@google.com>
+
+commit d124b2c53c7bee6569d2a2d0b18b4a1afde00134 upstream.
+
+When the file /proc/fs/fscache/objects (available with
+CONFIG_FSCACHE_OBJECT_LIST=y) is opened, we request a user key with
+description "fscache:objlist", then access its payload.  However, a
+revoked key has a NULL payload, and we failed to check for this.
+request_key() *does* skip revoked keys, but there is still a window
+where the key can be revoked before we access its payload.
+
+Fix it by checking for a NULL payload, treating it like a key which was
+already revoked at the time it was requested.
+
+Fixes: 4fbf4291aa15 ("FS-Cache: Allow the current state of all objects to be dumped")
+Reviewed-by: James Morris <james.l.morris@oracle.com>
+Signed-off-by: Eric Biggers <ebiggers@google.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/fscache/object-list.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/fscache/object-list.c
++++ b/fs/fscache/object-list.c
+@@ -330,6 +330,13 @@ static void fscache_objlist_config(struc
+       rcu_read_lock();
+       confkey = key->payload.data;
++      if (!confkey) {
++              /* key was revoked */
++              rcu_read_unlock();
++              key_put(key);
++              goto no_config;
++      }
++
+       buf = confkey->data;
+       for (len = confkey->datalen - 1; len >= 0; len--) {
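Review bot: The new `if (!confkey)` test depends on the plain load `confkey = key->payload.data;` on the context line just above it, which sits inside the RCU read-side section but uses no RCU accessor, even though the commit message says a revoke can clear the payload concurrently. If this tree has an RCU-annotated payload pointer or a helper for user keys, the load would be better written as `confkey = rcu_dereference(<annotated payload pointer>);`, so that the NULL test and the later `confkey->data` and `confkey->datalen` reads are guaranteed to use one snapshot. This is inferred, because the key structure is not visible here. The comment could also say why the case is reachable, for example `/* revoked after request_key() returned; payload is NULL */`. The body of fscache_objlist_config() and the `no_config` label are outside the hunk, so the cleanup done at that label could not be checked against the `rcu_read_unlock()` and `key_put(key)` added here.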
index 10377a76fbaeb93547baf5ae17d4d2fb9992bdfe..e402baa67c91c507ac960a294b4ead48f2e49ea6 100644 (file)
@@ -18,3 +18,4 @@ cls_api.c-fix-dumping-of-non-existing-actions-stats.patch
 parisc-avoid-trashing-sr2-and-sr3-in-lws-code.patch
 parisc-fix-double-word-compare-and-exchange-in-lws-code-on-32-bit-kernels.patch
 af_packet-don-t-pass-empty-blocks-for-packet_v3.patch
+fs-cache-fix-dereference-of-null-user_key_payload.patch