git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From e9eb47d199f56aa893dff7ffe8194fce632b4131 Mon Sep 17 00:00:00 2001
   2 From: Sasha Levin <sashal@kernel.org>
   3 Date: Tue, 3 Nov 2020 16:33:07 +0000
   4 Subject: afs: Fix incorrect freeing of the ACL passed to the YFS ACL store op
   5
   6 From: David Howells <dhowells@redhat.com>
   7
   8 [ Upstream commit f4c79144edd8a49ffca8fa737a31d606be742a34 ]
   9
  10 The cleanup for the yfs_store_opaque_acl2_operation calls the wrong
  11 function to destroy the ACL content buffer.  It's an afs_acl struct, not
  12 a yfs_acl struct - and the free function for latter may pass invalid
  13 pointers to kfree().
  14
  15 Fix this by using the afs_acl_put() function.  The yfs_acl_put()
  16 function is then no longer used and can be removed.
  17
  18         general protection fault, probably for non-canonical address 0x7ebde00000000: 0000 [#1] SMP PTI
  19         ...
  20         RIP: 0010:compound_head+0x0/0x11
  21         ...
  22         Call Trace:
  23          virt_to_cache+0x8/0x51
  24          kfree+0x5d/0x79
  25          yfs_free_opaque_acl+0x16/0x29
  26          afs_put_operation+0x60/0x114
  27          __vfs_setxattr+0x67/0x72
  28          __vfs_setxattr_noperm+0x66/0xe9
  29          vfs_setxattr+0x67/0xce
  30          setxattr+0x14e/0x184
  31          __do_sys_fsetxattr+0x66/0x8f
  32          do_syscall_64+0x2d/0x3a
  33          entry_SYSCALL_64_after_hwframe+0x44/0xa9
  34
  35 Fixes: e49c7b2f6de7 ("afs: Build an abstraction around an "operation" concept")
  36 Signed-off-by: David Howells <dhowells@redhat.com>
  37 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  38 Signed-off-by: Sasha Levin <sashal@kernel.org>
  39 ---
  40  fs/afs/xattr.c | 7 +------
  41  1 file changed, 1 insertion(+), 6 deletions(-)
  42
  43 diff --git a/fs/afs/xattr.c b/fs/afs/xattr.c
  44 index 38884d6c57cdc..95c573dcda116 100644
  45 --- a/fs/afs/xattr.c
  46 +++ b/fs/afs/xattr.c
  47 @@ -148,11 +148,6 @@ static const struct xattr_handler afs_xattr_afs_acl_handler = {
  48         .set    = afs_xattr_set_acl,
  49  };
  50
  51 -static void yfs_acl_put(struct afs_operation *op)
  52 -{
  53 -       yfs_free_opaque_acl(op->yacl);
  54 -}
  55 -
  56  static const struct afs_operation_ops yfs_fetch_opaque_acl_operation = {
  57         .issue_yfs_rpc  = yfs_fs_fetch_opaque_acl,
  58         .success        = afs_acl_success,
  59 @@ -246,7 +241,7 @@ error:
  60  static const struct afs_operation_ops yfs_store_opaque_acl2_operation = {
  61         .issue_yfs_rpc  = yfs_fs_store_opaque_acl2,
  62         .success        = afs_acl_success,
  63 -       .put            = yfs_acl_put,
  64 +       .put            = afs_acl_put,
  65  };
  66
  67  /*
  68 --
  69 2.27.0
  70