From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Wed, 21 Feb 2018 09:39:53 +0000 (+0100)
Subject: 3.18-stable patches
X-Git-Tag: v4.15.5~12
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=25b71588e1bceed86d9465481b5c992a2ab12c6c;p=thirdparty%2Fkernel%2Fstable-queue.git

3.18-stable patches

added patches:
	vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch
---

diff --git a/queue-3.18/series b/queue-3.18/series
index c4e6ee49cc1..d4b0e482678 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -13,3 +13,4 @@ console-dummy-leave-.con_font_get-set-to-null.patch
 btrfs-fix-deadlock-in-run_delalloc_nocow.patch
 btrfs-fix-crash-due-to-not-cleaning-up-tree-log-block-s-dirty-bits.patch
 alsa-seq-fix-racy-pool-initializations.patch
+vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch
diff --git a/queue-3.18/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch b/queue-3.18/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch
new file mode 100644
index 00000000000..95d01d71cfd
--- /dev/null
+++ b/queue-3.18/vfs-don-t-do-rcu-lookup-of-empty-pathnames.patch
@@ -0,0 +1,48 @@
+From c0eb027e5aef70b71e5a38ee3e264dc0b497f343 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds <torvalds@linux-foundation.org>
+Date: Sun, 2 Apr 2017 17:10:08 -0700
+Subject: vfs: don't do RCU lookup of empty pathnames
+
+From: Linus Torvalds <torvalds@linux-foundation.org>
+
+commit c0eb027e5aef70b71e5a38ee3e264dc0b497f343 upstream.
+
+Normal pathname lookup doesn't allow empty pathnames, but using
+AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
+can trigger an empty pathname lookup.
+
+And not only is the RCU lookup in that case entirely unnecessary
+(because we'll obviously immediately finalize the end result), it is
+actively wrong.
+
+Why? An empth path is a special case that will return the original
+'dirfd' dentry - and that dentry may not actually be RCU-free'd,
+resulting in a potential use-after-free if we were to initialize the
+path lazily under the RCU read lock and depend on complete_walk()
+finalizing the dentry.
+
+Found by syzkaller and KASAN.
+
+Reported-by: Dmitry Vyukov <dvyukov@google.com>
+Reported-by: Vegard Nossum <vegard.nossum@gmail.com>
+Acked-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Eric Biggers <ebiggers3@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/namei.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -1851,6 +1851,9 @@ static int path_init(int dfd, const char
+ {
+ 	int retval = 0;
+ 
++	if (!*s)
++		flags &= ~LOOKUP_RCU;
++
+ 	nd->last_type = LAST_ROOT; /* if there are only slashes... */
+ 	nd->flags = flags | LOOKUP_JUMPED;
+ 	nd->depth = 0;