From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 3 Sep 2023 08:45:13 +0000 (+0200)
Subject: 5.10-stable patches
X-Git-Tag: v6.5.2~28
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c47f27cfd300da62f0d4137b6f91235dd7a6c270;p=thirdparty%2Fkernel%2Fstable-queue.git

5.10-stable patches

added patches:
	configfs-fix-a-race-in-configfs_lookup.patch
---

diff --git a/queue-5.10/configfs-fix-a-race-in-configfs_lookup.patch b/queue-5.10/configfs-fix-a-race-in-configfs_lookup.patch
new file mode 100644
index 00000000000..d2d8b5a1c83
--- /dev/null
+++ b/queue-5.10/configfs-fix-a-race-in-configfs_lookup.patch
@@ -0,0 +1,48 @@
+From c42dd069be8dfc9b2239a5c89e73bbd08ab35de0 Mon Sep 17 00:00:00 2001
+From: Sishuai Gong <sishuai@purdue.edu>
+Date: Wed, 25 Aug 2021 07:52:20 +0200
+Subject: configfs: fix a race in configfs_lookup()
+
+From: Sishuai Gong <sishuai@purdue.edu>
+
+commit c42dd069be8dfc9b2239a5c89e73bbd08ab35de0 upstream.
+
+When configfs_lookup() is executing list_for_each_entry(),
+it is possible that configfs_dir_lseek() is calling list_del().
+Some unfortunate interleavings of them can cause a kernel NULL
+pointer dereference error
+
+Thread 1                  Thread 2
+//configfs_dir_lseek()    //configfs_lookup()
+list_del(&cursor->s_sibling);
+                         list_for_each_entry(sd, ...)
+
+Fix this by grabbing configfs_dirent_lock in configfs_lookup()
+while iterating ->s_children.
+
+Signed-off-by: Sishuai Gong <sishuai@purdue.edu>
+Signed-off-by: Christoph Hellwig <hch@lst.de>
+Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/configfs/dir.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/configfs/dir.c
++++ b/fs/configfs/dir.c
+@@ -479,6 +479,7 @@ static struct dentry * configfs_lookup(s
+ 	if (!configfs_dirent_is_ready(parent_sd))
+ 		goto out;
+ 
++	spin_lock(&configfs_dirent_lock);
+ 	list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
+ 		if (sd->s_type & CONFIGFS_NOT_PINNED) {
+ 			const unsigned char * name = configfs_get_name(sd);
+@@ -491,6 +492,7 @@ static struct dentry * configfs_lookup(s
+ 			break;
+ 		}
+ 	}
++	spin_unlock(&configfs_dirent_lock);
+ 
+ 	if (!found) {
+ 		/*
diff --git a/queue-5.10/series b/queue-5.10/series
index 915f8b31b3b..c5f78753087 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -11,3 +11,4 @@ usb-chipidea-imx-improve-logic-if-samsung-picophy-parameter-is-0.patch
 hid-wacom-remove-the-battery-when-the-ekr-is-off.patch
 staging-rtl8712-fix-race-condition.patch
 bluetooth-btsdio-fix-use-after-free-bug-in-btsdio_remove-due-to-race-condition.patch
+configfs-fix-a-race-in-configfs_lookup.patch