From: Greg Kroah-Hartman Date: Sun, 8 Sep 2024 10:03:36 +0000 (+0200) Subject: 6.10-stable patches X-Git-Tag: v4.19.322~143 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d81f0c200cefd7d77c77b6cabaaf52348bebfa6c;p=thirdparty%2Fkernel%2Fstable-queue.git 6.10-stable patches added patches: libfs-fix-get_stashed_dentry.patch series --- diff --git a/queue-6.10/libfs-fix-get_stashed_dentry.patch b/queue-6.10/libfs-fix-get_stashed_dentry.patch new file mode 100644 index 00000000000..ca4429d1b78 --- /dev/null +++ b/queue-6.10/libfs-fix-get_stashed_dentry.patch 
@@ -0,0 +1,55 @@ +From 4e32c25b58b945f976435bbe51f39b32d714052e Mon Sep 17 00:00:00 2001 +From: Christian Brauner +Date: Fri, 6 Sep 2024 18:22:22 +0200 +Subject: libfs: fix get_stashed_dentry() + +From: Christian Brauner + +commit 4e32c25b58b945f976435bbe51f39b32d714052e upstream. + +get_stashed_dentry() tries to optimistically retrieve a stashed dentry +from a provided location. It needs to ensure to hold rcu lock before it +dereference the stashed location to prevent UAF issues. Use +rcu_dereference() instead of READ_ONCE() it's effectively equivalent +with some lockdep bells and whistles and it communicates clearly that +this expects rcu protection. + +Link: https://lore.kernel.org/r/20240906-vfs-hotfix-5959800ffa68@brauner +Fixes: 07fd7c329839 ("libfs: add path_from_stashed()") +Reported-by: syzbot+f82b36bffae7ef78b6a7@syzkaller.appspotmail.com +Fixes: syzbot+f82b36bffae7ef78b6a7@syzkaller.appspotmail.com +Reported-by: syzbot+cbe4b96e1194b0e34db6@syzkaller.appspotmail.com +Fixes: syzbot+cbe4b96e1194b0e34db6@syzkaller.appspotmail.com +Signed-off-by: Christian Brauner +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + fs/libfs.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/libfs.c ++++ b/fs/libfs.c +@@ -2043,12 +2043,12 @@ struct timespec64 simple_inode_init_ts(s + } + EXPORT_SYMBOL(simple_inode_init_ts); + +-static inline struct dentry *get_stashed_dentry(struct dentry *stashed) ++static inline struct dentry *get_stashed_dentry(struct dentry **stashed) + { + struct dentry *dentry; + + guard(rcu)(); +- dentry = READ_ONCE(stashed); ++ dentry = rcu_dereference(*stashed); + if (!dentry) + return NULL; + if (!lockref_get_not_dead(&dentry->d_lockref)) +@@ -2145,7 +2145,7 @@ int path_from_stashed(struct dentry **st + const struct stashed_operations *sops = mnt->mnt_sb->s_fs_info; + + /* See if dentry can be reused. 
*/ +- path->dentry = get_stashed_dentry(*stashed); ++ path->dentry = get_stashed_dentry(stashed); + if (path->dentry) { + sops->put_data(data); + goto out_path; diff --git a/queue-6.10/series b/queue-6.10/series new file mode 100644 index 00000000000..1a67ef4ab3a --- /dev/null +++ b/queue-6.10/series @@ -0,0 +1 @@ +libfs-fix-get_stashed_dentry.patch
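Review bot: in the trailer block of the queued patch, the two `Fixes: syzbot+...@syzkaller.appspotmail.com` lines carry a reporter address where a `Fixes:` tag normally carries a commit id, as `Fixes: 07fd7c329839 ("libfs: add path_from_stashed()")` does. The same two addresses are already recorded under `Reported-by:`, so only the 07fd7c329839 line should be used to decide which stable trees need this backport.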
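Review bot: in the fs/libfs.c hunk at get_stashed_dentry(), `rcu_dereference(*stashed)` is applied to a parameter declared as plain `struct dentry **stashed` with no `__rcu` annotation, so sparse is likely to flag an address-space mismatch on this load. If the slot is RCU-protected as the commit message states, consider declaring it `struct dentry __rcu **stashed`. Failing that, add a short comment above the function saying that the load of `*stashed` must stay inside the `guard(rcu)()` scope. That ordering is the whole fix, and nothing in the code records it.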
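Review bot: in the path_from_stashed() hunk, the call site changes from `get_stashed_dentry(*stashed)` to `get_stashed_dentry(stashed)`, and it is the only caller the patch touches. The helper is `static inline`, so any other caller has to be in fs/libfs.c. For the 6.10 queue, confirm that no other caller remains in that file, since one still passing `*stashed` would hand a `struct dentry *` to a parameter that is now `struct dentry **`. A build of fs/libfs.c on the 6.10 tree with this patch applied is enough to confirm that.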