Revision 073c516ff73557a8f7315066856c04b50383ac34 authored by Cong Wang on 19 April 2017, 22:11:00 UTC, committed by Linus Torvalds on 19 April 2017, 22:56:24 UTC
Andrey reported a use-after-free in __ns_get_path():

  spin_lock include/linux/spinlock.h:299 [inline]
  lockref_get_not_dead+0x19/0x80 lib/lockref.c:179
  __ns_get_path+0x197/0x860 fs/nsfs.c:66
  open_related_ns+0xda/0x200 fs/nsfs.c:143
  sock_ioctl+0x39d/0x440 net/socket.c:1001
  vfs_ioctl fs/ioctl.c:45 [inline]
  do_vfs_ioctl+0x1bf/0x1780 fs/ioctl.c:685
  SYSC_ioctl fs/ioctl.c:700 [inline]
  SyS_ioctl+0x8f/0xc0 fs/ioctl.c:691

We are under rcu read lock protection at that point:

        rcu_read_lock();
        d = atomic_long_read(&ns->stashed);
        if (!d)
                goto slow;
        dentry = (struct dentry *)d;
        if (!lockref_get_not_dead(&dentry->d_lockref))
                goto slow;
        rcu_read_unlock();

but don't use a proper RCU API on the free path, therefore a parallel
__d_free() could free it at the same time.  We need to mark the stashed
dentry with DCACHE_RCUACCESS so that __d_free() will be called after all
readers leave RCU.

Fixes: e149ed2b805f ("take the targets of /proc/*/ns/* symlinks to separate fs")
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Andrew Morton <akpm@linux-foundation.org>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 80d136e
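The race the commit message describes is easiest to see in a reduced model. The following C program is an added illustration written for this page; it is not kernel code and not part of the patch. Every name prefixed `toy_` is invented for the model, the flag value and magic constants are arbitrary, and "free" is simulated by poisoning an object in a static pool so the model can inspect memory a real kernel would have handed back to the slab allocator. It plays the same interleaving twice: a reader reads `ns->stashed` under `rcu_read_lock()`, a concurrent final `dput()` kills and frees the dentry, and the reader then calls `lockref_get_not_dead()`. Without `DCACHE_RCUACCESS` the free happens immediately and the reader touches dead memory; with it, the free is deferred to the end of the grace period, the reader sees a dead lockref, takes the slow path, and the memory is released only after `rcu_read_unlock()`.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model of the __ns_get_path() fast path vs. a concurrent final dput().
 * Not kernel code; names starting with toy_ and all constants are invented. */

#define DCACHE_RCUACCESS 0x1u      /* flag name from the kernel; value arbitrary here */
#define LIVE_MAGIC   0x5a5a5a5au
#define FREED_MAGIC  0xdeaddeadu
#define LOCKREF_DEAD (-128)        /* lockref_mark_dead() sets count to -128 */

struct toy_dentry {
    int count;            /* models d_lockref.count */
    unsigned flags;       /* models d_flags */
    unsigned magic;       /* LIVE_MAGIC while allocated, FREED_MAGIC after "free" */
};

/* Objects live in a static pool and are never really free()d, so the model
 * can look at "freed" memory without undefined behaviour. */
static struct toy_dentry pool[1];
static struct toy_dentry *stashed;          /* models ns->stashed */
static int rcu_readers;                     /* readers inside toy_rcu_read_lock() */
static struct toy_dentry *rcu_free_queue;   /* what call_rcu() would be holding */

static void toy_free_now(struct toy_dentry *d) { d->magic = FREED_MAGIC; }

static void toy_rcu_read_lock(void) { rcu_readers++; }

/* The last reader leaving ends the grace period: deferred frees run now. */
static void toy_rcu_read_unlock(void)
{
    if (--rcu_readers == 0 && rcu_free_queue) {
        toy_free_now(rcu_free_queue);
        rcu_free_queue = NULL;
    }
}

/* Models __d_free(): with DCACHE_RCUACCESS the dentry goes through call_rcu(),
 * otherwise it is freed immediately even though a reader may hold the pointer. */
static void toy_d_free(struct toy_dentry *d)
{
    if (d->flags & DCACHE_RCUACCESS)
        rcu_free_queue = d;
    else
        toy_free_now(d);
}

/* Models the final dput(): mark the lockref dead, then free. Clearing the
 * stash does not help a reader that already loaded the raw pointer. */
static void toy_dentry_kill(struct toy_dentry *d)
{
    d->count = LOCKREF_DEAD;
    stashed = NULL;
    toy_d_free(d);
}

/* Models lockref_get_not_dead(): false if dead, otherwise take a reference.
 * If the object has already been "freed", record the use-after-free. */
static bool toy_lockref_get_not_dead(struct toy_dentry *d, bool *uaf)
{
    if (d->magic != LIVE_MAGIC) {   /* real code reads recycled memory here */
        *uaf = true;
        return false;
    }
    if (d->count < 0)
        return false;                /* dead: caller goes to the slow path */
    d->count++;
    return true;
}

struct outcome {
    bool uaf;         /* reader touched freed memory */
    bool got_ref;     /* fast path succeeded */
    bool freed_late;  /* memory released only after the reader left RCU */
};

/* One interleaving: reader loads ns->stashed under RCU, the final dput() runs
 * on another CPU, then the reader calls lockref_get_not_dead(). */
static struct outcome run_race(bool mark_rcuaccess)
{
    struct outcome o = {0};
    struct toy_dentry *d = &pool[0];
    *d = (struct toy_dentry){ .count = 1, .flags = 0, .magic = LIVE_MAGIC };
    if (mark_rcuaccess)
        d->flags |= DCACHE_RCUACCESS;  /* what the fix adds */
    stashed = d;
    rcu_free_queue = NULL;

    toy_rcu_read_lock();
    struct toy_dentry *r = stashed;    /* atomic_long_read(&ns->stashed) */

    toy_dentry_kill(d);                /* concurrent dput() on another CPU */

    o.got_ref = toy_lockref_get_not_dead(r, &o.uaf);
    bool freed_before_unlock = (r->magic == FREED_MAGIC);
    toy_rcu_read_unlock();
    o.freed_late = !freed_before_unlock && (d->magic == FREED_MAGIC);
    return o;
}

int main(void)
{
    struct outcome bug = run_race(false), fix = run_race(true);
    printf("without DCACHE_RCUACCESS: uaf=%d got_ref=%d freed_after_reader=%d\n",
           bug.uaf, bug.got_ref, bug.freed_late);
    printf("with    DCACHE_RCUACCESS: uaf=%d got_ref=%d freed_after_reader=%d\n",
           fix.uaf, fix.got_ref, fix.freed_late);
    return 0;
}
```

The model captures the contract the fix restores: `lockref_get_not_dead()` under `rcu_read_lock()` is only safe if every free of the object is deferred past the grace period, which for dentries means `DCACHE_RCUACCESS` so that `__d_free()` runs from an RCU callback. The reader is still allowed to lose the race; it just has to lose it by seeing a dead lockref rather than recycled memory.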