1. 20 Apr, 2017 1 commit
  2. 19 Apr, 2017 1 commit
    • Sergei Shtylyov's avatar
      sh_eth: unmap DMA buffers when freeing rings · 1debdc8f
      Sergei Shtylyov authored
      The DMA API debugging (when enabled) causes:
      
      WARNING: CPU: 0 PID: 1445 at lib/dma-debug.c:519 add_dma_entry+0xe0/0x12c
      DMA-API: exceeded 7 overlapping mappings of cacheline 0x01b2974d
      
      to be  printed after repeated initialization of the Ether device, e.g.
      suspend/resume or 'ifconfig' up/down. This is because DMA buffers mapped
      using dma_map_single() in sh_eth_ring_format() and sh_eth_start_xmit() are
      never unmapped. Resolve this problem by unmapping the buffers when freeing
      the descriptor  rings;  in order  to do it right, we'd have to add an extra
      parameter to sh_eth_txfree() (we rename this function to sh_eth_tx_free(),
      while at it).
      
      Based on the commit a47b70ea ("ravb: unmap descriptors when freeing
      rings").
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1debdc8f
  3. 18 Apr, 2017 9 commits
  4. 17 Apr, 2017 15 commits
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · 20bb78f6
      Linus Torvalds authored
      Pull parisc fix from Helge Deller:
       "One patch which fixes get_user() for 64-bit values on 32-bit kernels.
      
        Up to now we lost the upper 32-bits of the returned 64-bit value"
      
      * 'parisc-4.11-5' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: Fix get_user() for 64-bit value on 32-bit kernel
      20bb78f6
    • Namhyung Kim's avatar
      ftrace: Fix function pid filter on instances · d879d0b8
      Namhyung Kim authored
      When function tracer has a pid filter, it adds a probe to sched_switch
      to track if current task can be ignored.  The probe checks the
      ftrace_ignore_pid from current tr to filter tasks.  But it misses to
      delete the probe when removing an instance so that it can cause a crash
      due to the invalid tr pointer (use-after-free).
      
      This is easily reproducible with the following:
      
        # cd /sys/kernel/debug/tracing
        # mkdir instances/buggy
        # echo $$ > instances/buggy/set_ftrace_pid
        # rmdir instances/buggy
      
        ============================================================================
        BUG: KASAN: use-after-free in ftrace_filter_pid_sched_switch_probe+0x3d/0x90
        Read of size 8 by task kworker/0:1/17
        CPU: 0 PID: 17 Comm: kworker/0:1 Tainted: G    B           4.11.0-rc3  #198
        Call Trace:
         dump_stack+0x68/0x9f
         kasan_object_err+0x21/0x70
         kasan_report.part.1+0x22b/0x500
         ? ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         kasan_report+0x25/0x30
         __asan_load8+0x5e/0x70
         ftrace_filter_pid_sched_switch_probe+0x3d/0x90
         ? fpid_start+0x130/0x130
         __schedule+0x571/0xce0
         ...
      
      To fix it, use ftrace_clear_pids() to unregister the probe.  As
      instance_rmdir() already updated ftrace codes, it can just free the
      filter safely.
      
      Link: http://lkml.kernel.org/r/20170417024430.21194-2-namhyung@kernel.org
      
      Fixes: 0c8916c3 ("tracing: Add rmdir to remove multibuffer instances")
      Cc: Ingo Molnar <mingo@kernel.org>
      Cc: stable@vger.kernel.org
      Reviewed-by: default avatarMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: default avatarNamhyung Kim <namhyung@kernel.org>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      d879d0b8
    • David S. Miller's avatar
      Merge branch 'bpf-fixes' · acf167f3
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Two BPF fixes
      
      The set fixes cb_access and xdp_adjust_head bits in struct bpf_prog,
      that are used for requirement checks on the program rather than f.e.
      heuristics. Thus, for tail calls, we cannot make any assumptions and
      are forced to set them.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      acf167f3
    • Daniel Borkmann's avatar
      bpf: fix checking xdp_adjust_head on tail calls · c2002f98
      Daniel Borkmann authored
      Commit 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      added the xdp_adjust_head bit to the BPF prog in order to tell drivers
      that the program that is to be attached requires support for the XDP
      bpf_xdp_adjust_head() helper such that drivers not supporting this
      helper can reject the program. There are also drivers that do support
      the helper, but need to check for xdp_adjust_head bit in order to move
      packet metadata prepended by the firmware away for making headroom.
      
      For these cases, the current check for xdp_adjust_head bit is insufficient
      since there can be cases where the program itself does not use the
      bpf_xdp_adjust_head() helper, but tail calls into another program that
      uses bpf_xdp_adjust_head(). As such, the xdp_adjust_head bit is still
      set to 0. Since the first program has no control over which program it
      calls into, we need to assume that bpf_xdp_adjust_head() helper is used
      upon tail calls. Thus, for the very same reasons in cb_access, set the
      xdp_adjust_head bit to 1 when the main program uses tail calls.
      
      Fixes: 17bedab2 ("bpf: xdp: Allow head adjustment in XDP prog")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2002f98
    • Daniel Borkmann's avatar
      bpf: fix cb access in socket filter programs on tail calls · 6b1bb01b
      Daniel Borkmann authored
      Commit ff936a04 ("bpf: fix cb access in socket filter programs")
      added a fix for socket filter programs such that in i) AF_PACKET the
      20 bytes of skb->cb[] area gets zeroed before use in order to not leak
      data, and ii) socket filter programs attached to TCP/UDP sockets need
      to save/restore these 20 bytes since they are also used by protocol
      layers at that time.
      
      The problem is that bpf_prog_run_save_cb() and bpf_prog_run_clear_cb()
      only look at the actual attached program to determine whether to zero
      or save/restore the skb->cb[] parts. There can be cases where the
      actual attached program does not access the skb->cb[], but the program
      tail calls into another program which does access this area. In such
      a case, the zero or save/restore is currently not performed.
      
      Since the programs we tail call into are unknown at verification time
      and can dynamically change, we need to assume that whenever the attached
      program performs a tail call, that later programs could access the
      skb->cb[], and therefore we need to always set cb_access to 1.
      
      Fixes: ff936a04 ("bpf: fix cb access in socket filter programs")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b1bb01b
    • Florian Westphal's avatar
      ipv6: drop non loopback packets claiming to originate from ::1 · 0aa8c13e
      Florian Westphal authored
      We lack a saddr check for ::1. This causes security issues e.g. with acls
      permitting connections from ::1 because of assumption that these originate
      from local machine.
      
      Assuming a source address of ::1 is local seems reasonable.
      RFC4291 doesn't allow such a source address either, so drop such packets.
      Reported-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0aa8c13e
    • David S. Miller's avatar
      Merge branch 'mediatek-tx-bugs' · 71947f0f
      David S. Miller authored
      Sean Wang says:
      
      ====================
      mediatek: Fix crash caused by reporting inconsistent skb->len to BQL
      
      Changes since v1:
      - fix inconsistent enumeration which easily causes the potential bug
      
      The series fixes kernel BUG caused by inconsistent SKB length reported
      into BQL. The reason for inconsistent length comes from hardware BUG which
      results in different port number carried on the TXD within the lifecycle of
      SKB. So patch 2) is proposed for use a software way to track which port
      the SKB involving instead of hardware way. And patch 1) is given for another
      issue I found which causes TXD and SKB inconsistency that is not expected
      in the initial logic, so it is also being corrected it in the series.
      
      The log for the kernel BUG caused by the issue is posted as below.
      
      [  120.825955] kernel BUG at ... lib/dynamic_queue_limits.c:26!
      [  120.837684] Internal error: Oops - BUG: 0 [#1] SMP ARM
      [  120.842778] Modules linked in:
      [  120.845811] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.11.0-rc1-191576-gdbcef47 #35
      [  120.853488] Hardware name: Mediatek Cortex-A7 (Device Tree)
      [  120.859012] task: c1007480 task.stack: c1000000
      [  120.863510] PC is at dql_completed+0x108/0x17c
      [  120.867915] LR is at 0x46
      [  120.870512] pc : [<c03c19c8>]    lr : [<00000046>]    psr: 80000113
      [  120.870512] sp : c1001d58  ip : c1001d80  fp : c1001d7c
      [  120.881895] r10: 0000003e  r9 : df6b3400  r8 : 0ed86506
      [  120.887075] r7 : 00000001  r6 : 00000001  r5 : 0ed8654c  r4 : df0135d8
      [  120.893546] r3 : 00000001  r2 : df016800  r1 : 0000fece  r0 : df6b3480
      [  120.900018] Flags: Nzcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
      [  120.907093] Control: 10c5387d  Table: 9e27806a  DAC: 00000051
      [  120.912789] Process swapper/0 (pid: 0, stack limit = 0xc1000218)
      [  120.918744] Stack: (0xc1001d58 to 0xc1002000)
      
      ....
      
      121.085331] 1fc0: 00000000 c0a52a28 00000000 c10855d4 c1003c58 c0a52a24 c100885c 8000406a
      [  121.093444] 1fe0: 410fc073 00000000 00000000 c1001ff8 8000807c c0a009cc 00000000 00000000
      [  121.101575] [<c03c19c8>] (dql_completed) from [<c04cb010>] (mtk_napi_tx+0x1d0/0x37c)
      [  121.109263] [<c04cb010>] (mtk_napi_tx) from [<c05e28cc>] (net_rx_action+0x24c/0x3b8)
      [  121.116951] [<c05e28cc>] (net_rx_action) from [<c010152c>] (__do_softirq+0xe4/0x35c)
      [  121.124638] [<c010152c>] (__do_softirq) from [<c012a624>] (irq_exit+0xe8/0x150)
      [  121.131895] [<c012a624>] (irq_exit) from [<c017750c>] (__handle_domain_irq+0x70/0xc4)
      [  121.139666] [<c017750c>] (__handle_domain_irq) from [<c0101404>] (gic_handle_irq+0x58/0x9c)
      [  121.147953] [<c0101404>] (gic_handle_irq) from [<c010e18c>] (__irq_svc+0x6c/0x90)
      [  121.155373] Exception stack(0xc1001ef8 to 0xc1001f40)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71947f0f
    • Sean Wang's avatar
      net: ethernet: mediatek: fix inconsistency of port number carried in TXD · 134d2152
      Sean Wang authored
      Fix port inconsistency on TXD due to hardware BUG that would cause
      different port number is carried on the same TXD between tx_map()
      and tx_unmap() with the iperf test. It would cause confusing BQL
      logic which leads to kernel panic when dual GMAC runs concurrently.
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      134d2152
    • Sean Wang's avatar
      net: ethernet: mediatek: fix inconsistency between TXD and the used buffer · 81d2dd09
      Sean Wang authored
      Fix inconsistency between the TXD descriptor and the used buffer that
      would cause unexpected logic at mtk_tx_unmap() during skb housekeeping.
      Signed-off-by: default avatarSean Wang <sean.wang@mediatek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81d2dd09
    • Grygorii Strashko's avatar
      net: phy: micrel: fix crash when statistic requested for KSZ9031 phy · bfe72442
      Grygorii Strashko authored
      Now the command:
      	ethtool --phy-statistics eth0
      will cause system crash with meassage "Unable to handle kernel NULL pointer
      dereference at virtual address 00000010" from:
      
       (kszphy_get_stats) from [<c069f1d8>] (ethtool_get_phy_stats+0xd8/0x210)
       (ethtool_get_phy_stats) from [<c06a0738>] (dev_ethtool+0x5b8/0x228c)
       (dev_ethtool) from [<c06b5484>] (dev_ioctl+0x3fc/0x964)
       (dev_ioctl) from [<c0679f7c>] (sock_ioctl+0x170/0x2c0)
       (sock_ioctl) from [<c02419d4>] (do_vfs_ioctl+0xa8/0x95c)
       (do_vfs_ioctl) from [<c02422c4>] (SyS_ioctl+0x3c/0x64)
       (SyS_ioctl) from [<c0107d60>] (ret_fast_syscall+0x0/0x44)
      
      The reason: phy_driver structure for KSZ9031 phy has no .probe() callback
      defined. As result, struct phy_device *phydev->priv pointer will not be
      initializes (null).
      This issue will affect also following phys:
       KSZ8795, KSZ886X, KSZ8873MLL, KSZ9031, KSZ9021, KSZ8061, KS8737
      
      Fix it by:
      - adding .probe() = kszphy_probe() callback to KSZ9031, KSZ9021
      phys. The kszphy_probe() can be re-used as it doesn't do any phy specific
      settings.
      - removing statistic callbacks from other phys (KSZ8795, KSZ886X,
      KSZ8873MLL, KSZ8061, KS8737) as they doesn't have corresponding
      statistic counters.
      
      Fixes: 2b2427d0 ("phy: micrel: Add ethtool statistics counters")
      Signed-off-by: default avatarGrygorii Strashko <grygorii.strashko@ti.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bfe72442
    • David Ahern's avatar
      net: vrf: Fix setting NLM_F_EXCL flag when adding l3mdev rule · 426c87ca
      David Ahern authored
      Only need 1 l3mdev FIB rule. Fix setting NLM_F_EXCL in the nlmsghdr.
      
      Fixes: 1aa6c4f6 ("net: vrf: Add l3mdev rules on first device create")
      Signed-off-by: default avatarDavid Ahern <dsa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      426c87ca
    • George Cherian's avatar
      net: thunderx: Fix set_max_bgx_per_node for 81xx rgx · b47a57a2
      George Cherian authored
      Add the PCI_SUBSYS_DEVID_81XX_RGX and use the same to set
      the max bgx per node count.
      
      This fixes the issue intoduced by following commit
      78aacb6f net: thunderx: Fix invalid mac addresses for node1 interfaces
      With this commit the max_bgx_per_node for 81xx is set as 2 instead of 3
      because of which num_vfs is always calculated as zero.
      Signed-off-by: default avatarGeorge Cherian <george.cherian@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b47a57a2
    • Willem de Bruijn's avatar
      net-timestamp: avoid use-after-free in ip_recv_error · 1862d620
      Willem de Bruijn authored
      Syzkaller reported a use-after-free in ip_recv_error at line
      
          info->ipi_ifindex = skb->dev->ifindex;
      
      This function is called on dequeue from the error queue, at which
      point the device pointer may no longer be valid.
      
      Save ifindex on enqueue in __skb_complete_tx_timestamp, when the
      pointer is valid or NULL. Store it in temporary storage skb->cb.
      
      It is safe to reference skb->dev here, as called from device drivers
      or dev_queue_xmit. The exception is when called from tcp_ack_tstamp;
      in that case it is NULL and ifindex is set to 0 (invalid).
      
      Do not return a pktinfo cmsg if ifindex is 0. This maintains the
      current behavior of not returning a cmsg if skb->dev was NULL.
      
      On dequeue, the ipv4 path will cast from sock_exterr_skb to
      in_pktinfo. Both have ifindex as their first element, so no explicit
      conversion is needed. This is by design, introduced in commit
      0b922b7a ("net: original ingress device index in PKTINFO"). For
      ipv6 ip6_datagram_support_cmsg converts to in6_pktinfo.
      
      Fixes: 829ae9d6 ("net-timestamp: allow reading recv cmsg on errqueue with origin tstamp")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1862d620
    • WANG Cong's avatar
      ipv4: fix a deadlock in ip_ra_control · 1215e51e
      WANG Cong authored
      Similar to commit 87e9f031
      ("ipv4: fix a potential deadlock in mcast getsockopt() path"),
      there is a deadlock scenario for IP_ROUTER_ALERT too:
      
             CPU0                    CPU1
             ----                    ----
        lock(rtnl_mutex);
                                     lock(sk_lock-AF_INET);
                                     lock(rtnl_mutex);
        lock(sk_lock-AF_INET);
      
      Fix this by always locking RTNL first on all setsockopt() paths.
      
      Note, after this patch ip_ra_lock is no longer needed either.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1215e51e
    • Bert Kenward's avatar
      sfc: limit the number of receive queues · 271a8b42
      Bert Kenward authored
      The number of rx queues is determined by the rss_cpus parameter
      or the cpu topology. If that is higher than EFX_MAX_RX_QUEUES the
      driver can corrupt state.
      
      Fixes: 8ceee660 ("New driver "sfc" for Solarstorm SFC4000 controller.")
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      271a8b42
  5. 16 Apr, 2017 9 commits
  6. 15 Apr, 2017 5 commits
    • Linus Torvalds's avatar
      Merge branch 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · d5ff0814
      Linus Torvalds authored
      Pull nvdimm fixes from Dan Williams:
       "A small crop of lockdep, sleeping while atomic, and other fixes /
        band-aids in advance of the full-blown reworks targeting the next
        merge window. The largest change here is "libnvdimm: fix blk free
        space accounting" which deletes a pile of buggy code that better
        testing would have caught before merging. The next change that is
        borderline too big for a late rc is switching the device-dax locking
        from rcu to srcu, I couldn't think of a smaller way to make that fix.
      
        The __copy_user_nocache fix will have a full replacement in 4.12 to
        move those pmem special case considerations into the pmem driver. The
        "libnvdimm: band aid btt vs clear poison locking" commit admits that
        our error clearing support for btt went in broken, so we just disable
        it in 4.11 and -stable. A replacement / full fix is in the pipeline
        for 4.12
      
        Some of these would have been caught earlier had DEBUG_ATOMIC_SLEEP
        been enabled on my development station. I wonder if we should have:
      
            config DEBUG_ATOMIC_SLEEP
              default PROVE_LOCKING
      
        ...since I mistakenly thought I got both with PROVE_LOCKING=y.
      
        These have received a build success notification from the 0day robot,
        and some have appeared in a -next release with no reported issues"
      
      * 'libnvdimm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        x86, pmem: fix broken __copy_user_nocache cache-bypass assumptions
        device-dax: switch to srcu, fix rcu_read_lock() vs pte allocation
        libnvdimm: band aid btt vs clear poison locking
        libnvdimm: fix reconfig_mutex, mmap_sem, and jbd2_handle lockdep splat
        libnvdimm: fix blk free space accounting
        acpi, nfit, libnvdimm: fix interleave set cookie calculation (64-bit comparison)
      d5ff0814
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 403a39f8
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "This is seven small fixes which are all for user visible issues that
        fortunately only occur in rare circumstances.
      
        The most serious is the sr one in which QEMU can cause us to read
        beyond the end of a buffer (I don't think it's exploitable, but just
        in case).
      
        The next is the sd capacity fix which means all non 512 byte sector
        drives greater than 2TB fail to be correctly sized.
      
        The rest are either in new drivers (qedf) or on error legs"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: ipr: do not set DID_PASSTHROUGH on CHECK CONDITION
        scsi: aacraid: fix PCI error recovery path
        scsi: sd: Fix capacity calculation with 32-bit sector_t
        scsi: qla2xxx: Add fix to read correct register value for ISP82xx.
        scsi: qedf: Fix crash due to unsolicited FIP VLAN response.
        scsi: sr: Sanity check returned mode data
        scsi: sd: Consider max_xfer_blocks if opt_xfer_blocks is unusable
      403a39f8
    • Linus Torvalds's avatar
      Merge branch 'parisc-4.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux · be84a46c
      Linus Torvalds authored
      Pull parisc fix from Helge Deller:
       "Mikulas Patocka fixed a few bugs in our new pa_memcpy() assembler
        function, e.g. one bug made the kernel unbootable if source and
        destination address are the same"
      
      * 'parisc-4.11-4' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
        parisc: fix bugs in pa_memcpy
      be84a46c
    • Martin Brandenburg's avatar
      orangefs: free superblock when mount fails · 1ec1688c
      Martin Brandenburg authored
      Otherwise lockdep says:
      
      [ 1337.483798] ================================================
      [ 1337.483999] [ BUG: lock held when returning to user space! ]
      [ 1337.484252] 4.11.0-rc6 #19 Not tainted
      [ 1337.484423] ------------------------------------------------
      [ 1337.484626] mount/14766 is leaving the kernel with locks still held!
      [ 1337.484841] 1 lock held by mount/14766:
      [ 1337.485017]  #0:  (&type->s_umount_key#33/1){+.+.+.}, at: [<ffffffff8124171f>] sget_userns+0x2af/0x520
      
      Caught by xfstests generic/413 which tried to mount with the unsupported
      mount option dax.  Then xfstests generic/422 ran sync which deadlocks.
      Signed-off-by: default avatarMartin Brandenburg <martin@omnibond.com>
      Acked-by: default avatarMike Marshall <hubcap@omnibond.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      1ec1688c
    • Linus Torvalds's avatar
      vfs: don't do RCU lookup of empty pathnames · c0eb027e
      Linus Torvalds authored
      Normal pathname lookup doesn't allow empty pathnames, but using
      AT_EMPTY_PATH (with name_to_handle_at() or fstatat(), for example) you
      can trigger an empty pathname lookup.
      
      And not only is the RCU lookup in that case entirely unnecessary
      (because we'll obviously immediately finalize the end result), it is
      actively wrong.
      
      Why? An empth path is a special case that will return the original
      'dirfd' dentry - and that dentry may not actually be RCU-free'd,
      resulting in a potential use-after-free if we were to initialize the
      path lazily under the RCU read lock and depend on complete_walk()
      finalizing the dentry.
      
      Found by syzkaller and KASAN.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Reported-by: default avatarVegard Nossum <vegard.nossum@gmail.com>
      Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      c0eb027e