15 Oct, 2020

1 commit

• 09cad0754   fs: fix NULL dereference due to data race in prepend_path() ... Browse Code »

  Fix data race in prepend_path() with re-reading mnt->mnt_ns twice
  without holding the lock.

  is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might
  re-read the pointer again which could be NULL already, if in between
  reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets
  mnt->mnt_ns to NULL.

  This is seen in production with the following stack trace:

  BUG: kernel NULL pointer dereference, address: 0000000000000048
  ...
  RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0
  Call Trace:
  d_path+0xe6/0x150
  proc_pid_readlink+0x8f/0x100
  vfs_readlink+0xf8/0x110
  do_readlinkat+0xfd/0x120
  __x64_sys_readlinkat+0x1a/0x20
  do_syscall_64+0x42/0x110
  entry_SYSCALL_64_after_hwframe+0x44/0xa9

  Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()")
  Signed-off-by: Andrii Nakryiko
  Reviewed-by: Josef Bacik
  Cc: Alexander Viro
  Signed-off-by: Linus Torvalds

  Andrii Nakryiko

  2020-10-15 05:54:45 +0800  

31 Aug, 2019

1 commit

• f2683bd8d   [PATCH] fix d_absolute_path() interplay with fsmount() ... Browse Code »

  stuff in anon namespace should be treated as unattached.

  Signed-off-by: Al Viro

  Al Viro

  2019-08-31 07:31:09 +0800  

21 May, 2019

1 commit

• 7e5f7bb08   unexport simple_dname() ... Browse Code »

  Signed-off-by: Al Viro

  Al Viro

  2019-05-21 15:23:41 +0800  

30 Mar, 2018

1 commit

• 7a5cf791a   split d_path() and friends into a separate file ... Browse Code »

  Those parts of fs/dcache.c are pretty much self-contained.

  Signed-off-by: Al Viro

  Al Viro

  2018-03-30 03:07:46 +0800