linux.git/fs/d_path.c, branch v5.10 Linux kernel source tree fs: fix NULL dereference due to data race in prepend_path() 2020-10-14T21:54:45+00:00 Andrii Nakryiko andrii@kernel.org 2020-10-14T20:45:28+00:00 09cad07547445bf3a41683e4d3abcd154c123ef5 Fix data race in prepend_path() with re-reading mnt->mnt_ns twice without holding the lock. is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might re-read the pointer again which could be NULL already, if in between reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets mnt->mnt_ns to NULL. This is seen in production with the following stack trace: BUG: kernel NULL pointer dereference, address: 0000000000000048 ... RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0 Call Trace: d_path+0xe6/0x150 proc_pid_readlink+0x8f/0x100 vfs_readlink+0xf8/0x110 do_readlinkat+0xfd/0x120 __x64_sys_readlinkat+0x1a/0x20 do_syscall_64+0x42/0x110 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()") Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 
Fix data race in prepend_path() with re-reading mnt->mnt_ns twice
without holding the lock.

is_mounted() does check for NULL, but is_anon_ns(mnt->mnt_ns) might
re-read the pointer again which could be NULL already, if in between
reads one of kern_unmount()/kern_unmount_array()/umount_tree() sets
mnt->mnt_ns to NULL.

This is seen in production with the following stack trace:

  BUG: kernel NULL pointer dereference, address: 0000000000000048
  ...
  RIP: 0010:prepend_path.isra.4+0x1ce/0x2e0
  Call Trace:
    d_path+0xe6/0x150
    proc_pid_readlink+0x8f/0x100
    vfs_readlink+0xf8/0x110
    do_readlinkat+0xfd/0x120
    __x64_sys_readlinkat+0x1a/0x20
    do_syscall_64+0x42/0x110
    entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: f2683bd8d5bd ("[PATCH] fix d_absolute_path() interplay with fsmount()")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
[PATCH] fix d_absolute_path() interplay with fsmount() 2019-08-30T23:31:09+00:00 Al Viro viro@zeniv.linux.org.uk 2019-08-30T23:31:09+00:00 f2683bd8d5bdebb929f05ae26ce6d9b578927ce5 stuff in anon namespace should be treated as unattached. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
stuff in anon namespace should be treated as unattached.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
unexport simple_dname() 2019-05-21T07:23:41+00:00 Al Viro viro@zeniv.linux.org.uk 2019-05-20T12:44:57+00:00 7e5f7bb08b8cefd3a7e8961861f47fe1f0e830d4 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
split d_path() and friends into a separate file 2018-03-29T19:07:46+00:00 Al Viro viro@zeniv.linux.org.uk 2018-03-06T00:15:50+00:00 7a5cf791a747640adb2a1b5e3838321b26953a23 Those parts of fs/dcache.c are pretty much self-contained. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 
Those parts of fs/dcache.c are pretty much self-contained.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>