mirror/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
35425ea2492175fd39f6116481fe98b2b3ddd4ca
linux/fs
History
Chao Yu 35425ea249 ecryptfs: avoid to access NULL pointer when write metadata in xattr 
Christopher Head 2014-06-28 05:26:20 UTC described:
"I tried to reproduce this on 3.12.21. Instead, when I do "echo hello > foo"
in an ecryptfs mount with ecryptfs_xattr specified, I get a kernel crash:

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
PGD d7840067 PUD b2c3c067 PMD 0
Oops: 0002 [#1] SMP
Modules linked in: nvidia(PO)
CPU: 3 PID: 3566 Comm: bash Tainted: P           O 3.12.21-gentoo-r1 #2
Hardware name: ASUSTek Computer Inc. G60JX/G60JX, BIOS 206 03/15/2010
task: ffff8801948944c0 ti: ffff8800bad70000 task.ti: ffff8800bad70000
RIP: 0010:[<ffffffff8110eb39>]  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
RSP: 0018:ffff8800bad71c10  EFLAGS: 00010246
RAX: 00000000000181a4 RBX: ffff880198648480 RCX: 0000000000000000
RDX: 0000000000000004 RSI: ffff880172010450 RDI: 0000000000000000
RBP: ffff880198490e40 R08: 0000000000000000 R09: 0000000000000000
R10: ffff880172010450 R11: ffffea0002c51e80 R12: 0000000000002000
R13: 000000000000001a R14: 0000000000000000 R15: ffff880198490e40
FS:  00007ff224caa700(0000) GS:ffff88019fcc0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000bb07f000 CR4: 00000000000007e0
Stack:
ffffffff811826e8 ffff8800a39d8000 0000000000000000 000000000000001a
ffff8800a01d0000 ffff8800a39d8000 ffffffff81185fd5 ffffffff81082c2c
00000001a39d8000 53d0abbc98490e40 0000000000000037 ffff8800a39d8220
Call Trace:
[<ffffffff811826e8>] ? ecryptfs_setxattr+0x40/0x52
[<ffffffff81185fd5>] ? ecryptfs_write_metadata+0x1b3/0x223
[<ffffffff81082c2c>] ? should_resched+0x5/0x23
[<ffffffff8118322b>] ? ecryptfs_initialize_file+0xaf/0xd4
[<ffffffff81183344>] ? ecryptfs_create+0xf4/0x142
[<ffffffff810f8c0d>] ? vfs_create+0x48/0x71
[<ffffffff810f9c86>] ? do_last.isra.68+0x559/0x952
[<ffffffff810f7ce7>] ? link_path_walk+0xbd/0x458
[<ffffffff810fa2a3>] ? path_openat+0x224/0x472
[<ffffffff810fa7bd>] ? do_filp_open+0x2b/0x6f
[<ffffffff81103606>] ? __alloc_fd+0xd6/0xe7
[<ffffffff810ee6ab>] ? do_sys_open+0x65/0xe9
[<ffffffff8157d022>] ? system_call_fastpath+0x16/0x1b
RIP  [<ffffffff8110eb39>] fsstack_copy_attr_all+0x2/0x61
RSP <ffff8800bad71c10>
CR2: 0000000000000000
---[ end trace df9dba5f1ddb8565 ]---"

If we create a file when we mount with ecryptfs_xattr_metadata option, we will
encounter a crash in this path:
->ecryptfs_create
  ->ecryptfs_initialize_file
    ->ecryptfs_write_metadata
      ->ecryptfs_write_metadata_to_xattr
        ->ecryptfs_setxattr
          ->fsstack_copy_attr_all
It's because our dentry->d_inode used in fsstack_copy_attr_all is NULL, and it
will be initialized when ecryptfs_initialize_file finish.

So we should skip copying attr from lower inode when the value of ->d_inode is
invalid.

Signed-off-by: Chao Yu <chao2.yu@samsung.com>
Cc: stable@vger.kernel.org # v3.2+: b59db43 eCryptfs: Prevent file create race condition
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
2014-10-05 23:51:43 -05:00
..
9p
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
adfs
adfs: delayed freeing of sbi
2013-10-24 23:43:27 -04:00
affs
remove obsolete references to powertweak
2013-11-27 20:34:32 -08:00
afs
Merge branch 'fscache' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs into linux-next
2013-10-28 19:36:46 -04:00
autofs4
autofs4: make freeing sbi rcu-delayed
2013-10-24 23:43:27 -04:00
befs
befs: split symlink iops in two - for short and long symlinks resp.
2013-10-24 23:34:50 -04:00
bfs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
btrfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs
2013-12-12 15:25:10 -08:00
cachefiles
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
ceph
Merge branch 'for-linus-bugs' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
2013-11-26 18:02:46 -08:00
cifs
[CIFS] Do not use btrfs refcopy ioctl for SMB2 copy offload
2013-11-25 09:50:31 -06:00
coda
coda_revalidate_inode(): switch to passing inode...
2013-11-09 00:16:21 -05:00
configfs
configfs: fix race between dentry put and lookup
2013-11-21 16:42:27 -08:00
cramfs
cramfs: mark as obsolete
2013-11-13 12:09:12 +09:00
debugfs
debugfs: use list_next_entry() in debugfs_remove_recursive()
2013-11-13 12:09:24 +09:00
devpts
devpts: plug the memory leak in kill_sb
2013-11-13 12:09:36 +09:00
dlm
genetlink: only pass array to genl_register_family_with_ops()
2013-11-19 16:39:05 -05:00
ecryptfs
ecryptfs: avoid to access NULL pointer when write metadata in xattr
2014-10-05 23:51:43 -05:00
efivarfs
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
efs
efs: iget_locked() doesn't return an ERR_PTR()
2013-08-24 12:10:22 -04:00
exofs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
exportfs
exportfs: fix quadratic behavior in filehandle lookup
2013-11-09 00:16:38 -05:00
ext2
ext2: Fix fs corruption in ext2_get_xip_mem()
2013-11-05 11:26:47 +01:00
ext3
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2013-11-13 15:25:47 +09:00
ext4
Merge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
2013-11-14 17:19:58 +09:00
f2fs
f2fs: issue more large discard command
2013-11-11 09:36:32 +09:00
fat
fat: rcu-delay unloading nls and freeing sbi
2013-10-24 23:43:28 -04:00
freevxfs
[readdir] convert freevxfs
2013-06-29 12:56:53 +04:00
fscache
Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block
2013-11-14 12:08:14 +09:00
fuse
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
gfs2
GFS2: Fix ref count bug relating to atomic_open
2013-11-21 18:47:57 +00:00
hfs
fs/hfs/btree.h: remove duplicate defines
2013-11-13 12:09:32 +09:00
hfsplus
block: submit_bio_wait() conversions
2013-11-24 16:33:41 -07:00
hostfs
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
hpfs
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
hppfs
clean up scary strncpy(dst, src, strlen(src)) uses
2013-07-03 16:07:41 -07:00
hugetlbfs
cope with potentially long ->d_dname() output for shmem/hugetlb
2013-08-24 12:10:17 -04:00
isofs
isofs: don't pass dentry to isofs_hash{i,}_common()
2013-10-24 23:34:59 -04:00
jbd
jbd: Revert "jbd: remove dependency on __GFP_NOFAIL"
2013-10-31 20:37:15 +01:00
jbd2
jbd2: Fix endian mixing problems in the checksumming code
2013-08-28 14:59:58 -04:00
jffs2
jffs2: do not support the MLC nand
2013-10-27 16:27:07 -07:00
jfs
Merge tag 'jfs-3.12' of git://github.com/kleikamp/linux-shaggy
2013-10-22 09:01:11 +01:00
lockd
LOCKD: Don't call utsname()->nodename from nlmclnt_setlockargs
2013-08-05 15:03:46 -04:00
logfs
block: submit_bio_wait() conversions
2013-11-24 16:33:41 -07:00
minix
fs/minix: Drop dependency on H8300
2013-09-16 18:20:25 -07:00
ncpfs
ncpfs: rcu-delay unload_nls() and freeing ncp_server
2013-10-24 23:43:28 -04:00
nfs
Merge tag 'nfs-for-3.13-3' of git://git.linux-nfs.org/projects/trondmy/linux-nfs
2013-12-05 13:05:48 -08:00
nfs_common
nfsd
nfsd: when reusing an existing repcache entry, unhash it first
2013-12-10 20:34:44 -05:00
nilfs2
nilfs2: fix issue with race condition of competition between segments for dirty blocks
2013-09-30 14:31:02 -07:00
nls
notify
fsnotify: update comments concerning locking scheme
2013-07-09 10:33:20 -07:00
ntfs
iget/iget5: don't bother with ->i_lock until we find a match
2013-11-09 00:16:31 -05:00
ocfs2
tree-wide: use reinit_completion instead of INIT_COMPLETION
2013-11-15 09:32:21 +09:00
omfs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
openpromfs
[readdir] convert openpromfs
2013-06-29 12:56:32 +04:00
proc
procfs: also fix proc_reg_get_unmapped_area() for !MMU case
2013-12-12 18:19:26 -08:00
pstore
pstore: Remove the messages related to compression failure
2013-09-16 09:28:29 -07:00
qnx4
qnx4: i_sb is never NULL
2013-11-09 00:16:32 -05:00
qnx6
[readdir] convert qnx6
2013-06-29 12:56:39 +04:00
quota
genetlink: make multicast groups const, prevent abuse
2013-11-19 16:39:06 -05:00
ramfs
initmpfs: move rootfs code from fs/ramfs/ to init/
2013-09-11 15:59:37 -07:00
reiserfs
reiserfs: fix race with flush_used_journal_lists and flush_journal_list
2013-09-24 11:24:21 +02:00
romfs
[readdir] convert romfs
2013-06-29 12:56:29 +04:00
squashfs
Squashfs: fix failure to unlock pages on decompress error
2013-11-24 01:02:50 +00:00
sysfs
Revert "sysfs: handle duplicate removal attempts in sysfs_remove_group()"
2013-11-27 09:44:55 -08:00
sysv
sysv: Add forgotten superblock lock init for v7 fs
2013-09-29 22:02:02 -04:00
ubifs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
udf
udf: fix for pathetic mount times in case of invalid file system
2013-10-18 22:39:07 +02:00
ufs
truncate: drop 'oldsize' truncate_pagecache() parameter
2013-09-12 15:38:02 -07:00
xfs
xfs: growfs overruns AGFL buffer on V4 filesystems
2013-12-10 10:04:27 -06:00
aio.c
Merge git://git.kvack.org/~bcrl/aio-next
2013-12-06 08:32:59 -08:00
anon_inodes.c
... and kill anon_inode_getfile_private()
2013-11-09 00:16:28 -05:00
attr.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
bad_inode.c
[readdir] ->readdir() is gone
2013-06-29 12:57:04 +04:00
binfmt_aout.c
dump_skip(): dump_seek() replacement taking coredump_params
2013-11-09 00:16:26 -05:00
binfmt_elf_fdpic.c
elf{,_fdpic} coredump: get rid of pointless if (siginfo->si_signo)
2013-11-09 00:16:30 -05:00
binfmt_elf.c
elf{,_fdpic} coredump: get rid of pointless if (siginfo->si_signo)
2013-11-09 00:16:30 -05:00
binfmt_em86.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
Merge branch 'for-3.12/core' of git://git.kernel.dk/linux-block
2013-09-22 15:00:11 -07:00
bio.c
bio: fix argument of __bio_add_page() for max_sectors > 0xffff
2013-11-18 12:31:27 -07:00
block_dev.c
Merge tag 'writeback-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/wfg/linux
2013-09-13 23:06:40 -04:00
buffer.c
fs: buffer: move allocation failure loop into the allocator
2013-10-16 21:35:53 -07:00
char_dev.c
Merge branch 'for-3.13/core' of git://git.kernel.dk/linux-block
2013-11-14 12:08:14 +09:00
compat_binfmt_elf.c
compat_ioctl.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
compat.c
[readdir] constify ->actor
2013-06-29 12:57:05 +04:00
coredump.c
dump_emit(): use __kernel_write(), not vfs_write()
2013-11-15 22:04:09 -05:00
coredump.h
dcache.c
dcache: allow word-at-a-time name hashing with big-endian CPUs
2013-12-12 10:39:01 -08:00
dcookies.c
direct-io.c
direct-io: Use return from cmpxchg to decide of assignment happened
2013-09-09 10:47:42 -07:00
drop_caches.c
shrinker: add node awareness
2013-09-10 18:56:31 -04:00
eventfd.c
eventpoll.c
epoll: drop EPOLLWAKEUP if PM_SLEEP is disabled
2013-12-03 15:35:52 +01:00
exec.c
Merge git://git.infradead.org/users/eparis/audit
2013-11-21 19:18:14 -08:00
fcntl.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
fhandle.c
file_table.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
file.c
filesystems.c
fs_struct.c
seqcount: Add lockdep functionality to seqcount/seqlock structures
2013-11-06 12:40:26 +01:00
fs-writeback.c
Merge branch 'akpm' (patches from Andrew Morton)
2013-11-13 15:45:43 +09:00
generic_acl.c
inode.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
internal.h
get rid of s_files and files_lock
2013-11-09 00:16:20 -05:00
ioctl.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
ioprio.c
Kconfig
Kconfig.binfmt
libfs.c
consolidate simple ->d_delete() instances
2013-11-15 22:04:17 -05:00
locks.c
locks: missing unlock on error in generic_add_lease()
2013-11-13 07:30:53 -05:00
Makefile
mbcache.c
fs: convert fs shrinkers to new scan/count API
2013-09-10 18:56:31 -04:00
mount.h
RCU'd vfsmounts
2013-11-09 00:16:19 -05:00
mpage.c
namei.c
dcache: allow word-at-a-time name hashing with big-endian CPUs
2013-12-12 10:39:01 -08:00
namespace.c
RCU'd vfsmounts
2013-11-09 00:16:19 -05:00
no-block.c
open.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
pipe.c
vfs: fix subtle use-after-free of pipe_inode_info
2013-12-02 09:44:51 -08:00
pnode.c
split __lookup_mnt() in two functions
2013-10-24 23:35:00 -04:00
pnode.h
vfs: Don't copy mount bind mounts of /proc/<pid>/ns/mnt between namespaces
2013-08-26 18:42:15 -07:00
posix_acl.c
proc_namespace.c
don't bother with vfsmount_lock in mounts_poll()
2013-10-24 23:34:59 -04:00
read_write.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
readdir.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
select.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-11-13 15:34:18 +09:00
seq_file.c
seq_file: always clear m->count when we free m->buf
2013-11-18 19:07:53 -08:00
signalfd.c
splice.c
file->f_op is never NULL...
2013-10-24 23:34:54 -04:00
stack.c
stat.c
vfs: split out vfs_getattr_nosec
2013-11-09 00:16:31 -05:00
statfs.c
vfs: allow O_PATH file descriptors for fstatfs()
2013-10-12 13:12:31 -07:00
super.c
get rid of s_files and files_lock
2013-11-09 00:16:20 -05:00
sync.c
Merge branch 'akpm' (patches from Andrew Morton)
2013-11-13 15:45:43 +09:00
timerfd.c
timerfd: Add alarm timers
2013-05-29 12:57:34 -07:00
utimes.c
locks: break delegations on any attribute modification
2013-11-09 00:16:44 -05:00
xattr_acl.c
xattr.c