Techwizz/kernel-fxtec-pro1x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
kernel-fxtec-pro1x/fs
History
Sahitya Tummala d3fc4a2330 configfs: Fix use-after-free when accessing sd->s_dentry 
In the vfs_statx() context, during path lookup, the dentry gets
added to sd->s_dentry via configfs_attach_attr(). In the end,
vfs_statx() kills the dentry by calling path_put(), which invokes
configfs_d_iput(). Ideally, this dentry must be removed from
sd->s_dentry but it doesn't if the sd->s_count >= 3. As a result,
sd->s_dentry is holding reference to a stale dentry pointer whose
memory is already freed up. This results in use-after-free issue,
when this stale sd->s_dentry is accessed later in
configfs_readdir() path.

This issue can be easily reproduced, by running the LTP test case -
sh fs_racer_file_list.sh /config

Change-Id: I5ac8556837bbdf2e5d0540516efb106ec53d7536
Fixes: 76ae281f63 ('configfs: fix race between dentry put and lookup')
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
2019-01-10 02:07:26 -08:00
..
9p v9fs_dir_readdir: fix double-free on p9stat_read error 2018-12-01 09:37:27 +01:00
adfs adfs: use timespec64 for time conversion 2018-08-22 10:52:51 -07:00
affs affs: fix potential memory leak when parsing option 'prefix' 2018-05-28 12:36:41 +02:00
afs Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19 2018-12-20 17:43:16 -08:00
autofs Merge branch 'akpm' (patches from Andrew) 2018-08-22 12:34:08 -07:00
befs fix a series of Documentation/ broken file name references 2018-06-15 18:10:01 -03:00
bfs bfs: add sanity check at bfs_fill_super() 2018-12-01 09:37:27 +01:00
btrfs btrfs: tree-checker: Don't check max block group size as current max chunk size limit is unreliable 2018-12-08 12:59:10 +01:00
cachefiles cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) 2018-10-18 11:32:21 +02:00
ceph ceph: quota: fix null pointer dereference in quota check 2018-11-27 16:13:05 +01:00
cifs cifs: Fix separator when building path from dentry 2018-12-13 09:16:20 +01:00
coda vfs: change inode times to use struct timespec64 2018-06-05 16:57:31 -07:00
configfs configfs: Fix use-after-free when accessing sd->s_dentry 2019-01-10 02:07:26 -08:00
cramfs Cramfs: fix abad comparison when wrap-arounds occur 2018-11-13 11:08:55 -08:00
crypto FROMGIT: fscrypt: add Adiantum support 2018-12-05 09:48:15 -08:00
debugfs Revert "debugfs: inode: debugfs_create_dir uses mode permission from parent" 2018-06-12 20:52:16 -07:00
devpts devpts: Convert to new IDA API 2018-08-21 23:54:17 -04:00
dlm treewide: Use array_size() in vmalloc() 2018-06-12 16:19:22 -07:00
ecryptfs Merge branch 'fixes' of https://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs into aio-base 2018-05-26 09:16:25 +02:00
efivarfs efivars: Call guid_parse() against guid_t type of variable 2018-07-22 14:13:44 +02:00
efs
exofs Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19 2018-12-20 17:43:16 -08:00
exportfs ovl: do not try to reconnect a disconnected origin dentry 2018-04-12 12:04:49 +02:00
ext2 ext2: fix potential use after free 2018-12-05 19:32:11 +01:00
ext4 Merge LTS tag v4.19.3 into msm-kona 2018-12-06 03:08:31 -08:00
f2fs Merge 4.20-rc1-4.19 into android-4.19 2018-12-13 10:43:12 -08:00
fat fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() 2018-10-13 09:31:03 +02:00
freevxfs freevxfs_lookup(): use d_splice_alias() 2018-05-22 14:27:51 -04:00
fscache fscache: Fix out of bound read in long cookie keys 2018-10-18 11:32:21 +02:00
fuse Merge LTS tag v4.19.3 into msm-kona 2018-12-06 03:08:31 -08:00
gfs2 Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19 2018-12-20 17:43:16 -08:00
hfs hfs: prevent btree data loss on root split 2018-11-27 16:12:59 +01:00
hfsplus hfsplus: prevent btree data loss on root split 2018-11-27 16:12:59 +01:00
hostfs vfs: discard ATTR_ATTR_FLAG 2018-08-17 16:20:28 -07:00
hpfs hpfs: remove unnecessary checks on the value of r when assigning error code 2018-08-25 12:42:33 -07:00
hugetlbfs mm: zero out the vma in vma_init() 2018-08-22 10:52:44 -07:00
isofs isofs: reject hardware sector size > 2048 bytes 2018-08-21 11:37:41 +02:00
jbd2 jbd2: fix use after free in jbd2_log_do_checkpoint() 2018-11-13 11:08:43 -08:00
jffs2 jffs2: free jffs2_sb_info through jffs2_kill_sb() 2018-11-13 11:08:16 -08:00
jfs Just one jfs patch for 4.19 2018-08-15 22:47:23 -07:00
kernfs Driver core patches for 4.19-rc1 2018-08-18 11:44:53 -07:00
lockd lockd: fix access beyond unterminated strings in prints 2018-11-13 11:08:49 -08:00
minix minix_lookup: use d_splice_alias() 2018-05-22 14:27:52 -04:00
nfs Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19 2018-12-20 17:43:16 -08:00
nfs_common net: Drop pernet_operations::async 2018-03-27 13:18:09 -04:00
nfsd nfsd: COPY and CLONE operations require the saved filehandle to be set 2018-11-21 09:19:23 +01:00
nilfs2 nilfs2: convert to SPDX license tags 2018-09-04 16:45:02 -07:00
nls
notify This is the 4.19.6 stable release 2018-12-06 09:32:46 +01:00
ntfs ntfs: mft: remove VLA usage 2018-08-17 16:20:27 -07:00
ocfs2 ocfs2: free up write context when direct IO failed 2018-11-21 09:19:18 +01:00
omfs omfs_lookup(): report IO errors, use d_splice_alias() 2018-05-22 14:27:58 -04:00
openpromfs openpromfs: switch to d_splice_alias() 2018-05-22 14:27:57 -04:00
orangefs orangefs: remove redundant pointer orangefs_inode 2018-08-14 12:07:14 -04:00
overlayfs ovl: automatically enable redirect_dir on metacopy=on 2018-11-21 09:19:13 +01:00
proc proc: Add files for specifying scheduling related per-task attributes 2019-01-02 11:57:52 -08:00
pstore pstore/ram: Fix failure-path memory leak in ramoops_init 2018-09-30 10:15:41 -07:00
qnx4 qnx4_lookup: use d_splice_alias() 2018-05-22 14:27:52 -04:00
qnx6 qnx6_lookup: switch to d_splice_alias() 2018-05-22 14:27:54 -04:00
quota fs/quota: Fix spectre gadget in do_quotactl 2018-08-22 18:17:48 +02:00
ramfs
reiserfs reiserfs: propagate errors from fill_with_dentries() properly 2018-11-27 16:12:59 +01:00
romfs romfs_lookup: switch to d_splice_alias() 2018-05-22 14:27:55 -04:00
sdcardfs Merge remote-tracking branch 'origin_4.19/tmp-0567d2f' into msm-4.19 2018-12-20 17:43:16 -08:00
squashfs Squashfs: Compute expected length from inode size rather than block length 2018-08-02 09:34:02 -07:00
sysfs Driver core patches for 4.19-rc1 2018-08-18 11:44:53 -07:00
sysv fs/sysv/inode.c: use ktime_get_real_seconds() for superblock stamp 2018-08-22 10:52:51 -07:00
tracefs tracefs: Annotate tracefs_ops with __ro_after_init 2018-07-31 11:32:44 -04:00
ubifs ubifs: Fix WARN_ON logic in exit path 2018-10-13 11:05:02 +02:00
udf udf: Allow mounting volumes with incorrect identification strings 2018-12-05 19:32:06 +01:00
ufs fs/ufs: use ktime_get_real_seconds for sb and cg timestamps 2018-08-17 16:20:27 -07:00
xfs xfs: fix data corruption w/ unaligned reflink ranges 2018-10-06 11:44:39 +10:00
aio.c Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-08-13 20:56:23 -07:00
anon_inodes.c anon_inode_getfile(): switch to alloc_file_pseudo() 2018-07-12 10:04:27 -04:00
attr.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2018-12-05 09:48:14 -08:00
bad_inode.c get rid of 'opened' argument of ->atomic_open() - part 3 2018-07-12 10:04:20 -04:00
binfmt_aout.c exec: introduce finalize_exec() before start_thread() 2018-04-11 10:28:37 -07:00
binfmt_elf.c Here are the main MIPS changes for 4.19. 2018-08-13 19:24:32 -07:00
binfmt_elf_fdpic.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
binfmt_em86.c
binfmt_flat.c exec: introduce finalize_exec() before start_thread() 2018-04-11 10:28:37 -07:00
binfmt_misc.c turn filp_clone_open() into inline wrapper for dentry_open() 2018-07-10 23:29:03 -04:00
binfmt_script.c
block_dev.c for-4.19/block-20180812 2018-08-14 10:23:25 -07:00
buffer.c notifier: Remove notifier header file wherever not used 2018-08-30 12:56:40 +02:00
char_dev.c block, char_dev: Use correct format specifier for unsigned ints 2018-03-15 17:59:24 +01:00
compat.c ncpfs: remove compat functionality 2018-06-05 19:23:26 +02:00
compat_binfmt_elf.c
compat_ioctl.c media: dvb/audio.h: get rid of unused APIs 2018-07-30 16:21:49 -04:00
coredump.c ANDROID: vfs: Add setattr2 for filesystems with per mount permissions 2018-12-05 09:48:13 -08:00
d_path.c ANDROID: fs: Export d_absolute_path 2018-08-28 17:10:42 +05:30
dax.c dax: Avoid losing wakeup in dax_lock_mapping_entry 2018-12-01 09:37:34 +01:00
dcache.c fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() 2018-08-17 16:20:28 -07:00
dcookies.c fs: add do_lookup_dcookie() helper; remove in-kernel call to syscall 2018-04-02 20:15:39 +02:00
direct-io.c fs: fix lost error code in dio_complete 2018-12-05 19:32:08 +01:00
drop_caches.c
eventfd.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
eventpoll.c ANDROID: fs: epoll: use freezable blocking call 2018-12-05 09:48:11 -08:00
exec.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2018-12-05 09:48:14 -08:00
fcntl.c signal: Don't send signals to tasks that don't exist 2018-08-15 23:03:20 -05:00
fhandle.c
file.c fs: add ksys_close() wrapper; remove in-kernel calls to sys_close() 2018-04-02 20:16:00 +02:00
file_table.c overlayfs update for 4.19 2018-08-21 18:19:09 -07:00
filesystems.c proc: introduce proc_create_single{,_data} 2018-05-16 07:23:35 +02:00
fs-writeback.c bdi: Fix oops in wb_workfn() 2018-05-03 16:11:37 -06:00
fs_pin.c
fs_struct.c ANDROID: sdcardfs: Enable modular sdcardfs 2018-12-05 09:48:13 -08:00
inode.c Merge LTS tag v4.19.3 into msm-kona 2018-12-06 03:08:31 -08:00
internal.h ANDROID: fs: Restore vfs_path_lookup() export 2018-12-05 09:48:14 -08:00
ioctl.c vfs: fix FIGETBSZ ioctl on an overlayfs file 2018-11-21 09:19:14 +01:00
iomap.c iomap: set page dirty after partial delalloc on mkwrite 2018-09-29 13:51:01 +10:00
Kconfig ANDROID: sdcardfs: Add sdcardfs filesystem 2018-12-05 09:48:14 -08:00
Kconfig.binfmt kconfig: move the "Executable file formats" menu to fs/Kconfig.binfmt 2018-08-02 08:06:55 +09:00
libfs.c fs, dax: prepare for dax-specific address_space_operations 2018-03-30 11:34:55 -07:00
locks.c overlayfs update for 4.19 2018-08-21 18:19:09 -07:00
Makefile ANDROID: sdcardfs: Add sdcardfs filesystem 2018-12-05 09:48:14 -08:00
mbcache.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
mount.h
mpage.c ANDROID: fs: FS tracepoints to track IO. 2018-12-05 09:48:12 -08:00
namei.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2018-12-05 09:48:14 -08:00
namespace.c Merge LTS tag v4.19.3 into msm-kona 2018-12-06 03:08:31 -08:00
no-block.c
nsfs.c
open.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2018-12-05 09:48:14 -08:00
pipe.c Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-08-13 19:58:36 -07:00
pnode.c ANDROID: mnt: Add filesystem private data to mount points 2018-12-05 09:48:13 -08:00
pnode.h ANDROID: mnt: Add filesystem private data to mount points 2018-12-05 09:48:13 -08:00
posix_acl.c
proc_namespace.c ANDROID: vfs: Allow filesystems to access their private mount data 2018-12-05 09:48:13 -08:00
read_write.c ANDROID: sdcardfs: Enable modular sdcardfs 2018-12-05 09:48:13 -08:00
readdir.c fs: add ksys_getdents64() helper; remove in-kernel calls to sys_getdents64() 2018-04-02 20:16:02 +02:00
select.c Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL 2018-06-28 10:40:47 -07:00
seq_file.c fs/seq_file.c: simplify seq_file iteration code and interface 2018-08-17 16:20:28 -07:00
signalfd.c Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-16 16:21:50 +09:00
splice.c Merge branch 'work.compat' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-06-16 16:21:50 +09:00
stack.c
stat.c fs: add do_readlinkat() helper; remove internal call to sys_readlinkat() 2018-04-02 20:15:34 +02:00
statfs.c kernel: add kcompat_sys_{f,}statfs64() 2018-07-12 14:49:48 +01:00
super.c ANDROID: vfs: Allow filesystems to access their private mount data 2018-12-05 09:48:13 -08:00
sync.c ANDROID: taskstats: track fsync syscalls 2018-12-05 09:48:12 -08:00
timerfd.c Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-08-13 20:56:23 -07:00
userfaultfd.c This is the 4.19.7 stable release 2018-12-06 10:34:09 +01:00
utimes.c ANDROID: vfs: Add setattr2 for filesystems with per mount permissions 2018-12-05 09:48:13 -08:00
xattr.c ANDROID: vfs: Add permission2 for filesystems with per mount permissions 2018-12-05 09:48:14 -08:00