Date: Tue, 2 Jan 2024 21:07:31 -0500
From: Steven Rostedt <rostedt@...dmis.org>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: LKML <linux-kernel@...r.kernel.org>, Masami Hiramatsu
 <mhiramat@...nel.org>, Mathieu Desnoyers <mathieu.desnoyers@...icios.com>
Subject: [GIT PULL] tracing: Final fixes for v6.7



Linus,

tracing fixes for v6.7-rc8:

- Fix a NULL kernel dereference in set_gid() on tracefs mounting.
  When tracefs is mounted with "gid=1000", it will update the existing
  dentries to have the new gid. The tracefs_inode which is retrieved
  by a container_of(dentry->d_inode) has flags to see if the inode
  belongs to the eventfs system.

  The issue that was fixed was if getdents() was called on tracefs
  that was previously mounted, and was not closed. It will leave
  a "cursor dentry" in the subdirs list of the current dentries that
  set_gid() walks. On a remount of tracefs, the container_of(dentry->d_inode)
  will dereference a NULL pointer and cause a crash when referenced.

  Simply have a check for dentry->d_inode to see if it is NULL and if
  so, skip that entry.

- Fix the bits of the eventfs_inode structure. The "is_events" bit
  was taken from the nr_entries field, but the nr_entries field wasn't
  updated to be 30 bits and was still 31. Including the "is_freed" bit
  this would use 33 bits which would make the structure use another
  integer for just one bit.


Please pull the latest trace-v6.7-rc8 tree, which can be found at:


  git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace.git
trace-v6.7-rc8

Tag SHA1: 268dc78680a450c2207c0af35e0e367ff07b25eb
Head SHA1: fd56cd5f6d76e93356d9520cf9dabffe1e3d1aa0


Steven Rostedt (Google) (2):
      tracefs: Check for dentry->d_inode exists in set_gid()
      eventfs: Fix bitwise fields for "is_events"

----
 fs/tracefs/inode.c    | 4 ++++
 fs/tracefs/internal.h | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
---------------------------
diff --git a/fs/tracefs/inode.c b/fs/tracefs/inode.c
index 62524b20964e..bc86ffdb103b 100644
--- a/fs/tracefs/inode.c
+++ b/fs/tracefs/inode.c
@@ -215,6 +215,10 @@ static void set_gid(struct dentry *parent, kgid_t gid)
 		struct dentry *dentry = list_entry(tmp, struct dentry, d_child);
 		next = tmp->next;
 
+		/* Note, getdents() can add a cursor dentry with no inode */
+		if (!dentry->d_inode)
+			continue;
+
 		spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
 
 		change_gid(dentry, gid);
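
Review bot: the new !dentry->d_inode test in set_gid() runs before spin_lock_nested(&dentry->d_lock, ...) is taken, so the comment should say why the unlocked read is safe at this point, or the check should move under d_lock. The comment would also be more useful if it named the condition from the pull message: the cursor is left in the parent's child list by a directory that was read with getdents() and is still open across the remount. As a style point, d_really_is_negative(dentry) expresses the same test through the dcache helper instead of a raw field read.
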
diff --git a/fs/tracefs/internal.h b/fs/tracefs/internal.h
index 899e447778ac..42bdeb471a07 100644
--- a/fs/tracefs/internal.h
+++ b/fs/tracefs/internal.h
@@ -63,7 +63,7 @@ struct eventfs_inode {
 	};
 	unsigned int			is_freed:1;
 	unsigned int			is_events:1;
-	unsigned int			nr_entries:31;
+	unsigned int			nr_entries:30;
 };
 
 static inline struct tracefs_inode *get_tracefs(const struct inode *inode)
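
Review bot: nothing beside the three bit-fields at the end of struct eventfs_inode states that is_freed, is_events and nr_entries must total exactly 32 bits, which is how the 31-bit width survived when is_events was taken out of nr_entries. A one-line comment above is_freed giving the 1 + 1 + 30 budget, or a build-time size assertion on the structure, would catch the next flag carved out of nr_entries. The stores into nr_entries are not in this hunk; it is worth confirming that none can hold a count needing more than 30 bits, since a larger value would be truncated silently.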
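
The two fixes described in the pull message, modelled in userspace C as an added example (not code from the patch or the kernel tree). The struct layouts, set_gid_model() and demo_walk() are simplified, hypothetical stand-ins; the sizes assume the usual GCC/Clang bit-field packing on Linux.

```c
#include <stddef.h>
#include <stdio.h>

/* Userspace stand-ins for the kernel types named in the mail (assumed, simplified). */
struct inode { unsigned int i_gid; };
struct tracefs_inode { unsigned long flags; struct inode vfs_inode; };
struct dentry { struct inode *d_inode; struct dentry *next; };

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* The bit-fields from the internal.h hunk, before and after, reduced to the three shown. */
struct bits_before { unsigned int is_freed:1, is_events:1, nr_entries:31; };
struct bits_after  { unsigned int is_freed:1, is_events:1, nr_entries:30; };

/* Model of the fixed walk: returns how many children had their gid updated. */
static int set_gid_model(struct dentry *children, unsigned int gid)
{
	int updated = 0;

	for (struct dentry *d = children; d; d = d->next) {
		/* A cursor dentry has no inode. container_of() on NULL yields
		 * a bogus pointer, so skip the entry as the patch does. */
		if (!d->d_inode)
			continue;
		struct tracefs_inode *ti =
			container_of(d->d_inode, struct tracefs_inode, vfs_inode);
		(void)ti->flags;	/* only safe because d_inode was checked */
		d->d_inode->i_gid = gid;
		updated++;
	}
	return updated;
}

/* Constructed sample: two real entries with a cursor dentry between them. */
static int demo_walk(void)
{
	struct tracefs_inode a = { 0, { 0 } }, b = { 0, { 0 } };
	struct dentry d3 = { &b.vfs_inode, NULL };
	struct dentry cursor = { NULL, &d3 };
	struct dentry d1 = { &a.vfs_inode, &cursor };
	int n = set_gid_model(&d1, 1000);

	return (a.vfs_inode.i_gid == 1000 && b.vfs_inode.i_gid == 1000) ? n : -1;
}

int main(void)
{
	printf("updated=%d before=%zu after=%zu\n", demo_walk(),
	       sizeof(struct bits_before), sizeof(struct bits_after));
	return 0;
}
```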
