Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 51987aff authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 

Pull vfs fixes from Al Viro:

 - a couple of ->i_link use-after-free fixes

 - regression fix for wrong errno on absent device name in mount(2)
   (this cycle stuff)

 - ancient UFS braino in large GID handling on Solaris UFS images (bogus
   cut'n'paste from large UID handling; wrong field checked to decide
   whether we should look at old (16bit) or new (32bit) field)

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
  Abort file_remove_privs() for non-reg. files
  [fix] get rid of checking for absent device name in vfs_get_tree()
  apparmorfs: fix use-after-free on symlink traversal
  securityfs: fix use-after-free on symlink traversal
parents 6203838d 4e903604

fs/inode.c

+7 −2
Original line number Diff line number Diff line
@@ -1817,8 +1817,13 @@ int file_remove_privs(struct file *file) 
	int kill;

	int error = 0;



	/* Fast path for nothing security related */

	if (IS_NOSEC(inode))

	/*

	 * Fast path for nothing security related.

	 * As well for non-regular files, e.g. blkdev inodes.

	 * For example, blkdev_write_iter() might get here

	 * trying to remove privs which it is not allowed to.

	 */

	if (IS_NOSEC(inode) || !S_ISREG(inode->i_mode))

		return 0;



	kill = dentry_needs_remove_privs(dentry);

fs/super.c

+0 −5
Original line number Diff line number Diff line
@@ -1467,11 +1467,6 @@ int vfs_get_tree(struct fs_context *fc) 
	struct super_block *sb;

	int error;



	if (fc->fs_type->fs_flags & FS_REQUIRES_DEV && !fc->source) {

		errorf(fc, "Filesystem requires source device");

		return -ENOENT;

	}



	if (fc->root)

		return -EBUSY;

fs/ufs/util.h

+1 −1
Original line number Diff line number Diff line
@@ -229,7 +229,7 @@ ufs_get_inode_gid(struct super_block *sb, struct ufs_inode *inode) 
	case UFS_UID_44BSD:

		return fs32_to_cpu(sb, inode->ui_u3.ui_44.ui_gid);

	case UFS_UID_EFT:

		if (inode->ui_u1.oldids.ui_suid == 0xFFFF)

		if (inode->ui_u1.oldids.ui_sgid == 0xFFFF)

			return fs32_to_cpu(sb, inode->ui_u3.ui_sun.ui_gid);

		/* Fall through */

	default:

security/apparmor/apparmorfs.c

+9 −4
Original line number Diff line number Diff line
@@ -123,17 +123,22 @@ static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 
	return 0;

}



static void aafs_evict_inode(struct inode *inode)

static void aafs_i_callback(struct rcu_head *head)

{

	truncate_inode_pages_final(&inode->i_data);

	clear_inode(inode);

	struct inode *inode = container_of(head, struct inode, i_rcu);

	if (S_ISLNK(inode->i_mode))

		kfree(inode->i_link);

	free_inode_nonrcu(inode);

}



static void aafs_destroy_inode(struct inode *inode)

{

	call_rcu(&inode->i_rcu, aafs_i_callback);

}



static const struct super_operations aafs_super_ops = {

	.statfs = simple_statfs,

	.evict_inode = aafs_evict_inode,

	.destroy_inode = aafs_destroy_inode,

	.show_path = aafs_show_path,

};

security/inode.c

+9 −4
Original line number Diff line number Diff line
@@ -27,17 +27,22 @@ 
static struct vfsmount *mount;

static int mount_count;



static void securityfs_evict_inode(struct inode *inode)

static void securityfs_i_callback(struct rcu_head *head)

{

	truncate_inode_pages_final(&inode->i_data);

	clear_inode(inode);

	struct inode *inode = container_of(head, struct inode, i_rcu);

	if (S_ISLNK(inode->i_mode))

		kfree(inode->i_link);

	free_inode_nonrcu(inode);

}



static void securityfs_destroy_inode(struct inode *inode)

{

	call_rcu(&inode->i_rcu, securityfs_i_callback);

}



static const struct super_operations securityfs_super_operations = {

	.statfs		= simple_statfs,

	.evict_inode	= securityfs_evict_inode,

	.destroy_inode	= securityfs_destroy_inode,

};



static int fill_super(struct super_block *sb, void *data, int silent)