torvalds/linux
3
0
Fork 0
mirror of git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git synced 2026-04-08 23:49:14 +08:00
Code Issues Packages Projects Releases Wiki Activity
Files
4210030d8bc4834fcb774babc458d02a2432ee76
linux/fs
History
Christian Schoenebeck 3f61ac7c65 fs/9p: fix NULL pointer dereference on mkdir 
When a 9p tree was mounted with option 'posixacl', parent directory had a
default ACL set for its subdirectories, e.g.:

  setfacl -m default:group:simpsons:rwx parentdir

then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in
function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL
(since dafbe68973) even though the subsequent v9fs_set_create_acl() call
expects a valid non-NULL 'fid' pointer:

  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000
  ...
  [   37.322338] Call Trace:
  [   37.323043]  <TASK>
  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)
  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)
  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet
  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)
  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)
  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)
  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet
  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p
  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p
  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p
  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p
  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p
  [   37.338590] vfs_mkdir (fs/namei.c:4313)
  [   37.339535] do_mkdirat (fs/namei.c:4336)
  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)
  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)
  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)

Fix this by simply swapping the sequence of these two calls in
v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before
v9fs_fid_add().

Fixes: dafbe68973 ("9p fid refcount: cleanup p9_fid_put calls")
Reported-by: syzbot+5b667f9a1fee4ba3775a@syzkaller.appspotmail.com
Signed-off-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Message-ID: <E1tsiI6-002iMG-Kh@kylie.crudebyte.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
2025-03-17 07:03:11 +09:00
..
9p
fs/9p: fix NULL pointer dereference on mkdir
2025-03-17 07:03:11 +09:00
adfs
Merge patch series "adfs, affs, befs, hfs, hfsplus: convert to new mount api"
2024-10-08 14:41:53 +02:00
affs
Merge patch series "adfs, affs, befs, hfs, hfsplus: convert to new mount api"
2024-10-08 14:41:53 +02:00
afs
afs: Fix merge preference rule failure condition
2025-01-09 17:21:41 +01:00
autofs
autofs: fix thinko in validate_dev_ioctl()
2024-10-28 13:16:56 +01:00
bcachefs
Merge tag 'mm-nonmm-stable-2024-11-24-02-05' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-25 16:09:48 -08:00
befs
befs: convert befs to use the new mount api
2024-09-18 11:44:43 +02:00
bfs
fs: Convert aops->write_begin to take a folio
2024-08-07 11:33:21 +02:00
btrfs
Merge tag 'for-6.13-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
2025-01-16 08:54:33 -08:00
cachefiles
cachefiles: Parse the "secctx" immediately
2024-12-20 22:07:56 +01:00
ceph
ceph: allocate sparse_ext map only for sparse reads
2024-12-16 23:25:44 +01:00
coda
coda: use param->file for FSCONFIG_SET_FD
2024-08-19 13:45:03 +02:00
configfs
configfs: improve item creation performance
2024-11-14 07:45:20 +01:00
cramfs
Merge tag 'vfs-6.11.module.description' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-07-15 11:14:59 -07:00
crypto
Merge tag 'random-6.13-rc1-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/crng/random
2024-11-19 10:43:44 -08:00
debugfs
fs: debugfs: fix open proxy for unsafe files
2025-01-10 09:41:53 +01:00
devpts
dlm
dlm: fix dlm_recover_members refcount on error
2024-11-18 10:05:57 -06:00
ecryptfs
Merge tag 'vfs-6.13.ecryptfs.mount.api' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-11-26 13:39:02 -08:00
efivarfs
Merge tag 'efi-fixes-for-v6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi
2024-12-15 15:33:41 -08:00
efs
efs: fix the efs new mount api implementation
2024-10-15 15:58:36 +02:00
erofs
erofs: use buffered I/O for file-backed mounts by default
2024-12-16 21:02:07 +08:00
exfat
exfat: fix the infinite loop in __exfat_free_cluster()
2024-12-31 17:51:21 +09:00
exportfs
fs: prepare for "explicit connectable" file handles
2024-11-15 11:34:57 +01:00
ext2
Merge tag 'vfs-6.12.file' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-09-16 09:14:02 +02:00
ext4
Merge tag 'ext4_for_linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4
2024-11-18 16:32:58 -08:00
f2fs
Merge tag 'f2fs-for-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jaegeuk/f2fs
2024-11-26 12:50:58 -08:00
fat
fat: fix uninitialized variable
2024-10-17 00:28:06 -07:00
freevxfs
freevxfs: Replace one-element array with flexible array member
2024-11-06 10:42:06 +01:00
fuse
Merge tag 'fuse-fixes-6.13-rc7' of ssh://gitolite.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
2025-01-07 15:43:07 +01:00
gfs2
Merge tag 'gfs2-for-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2
2024-11-26 12:34:50 -08:00
hfs
hfs: Sanity check the root record
2024-12-02 15:32:19 +01:00
hfsplus
Merge tag 'vfs-6.13.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-11-18 09:35:30 -08:00
hostfs
hostfs: Fix the NULL vs IS_ERR() bug for __filemap_get_folio()
2024-11-15 20:55:32 +01:00
hpfs
hpfs: convert hpfs to use the new mount api
2024-10-08 14:41:53 +02:00
hugetlbfs
mm: use aligned address in clear_gigantic_page()
2024-12-18 19:04:42 -08:00
iomap
iomap: avoid avoid truncating 64-bit offset to 32 bits
2025-01-09 16:09:20 +01:00
isofs
isofs: avoid memory leak in iocharset
2024-11-06 20:24:41 +01:00
jbd2
jbd2: flush filesystem device before updating tail sequence
2024-12-04 12:00:05 +01:00
jffs2
jffs2: Fix rtime decompressor
2024-12-05 12:31:40 +01:00
jfs
Merge tag 'jfs-6.13' of github.com:kleikamp/linux-shaggy
2024-11-21 09:59:59 -08:00
kernfs
lockd
Merge tag 'nfsd-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2024-11-26 12:59:30 -08:00
minix
buffer: Convert __block_write_begin() to take a folio
2024-08-07 11:33:36 +02:00
netfs
netfs: Fix read-retry for fs with no ->prepare_read()
2025-01-09 17:20:04 +01:00
nfs
Merge tag 'vfs-6.13-rc7.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2025-01-06 10:26:39 -08:00
nfs_common
nfs_common: must not hold RCU while calling nfsd_file_put_local
2024-11-18 20:23:12 -05:00
nfsd
Merge tag 'nfsd-6.13-1' of git://git.kernel.org/pub/scm/linux/kernel/git/cel/linux
2024-12-23 12:16:15 -08:00
nilfs2
nilfs2: fix buffer head leaks in calls to truncate_inode_pages()
2024-12-18 19:04:45 -08:00
nls
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
notify
fs: relax assertions on failure to encode file handles
2024-12-19 15:18:27 +01:00
ntfs3
fs/ntfs3: Accumulated refactoring changes
2024-11-01 11:19:53 +03:00
ocfs2
ocfs2: check dir i_size in ocfs2_find_entry
2025-01-15 21:15:44 -08:00
omfs
fs: Convert aops->write_begin to take a folio
2024-08-07 11:33:21 +02:00
openpromfs
openpromfs: add missing MODULE_DESCRIPTION() macro
2024-06-20 09:46:01 +02:00
orangefs
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
overlayfs
ovl: support encoding fid from inode with no alias
2025-01-06 15:43:55 +01:00
proc
fs/proc: fix softlockup in __read_vmcore (part 2)
2025-01-12 19:03:38 -08:00
pstore
Get rid of 'remove_new' relic from platform driver struct
2024-12-01 15:12:43 -08:00
qnx4
qnx6
fs/qnx6: Fix building with GCC 15
2024-12-03 10:40:36 +01:00
quota
quota: flush quota_release_work upon quota writeback
2024-11-26 22:54:00 +01:00
ramfs
romfs
romfs: fix romfs_read_folio()
2024-08-21 22:32:58 +02:00
smb
smb: client: fix double free of TCP_Server_Info::hostname
2025-01-15 16:56:06 -06:00
squashfs
Squashfs: fix variable overflow in squashfs_readpage_block
2024-10-30 20:14:12 -07:00
sysfs
sysfs: bin_attribute: add const read/write callback variants
2024-11-05 14:00:28 +01:00
sysv
buffer: Convert __block_write_begin() to take a folio
2024-08-07 11:33:36 +02:00
tests
execve: Move KUnit tests to tests/ subdirectory
2024-07-22 18:25:47 -07:00
tracefs
tracing: Fix tracefs mount options
2024-11-01 08:38:14 -04:00
ubifs
Merge tag 'ubifs-for-linus-6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/ubifs
2024-11-30 10:32:47 -08:00
udf
udf: Verify inode link counts before performing rename
2024-11-26 22:54:24 +01:00
ufs
ufs: ufs_sb_private_info: remove unused s_{2,3}apb fields
2024-11-12 19:02:12 -05:00
unicode
Revert "unicode: Don't special case ignorable code points"
2024-12-11 14:11:23 -08:00
vboxsf
fs: Convert aops->write_end to take a folio
2024-08-07 11:32:02 +02:00
verity
fsverity: expose verified fsverity built-in signatures to LSMs
2024-08-20 14:03:18 -04:00
xfs
xfs: lock dquot buffer before detaching dquot from b_li_list
2025-01-10 10:12:48 +01:00
zonefs
Merge tag 'zonefs-6.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs
2024-10-02 12:02:15 -07:00
aio.c
Merge tag 'timers-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-11-19 16:35:06 -08:00
anon_inodes.c
attr.c
fs: handle delegated timestamps in setattr_copy_mgtime
2024-10-10 10:20:51 +02:00
backing-file.c
fs/backing_file: fix wrong argument in callback
2024-11-26 18:13:29 +01:00
bad_inode.c
binfmt_elf_fdpic.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_elf.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_flat.c
move asm/unaligned.h to linux/unaligned.h
2024-10-02 17:23:23 -04:00
binfmt_misc.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
binfmt_script.c
bpf_fs_kfuncs.c
bpf: Add kfunc bpf_get_dentry_xattr() to read xattr from dentry
2024-08-07 11:26:54 -07:00
buffer.c
Merge tag 'mm-stable-2024-11-18-19-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-23 09:58:07 -08:00
char_dev.c
fs: Reorganize kerneldoc parameter names
2024-10-22 11:16:57 +02:00
compat_binfmt_elf.c
binfmt_elf: Wire up AT_HWCAP3 at AT_HWCAP4
2024-10-17 18:38:49 +01:00
coredump.c
coredump: add cond_resched() to dump_user_range
2024-10-22 11:16:58 +02:00
d_path.c
dax.c
fsdax: dax_unshare_iter needs to copy entire blocks
2024-10-07 13:51:47 +02:00
dcache.c
Merge tag 'mm-stable-2024-11-18-19-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-23 09:58:07 -08:00
direct-io.c
fs/direct-io: Remove linux/prefetch.h include
2024-08-19 13:45:02 +02:00
drop_caches.c
sysctl: treewide: constify the ctl_table argument of proc_handlers
2024-07-24 20:59:29 +02:00
eventfd.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
eventpoll.c
Merge tag 'net-next-6.13' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next
2024-11-21 08:28:08 -08:00
exec.c
Revert "fs: don't block i_writecount during exec"
2024-11-27 12:51:30 +01:00
fcntl.c
fs: require inode_owner_or_capable for F_SET_RW_HINT
2024-11-25 15:16:49 +01:00
fhandle.c
Merge tag 'vfs-6.13.exportfs' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-11-26 13:26:15 -08:00
file_table.c
Merge branch 'work.fdtable' into vfs.file
2024-10-30 09:58:02 +01:00
file.c
fs: fix missing declaration of init_files
2024-12-17 13:38:46 +01:00
filesystems.c
fs_context.c
fs_parser.c
Merge tag 'vfs-6.13.ovl' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs
2024-11-18 10:45:06 -08:00
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c
Merge patch series "two little writeback cleanups v2"
2024-11-13 14:08:34 +01:00
fsopen.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
init.c
inode.c
Merge tag 'mm-stable-2024-11-18-19-27' of git://git.kernel.org/pub/scm/linux/kernel/git/akpm/mm
2024-11-23 09:58:07 -08:00
internal.h
Merge tag 'pull-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2024-11-18 14:54:10 -08:00
ioctl.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
Kconfig
reiserfs: The last commit
2024-10-21 16:29:38 +02:00
Kconfig.binfmt
exec: Add KUnit test for bprm_stack_limits()
2024-06-19 13:13:55 -07:00
kernel_read_file.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
libfs.c
Merge tag 'pull-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2024-11-18 14:54:10 -08:00
locks.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
Makefile
reiserfs: The last commit
2024-10-21 16:29:38 +02:00
mbcache.c
mnt_idmapping.c
Merge tag 'fuse-update-6.12' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse
2024-09-24 15:29:42 -07:00
mount.h
fs: kill MNT_ONRB
2025-01-09 16:58:50 +01:00
mpage.c
fs/writeback: convert wbc_account_cgroup_owner to take a folio
2024-10-28 13:26:54 +01:00
namei.c
Merge tag 'pull-xattr' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2024-11-18 12:44:25 -08:00
namespace.c
Merge tag 'vfs-6.14-rc7.mount.fixes'
2025-01-09 17:03:21 +01:00
nsfs.c
[tree-wide] finally take no_llseek out
2024-09-27 08:18:43 -07:00
open.c
Merge tag 'fsnotify_for_v6.13-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2024-11-21 09:55:45 -08:00
pidfs.c
pidfd: add ioctl to retrieve pid info
2024-10-24 13:54:51 +02:00
pipe.c
[tree-wide] finally take no_llseek out
2024-09-27 08:18:43 -07:00
pnode.c
pnode.h
posix_acl.c
acl: Annotate struct posix_acl with __counted_by()
2024-10-22 11:16:59 +02:00
proc_namespace.c
fs: rename show_mnt_opts -> show_vfsmnt_opts
2024-06-28 14:36:43 +02:00
read_write.c
Merge tag 'pull-fd' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2024-11-18 12:24:06 -08:00
readdir.c
introduce "fd_pos" class, convert fdget_pos() users to it.
2024-11-03 01:28:06 -05:00
remap_range.c
convert vfs_dedupe_file_range().
2024-11-03 01:28:07 -05:00
select.c
do_pollfd(): convert to CLASS(fd)
2024-11-03 01:28:07 -05:00
seq_file.c
fs: Reorganize kerneldoc parameter names
2024-10-22 11:16:57 +02:00
signalfd.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
splice.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
stack.c
stat.c
Merge tag 'pull-statx' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2024-11-18 14:54:10 -08:00
statfs.c
fdget_raw() users: switch to CLASS(fd_raw)
2024-11-03 01:28:06 -05:00
super.c
fs/super.c: introduce get_tree_bdev_flags()
2024-10-21 14:30:26 +02:00
sync.c
fdget(), trivial conversions
2024-11-03 01:28:06 -05:00
sysctls.c
timerfd.c
Merge tag 'timers-core-2024-11-18' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2024-11-19 16:35:06 -08:00
userfaultfd.c
fork: do not invoke uffd on fork if error occurs
2024-10-28 21:40:38 -07:00
utimes.c
fdget(), more trivial conversions
2024-11-03 01:28:06 -05:00
xattr.c
xattr: remove redundant check on variable err
2024-11-06 13:00:01 -05:00