Merge branch 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull misc vfs fixes from Al Viro: "Several assorted fixes. I still think that audit ->d_name race is better fixed this way for the benefit of backports, with any possibly fancier variants done on top of it" * 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: dump_common_audit_data(): fix racy accesses to ->d_name iov_iter: fix the uaccess area in copy_compat_iovec_from_user umount(2): move the flag validity checks first
This commit is contained in:
commit
a527a2b32d
@ -1713,8 +1713,6 @@ static int can_umount(const struct path *path, int flags)
|
||||
{
|
||||
struct mount *mnt = real_mount(path->mnt);
|
||||
|
||||
if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
|
||||
return -EINVAL;
|
||||
if (!may_mount())
|
||||
return -EPERM;
|
||||
if (path->dentry != path->mnt->mnt_root)
|
||||
@ -1728,6 +1726,7 @@ static int can_umount(const struct path *path, int flags)
|
||||
return 0;
|
||||
}
|
||||
|
||||
// caller is responsible for flags being sane
|
||||
int path_umount(struct path *path, int flags)
|
||||
{
|
||||
struct mount *mnt = real_mount(path->mnt);
|
||||
@ -1749,6 +1748,10 @@ static int ksys_umount(char __user *name, int flags)
|
||||
struct path path;
|
||||
int ret;
|
||||
|
||||
// basic validity checks done first
|
||||
if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
|
||||
return -EINVAL;
|
||||
|
||||
if (!(flags & UMOUNT_NOFOLLOW))
|
||||
lookup_flags |= LOOKUP_FOLLOW;
|
||||
ret = user_path_at(AT_FDCWD, name, lookup_flags, &path);
|
||||
|
@ -1658,7 +1658,7 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
|
||||
(const struct compat_iovec __user *)uvec;
|
||||
int ret = -EFAULT, i;
|
||||
|
||||
if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
|
||||
if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
|
||||
return -EFAULT;
|
||||
|
||||
for (i = 0; i < nr_segs; i++) {
|
||||
|
@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
||||
struct inode *inode;
|
||||
|
||||
audit_log_format(ab, " name=");
|
||||
spin_lock(&a->u.dentry->d_lock);
|
||||
audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
|
||||
spin_unlock(&a->u.dentry->d_lock);
|
||||
|
||||
inode = d_backing_inode(a->u.dentry);
|
||||
if (inode) {
|
||||
@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
|
||||
dentry = d_find_alias(inode);
|
||||
if (dentry) {
|
||||
audit_log_format(ab, " name=");
|
||||
audit_log_untrustedstring(ab,
|
||||
dentry->d_name.name);
|
||||
spin_lock(&dentry->d_lock);
|
||||
audit_log_untrustedstring(ab, dentry->d_name.name);
|
||||
spin_unlock(&dentry->d_lock);
|
||||
dput(dentry);
|
||||
}
|
||||
audit_log_format(ab, " dev=");
|
||||
|
Loading…
Reference in New Issue
Block a user