Commit a527a2b3 authored by Linus Torvalds's avatar Linus Torvalds
Pull misc vfs fixes from Al Viro:
 "Several assorted fixes.

  I still think that audit ->d_name race is better fixed this way for
  the benefit of backports, with any possibly fancier variants done on
  top of it"

* 'fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  dump_common_audit_data(): fix racy accesses to ->d_name
  iov_iter: fix the uaccess area in copy_compat_iovec_from_user
  umount(2): move the flag validity checks first
parents feb889fb d36a1dd9
+5 −2
@@ -1713,8 +1713,6 @@ static int can_umount(const struct path *path, int flags)
{
	struct mount *mnt = real_mount(path->mnt);

	if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
		return -EINVAL;
	if (!may_mount())
		return -EPERM;
	if (path->dentry != path->mnt->mnt_root)
@@ -1728,6 +1726,7 @@ static int can_umount(const struct path *path, int flags)
	return 0;
}

// caller is responsible for flags being sane
int path_umount(struct path *path, int flags)
{
	struct mount *mnt = real_mount(path->mnt);
@@ -1749,6 +1748,10 @@ static int ksys_umount(char __user *name, int flags)
	struct path path;
	int ret;

	// basic validity checks done first
	if (flags & ~(MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW))
		return -EINVAL;

	if (!(flags & UMOUNT_NOFOLLOW))
		lookup_flags |= LOOKUP_FOLLOW;
	ret = user_path_at(AT_FDCWD, name, lookup_flags, &path);
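Review bot: The new comment above `path_umount()` says only that the caller is responsible for flags being sane, without naming the accepted set, and the mask is now an open-coded expression in `ksys_umount()` alone. `path_umount()` is not static, so any other in-kernel caller (none is visible in these hunks) would reach `can_umount()` with no `-EINVAL` check after this change. I would spell the contract out, e.g. `// caller must reject flags outside MNT_FORCE | MNT_DETACH | MNT_EXPIRE | UMOUNT_NOFOLLOW; can_umount() no longer does`, and extend the `ksys_umount()` comment to say why the check comes first, `// reject bad flags before user_path_at() does any lookup or permission check`. Both `path_umount()` and `ksys_umount()` continue outside the hunks.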
+1 −1
@@ -1658,7 +1658,7 @@ static int copy_compat_iovec_from_user(struct iovec *iov,
		(const struct compat_iovec __user *)uvec;
	int ret = -EFAULT, i;

	if (!user_access_begin(uvec, nr_segs * sizeof(*uvec)))
	if (!user_access_begin(uiov, nr_segs * sizeof(*uiov)))
		return -EFAULT;

	for (i = 0; i < nr_segs; i++) {
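Review bot: The window opened by `user_access_begin(uiov, nr_segs * sizeof(*uiov))` is only right while it is sized by the same pointer type the following loop reads through, and nothing in the code says so. `uiov` appears to be the compat-typed cast of `uvec`, so the two alias one address with different element sizes and the wrong pairing is easy to reintroduce. A short comment above the check would pin it, e.g. `/* window must cover the compat layout (uiov) that the loop reads */`. Separately, `nr_segs * sizeof(*uiov)` and the `int i` loop counter both rely on `nr_segs` having been bounded by the caller; the parameter list and callers are outside this hunk, so that is worth confirming rather than assuming. The function body starts and ends outside the hunk.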
+5 −2
@@ -275,7 +275,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
		struct inode *inode;

		audit_log_format(ab, " name=");
		spin_lock(&a->u.dentry->d_lock);
		audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
		spin_unlock(&a->u.dentry->d_lock);

		inode = d_backing_inode(a->u.dentry);
		if (inode) {
@@ -293,8 +295,9 @@ static void dump_common_audit_data(struct audit_buffer *ab,
		dentry = d_find_alias(inode);
		if (dentry) {
			audit_log_format(ab, " name=");
			audit_log_untrustedstring(ab,
					 dentry->d_name.name);
			spin_lock(&dentry->d_lock);
			audit_log_untrustedstring(ab, dentry->d_name.name);
			spin_unlock(&dentry->d_lock);
			dput(dentry);
		}
		audit_log_format(ab, " dev=");
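Review bot: Both added `spin_lock(&...->d_lock)` regions hold a spinlock across `audit_log_untrustedstring()`, so that call must never sleep; whether it can depends on how `ab` was allocated, which is not visible in these hunks. If the audit buffer has to grow while the name is copied, that allocation must be atomic, so it is worth confirming the buffer is started with an atomic gfp mask on every path into `dump_common_audit_data()`. I would also record why the lock is there, e.g. `/* d_lock keeps ->d_name stable against a concurrent rename; nothing in here may sleep */`, at the first site, with a matching one-liner at the `d_find_alias()` site. The function starts and ends outside the hunks.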