The patch below does not apply to the 4.4-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From a295aef603e109a47af355477326bd41151765b6 Mon Sep 17 00:00:00 2001
From: Zheng Liang zhengliang6@huawei.com
Date: Fri, 24 Sep 2021 09:16:27 +0800
Subject: [PATCH] ovl: fix missing negative dentry check in ovl_rename()
The following reproducer
  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new
may result in this race:
PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
PROCESS B:
  unlink("upper/new");
PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE
Fix by adding the missing check for negative newdentry.
Signed-off-by: Zheng Liang zhengliang6@huawei.com
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: stable@vger.kernel.org # v3.18
Signed-off-by: Miklos Szeredi mszeredi@redhat.com
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index 1fefb2b8960e..93c7c267de93 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -1219,9 +1219,13 @@ static int ovl_rename(struct user_namespace *mnt_userns, struct inode *olddir, goto out_dput; } } else { - if (!d_is_negative(newdentry) && - (!new_opaque || !ovl_is_whiteout(newdentry))) - goto out_dput; + if (!d_is_negative(newdentry)) { + if (!new_opaque || !ovl_is_whiteout(newdentry)) + goto out_dput; + } else { + if (flags & RENAME_EXCHANGE) + goto out_dput; + } }
if (olddentry == trap)
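Review bot: The new `else` branch with `if (flags & RENAME_EXCHANGE) goto out_dput;` has no comment, and nothing in the code says why an exchange can meet a negative newdentry at this point. Per the commit message, the flag is set internally when new is a whiteout and the upper entry can be unlinked before the lookup; a one-line comment to that effect would keep the check from being removed as dead code later. The hunk also does not show which error value is returned on this path, so confirm err holds a meaningful value before the block.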
From: Zheng Liang zhengliang6@huawei.com
commit a295aef603e109a47af355477326bd41151765b6 upstream.
The following reproducer
  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new
may result in this race:
PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
PROCESS B:
  unlink("upper/new");
PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE
Fix by adding the missing check for negative newdentry.
Signed-off-by: Zheng Liang zhengliang6@huawei.com
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: stable@vger.kernel.org # v3.18
Signed-off-by: Miklos Szeredi mszeredi@redhat.com
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) masami.ichikawa@cybertrust.co.jp
---
 fs/overlayfs/dir.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index eedacae889b9..80bf0ab52e81 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old, } } else { new_create = true; - if (!d_is_negative(newdentry) && - (!new_opaque || !ovl_is_whiteout(newdentry))) - goto out_dput; + if (!d_is_negative(newdentry)) { + if (!new_opaque || !ovl_is_whiteout(newdentry)) + goto out_dput; + } else { + if (flags & RENAME_EXCHANGE) + goto out_dput; + } }
if (olddentry == trap)
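Review bot: The backport applies to `ovl_rename2()` and carries a `new_create = true;` context line, neither of which appears in the upstream hunk, yet the message says nothing about the adaptation. A short bracketed line above the backporter's Signed-off-by stating what was adjusted for 4.4 would help whoever audits this later. It is also worth confirming that `flags` can gain RENAME_EXCHANGE internally in this older function, as the race description in the commit message assumes.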
On Fri, Oct 22, 2021 at 09:16:05AM +0900, Masami Ichikawa(CIP) wrote:
From: Zheng Liang zhengliang6@huawei.com
commit a295aef603e109a47af355477326bd41151765b6 upstream.
The following reproducer
  mkdir lower upper work merge
  touch lower/old
  touch lower/new
  mount -t overlay overlay -olowerdir=lower,upperdir=upper,workdir=work merge
  rm merge/new
  mv merge/old merge/new & unlink upper/new
may result in this race:
PROCESS A:
  rename("merge/old", "merge/new");
  overwrite=true,ovl_lower_positive(old)=true,
  ovl_dentry_is_whiteout(new)=true -> flags |= RENAME_EXCHANGE
PROCESS B:
  unlink("upper/new");
PROCESS A:
  lookup newdentry in new_upperdir
  call vfs_rename() with negative newdentry and RENAME_EXCHANGE
Fix by adding the missing check for negative newdentry.
Signed-off-by: Zheng Liang zhengliang6@huawei.com
Fixes: e9be9d5e76e3 ("overlay filesystem")
Cc: stable@vger.kernel.org # v3.18
Signed-off-by: Miklos Szeredi mszeredi@redhat.com
Reference: CVE-2021-20321
Signed-off-by: Masami Ichikawa(CIP) masami.ichikawa@cybertrust.co.jp
 fs/overlayfs/dir.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c index eedacae889b9..80bf0ab52e81 100644 --- a/fs/overlayfs/dir.c +++ b/fs/overlayfs/dir.c @@ -824,9 +824,13 @@ static int ovl_rename2(struct inode *olddir, struct dentry *old, } } else { new_create = true;
if (!d_is_negative(newdentry) &&
(!new_opaque || !ovl_is_whiteout(newdentry)))
goto out_dput;
if (!d_is_negative(newdentry)) {
if (!new_opaque || !ovl_is_whiteout(newdentry))
goto out_dput;
} else {
if (flags & RENAME_EXCHANGE)
goto out_dput;
}}
if (olddentry == trap) -- 2.33.0
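Review bot: Style nit on the added `} else { if (flags & RENAME_EXCHANGE) goto out_dput; }` nesting: it can be flattened to `} else if (flags & RENAME_EXCHANGE) {`, which saves one indentation level. Staying byte-for-byte close to the upstream commit is a fair reason to leave it alone in a stable backport, so this applies to the upstream form rather than to this queue entry.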
Now queued up for 4.4.y, thanks!
greg k-h
linux-stable-mirror@lists.linaro.org