memcg: fix possible use-after-free in memcg_write_event_control()
Tejun Heo authored
commit 4a7ba45b upstream.

memcg_write_event_control() accesses the dentry->d_name of the specified
control fd to route the write call.  As a cgroup interface file can't be
renamed, it's safe to access d_name as long as the specified file is a
regular cgroup file.  Also, as these cgroup interface files can't be
removed before the directory, it's safe to access the parent too.

Prior to 347c4a87 ("memcg: remove cgroup_event->cft"), there was a
call to __file_cft() which verified that the specified file is a regular
cgroupfs file before further accesses.  The cftype pointer returned from
__file_cft() was no longer necessary and the commit inadvertently dropped
the file type check with it allowing any file to slip through.  With the
invariants broken, the d_name and parent accesses can now race against
renames and removals of arbitrary files and cause use-after-frees.

Fix the bug by resurrecting the file t...
aad8bbd1
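The failure pattern the commit message describes, as an added illustration that is not part of the kernel commit or of this page: a small userspace C model in which the file-type check was a side effect of a call whose return value became unused, so removing the call also removed the check. The types and names here (`struct model_file`, `struct model_dentry`, `fget_model`, `is_cgroup_file`, `route_unchecked`, `route_checked`, the constructed fd table) are hypothetical stand-ins for the kernel's `struct file`, `dentry->d_name`, the parent dentry and the dropped `__file_cft()` check; the `-EINVAL` return on the checked path is this model's assumption, not a statement of what the actual fix returns.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only (assumption): these types stand in for the kernel's
 * struct file / struct dentry and are not the real definitions. */
enum file_kind { KIND_CGROUP_FILE, KIND_OTHER };

struct model_dentry {
    const char *name;              /* stands in for dentry->d_name */
    struct model_dentry *parent;   /* stands in for the parent dentry */
};

struct model_file {
    enum file_kind kind;           /* what __file_cft() used to establish */
    struct model_dentry *dentry;
};

/* Constructed fd table: fd 0 is a cgroup interface file, fd 1 is an
 * ordinary file that its owner may rename or unlink at any time. */
static struct model_dentry cg_dir   = { "memory", NULL };
static struct model_dentry cg_file  = { "memory.usage_in_bytes", &cg_dir };
static struct model_dentry tmp_dir  = { "tmp", NULL };
static struct model_dentry tmp_file = { "scratch", &tmp_dir };

static struct model_file fd_table[] = {
    { KIND_CGROUP_FILE, &cg_file },
    { KIND_OTHER,       &tmp_file },
};
#define NFDS ((int)(sizeof fd_table / sizeof fd_table[0]))

/* Stand-in for fget(): resolve an fd, or NULL if it is not open. */
static struct model_file *fget_model(int fd)
{
    if (fd < 0 || fd >= NFDS)
        return NULL;
    return &fd_table[fd];
}

/* The check that lived inside __file_cft() before 347c4a87: only a regular
 * cgroup interface file has the "cannot be renamed, cannot be removed before
 * its directory" guarantees that make d_name and the parent safe to read. */
static int is_cgroup_file(const struct model_file *f)
{
    return f->kind == KIND_CGROUP_FILE;
}

/* Bug pattern: once the cftype return value was unused, the call carrying the
 * type check was dropped with it, so any fd reaches the d_name and parent
 * accesses. For a non-cgroup fd those names belong to a file that can be
 * renamed or unlinked concurrently; in the kernel that is the use-after-free
 * window. Returns 0 on success, negative errno otherwise. */
int route_unchecked(int fd, char *out, size_t outlen)
{
    struct model_file *f = fget_model(fd);
    if (!f)
        return -EBADF;
    snprintf(out, outlen, "%s/%s", f->dentry->parent->name, f->dentry->name);
    return 0;
}

/* Fixed pattern: keep the type check as an explicit step even though its
 * former return value is no longer needed. -EINVAL is this model's choice
 * (assumption), not necessarily what the kernel returns. */
int route_checked(int fd, char *out, size_t outlen)
{
    struct model_file *f = fget_model(fd);
    if (!f)
        return -EBADF;
    if (!is_cgroup_file(f))
        return -EINVAL;
    snprintf(out, outlen, "%s/%s", f->dentry->parent->name, f->dentry->name);
    return 0;
}

int main(void)
{
    char path[64];
    for (int fd = 0; fd < NFDS; fd++) {
        int ru = route_unchecked(fd, path, sizeof path);
        printf("fd %d unchecked: %d %s\n", fd, ru, ru == 0 ? path : "-");
        int rc = route_checked(fd, path, sizeof path);
        printf("fd %d checked:   %d %s\n", fd, rc, rc == 0 ? path : "-");
    }
    return 0;
}
```

The point of the model is the review question it raises for any refactor that deletes a "now unused" call: whether the call's return value was the only thing it contributed, or whether it was also the validation that later accesses silently depended on. Here `route_unchecked` happily routes fd 1 through the parent and name accesses, while `route_checked` refuses it before touching either.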
Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.