authorWill Deacon <will.deacon@arm.com>2013-08-21 18:24:47 +0100
committerEric Van Hensbergen <ericvh@gmail.com>2013-08-26 10:28:46 -0500
commit50192abe02929586111fb33f216060a9341875f1 (patch)
treec766629c78fc8410eb452e018b0ba4b629141a3e /include/net
parente0d6cb9cd3a3ac8a3b8e5b22b83c4f8619786f22 (diff)
fs/9p: avoid accessing utsname after namespace has been torn down
During trinity fuzzing in a kvmtool guest, I stumbled across the following: Unable to handle kernel NULL pointer dereference at virtual address 00000004 PC is at v9fs_file_do_lock+0xc8/0x1a0 LR is at v9fs_file_do_lock+0x48/0x1a0 [<c01e2ed0>] (v9fs_file_do_lock+0xc8/0x1a0) from [<c0119154>] (locks_remove_flock+0x8c/0x124) [<c0119154>] (locks_remove_flock+0x8c/0x124) from [<c00d9bf0>] (__fput+0x58/0x1e4) [<c00d9bf0>] (__fput+0x58/0x1e4) from [<c0044340>] (task_work_run+0xac/0xe8) [<c0044340>] (task_work_run+0xac/0xe8) from [<c002e36c>] (do_exit+0x6bc/0x8d8) [<c002e36c>] (do_exit+0x6bc/0x8d8) from [<c002e674>] (do_group_exit+0x3c/0xb0) [<c002e674>] (do_group_exit+0x3c/0xb0) from [<c002e6f8>] (__wake_up_parent+0x0/0x18) I believe this is due to an attempt to access utsname()->nodename, after exit_task_namespaces() has been called, leaving current->nsproxy->uts_ns as NULL and causing the above dereference. A similar issue was fixed for lockd in 9a1b6bf818e7 ("LOCKD: Don't call utsname()->nodename from nlmclnt_setlockargs"), so this patch attempts something similar for 9pfs. Cc: Eric Van Hensbergen <ericvh@gmail.com> Cc: Ron Minnich <rminnich@sandia.gov> Cc: Latchesar Ionkov <lucho@ionkov.net> Cc: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/9p/client.h5
1 files changed, 5 insertions, 0 deletions
diff --git a/include/net/9p/client.h b/include/net/9p/client.h
index 4c7c01a73911..c38a005bd0cf 100644
--- a/include/net/9p/client.h
+++ b/include/net/9p/client.h
@@ -26,6 +26,8 @@
#ifndef NET_9P_CLIENT_H
#define NET_9P_CLIENT_H
+#include <linux/utsname.h>
+
/* Number of requests per row */
#define P9_ROW_MAXTAG 255
@@ -134,6 +136,7 @@ struct p9_req_t {
* @tagpool - transaction id accounting for session
* @reqs - 2D array of requests
* @max_tag - current maximum tag id allocated
+ * @name - node name used as client id
*
* The client structure is used to keep track of various per-client
* state that has been instantiated.
@@ -164,6 +167,8 @@ struct p9_client {
struct p9_idpool *tagpool;
struct p9_req_t *reqs[P9_ROW_MAXTAG];
int max_tag;
+
+ char name[__NEW_UTS_LEN + 1];
};
/**
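Review bot: The kernel-doc line added for @name in the second hunk (`* @name - node name used as client id`) should state that the value is a copy taken when the client is created, because the reason the field exists is that utsname() is not safe to consult at file-close time during task exit; a wording such as `* @name - node name, copied at client creation (utsname() may no longer be valid when locks are released)` records that contract next to the field declared in the third hunk. The buffer size `__NEW_UTS_LEN + 1` matches the nodename array in struct new_utsname from the header included in the first hunk, so a bounded copy fits with its terminator, but the copy itself lives in net/9p/client.c, outside this diffstat, and whether it uses a NUL-terminating bounded copy cannot be checked here. One consequence worth a sentence in the comment is that the stored name is a snapshot: a hostname change after the mount will not be reflected for the lifetime of the client.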