Received: by 10.223.185.116 with SMTP id b49csp5631480wrg; Tue, 27 Feb 2018 17:37:28 -0800 (PST) X-Google-Smtp-Source: AH8x224b3Wk33K6ZJ3QT9TzQi1HSATcKZCGeC+haYj3sIuFDOCFALJqZE5gMPz3iTodqfKOKOHpt X-Received: by 2002:a17:902:b109:: with SMTP id q9-v6mr16434351plr.340.1519781848332; Tue, 27 Feb 2018 17:37:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519781848; cv=none; d=google.com; s=arc-20160816; b=FVEKz6UrTzfr4q1JA+6+9ztoZH6Z989+BuKJBHtWTHFNg+A9buQnLWUM2Y5koBWa84 0KlcOeanMyRQYK7CRvpVGC4cBVnXd3svPNnqKxdIkD7E2Bk6RVtTO8SsOPilhpAqKLg0 vQnNIqCIHAV1gX7ImDs6pEWaQSz3ZJVPZKMZmAXPxu0qIE50AEe6bHltz4Bkag6CB5ug lwj19Ngttsy1GTv5J8KoyhfJrBKKYvNEnZwAQ0RZrmgocVSoXseRl0hTdFxlK0KfIA1Z padZtJTQttlomgbdqYS7u6+vsCMnW+qwPl838DAwM3mHSFNABA51LBC0iY695jwWz8B1 88JQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :arc-authentication-results; bh=eHMe08aO2UCvDQlW4NGq+Dh/B3jaTPeBrF54BQwtrw0=; b=R2266qEsdim9p48ucipALHuIjLvP6f2bIuhTKRwOUGkizWUL0X8tjSClipE9o0Zcio 9WIj32j0QUVhbjQrPWpchH7807E+S1RMlKdyZHoF5Y1ulXusNc1SaeMTxRzW5Aw1SExe vJ6kVOyUeFCR8J/ksLc2UzApeibCF808GAIAkAxkVzsP8ouE11wlHgOtzjFWceKIZVHS pGARUwgia0f2+QasspQRV2yPL4zD8MOiLnZWZr4SgfDu7NuDTKozkFVj4xTtGvC97B+f 8dbtHl6bA9um39FNyaNOr9fcGCgeVrerviPDh4ytYvGsHivfNuOnVw+CrmJNjcqX6HtC ZmJg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id e15si288771pgv.204.2018.02.27.17.37.13; Tue, 27 Feb 2018 17:37:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751883AbeB1BfT (ORCPT + 99 others); Tue, 27 Feb 2018 20:35:19 -0500 Received: from hs01.dk-develop.de ([213.136.71.231]:46816 "EHLO hs01.dk-develop.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751825AbeB1BfL (ORCPT ); Tue, 27 Feb 2018 20:35:11 -0500 Received: from danilo-linux.fritz.box (ipbcc13fda.dynamic.kabel-deutschland.de [188.193.63.218]) by hs01.dk-develop.de (Postfix) with ESMTPSA id 6FEEC1320D2B; Wed, 28 Feb 2018 02:35:14 +0100 (CET) From: Danilo Krummrich To: mcgrof@kernel.org, keescook@chromium.org, akpm@linux-foundation.org Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, Danilo Krummrich , stable@vger.kernel.org Subject: [PATCH v3 1/2] fs/sysctl: fix potential page fault while unregistering sysctl table Date: Wed, 28 Feb 2018 02:35:05 +0100 Message-Id: <20180228013506.4915-1-danilokrummrich@dk-develop.de> X-Mailer: git-send-email 2.14.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org proc_sys_link_fill_cache() does not take currently unregistering sysctl tables into account, which might result into a page fault in sysctl_follow_link() - add a check to fix it. This bug has been present since v3.4. Fixes: 0e47c99d7fe25 ("sysctl: Replace root_list with links between sysctl_table_sets") Cc: stable@vger.kernel.org Acked-by: Kees Cook Signed-off-by: Danilo Krummrich --- v2: removed empty line between between sysctl_head_grab and IS_ERR v3: extend commit message, add tags and cc stable --- fs/proc/proc_sysctl.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index c5cbbdff3c3d..82ac5f682b73 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c @@ -707,7 +707,10 @@ static bool proc_sys_link_fill_cache(struct file *file, struct ctl_table *table) { bool ret = true; + head = sysctl_head_grab(head); + if (IS_ERR(head)) + return false; if (S_ISLNK(table->mode)) { /* It is not an error if we can not follow the link ignore it */ -- 2.14.1