ceph: fix a race with rename() in ceph_mdsc_build_path() - kernel

diff options

author	Al Viro <[email protected]>	2025-02-15 04:37:58 +0000
committer	Al Viro <[email protected]>	2025-06-17 21:58:14 +0000
commit	0d2da2561bdeb459b6c540c2417a15c1f8732e6a (patch)
tree	ace92e44f378939e3cdcb75911e7de708a129d2e /drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c
parent	prep for ceph_encode_encrypted_fname() fixes (diff)
download	kernel-0d2da2561bdeb459b6c540c2417a15c1f8732e6a.tar.gz kernel-0d2da2561bdeb459b6c540c2417a15c1f8732e6a.zip

ceph: fix a race with rename() in ceph_mdsc_build_path()

Lift copying the name into callers of ceph_encode_encrypted_dname() that do not have it already copied; ceph_encode_encrypted_fname() disappears. That fixes a UAF in ceph_mdsc_build_path() - while the initial copy of plaintext into buf is done under ->d_lock, we access the original name again in ceph_encode_encrypted_fname() and that is done without any locking. With ceph_encode_encrypted_dname() using the stable copy the problem goes away. Tested-by: Viacheslav Dubeyko <[email protected]> Reviewed-by: Viacheslav Dubeyko <[email protected]> Signed-off-by: Al Viro <[email protected]>

Diffstat (limited to 'drivers/gpu/drm/amd/amdgpu/amdgpu_debugfs.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: