diff options
| author |   Eric Biggers <ebiggers@google.com> | 2020-01-23 20:15:49 -0800 |
|---|---|---|
| committer |   Jaegeuk Kim <jaegeuk@kernel.org> | 2020-01-24 10:04:09 -0800 |
| commit | 80f2388afa6ef985f9c5c228e36705c4d4db4756 (patch) | |
| tree | 1e895395075dd074b38d1f1387a2e40c8301f0db /Documentation | |
| parent | f2fs: fix dcache lookup of !casefolded directories (diff) | |
| download | linux-dev-80f2388afa6ef985f9c5c228e36705c4d4db4756.tar.xz linux-dev-80f2388afa6ef985f9c5c228e36705c4d4db4756.zip | |
f2fs: fix race conditions in ->d_compare() and ->d_hash()
Since ->d_compare() and ->d_hash() can be called in RCU-walk mode,
->d_parent and ->d_inode can be concurrently modified, and in
particular, ->d_inode may be changed to NULL. For f2fs_d_hash() this
resulted in a reproducible NULL dereference if a lookup is done in a
directory being deleted, e.g. with:
int main()
{
if (fork()) {
for (;;) {
mkdir("subdir", 0700);
rmdir("subdir");
}
} else {
for (;;)
access("subdir/file", 0);
}
}
... or by running the 't_encrypted_d_revalidate' program from xfstests.
Both repros work in any directory on a filesystem with the encoding
feature, even if the directory doesn't actually have the casefold flag.
I couldn't reproduce a crash in f2fs_d_compare(), but it appears that a
similar crash is possible there.
Fix these bugs by reading ->d_parent and ->d_inode using READ_ONCE() and
falling back to the case sensitive behavior if the inode is NULL.
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes: 2c2eb7a300cd ("f2fs: Support case-insensitive file name lookups")
Cc: <stable@vger.kernel.org> # v5.4+
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Diffstat (limited to 'Documentation')
0 files changed, 0 insertions, 0 deletions