diff options
| author | Eric Biggers <[email protected]> | 2020-01-24 04:12:34 +0000 |
|---|---|---|
| committer | Theodore Ts'o <[email protected]> | 2020-01-25 03:35:03 +0000 |
| commit | ec772f01307a2c06ebf6cdd221e6b518a71ddae7 (patch) | |
| tree | 9bfe61fd04467699009cc4094ee7d473c3e2dcfb /drivers/mtd/lpddr/lpddr_cmds.c | |
| parent | ext4: make dioread_nolock the default (diff) | |
| download | kernel-ec772f01307a2c06ebf6cdd221e6b518a71ddae7.tar.gz kernel-ec772f01307a2c06ebf6cdd221e6b518a71ddae7.zip | |
ext4: fix race conditions in ->d_compare() and ->d_hash()
Since ->d_compare() and ->d_hash() can be called in RCU-walk mode,
->d_parent and ->d_inode can be concurrently modified, and in
particular, ->d_inode may be changed to NULL. For ext4_d_hash() this
resulted in a reproducible NULL dereference if a lookup is done in a
directory being deleted, e.g. with:
int main()
{
if (fork()) {
for (;;) {
mkdir("subdir", 0700);
rmdir("subdir");
}
} else {
for (;;)
access("subdir/file", 0);
}
}
... or by running the 't_encrypted_d_revalidate' program from xfstests.
Both repros work in any directory on a filesystem with the encoding
feature, even if the directory doesn't actually have the casefold flag.
I couldn't reproduce a crash in ext4_d_compare(), but it appears that a
similar crash is possible there.
Fix these bugs by reading ->d_parent and ->d_inode using READ_ONCE() and
falling back to the case sensitive behavior if the inode is NULL.
Reported-by: Al Viro <[email protected]>
Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
Cc: <[email protected]> # v5.2+
Signed-off-by: Eric Biggers <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Theodore Ts'o <[email protected]>
Diffstat (limited to 'drivers/mtd/lpddr/lpddr_cmds.c')
0 files changed, 0 insertions, 0 deletions