| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 12 Mar 2020 11:42:39 +0100
From: Christoph Hellwig <hch@....de>
To: David Howells <dhowells@...hat.com>
Cc: mbobrowski@...browski.org, darrick.wong@...cle.com, jack@...e.cz,
hch@....de, linux-ext4@...r.kernel.org, linux-xfs@...r.kernel.org,
linux-fsdevel@...r.kernel.org
Subject: Re: Is ext4_dio_read_iter() broken? - and xfs_file_dio_aio_read()
On Thu, Mar 12, 2020 at 10:07:57AM +0000, David Howells wrote:
> David Howells <dhowells@...hat.com> wrote:
>
> > Is ext4_dio_read_iter() broken? It calls:
> >
> > file_accessed(iocb->ki_filp);
> >
> > at the end of the function - but surely iocb should be expected to have been
> > freed when iocb->ki_complete() was called?
The iocb is refcounted and only completed when the refcount hits zero,
and an extra reference is held until the submission has completed.
Take a look at iocb_put().
> I think it's actually worse than that. You also can't call
> inode_unlock_shared(inode) because you no longer own a ref on the inode since
> ->ki_complete() is expected to call fput() on iocb->ki_filp.
the file reference also hold an inode reference.
>
> Yes, you own a shared lock on it, but unless somewhere along the
> fput-dput-iput chain the inode lock is taken exclusively, the inode can be
> freed whilst you're still holding the lock.
>
> Oh - and ext4_dax_read_iter() is also similarly broken.
In addition to that DAX never executes asynchronously.
> And xfs_file_dio_aio_read() appears to be broken as it touches the inode after
> calling iomap_dio_rw() to unlock it.
Same as above.
Powered by blists - more mailing lists