Message-ID: <20110626004234.GB11013@ZenIV.linux.org.uk>
Date:	Sun, 26 Jun 2011 01:42:34 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Sage Weil <sage@...dream.net>
Cc:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: WTF is ceph_lookup_open() doing with nd->intent.open.file?

ceph_lookup_open() does the following:

        struct file *file = nd->intent.open.file;
        struct inode *parent_inode = get_dentry_parent_inode(file->f_dentry);

Note that at this point nd->intent.open.file is going to have NULL ->f_dentry.
What's more, we end up calling ceph_init_file() on that struct file.  If
open(2) fails *after* the call of that sucker, we'll end up leaking
from ceph_file_cachep, since ->release() will *not* be called - VFS will
have no damn indication that it needs to.  Not that calling ->i_fop->open()
on something without ->f_op (and ->f_dentry, and...) would be a good idea...

What is that code supposed to do, anyway?  Looks like a bastardized
variant of the atomic open tricks NFS is pulling off, without the
proper use of lookup_instantiate_filp()...  The thing is,
lookup_instantiate_filp() takes care to set ->f_path.dentry, which is
what distinguishes struct file that had been through ->open() from
ones that had not.  So no ->release() for you...

Moreover, what would you expect to set ->f_dentry by the time you call
->lookup()?  Looks like you expect that parent_inode to be the directory
you are doing lookup in, so why not use the dir argument of ceph_lookup_open()?
While we are at it, what's "locked_dir" and what is it for?  AFAICS,
nothing has ever looked at it - not since the mainline merge...

Either I'm seriously confused, or that code is...
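
A simplified user-space model of the leak described in the message above, added here as an illustration; it is not kernel or ceph code and not part of the original post. The struct layout and the names fs_init_file, fs_release, vfs_drop_intent_file and failed_open are hypothetical stand-ins, and the model assumes only what the message states: the VFS calls ->release() solely for a struct file whose dentry has been set.

```c
#include <stdio.h>
#include <stdlib.h>

/* Constructed user-space model; every name here is a hypothetical stand-in. */
struct dentry { int unused; };
struct file {
    struct dentry *f_dentry;   /* set only once the file has been through open */
    void *private_data;        /* per-open filesystem state */
};

static int live_private;       /* outstanding per-file allocations */

/* Filesystem side: attach per-open state, and the ->release() that frees it. */
static void fs_init_file(struct file *f) { f->private_data = malloc(16); live_private++; }
static void fs_release(struct file *f)   { free(f->private_data); f->private_data = NULL; live_private--; }

/* VFS side: discard the intent file after a failed open. ->release() runs
 * only when f_dentry shows the file was actually opened. */
static void vfs_drop_intent_file(struct file *f)
{
    if (f->f_dentry)
        fs_release(f);
    free(f);
}

/* Simulate open(2) failing after ->lookup(); returns allocations leaked. */
static int failed_open(int mark_opened)
{
    static struct dentry d;
    struct file *f = calloc(1, sizeof(*f));   /* f_dentry starts out NULL */
    int before = live_private;

    if (!f)
        return -1;
    if (mark_opened)
        f->f_dentry = &d;      /* the step the message attributes to lookup_instantiate_filp() */
    fs_init_file(f);           /* filesystem attaches state during lookup */
    vfs_drop_intent_file(f);   /* later failure: VFS throws the file away */
    return live_private - before;
}

int main(void)
{
    printf("state attached, file never marked opened: leaked %d\n", failed_open(0));
    printf("file marked opened before failure:        leaked %d\n", failed_open(1));
    return 0;
}
```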