lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <alpine.LSU.2.00.1107171356480.3175@sister.anvils>
Date:	Sun, 17 Jul 2011 14:03:44 -0700 (PDT)
From:	Hugh Dickins <hughd@...gle.com>
To:	Al Viro <viro@...iv.linux.org.uk>
cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	Andrew Morton <akpm@...ux-foundation.org>,
	Nick Piggin <npiggin@...nel.dk>, linux-kernel@...r.kernel.org,
	linux-fsdevel@...r.kernel.org
Subject: [PATCH] vfs: fix race in rcu lookup of pruned dentry

Since the RCU dcache lookup came in, on five occasions a "cp -a" in my dual
kbuild swapping tests has failed because a source file vanished momentarily
e.g. cp: cannot open `/usr/src/linux/include/linux/cramfs_fs.h' for reading:
No such file or directory

That -ENOENT in walk_component: isn't it assuming we found a negative
dentry, before reaching the read_seqcount_retry which complete_walk
(or nameidata_drop_rcu_last before 3.0) would use to confirm a successful
lookup?  And can't memory pressure prune a dentry, coming to dentry_kill
which __d_drops to unhash before dentry_iput resets d_inode to NULL, but
the dentry_rcuwalk_barrier between those is ineffective if the other end
ignores the seqcount?

Move !inode -ENOENT checks from walk_component down into do_lookup,
adding read_seqcount_retry confirmation in the RCU case.  And use
path_put_conditional instead of path_to_nameidata (a reverse way of
doing the same) in the non-RCU case, to match the error case just above.

Signed-off-by: Hugh Dickins <hughd@...gle.com>
Cc: stable@...nel.org
---
I think I now have a faster script (four slightly staggered "cp -a"s of
kernel source, run in limited memory) to reproduce this in hours rather
than weeks; but I'm still calibrating that, cannot yet say whether this
patch fixes it.  Sending patch on ahead in case it's obvious to you.

 fs/namei.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- 3.0-git/fs/namei.c	2011-07-15 19:40:03.269867213 -0700
+++ linux/fs/namei.c	2011-07-17 10:08:17.586475293 -0700
@@ -1173,7 +1173,10 @@ static int do_lookup(struct nameidata *n
 			goto unlazy;
 		if (unlikely(path->dentry->d_flags & DCACHE_NEED_AUTOMOUNT))
 			goto unlazy;
-		return 0;
+		if (*inode)
+			return 0;
+		if (!read_seqcount_retry(&dentry->d_seq, nd->seq))
+			return -ENOENT;
 unlazy:
 		if (unlazy_walk(nd, dentry))
 			return -ECHILD;
@@ -1223,6 +1226,10 @@ retry:
 		return err;
 	}
 	*inode = path->dentry->d_inode;
+	if (!*inode) {
+		path_put_conditional(path, nd);
+		return -ENOENT;
+	}
 	return 0;
 }
 
@@ -1276,15 +1283,10 @@ static inline int walk_component(struct
 	if (unlikely(type != LAST_NORM))
 		return handle_dots(nd, type);
 	err = do_lookup(nd, name, path, &inode);
-	if (unlikely(err)) {
+	if (err) {
 		terminate_walk(nd);
 		return err;
 	}
-	if (!inode) {
-		path_to_nameidata(path, nd);
-		terminate_walk(nd);
-		return -ENOENT;
-	}
 	if (unlikely(inode->i_op->follow_link) && follow) {
 		if (nd->flags & LOOKUP_RCU) {
 			if (unlikely(unlazy_walk(nd, path->dentry))) {
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ