| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 18 Jul 2011 12:04:11 -0700 (PDT) From: Hugh Dickins <hughd@...gle.com> To: Linus Torvalds <torvalds@...ux-foundation.org> cc: Al Viro <viro@...iv.linux.org.uk>, Andrew Morton <akpm@...ux-foundation.org>, Nick Piggin <npiggin@...nel.dk>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH] vfs: fix race in rcu lookup of pruned dentry On Mon, 18 Jul 2011, Linus Torvalds wrote: > On Sun, Jul 17, 2011 at 11:31 PM, Linus Torvalds > <torvalds@...ux-foundation.org> wrote: > > > > Now, I do agree that maybe that case simply should check the dentry > > sequence count. I wish all cases did. Hugh patch did that. But the > > reason I dislike Hugh's patch is that when I say "I wish they all > > did", I mean that I dislike the special casing. And Hugh's patch just > > adds *more* special casing for that NULL entry - I'd wish we just > > always did it regardless of whether it was NULL or not. > > Btw, looking at that, I think Hugh's patch is wrong. It does > > if (!read_seqcount_retry(&dentry->d_seq, nd->seq)) > > but that's after we've done the __follow_mount_rcu() that may actually > have changed "nd->seq" to the mount-point inode (and has changed > path->dentry to match it). Yes, my patch is wrong there. I started out with if (!read_seqcount_retry(&dentry->d_seq, seq); but seeing __follow_mount_rcu() updates inode and nd->seq, I changed to if (!read_seqcount_retry(&dentry->d_seq, nd->seq); missing the obvious, that it's changing path->dentry when it updates nd->seq. > > Now, it only does it if inode is NULL, so I guess it doesn't matter, > but it's the kind of inconsistency that I think is really dangerous, > because it basically compares incompatible sequence numbers. Yes, it's simply wrong. > > Also, looking at that whole mount-point traversal sequence, it looks > like __follow_mount_rcu() will happily totally ignore the old sequence > number when it replaces it with the mount-point sequence number. So it > looks to me that we have a case where we miss the sequence number > check that can happen with a positive dentry too! Al has commented on that. I'd feel more confident with a patch like yours, and corrected final check in mine (if we used mine at all) if (!read_seqcount_retry(&path->dentry->d_seq, nd->seq); but ignore me, I'm easily confused by mounts ;) Hugh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists