Date:	Mon, 11 Aug 2014 15:37:07 +0100
From:	David Howells <>
To:	Miklos Szeredi <>
Subject: Race in ovl_copy_up()?

Hi Miklos,

Looking at the following:

	int ovl_copy_up(struct dentry *dentry)
	{
		int err;

		err = 0;
		while (!err) {
			struct dentry *next;
			struct dentry *parent;
			struct path lowerpath;
			struct kstat stat;
			enum ovl_path_type type = ovl_path_type(dentry);

			if (type != OVL_PATH_LOWER)
				break;

			next = dget(dentry);
			/* find the topmost dentry not yet copied up */
			for (;;) {
				parent = dget_parent(next);

				type = ovl_path_type(parent);
				if (type != OVL_PATH_LOWER)
					break;

				dput(next);
				next = parent;
			}

			ovl_path_lower(next, &lowerpath);
			err = vfs_getattr(&lowerpath, &stat);
			if (!err)
				err = ovl_copy_up_one(parent, next, &lowerpath, &stat);

			dput(parent);
			dput(next);
		}

		return err;
	}

In the for-loop in the middle, if you ascend any levels at all, how are you
protected from racing with copy-ups taking place on those more rootwards

I can see ovl_copy_up_one() using lock_rename() on the workdir and upperdir,
but there's no relevant lock on the overlayfs fs.  You stepped out of the lock
the VFS caller holds when you ascended.
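
A userspace model of the question raised above, added here as an illustration and not code from the original message or from overlayfs: two callers finish the unlocked upward walk before either copies anything, and the resulting count shows why the step that runs under the lock has to re-check the state. The `node` type and the functions `find_topmost_lower`, `copy_up_one` and `simulate` are hypothetical; whether the kernel's ovl_copy_up_one() performs such a re-check is not shown on this page.

```c
#include <stdio.h>

/* Userspace model only: node, find_topmost_lower() and copy_up_one() are
 * hypothetical stand-ins, not the overlayfs implementation. */
struct node {
	struct node *parent;
	int upper;   /* 1 once the node exists in the upper layer */
	int copies;  /* how many times a copy-up was performed on it */
};

/* Same shape as the inner for-loop: climb while the parent is still lower-only.
 * No lock is held during this walk, so the result is only a hint. */
static struct node *find_topmost_lower(struct node *n)
{
	while (n->parent && !n->parent->upper)
		n = n->parent;
	return n;
}

/* Models the step that runs under the lock. With revalidate set, the state
 * found by the unlocked walk is checked again before acting on it. */
static void copy_up_one(struct node *n, int revalidate)
{
	if (revalidate && n->upper)
		return;          /* another caller won the race: nothing to do */
	n->upper = 1;
	n->copies++;
}

/* Constructed interleaving: callers A and B both finish their walk before
 * either copies anything. Returns the copy-up count of the shared directory. */
int simulate(int revalidate)
{
	struct node root = { NULL, 1, 0 };
	struct node dir = { &root, 0, 0 };
	struct node file_a = { &dir, 0, 0 }, file_b = { &dir, 0, 0 };

	struct node *next_a = find_topmost_lower(&file_a);  /* -> dir */
	struct node *next_b = find_topmost_lower(&file_b);  /* -> dir, soon stale */
	copy_up_one(next_a, revalidate);
	copy_up_one(next_b, revalidate);
	return dir.copies;
}

int main(void)
{
	printf("no revalidation: %d copy-ups of dir\n", simulate(0));
	printf("revalidation:    %d copy-up of dir\n", simulate(1));
	return 0;
}
```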
