lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Sun, 12 Oct 2014 05:37:37 +0100
From:	Al Viro <>
To:	Eric Biggers <>
Subject: Re: fs/namei.c: Misuse of sequence counts?

On Sat, Oct 11, 2014 at 11:01:42PM -0500, Eric Biggers wrote:
> On Sun, Oct 12, 2014 at 01:12:59AM +0100, Al Viro wrote:
> > 
> > Huh?  What's to guarantee that dentry hasn't become negative since the
> > moment we'd fetched the seqcount?  _That_ is the problem we are dealing
> > with here - link_path_walk() relies on nd->inode being non-NULL.
> Hmm, I guess that makes sense.  So the code is actually verifying that the inode
> is still the inode that was referenced from the current or root directory when
> nd->path was set.  But couldn't the problem also be solved by setting nd->inode
> directly in the fs->seq retry loops?

Gets clumsy in set_root_rcu() - you do *not* want it to bugger nd->inode
when done by follow_dotdot_rcu(), so we'd need either some indication which
caller it is, or something like struct inode **inode in argument list,
with NULL passed from follow_dotdot_rcu(), while path_init() would give
it &nd->inode...

Doable, but unpleasant.  And the price of that check is trivial - after all,
in case we *don't* bugger off immediately, we have that ->d_seq in cache -
we'd fetched it just before.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

Powered by blists - more mailing lists