lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Thu, 7 May 2015 19:13:35 +0100 From: Al Viro <viro@...IV.linux.org.uk> To: Steven Rostedt <rostedt@...dmis.org> Cc: David Howells <dhowells@...hat.com>, LKML <linux-kernel@...r.kernel.org>, linux-fsdevel@...r.kernel.org Subject: Re: [PATCH] VFS: Add back check for !inode in walk_component() On Thu, May 07, 2015 at 01:39:35PM -0400, Steven Rostedt wrote: > I had them printed in my previous traces. The flags were 0x200088, and > they were 0 just before the call. Not dentry->d_flags, nd->flags. Most interesting part is bit 6 in those (LOOKUP_RCU, 0x40). As for creation... I think I see what might be going on: A: finds a negative dentry, picks NULL ->d_inode from it and whatever ->d_seq it had. B: d_instantiate(): sets ->d_inode non-NULL, ->d_flags accordingly and bumps ->d_seq. A: fetches ->d_flags, sees non-negative, assumes ->d_inode is non-NULL. In reality, the last assumption should've been "->d_inode is non-NULL or we have a stale ->d_seq and will end up discarding that fscker anyway". Hmm... Smells like we ought to a) in lookup_fast() turn if (read_seqcount_retry(&dentry->d_seq, seq)) return -ECHILD; into if (unlikely(d_is_negative(dentry))) { if (read_seqcount_retry(&dentry->d_seq, seq)) return -ECHILD; else return -ENOENT; } if (read_seqcount_retry(&dentry->d_seq, seq)) return -ECHILD; and if (likely(!err)) *inode = path->dentry->d_inode; into if (likely(!err)) { *inode = path->dentry->d_inode; if (unlikely(d_is_negative(dentry))) { path_to_nameidata(path, nd); err = -ENOENT; } } b) in walk_component() and do_last():finish_lookup move the d_is_negative() checks a bit up - into the body of preceding if () in the former and just prior to the finish_lookup: in the latter. AFAICS, the rest of d_is_negative() in fs/namei.c doesn't suffer that kind of problem... -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists