lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Thu, 7 May 2015 19:13:35 +0100
From:	Al Viro <viro@...IV.linux.org.uk>
To:	Steven Rostedt <rostedt@...dmis.org>
Cc:	David Howells <dhowells@...hat.com>,
	LKML <linux-kernel@...r.kernel.org>,
	linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH] VFS: Add back check for !inode in walk_component()

On Thu, May 07, 2015 at 01:39:35PM -0400, Steven Rostedt wrote:
> I had them printed in my previous traces. The flags were 0x200088, and
> they were 0 just before the call.

Not dentry->d_flags, nd->flags.  Most interesting part is bit 6 in those
(LOOKUP_RCU, 0x40).

As for creation...  I think I see what might be going on:

A: finds a negative dentry, picks NULL ->d_inode from it and whatever
->d_seq it had.
B: d_instantiate(): sets ->d_inode non-NULL, ->d_flags accordingly and
bumps ->d_seq.
A: fetches ->d_flags, sees non-negative, assumes ->d_inode is non-NULL.

In reality, the last assumption should've been "->d_inode is non-NULL or
we have a stale ->d_seq and will end up discarding that fscker anyway".

Hmm...  Smells like we ought to
a) in lookup_fast() turn
                if (read_seqcount_retry(&dentry->d_seq, seq))
                        return -ECHILD;
into
		if (unlikely(d_is_negative(dentry))) {
			if (read_seqcount_retry(&dentry->d_seq, seq))
				return -ECHILD;
			else
				return -ENOENT;
		}
		if (read_seqcount_retry(&dentry->d_seq, seq))
			return -ECHILD;
and
        if (likely(!err))
                *inode = path->dentry->d_inode;
into
	if (likely(!err)) {
                *inode = path->dentry->d_inode;
		if (unlikely(d_is_negative(dentry))) {
			path_to_nameidata(path, nd);
			err = -ENOENT;
		}
	}
b) in walk_component() and do_last():finish_lookup move the d_is_negative()
checks a bit up - into the body of preceding if () in the former and just
prior to the finish_lookup: in the latter.

AFAICS, the rest of d_is_negative() in fs/namei.c doesn't suffer that kind
of problem...
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists