| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 20 Oct 2017 20:39:03 +1100
From: NeilBrown <neilb@...e.com>
To: Al Viro <viro@...IV.linux.org.uk>
Cc: lkml <linux-kernel@...r.kernel.org>,
Goldwyn Rodrigues <rgoldwyn@...e.de>
Subject: Re: [VFS PATCH] constify more dcache.h inlined helpers.
On Fri, Oct 20 2017, Al Viro wrote:
> On Fri, Oct 20, 2017 at 11:41:17AM +1100, NeilBrown wrote:
>> On Wed, Aug 02 2017, NeilBrown wrote:
>>
>> > Many of the inlines in dcache.h were changed to accept
>> > const struct pointers in commit f0d3b3ded999 ("constify dcache.c
>> > inlined helpers where possible").
>> > This patch allows 'const' in a couple that were added since then.
>> >
>> > Signed-off-by: NeilBrown <neilb@...e.com>
>>
>> Ping ... should I be sending this somewhere else? Is there a problem
>> with it?
>
> Nothing, just slipped through the cracks; July and August had been
> insane (move from nc.us to ma.us after well over a decade in one
> apartment; 'nuff said...)
>
> Applied.
Great, thanks!
Something else that might have slipped through the cracks
is the following. There have been a few different patches for
this issue floating around including at
https://patchwork.kernel.org/patch/9455345/
and
https://patchwork.kernel.org/patch/9944661/
I think this approach is best, though adding that 'moving' arg to
___d_drop() isn't the most elegant thing I've ever done.
Thoughts?
Thanks,
NeilBrown
From: NeilBrown <neilb@...e.com>
Date: Fri, 8 Sep 2017 16:03:42 +1000
Subject: [PATCH] VFS: close race between getcwd() and d_move()
d_move() will call __d_drop() and then __d_rehash()
on the dentry being moved. This creates a small window
when the dentry appears to be unhashed. Many tests
of d_unhashed() are made under ->d_lock and so are safe
from racing with this window, but some aren't.
In particular, getcwd() calls d_unlinked() (which calls
d_unhashed()) without d_lock protection, so it can race.
This races has been seen in practice with lustre, which uses d_move() as
part of name lookup. See:
https://jira.hpdd.intel.com/browse/LU-9735
It could race with a regular rename(), and result in ENOENT instead
of either the 'before' or 'after' name.
We could fix this race by taking d_lock an rechecking when
d_unhashed() reports true. Alternately when can remove the window,
which is the approach this patch takes.
When __d_drop and __d_rehash are used to move a dentry, an extra
flag is passed which causes d_hash.pprev to not be cleared, and
to not be tested.
Signed-off-by: NeilBrown <neilb@...e.com>
---
fs/dcache.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index f90141387f01..3d1f14c6c306 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -469,8 +469,11 @@ static void dentry_lru_add(struct dentry *dentry)
* reason (NFS timeouts or autofs deletes).
*
* __d_drop requires dentry->d_lock.
+ * ___d_drop takes an extra @moving argument.
+ * If true, d_hash.pprev is not cleared, so there is no transient d_unhashed()
+ * state.
*/
-void __d_drop(struct dentry *dentry)
+static void inline ___d_drop(struct dentry *dentry, bool moving)
{
if (!d_unhashed(dentry)) {
struct hlist_bl_head *b;
@@ -486,12 +489,18 @@ void __d_drop(struct dentry *dentry)
hlist_bl_lock(b);
__hlist_bl_del(&dentry->d_hash);
- dentry->d_hash.pprev = NULL;
+ if (likely(!moving))
+ dentry->d_hash.pprev = NULL;
hlist_bl_unlock(b);
/* After this call, in-progress rcu-walk path lookup will fail. */
write_seqcount_invalidate(&dentry->d_seq);
}
}
+
+void __d_drop(struct dentry *dentry)
+{
+ ___d_drop(dentry, false);
+}
EXPORT_SYMBOL(__d_drop);
void d_drop(struct dentry *dentry)
@@ -2378,10 +2387,10 @@ void d_delete(struct dentry * dentry)
}
EXPORT_SYMBOL(d_delete);
-static void __d_rehash(struct dentry *entry)
+static void __d_rehash(struct dentry *entry, bool moving)
{
struct hlist_bl_head *b = d_hash(entry->d_name.hash);
- BUG_ON(!d_unhashed(entry));
+ BUG_ON(!moving && !d_unhashed(entry));
hlist_bl_lock(b);
hlist_bl_add_head_rcu(&entry->d_hash, b);
hlist_bl_unlock(b);
@@ -2397,7 +2406,7 @@ static void __d_rehash(struct dentry *entry)
void d_rehash(struct dentry * entry)
{
spin_lock(&entry->d_lock);
- __d_rehash(entry);
+ __d_rehash(entry, false);
spin_unlock(&entry->d_lock);
}
EXPORT_SYMBOL(d_rehash);
@@ -2571,7 +2580,7 @@ static inline void __d_add(struct dentry *dentry, struct inode *inode)
raw_write_seqcount_end(&dentry->d_seq);
fsnotify_update_flags(dentry);
}
- __d_rehash(dentry);
+ __d_rehash(dentry, false);
if (dir)
end_dir_add(dir, n);
spin_unlock(&dentry->d_lock);
@@ -2633,7 +2642,7 @@ struct dentry *d_exact_alias(struct dentry *entry, struct inode *inode)
alias = NULL;
} else {
__dget_dlock(alias);
- __d_rehash(alias);
+ __d_rehash(alias, false);
spin_unlock(&alias->d_lock);
}
spin_unlock(&inode->i_lock);
@@ -2819,8 +2828,8 @@ static void __d_move(struct dentry *dentry, struct dentry *target,
/* unhash both */
/* __d_drop does write_seqcount_barrier, but they're OK to nest. */
- __d_drop(dentry);
- __d_drop(target);
+ ___d_drop(dentry, true);
+ ___d_drop(target, exchange);
/* Switch the names.. */
if (exchange)
@@ -2829,9 +2838,9 @@ static void __d_move(struct dentry *dentry, struct dentry *target,
copy_name(dentry, target);
/* rehash in new place(s) */
- __d_rehash(dentry);
+ __d_rehash(dentry, true);
if (exchange)
- __d_rehash(target);
+ __d_rehash(target, true);
/* ... and switch them in the tree */
if (IS_ROOT(dentry)) {
--
2.14.0.rc0.dirty
Download attachment "signature.asc" of type "application/pgp-signature" (833 bytes)
Powered by blists - more mailing lists