lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 17 Jul 2021 21:25:46 +0800 (GMT+08:00)
From:   李扬韬 <frank.li@...o.com>
To:     Chao Yu <chao@...nel.org>
Cc:     jaegeuk@...nel.org, linux-kernel@...r.kernel.org,
        linux-f2fs-devel@...ts.sourceforge.net
Subject: Re:Re: [f2fs-dev] [PATCH] f2fs: fix ctx->pos in f2fs_read_inline_dir()

HI Chao,

From: Chao Yu <chao@...nel.org>
Date: 2021-07-17 16:56:01
To:  Yangtao Li <frank.li@...o.com>,jaegeuk@...nel.org
Cc:  linux-kernel@...r.kernel.org,linux-f2fs-devel@...ts.sourceforge.net
Subject: Re: [f2fs-dev] [PATCH] f2fs: fix ctx->pos in f2fs_read_inline_dir()>On 2021/7/17 11:49, Yangtao Li wrote:
>> I recently found a case where de->name_len is 0 in f2fs_fill_dentries() easily reproduced,
>> and finally set the fsck flag.
>> 
>> Thread A					Thread B
>> 
>> f2fs_readdir
>> 	f2fs_read_inline_dir
>> 		ctx->pos = d.max
>> 						f2fs_add_dentry
>> 							f2fs_add_inline_entry
>> 								do_convert_inline_dir
>> 							f2fs_add_regular_entry
>> f2fs_readdir
>> 	f2fs_fill_dentries
>> 		set_sbi_flag(sbi, SBI_NEED_FSCK)
>> 
>> Process A opens the folder, and has been reading without closing it. During this period,
>> Process B created a file under the folder (occupying multiple f2fs_dir_entry, exceeding
>> the d.max of the inline dir). After creation, process A uses the d.max of inline dir to
>> read it again, and it will read that de->name_len is 0.
>
>Nice catch!
>
>> 
>> And returning early in f2fs_read_inline_dir will cause the process to be unable to see
>> the changes before reopening the file.
>> 
>> So don't return early and remove the modification of ctx->pos in f2fs_read_inline_dir().
>> 
>> Signed-off-by: Yangtao Li <frank.li@...o.com>
>> ---
>>   fs/f2fs/inline.c | 5 -----
>>   1 file changed, 5 deletions(-)
>> 
>> diff --git a/fs/f2fs/inline.c b/fs/f2fs/inline.c
>> index 56a20d5c15da..fc6551139a3d 100644
>> --- a/fs/f2fs/inline.c
>> +++ b/fs/f2fs/inline.c
>> @@ -729,9 +729,6 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx,
>>   
>>   	make_dentry_ptr_inline(inode, &d, inline_dentry);
>>   
>> -	if (ctx->pos == d.max)
>> -		return 0;
>> -
>>   	ipage = f2fs_get_node_page(F2FS_I_SB(inode), inode->i_ino);
>>   	if (IS_ERR(ipage))
>>   		return PTR_ERR(ipage);
>> @@ -747,8 +744,6 @@ int f2fs_read_inline_dir(struct file *file, struct dir_context *ctx,
>>   	make_dentry_ptr_inline(inode, &d, inline_dentry);
>>   
>>   	err = f2fs_fill_dentries(ctx, &d, 0, fstr);
>
>After this function, ctx->pos will point to start position of first free slot after
>last dir_entry, we can't guarantee that the free slot won't be used in above race
>condition, right?
>
>Moreover, w/o inline conversion, the race condition still can happen as below, right?
>
>dir_entry1: A
>dir_entry2: B
>dir_entry3: C
>free slot: _
>
>Before:
>AAAABBBB___
>         ^
>Thread B delete dir_entry2, and create dir_entry3.
>
>After:
>AAAACCCCC__
>         ^

Taking into account the above situations, I think this case where de->name_len is 0 in f2fs_fill_dentries()
should be normal and there is no way to avoid it. Maybe we shouldn't set fsck flag at this time?
Because the file system is not damaged.

MBR / Yangtao

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ