| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251217084704.2323682-1-mjguzik@gmail.com>
Date: Wed, 17 Dec 2025 09:47:04 +0100
From: Mateusz Guzik <mjguzik@...il.com>
To: brauner@...nel.org
Cc: viro@...iv.linux.org.uk,
jack@...e.cz,
linux-kernel@...r.kernel.org,
linux-fsdevel@...r.kernel.org,
clm@...a.com,
Mateusz Guzik <mjguzik@...il.com>
Subject: [PATCH v2] fs: make sure to fail try_to_unlazy() and try_to_unlazy() for LOOKUP_CACHED
Otherwise the slowpath can be taken by the caller, defeating the flag.
This regressed after calls to legitimize_links() started being
conditionally elided and stems from the routine always failing
after seeing the flag, regardless if there were any links.
In order to address both the bug and the weird semantics make it illegal
to call legitimize_links() with LOOKUP_CACHED and handle the problem at
the two callsites.
Pull up ->depth = 0 to drop_links() to avoid repeating it in the
callers.
One remaining weirdness is terminate_walk() walking the symlink stack
after drop_links().
Fixes: 7c179096e77eca21 ("fs: add predicts based on nd->depth")
Reported-by: Chris Mason <clm@...a.com>
Signed-off-by: Mateusz Guzik <mjguzik@...il.com>
---
v2:
- handle terminate_walk looking at nd->depth after drop_links
fs/namei.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/fs/namei.c b/fs/namei.c
index bf0f66f0e9b9..69d0aa9ad2a8 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -774,6 +774,7 @@ static void drop_links(struct nameidata *nd)
do_delayed_call(&last->done);
clear_delayed_call(&last->done);
}
+ nd->depth = 0;
}
static void leave_rcu(struct nameidata *nd)
@@ -785,12 +786,13 @@ static void leave_rcu(struct nameidata *nd)
static void terminate_walk(struct nameidata *nd)
{
- if (unlikely(nd->depth))
+ int depth = nd->depth;
+ if (unlikely(depth))
drop_links(nd);
if (!(nd->flags & LOOKUP_RCU)) {
int i;
path_put(&nd->path);
- for (i = 0; i < nd->depth; i++)
+ for (i = 0; i < depth; i++)
path_put(&nd->stack[i].link);
if (nd->state & ND_ROOT_GRABBED) {
path_put(&nd->root);
@@ -799,7 +801,7 @@ static void terminate_walk(struct nameidata *nd)
} else {
leave_rcu(nd);
}
- nd->depth = 0;
+ VFS_BUG_ON(nd->depth);
nd->path.mnt = NULL;
nd->path.dentry = NULL;
}
@@ -830,11 +832,9 @@ static inline bool legitimize_path(struct nameidata *nd,
static bool legitimize_links(struct nameidata *nd)
{
int i;
- if (unlikely(nd->flags & LOOKUP_CACHED)) {
- drop_links(nd);
- nd->depth = 0;
- return false;
- }
+
+ VFS_BUG_ON(nd->flags & LOOKUP_CACHED);
+
for (i = 0; i < nd->depth; i++) {
struct saved *last = nd->stack + i;
if (unlikely(!legitimize_path(nd, &last->link, last->seq))) {
@@ -883,6 +883,10 @@ static bool try_to_unlazy(struct nameidata *nd)
BUG_ON(!(nd->flags & LOOKUP_RCU));
+ if (unlikely(nd->flags & LOOKUP_CACHED)) {
+ drop_links(nd);
+ goto out1;
+ }
if (unlikely(nd->depth && !legitimize_links(nd)))
goto out1;
if (unlikely(!legitimize_path(nd, &nd->path, nd->seq)))
@@ -918,6 +922,10 @@ static bool try_to_unlazy_next(struct nameidata *nd, struct dentry *dentry)
int res;
BUG_ON(!(nd->flags & LOOKUP_RCU));
+ if (unlikely(nd->flags & LOOKUP_CACHED)) {
+ drop_links(nd);
+ goto out2;
+ }
if (unlikely(nd->depth && !legitimize_links(nd)))
goto out2;
res = __legitimize_mnt(nd->path.mnt, nd->m_seq);
--
2.48.1
Powered by blists - more mailing lists