archive mirror
 help / color / mirror / Atom feed
From: Rob Landley <>
To: Filipe Manana <>
Cc:, enh <>
Subject: Re: Endless readdir() loop on btrfs.
Date: Sun, 13 Aug 2023 11:43:53 -0500	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 8/13/23 06:37, Filipe Manana wrote:
> On Sun, Aug 13, 2023 at 12:04 AM Rob Landley <> wrote:
>> Would anyone like to comment on:
>> which resulted from:
>> and just got re-reported as:
>> The issue is that modifications to the directory during a getdents()
>> deterministically append the modified entry to the getdents(), which means
>> directory traversal is never guaranteed to end, which seems like a denial of
>> service attack waiting to happen.
>> This is not a problem on ext4 or tmpfs or vfat or the various flash filesystems,
>> where readdir() reliably completes. This is a btrfs-specific problem.
>> I can try to add a CONFIG_BTRFS_BUG optional workaround comparing the dev:inode
>> pair of returned entries to filter out ones I've already seen, but can I
>> reliably stop at the first duplicate or do I have to continue to see if there's
>> more I haven't seen yet? (I dunno what your return order is.) If some OTHER
>> process is doing a "while true; do mv a b; mv b a; done" loop in a directory,
>> that could presumably pin any OTHER process doing a naieve readdir() loop over
>> that directory, hence denial of service...
> I've just sent a fix for this, it's at:
> Thanks for the report.

Tested-by: Rob Landley <>

Worked for me. Specifically, using mkroot in toybox 0.8.10 to build a tiny qemu
test system:

$ mkroot/ CROSS=x86_64 LINUX=~/linux/btrfs-patched KEXTRA=BTRFS_FS
$ cd root/x86_64
$ truncate -s 1g btrfs.img
$ mkfs.btrfs btrfs.img
$ ./ -hda btrfs.img
# wget
# chmod +x btrfs-test-static
# grep btrfs /proc/mounts # just confirming
# mkdir /mnt/sub
# cd /mnt/sub
# for i in {1..1000}; do touch $i; done
# /btrfs-test-static
# exit

The test program completed normally after 1000 files.

Thank you kindly,


      reply	other threads:[~2023-08-13 16:41 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-08-12 21:52 Endless readdir() loop on btrfs Rob Landley
2023-08-13 11:37 ` Filipe Manana
2023-08-13 16:43   ` Rob Landley [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).