linux-fsdevel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [RFC][PATCH] affs_lookup(): close a race with affs_remove_link()
@ 2018-05-13 16:00 Al Viro
  2018-05-21 13:29 ` David Sterba
  0 siblings, 1 reply; 2+ messages in thread
From: Al Viro @ 2018-05-13 16:00 UTC (permalink / raw)
  To: linux-fsdevel; +Cc: David Sterba

[#fixes unless somebody yells; -stable fodder and yes, it _is_ that old -
all way back to 2001]

we unlock the directory hash too early - if we are looking at secondary
link and primary (in another directory) gets removed just as we unlock,
we could have the old primary moved in place of the secondary, leaving
us to look into freed entry (and leaving our dentry with ->d_fsdata
pointing to a freed entry).

Cc: stable@vger.kernel.org # 2.4.4+
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/affs/namei.c b/fs/affs/namei.c
index d8aa0ae3d037..1ed0fa4c4d48 100644
--- a/fs/affs/namei.c
+++ b/fs/affs/namei.c
@@ -206,9 +206,10 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
 
 	affs_lock_dir(dir);
 	bh = affs_find_entry(dir, dentry);
-	affs_unlock_dir(dir);
-	if (IS_ERR(bh))
+	if (IS_ERR(bh)) {
+		affs_unlock_dir(dir);
 		return ERR_CAST(bh);
+	}
 	if (bh) {
 		u32 ino = bh->b_blocknr;
 
@@ -222,10 +223,13 @@ affs_lookup(struct inode *dir, struct dentry *dentry, unsigned int flags)
 		}
 		affs_brelse(bh);
 		inode = affs_iget(sb, ino);
-		if (IS_ERR(inode))
+		if (IS_ERR(inode)) {
+			affs_unlock_dir(dir);
 			return ERR_CAST(inode);
+		}
 	}
 	d_add(dentry, inode);
+	affs_unlock_dir(dir);
 	return NULL;
 }
 

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [RFC][PATCH] affs_lookup(): close a race with affs_remove_link()
  2018-05-13 16:00 [RFC][PATCH] affs_lookup(): close a race with affs_remove_link() Al Viro
@ 2018-05-21 13:29 ` David Sterba
  0 siblings, 0 replies; 2+ messages in thread
From: David Sterba @ 2018-05-21 13:29 UTC (permalink / raw)
  To: Al Viro; +Cc: linux-fsdevel

On Sun, May 13, 2018 at 05:00:40PM +0100, Al Viro wrote:
> [#fixes unless somebody yells; -stable fodder and yes, it _is_ that old -
> all way back to 2001]
> 
> we unlock the directory hash too early - if we are looking at secondary
> link and primary (in another directory) gets removed just as we unlock,
> we could have the old primary moved in place of the secondary, leaving
> us to look into freed entry (and leaving our dentry with ->d_fsdata
> pointing to a freed entry).
> 
> Cc: stable@vger.kernel.org # 2.4.4+
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Sorry for the delay. As far as my limited knowledge of the AFFS code
goes, this change looks ok. You can add my

Acked-by: David Sterba <dsterba@suse.com>

and please take it through the vfs tree. Thanks.

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2018-05-21 13:32 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-05-13 16:00 [RFC][PATCH] affs_lookup(): close a race with affs_remove_link() Al Viro
2018-05-21 13:29 ` David Sterba

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).