Re: vfat: Broken case-insensitive support for UTF-8

[Al Viro <viro@zeniv.linux.org.uk>]

On Mon, Jan 20, 2020 at 07:30:40AM +0000, Al Viro wrote:

> <checks ext4>
> Yup, that bug is there as well, all right.  Look:
> #ifdef CONFIG_UNICODE
> static int ext4_d_compare(const struct dentry *dentry, unsigned int len,
>                           const char *str, const struct qstr *name)
> {
>         struct qstr qstr = {.name = str, .len = len };
>         struct inode *inode = dentry->d_parent->d_inode;
> 
>         if (!IS_CASEFOLDED(inode) || !EXT4_SB(inode->i_sb)->s_encoding) {
> 
> Guess what happens if your (lockless) call of ->d_compare() runs
> into the following sequence:
> CPU1:	ext4_d_compare() fetches ->d_parent
> CPU1:	takes a hardware interrupt
> CPU2:	dentry gets evicted by memory pressure; so is its parent, since
> it was the only thing that used to keep it pinned.  Eviction of the parent
> calls dentry_unlink_inode() on the parent, which zeroes its ->d_inode.
> CPU1:	comes back
> CPU1:	fetches parent's ->d_inode and gets NULL
> CPU1:	oopses on null pointer dereference.
> 
> It's not impossible to hit.  Note that e.g. vfat_cmpi() is not vulnerable
> to that problem - ->d_sb is stable and both the superblock and ->nls_io
> freeing is RCU-delayed.
> 
> I hadn't checked ->d_compare() instances for a while; somebody needs to
> do that again, by the look of it.  The above definitely is broken;
> no idea how many other instaces had grown such bugs...

f2fs one also has the same bug.  Anyway, I'm going down right now, will
check the rest tomorrow morning...