* [PATCH] dcache: fix locking bug in __dentry_path()
@ 2014-01-24 10:21 Denys Vlasenko
2014-01-24 12:24 ` Al Viro
0 siblings, 1 reply; 3+ messages in thread
From: Denys Vlasenko @ 2014-01-24 10:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Denys Vlasenko, Al Viro
If given buffer size is zero, we forget to rcu_read_unlock()
on error path.
Cc: linux-kernel@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
fs/dcache.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/dcache.c b/fs/dcache.c
index cb4a106..24a01fc 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3127,8 +3127,11 @@ restart:
end = buf + buflen;
len = buflen;
prepend(&end, &len, "\0", 1);
- if (buflen < 1)
+ if (buflen < 1) {
+ if (!(seq & 1))
+ rcu_read_unlock();
goto Elong;
+ }
/* Get '/' right */
retval = end-1;
*retval = '/';
--
1.8.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] dcache: fix locking bug in __dentry_path()
2014-01-24 10:21 [PATCH] dcache: fix locking bug in __dentry_path() Denys Vlasenko
@ 2014-01-24 12:24 ` Al Viro
2014-01-24 13:42 ` Denys Vlasenko
0 siblings, 1 reply; 3+ messages in thread
From: Al Viro @ 2014-01-24 12:24 UTC (permalink / raw)
To: Denys Vlasenko; +Cc: linux-kernel
On Fri, Jan 24, 2014 at 11:21:26AM +0100, Denys Vlasenko wrote:
> If given buffer size is zero, we forget to rcu_read_unlock()
> on error path.
Er... Where could we ever get called with size zero? IOW, the
real question is whether that check makes any sense. If nothing
else, a much more obvious fix (again, assuming there is a call
chain that could have triggered that in the first place), would
be to take that
if (buflen < 1)
goto Elong;
on the very top of __dentry_path(). Note that buflen never
change, so this check could bloody well be handled once - and
earlier. But again, the callers shouldn't be calling it that
way...
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] dcache: fix locking bug in __dentry_path()
2014-01-24 12:24 ` Al Viro
@ 2014-01-24 13:42 ` Denys Vlasenko
0 siblings, 0 replies; 3+ messages in thread
From: Denys Vlasenko @ 2014-01-24 13:42 UTC (permalink / raw)
To: Al Viro; +Cc: linux-kernel
On 01/24/2014 01:24 PM, Al Viro wrote:
> On Fri, Jan 24, 2014 at 11:21:26AM +0100, Denys Vlasenko wrote:
>> If given buffer size is zero, we forget to rcu_read_unlock()
>> on error path.
>
> Er... Where could we ever get called with size zero? IOW, the
> real question is whether that check makes any sense. If nothing
> else, a much more obvious fix (again, assuming there is a call
> chain that could have triggered that in the first place), would
> be to take that
> if (buflen < 1)
> goto Elong;
> on the very top of __dentry_path(). Note that buflen never
> change, so this check could bloody well be handled once - and
> earlier.
Yes. In fact the check is buggier than I thought:
prepend(&end, &len, "\0", 1);
if (buflen < 1)
goto Elong;
/* Get '/' right */
retval = end-1;
*retval = '/'; <=== !!!
It should be "buflen < 2". With buflen == 1, we touch buffer[-1].
> But again, the callers shouldn't be calling it that
> way...
I'll add a check in d_path() and post another patch.
I assume the assertion should be 'size >= 2', since
path "" should never be produced anyway, the shortest path
is "/"?
--
vda
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2014-01-24 13:42 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-01-24 10:21 [PATCH] dcache: fix locking bug in __dentry_path() Denys Vlasenko
2014-01-24 12:24 ` Al Viro
2014-01-24 13:42 ` Denys Vlasenko
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).