Attached are another couple of miscellaneous fixes for FS-Cache and CacheFiles:
(1) Fix a race between object burial in cachefiles and external rmdir.
(2) Fix a race from a split atomic op.
(3) Fix incomplete initialisation of cookie key space.
(4) Fix out-of-bounds read.
The patches are tagged here:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git fscache-fixes-20181017
and can also be found on the following branch:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=fsc...
David --- Al Viro (1): cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
David Howells (1): fscache: Fix incomplete initialisation of inline key space
Eric Sandeen (1): fscache: Fix out of bound read in long cookie keys
kiran.modukuri (1): fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
fs/cachefiles/namei.c | 2 +- fs/fscache/cookie.c | 31 ++++++++++--------------------- fs/fscache/internal.h | 1 - fs/fscache/main.c | 4 +--- include/linux/fscache-cache.h | 4 ++-- 5 files changed, 14 insertions(+), 28 deletions(-)
From: Al Viro viro@zeniv.linux.org.uk
the victim might've been rmdir'ed just before the lock_rename(); unlike the normal callers, we do not look the source up after the parents are locked - we know it beforehand and just recheck that it's still the child of what used to be its parent. Unfortunately, the check is too weak - we don't spot a dead directory since its ->d_parent is unchanged, dentry is positive, etc. So we sail all the way to ->rename(), with hosting filesystems _not_ expecting to be asked renaming an rmdir'ed subdirectory.
The fix is easy, fortunately - the lock on parent is sufficient for making IS_DEADDIR() on child safe.
Cc: stable@vger.kernel.org Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem) Signed-off-by: Al Viro viro@zeniv.linux.org.uk Signed-off-by: David Howells dhowells@redhat.com ---
fs/cachefiles/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c index af2b17b21b94..95983c744164 100644 --- a/fs/cachefiles/namei.c +++ b/fs/cachefiles/namei.c @@ -343,7 +343,7 @@ static int cachefiles_bury_object(struct cachefiles_cache *cache, trap = lock_rename(cache->graveyard, dir);
/* do some checks before getting the grave dentry */ - if (rep->d_parent != dir) { + if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) { /* the entry was probably culled when we dropped the parent dir * lock */ unlock_rename(cache->graveyard, dir);
linux-stable-mirror@lists.linaro.org
-
David Howells