mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 14:19:16 +00:00
Code Issues Releases Wiki Activity
linux-stable/fs
History
Eric Biggers 8f3f5ba25e ext4: fix race between ext4_sync_parent() and rename() 
commit 08adf452e6 upstream.

'igrab(d_inode(dentry->d_parent))' without holding dentry->d_lock is
broken because without d_lock, d_parent can be concurrently changed due
to a rename().  Then if the old directory is immediately deleted, old
d_parent->inode can be NULL.  That causes a NULL dereference in igrab().

To fix this, use dget_parent() to safely grab a reference to the parent
dentry, which pins the inode.  This also eliminates the need to use
d_find_any_alias() other than for the initial inode, as we no longer
throw away the dentry at each step.

This is an extremely hard race to hit, but it is possible.  Adding a
udelay() in between the reads of ->d_parent and its ->d_inode makes it
reproducible on a no-journal filesystem using the following program:

    #include <fcntl.h>
    #include <unistd.h>

    int main()
    {
        if (fork()) {
            for (;;) {
                mkdir("dir1", 0700);
                int fd = open("dir1/file", O_RDWR|O_CREAT|O_SYNC);
                write(fd, "X", 1);
                close(fd);
            }
        } else {
            mkdir("dir2", 0700);
            for (;;) {
                rename("dir1/file", "dir2/file");
                rmdir("dir1");
            }
        }
    }

Fixes: d59729f4e7 ("ext4: fix races in ext4_sync_parent()")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Link: https://lore.kernel.org/r/20200506183140.541194-1-ebiggers@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-22 09:05:22 +02:00
..
9p 9p: avoid attaching writeback_fid on mmap with type PRIVATE 2019-10-11 18:21:13 +02:00
adfs fs/adfs: super: fix use-after-free bug 2019-08-06 19:06:49 +02:00
affs affs: fix a memory leak in affs_remount 2020-01-27 14:51:21 +01:00
afs afs: Fix some tracing details 2020-04-02 15:28:19 +02:00
autofs autofs: fix a leak in autofs_expire_indirect() 2019-12-13 08:51:01 +01:00
befs
bfs bfs: add sanity check at bfs_fill_super() 2018-12-01 09:37:27 +01:00
btrfs btrfs: send: emit file capabilities after chown 2020-06-22 09:05:21 +02:00
cachefiles cachefiles: Fix race between read_waiter and read_copier involving op->to_do 2020-06-03 08:19:29 +02:00
ceph ceph: fix double unlock in handle_cap_export() 2020-05-27 17:37:34 +02:00
cifs cifs: Fix null pointer check in cifs_read 2020-06-03 08:19:30 +02:00
coda coda: add error handling for fget 2019-08-06 19:06:51 +02:00
configfs configfs: fix config_item refcnt leak in configfs_rmdir() 2020-05-27 17:37:32 +02:00
cramfs Cramfs: fix abad comparison when wrap-arounds occur 2018-11-13 11:08:55 -08:00
crypto fscrypt: clean up some BUG_ON()s in block encryption/decryption 2019-07-26 09:14:02 +02:00
debugfs debugfs: fix use-after-free on symlink traversal 2019-05-08 07:21:48 +02:00
devpts fs/devpts: always delete dcache dentry-s in dput() 2019-03-23 20:09:59 +01:00
dlm dlm: fix invalid cluster name warning 2019-12-13 08:52:23 +01:00
ecryptfs ecryptfs: replace BUG_ON with error handling code 2020-02-28 16:38:59 +01:00
efivarfs
efs
exofs exofs_mount(): fix leaks on failure exits 2019-12-05 09:20:32 +01:00
exportfs exportfs: fix 'passing zero to ERR_PTR()' warning 2020-01-27 14:50:02 +01:00
ext2 ext2: fix debug reference to ext2_xattr_cache 2020-04-23 10:30:21 +02:00
ext4 ext4: fix race between ext4_sync_parent() and rename() 2020-06-22 09:05:22 +02:00
f2fs f2fs: fix to avoid memory leakage in f2fs_listxattr 2020-04-29 16:31:17 +02:00
fat fat: don't allow to mount if the FAT length == 0 2020-06-22 09:05:08 +02:00
freevxfs
fscache fscache: fix race between enablement and dropping of object 2018-12-17 09:24:40 +01:00
fuse fuse: verify attributes 2019-12-13 08:52:36 +01:00
gfs2 gfs2: move privileged user check to gfs2_quota_lock_check 2020-06-03 08:19:28 +02:00
hfs fs/hfs/extent.c: fix array out of bounds read of array extent 2019-12-01 09:17:10 +01:00
hfsplus hfsplus: fix crash and filesystem corruption when deleting files 2020-04-17 10:48:52 +02:00
hostfs vfs: discard ATTR_ATTR_FLAG 2018-08-17 16:20:28 -07:00
hpfs hpfs: remove unnecessary checks on the value of r when assigning error code 2018-08-25 12:42:33 -07:00
hugetlbfs hugetlb: use same fault hash key for shared and private mappings 2019-05-22 07:37:40 +02:00
isofs isofs: reject hardware sector size > 2048 bytes 2018-08-21 11:37:41 +02:00
jbd2 jbd2: improve comments about freeing data buffers whose page mapping is NULL 2020-04-21 09:03:06 +02:00
jffs2 jffs2: fix use-after-free on symlink traversal 2019-05-08 07:21:48 +02:00
jfs jfs: fix bogus variable self-initialization 2020-01-27 14:50:33 +01:00
kernfs kernfs: fix ino wrap-around detection 2019-12-13 08:52:43 +01:00
lockd lockd: fix decoding of TEST results 2019-12-13 08:51:59 +01:00
minix
nfs NFSv4: Fix fscache cookie aux_data to ensure change_attr is included 2020-05-20 08:18:43 +02:00
nfs_common
nfsd nfsd: memory corruption in nfsd4_lock() 2020-05-02 17:25:50 +02:00
nilfs2 nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() 2020-06-22 09:05:03 +02:00
nls
notify fs: avoid softlockups in s_inodes iterators 2020-01-12 12:17:20 +01:00
ntfs ntfs: mft: remove VLA usage 2018-08-17 16:20:27 -07:00
ocfs2 ocfs2: no need try to truncate file beyond i_size 2020-04-17 10:48:51 +02:00
omfs
openpromfs
orangefs help_next should increase position index 2020-02-24 08:34:53 +01:00
overlayfs ovl: initialize error in ovl_copy_xattr 2020-06-22 09:05:06 +02:00
proc proc: Use new_inode not new_inode_pseudo 2020-06-22 09:05:06 +02:00
pstore pstore: pstore_ftrace_seq_next should increase position index 2020-04-17 10:48:47 +02:00
qnx4
qnx6
quota fs: avoid softlockups in s_inodes iterators 2020-01-12 12:17:20 +01:00
ramfs
reiserfs reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() 2020-02-24 08:34:52 +01:00
romfs
squashfs
sysfs Driver core patches for 4.19-rc1 2018-08-18 11:44:53 -07:00
sysv sysv: return 'err' instead of 0 in __sysv_write_inode 2018-12-17 09:24:30 +01:00
tracefs
ubifs ubifs: remove broken lazytime support 2020-05-27 17:37:30 +02:00
udf udf: Fix free space reporting for metadata and virtual partitions 2020-02-24 08:34:45 +01:00
ufs ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour 2019-05-25 18:23:46 +02:00
xfs xfs: fix duplicate verification from xfs_qm_dqflush() 2020-06-22 09:05:16 +02:00
aio.c aio: fix async fsync creds 2020-06-22 09:05:01 +02:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf.c fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() 2020-06-03 08:19:41 +02:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c fs/binfmt_flat.c: make load_flat_shared_library() work 2019-07-03 13:14:44 +02:00
binfmt_misc.c
binfmt_script.c exec: load_script: Do not exec truncated interpreter path 2019-11-06 13:05:37 +01:00
block_dev.c bdev: Refresh bdev size for disks without partitioning 2020-01-09 10:19:07 +01:00
buffer.c ext4: use non-movable memory for superblock readahead 2020-04-23 10:30:12 +02:00
char_dev.c chardev: Avoid potential use-after-free in 'chrdev_open()' 2020-01-14 20:06:57 +01:00
compat.c
compat_binfmt_elf.c
compat_ioctl.c fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP 2020-01-09 10:19:07 +01:00
coredump.c coredump: fix crash when umh is disabled 2020-05-14 07:57:21 +02:00
d_path.c
dax.c dax: pass NOWAIT flag to iomap_apply 2020-03-05 16:42:12 +01:00
dcache.c dcache: sort the freeing-without-RCU-delay mess for good. 2019-05-25 18:23:26 +02:00
dcookies.c
direct-io.c direct-io: allow direct writes to empty inodes 2019-03-05 17:58:50 +01:00
drop_caches.c fs: avoid softlockups in s_inodes iterators 2020-01-12 12:17:20 +01:00
eventfd.c eventfd: track eventfd_signal() recursion depth 2020-02-11 04:34:08 -08:00
eventpoll.c fs/epoll: drop ovflist branch prediction 2019-02-12 19:47:19 +01:00
exec.c exec: Move would_dump into flush_old_exec 2020-05-20 08:18:50 +02:00
fcntl.c signal: Don't send signals to tasks that don't exist 2018-08-15 23:03:20 -05:00
fhandle.c
file.c fix multiplication overflow in copy_fdtable() 2020-05-27 17:37:29 +02:00
file_table.c overlayfs update for 4.19 2018-08-21 18:19:09 -07:00
filesystems.c fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once() 2020-04-17 10:48:51 +02:00
fs-writeback.c cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages 2020-06-22 09:05:03 +02:00
fs_pin.c
fs_struct.c
inode.c futex: Fix inode life-time issue 2020-03-25 08:06:14 +01:00
internal.h acct_on(): don't mess with freeze protection 2019-05-31 06:46:05 -07:00
ioctl.c vfs: fix FIGETBSZ ioctl on an overlayfs file 2018-11-21 09:19:14 +01:00
iomap.c iomap: partially revert 4721a60109 (simulated directio short read on EFAULT) 2019-12-13 08:52:56 +01:00
Kconfig
Kconfig.binfmt
libfs.c libfs: fix infoleak in simple_attr_read() 2020-04-02 15:28:21 +02:00
locks.c locks: print unsigned ino in /proc/locks 2020-01-09 10:19:00 +01:00
Makefile
mbcache.c
mount.h
mpage.c mpage: mpage_readpages() should submit IO as read-ahead 2018-08-17 16:20:29 -07:00
namei.c namei: only return -ECHILD from follow_dotdot_rcu() 2020-03-05 16:42:20 +01:00
namespace.c fs/namespace.c: fix mountpoint reference counter race 2020-04-29 16:31:26 +02:00
no-block.c
nsfs.c dcache: sort the freeing-without-RCU-delay mess for good. 2019-05-25 18:23:26 +02:00
open.c cifs_atomic_open(): fix double-put on late allocation failure 2020-03-18 07:14:21 +01:00
pipe.c fs: prevent page refcount overflow in pipe_buf_get 2019-05-04 09:20:11 +02:00
pnode.c propagate_one(): mnt_set_mountpoint() needs mount_lock 2020-05-02 17:26:01 +02:00
pnode.h
posix_acl.c
proc_namespace.c
read_write.c vfs: avoid problematic remapping requests into partial EOF block 2019-12-01 09:17:04 +01:00
readdir.c filldir[64]: remove WARN_ON_ONCE() for bad directory entries 2020-01-04 19:13:26 +01:00
select.c
seq_file.c seq_file: fix problem when seeking mid-record 2019-08-25 10:47:43 +02:00
signalfd.c
splice.c splice: only read in as much information as there is pipe buffer space 2019-12-17 20:35:43 +01:00
stack.c
stat.c
statfs.c vfs: Fix EOVERFLOW testing in put_compat_statfs64 2019-10-11 18:21:39 +02:00
super.c Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
sync.c
timerfd.c Merge branch 'work.aio' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2018-08-13 20:56:23 -07:00
userfaultfd.c userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK 2020-01-04 19:13:18 +01:00
utimes.c
xattr.c sysfs: Do not return POSIX ACL xattrs via listxattr 2018-09-18 07:30:48 -04:00