From: Jan Kara
Subject: Deadlock in VFS on corrupted filesystem
Date: Thu, 10 May 2012 10:01:19 +0200
Message-ID: <20120510080119.GA1969@quack.suse.cz>
To: Al Viro
Cc: Sami Liedes, linux-fsdevel@vger.kernel.org

Hello Al!

Sami found in his testing a rather easy way to deadlock a system with a corrupted filesystem: Just have a directory D and inside D a directory entry pointing to D itself (e.g. corrupt the '.' directory entry to have another name). Then when you try to remove the corrupted directory entry, the system will deadlock because we will try to lock D both as a parent and a child.

Generally, when the directory structure is corrupted so that cycles are created, our locking protocol is prone to deadlocks. This is somewhat unpleasant if you have a system where you allow mounting untrusted media.

So my question is: Do we care? And if yes, how to best fix this? My naive idea would be that we could check in d_instantiate() whether we are creating a directory dentry and if yes, check that the inode is not already attached to a directory hierarchy (i.e. effectively forbid directory hardlinks). But this might be a bit tricky given dentry aliases. So what are your thoughts?

Honza
--
Jan Kara
SUSE Labs, CR
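The check proposed in the message (refuse a directory inode that is already attached to the hierarchy) can be illustrated with a user-space model. This is an added example, not code from the original message or from the kernel; the structures, `find_dir_alias()` and both inode tables are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_INODES  8
#define MAX_ENTRIES 4

struct dirent_model { const char *name; int ino; };
struct inode_model { int is_dir, nent; struct dirent_model ent[MAX_ENTRIES]; };

/* Walk from `ino`, marking each directory the first time a named entry
 * reaches it. Returns the first directory inode reached a second time
 * (a directory hardlink or cycle), or -1 if there is none. */
static int walk(const struct inode_model *tbl, int ino, int *attached)
{
    for (int i = 0; i < tbl[ino].nent; i++) {
        const struct dirent_model *e = &tbl[ino].ent[i];
        if (!strcmp(e->name, ".") || !strcmp(e->name, ".."))
            continue;              /* legitimate self/parent links */
        if (!tbl[e->ino].is_dir)
            continue;              /* regular files may be hardlinked */
        if (attached[e->ino])
            return e->ino;         /* already in the hierarchy: reject */
        attached[e->ino] = 1;
        int bad = walk(tbl, e->ino, attached);
        if (bad >= 0)
            return bad;
    }
    return -1;
}

int find_dir_alias(const struct inode_model *tbl, int root)
{
    int attached[MAX_INODES] = {0};
    attached[root] = 1;
    return walk(tbl, root, attached);
}

/* Constructed samples: inode 1 = root, 2 = D. In `corrupted`, D's "."
 * entry has been renamed to "x", so D contains a named entry for itself. */
static const struct inode_model corrupted[MAX_INODES] = {
    [1] = { 1, 3, { {".", 1}, {"..", 1}, {"D", 2} } },
    [2] = { 1, 2, { {"x", 2}, {"..", 1} } },
};
static const struct inode_model healthy[MAX_INODES] = {
    [1] = { 1, 4, { {".", 1}, {"..", 1}, {"D", 2}, {"f", 3} } },
    [2] = { 1, 3, { {".", 2}, {"..", 1}, {"g", 3} } },
    [3] = { 0, 0, { {0} } },       /* regular file, linked twice */
};

int main(void)
{
    printf("corrupted: %d, healthy: %d\n",
           find_dir_alias(corrupted, 1), find_dir_alias(healthy, 1));
    return 0;
}
```

The model ignores dentry aliases, which the message names as the tricky part of doing this check inside d_instantiate().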