* [PATCH 0/4] FS-Cache: Miscellaneous fixes
@ 2018-10-17 14:16 David Howells
0 siblings, 0 replies; 4+ messages in thread
From: David Howells @ 2018-10-17 14:16 UTC (permalink / raw)
To: gregkh
Cc: Kiran Kumar Modukuri, syzbot+a95b989b2dde8e806af8, David Howells,
stable, Eric Sandeen, Al Viro, viro, sandeen, dhowells,
linux-cachefs, linux-fsdevel, linux-kernel
Attached are another couple of miscellaneous fixes for FS-Cache and
CacheFiles:
(1) Fix a race between object burial in cachefiles and external rmdir.
(2) Fix a race from a split atomic op.
(3) Fix incomplete initialisation of cookie key space.
(4) Fix out-of-bounds read.
The patches are tagged here:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
fscache-fixes-20181017
and can also be found on the following branch:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=fscache-fixes
David
---
Al Viro (1):
cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
David Howells (1):
fscache: Fix incomplete initialisation of inline key space
Eric Sandeen (1):
fscache: Fix out of bound read in long cookie keys
kiran.modukuri (1):
fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
fs/cachefiles/namei.c | 2 +-
fs/fscache/cookie.c | 31 ++++++++++---------------------
fs/fscache/internal.h | 1 -
fs/fscache/main.c | 4 +---
include/linux/fscache-cache.h | 4 ++--
5 files changed, 14 insertions(+), 28 deletions(-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 0/4] FS-Cache: Miscellaneous fixes
@ 2018-10-17 14:23 David Howells
2018-10-17 14:23 ` [PATCH 1/4] cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) David Howells
2018-10-18 10:03 ` [PATCH 0/4] FS-Cache: Miscellaneous fixes Greg KH
0 siblings, 2 replies; 4+ messages in thread
From: David Howells @ 2018-10-17 14:23 UTC (permalink / raw)
To: gregkh
Cc: Kiran Kumar Modukuri, syzbot+a95b989b2dde8e806af8, stable,
Eric Sandeen, Al Viro, viro, sandeen, dhowells, linux-cachefs,
linux-fsdevel, linux-kernel
Attached are another couple of miscellaneous fixes for FS-Cache and
CacheFiles:
(1) Fix a race between object burial in cachefiles and external rmdir.
(2) Fix a race from a split atomic op.
(3) Fix incomplete initialisation of cookie key space.
(4) Fix out-of-bounds read.
The patches are tagged here:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
fscache-fixes-20181017
and can also be found on the following branch:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=fscache-fixes
David
---
Al Viro (1):
cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
David Howells (1):
fscache: Fix incomplete initialisation of inline key space
Eric Sandeen (1):
fscache: Fix out of bound read in long cookie keys
kiran.modukuri (1):
fscache: Fix race in fscache_op_complete() due to split atomic_sub & read
fs/cachefiles/namei.c | 2 +-
fs/fscache/cookie.c | 31 ++++++++++---------------------
fs/fscache/internal.h | 1 -
fs/fscache/main.c | 4 +---
include/linux/fscache-cache.h | 4 ++--
5 files changed, 14 insertions(+), 28 deletions(-)
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH 1/4] cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
2018-10-17 14:23 [PATCH 0/4] FS-Cache: Miscellaneous fixes David Howells
@ 2018-10-17 14:23 ` David Howells
2018-10-18 10:03 ` [PATCH 0/4] FS-Cache: Miscellaneous fixes Greg KH
1 sibling, 0 replies; 4+ messages in thread
From: David Howells @ 2018-10-17 14:23 UTC (permalink / raw)
To: gregkh
Cc: stable, Al Viro, viro, sandeen, dhowells, linux-cachefs,
linux-fsdevel, linux-kernel
From: Al Viro <viro@zeniv.linux.org.uk>
the victim might've been rmdir'ed just before the lock_rename();
unlike the normal callers, we do not look the source up after the
parents are locked - we know it beforehand and just recheck that it's
still the child of what used to be its parent. Unfortunately,
the check is too weak - we don't spot a dead directory since its
->d_parent is unchanged, dentry is positive, etc. So we sail all
the way to ->rename(), with hosting filesystems _not_ expecting
to be asked renaming an rmdir'ed subdirectory.
The fix is easy, fortunately - the lock on parent is sufficient for
making IS_DEADDIR() on child safe.
Cc: stable@vger.kernel.org
Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem)
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David Howells <dhowells@redhat.com>
---
fs/cachefiles/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/cachefiles/namei.c b/fs/cachefiles/namei.c
index af2b17b21b94..95983c744164 100644
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -343,7 +343,7 @@ static int cachefiles_bury_object(struct cachefiles_cache *cache,
trap = lock_rename(cache->graveyard, dir);
/* do some checks before getting the grave dentry */
- if (rep->d_parent != dir) {
+ if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
/* the entry was probably culled when we dropped the parent dir
* lock */
unlock_rename(cache->graveyard, dir);
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 0/4] FS-Cache: Miscellaneous fixes
2018-10-17 14:23 [PATCH 0/4] FS-Cache: Miscellaneous fixes David Howells
2018-10-17 14:23 ` [PATCH 1/4] cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) David Howells
@ 2018-10-18 10:03 ` Greg KH
1 sibling, 0 replies; 4+ messages in thread
From: Greg KH @ 2018-10-18 10:03 UTC (permalink / raw)
To: David Howells
Cc: Kiran Kumar Modukuri, syzbot+a95b989b2dde8e806af8, stable,
Eric Sandeen, Al Viro, linux-cachefs, linux-fsdevel, linux-kernel
On Wed, Oct 17, 2018 at 03:23:14PM +0100, David Howells wrote:
>
> Attached are another couple of miscellaneous fixes for FS-Cache and
> CacheFiles:
>
> (1) Fix a race between object burial in cachefiles and external rmdir.
>
> (2) Fix a race from a split atomic op.
>
> (3) Fix incomplete initialisation of cookie key space.
>
> (4) Fix out-of-bounds read.
Patches 1, 3, and 4 are now merged, thanks. I didn't pull from you as
patch 2 needed to be dropped according to the thread.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2018-10-18 18:14 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-10-17 14:23 [PATCH 0/4] FS-Cache: Miscellaneous fixes David Howells
2018-10-17 14:23 ` [PATCH 1/4] cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) David Howells
2018-10-18 10:03 ` [PATCH 0/4] FS-Cache: Miscellaneous fixes Greg KH
-- strict thread matches above, loose matches on Subject: below --
2018-10-17 14:16 David Howells
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox