stable.vger.kernel.org archive mirror
From: Al Viro <viro@zeniv.linux.org.uk>
To: Christian Brauner <christian.brauner@ubuntu.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	linux-kernel@vger.kernel.org, Will Deacon <will@kernel.org>,
	Kate Stewart <kstewart@linuxfoundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Amir Goldstein <amir73il@gmail.com>,
	Thomas Gleixner <tglx@linutronix.de>,
	Varad Gautam <vrd@amazon.de>,
	stable@vger.kernel.org, Jan Glauber <jglauber@marvell.com>
Subject: Re: [PATCH] devpts: Fix NULL pointer dereference in dcache_readdir()
Date: Fri, 4 Oct 2019 17:02:19 +0100
Message-ID: <20191004160219.GI26530@ZenIV.linux.org.uk>
In-Reply-To: <20191004152526.adgg3a7u7jylfk4a@wittgenstein>

On Fri, Oct 04, 2019 at 05:25:28PM +0200, Christian Brauner wrote:
> On Fri, Oct 04, 2019 at 04:10:58PM +0100, Al Viro wrote:
> > On Fri, Oct 04, 2019 at 04:33:02PM +0200, Christian Brauner wrote:
> > > On Fri, Oct 04, 2019 at 03:27:48PM +0100, Al Viro wrote:
> > > > On Fri, Oct 04, 2019 at 04:05:03PM +0200, Christian Brauner wrote:
> > > > > From: Will Deacon <will@kernel.org>
> > > > > 
> > > > > Closing /dev/pts/ptmx removes the corresponding pty under /dev/pts/
> > > > > without synchronizing against concurrent path walkers. This can lead to
> > > > > 'dcache_readdir()' tripping over a 'struct dentry' with a NULL 'd_inode'
> > > > > field:
> > > > 
> > > > FWIW, vfs.git#fixes (or #next.dcache) ought to deal with that one.
> > > 
> > > Is it feasible to backport your changes? Or do we want to merge the one
> > > here first and backport?
> > 
> > I'm not sure.  The whole pile is backportable, all right (and the first commit
> 
> Ok. So here's what I propose: we'll merge this one as it seems an
> obvious fix to the problem and can easily be backported to stable
> kernels.
> Then you'll land your generic workaround alleviating callers from
> holding inode_lock(). Then I'll send a patch to remove the inode_lock()
> from devpts for master.
> If we see that your fix is fine to backport and has no performance
> impacts that you find unacceptable we backport it.

There's more than one bug here.
	* fucked up lockless traversals.  Affect anything that uses dcache_readdir()
	* devpts (and selinuxfs, while we are at it) running afoul of (implicit)
	  assumption by dcache_readdir() - that stuff won't get removed from under it
	* (possibly) cifs hitting the same on eviction by memory pressure alone
	  (no locked inodes anywhere in sight).  Possibly == if cifs IPC$ share happens to
	  show up non-empty (e.g. due to server playing silly buggers).
	* (possibly) cifs hitting *another* lovely issue - lookup in one subdirectory
	  of IPC$ root finding an alias for another subdirectory of said root, triggering
	  d_move() of dentry of the latter.  If the name happens to be long enough to be
	  externally allocated and if dcache_readdir() on root is currently copying it to
	  userland, Bad Things(tm) will happen.  That one almost certainly depends upon the
	  server playing silly buggers and might or might not be possible.  I'm not familiar
	  enough with CIFS to tell.

The first 3 are dealt with by the first commit in that pile; the last one is
not.  That devpts patch of yours would deal with a part of the second bug.
A performance regression comes with fixing the first one, which is also
quite real.  There might be a way to avoid that performance hit,
but it will be harder to backport.

FWIW, some discussion of that fun went in a thread shortly before the merge
window - look for "Possible FS race condition between iterate_dir and
d_alloc_parallel" on fsdevel.  Some of that went off-list, though...

Thread overview: 10+ messages
2019-10-04 14:05 [PATCH] devpts: Fix NULL pointer dereference in dcache_readdir() Christian Brauner
2019-10-04 14:27 ` Al Viro
2019-10-04 14:33   ` Christian Brauner
2019-10-04 15:10     ` Al Viro
2019-10-04 15:25       ` Christian Brauner
2019-10-04 16:02         ` Al Viro [this message]
2019-10-04 16:54           ` [cifs] semantics of IPC$ shares (was Re: [PATCH] devpts: Fix NULL pointer dereference in dcache_readdir()) Al Viro
2019-10-05  2:04             ` Steve French
2019-10-04 16:52   ` [PATCH] devpts: Fix NULL pointer dereference in dcache_readdir() Linus Torvalds
2019-10-04 16:54     ` Linus Torvalds