| From: Ming Lei <ming.lei@canonical.com> |
| Date: Wed, 20 Mar 2013 23:25:24 +0800 |
| Subject: sysfs: fix race between readdir and lseek |
| |
| commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream. |
| |
| While readdir() is running, lseek() may set filp->f_pos to zero and |
| leave filp->private_data pointing to a sysfs_dirent object without |
| holding a reference on it, so the next readdir() may use that |
| sysfs_dirent object after it has been freed. |
| |
| This patch holds inode->i_mutex to avoid the problem since |
| the lock is always held in readdir path. |
| |
| Reported-by: Dave Jones <davej@redhat.com> |
| Tested-by: Sasha Levin <levinsasha928@gmail.com> |
| Signed-off-by: Ming Lei <ming.lei@canonical.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| [bwh: Backported to 3.2: open-code file_inode() which we don't have] |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| fs/sysfs/dir.c | 13 ++++++++++++- |
| 1 file changed, 12 insertions(+), 1 deletion(-) |
| |
| --- a/fs/sysfs/dir.c |
| +++ b/fs/sysfs/dir.c |
| @@ -1023,10 +1023,21 @@ static int sysfs_readdir(struct file * f |
| return 0; |
| } |
| |
| +static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence) |
| +{ |
| + struct inode *inode = file->f_path.dentry->d_inode; |
| + loff_t ret; |
| + |
| + mutex_lock(&inode->i_mutex); |
| + ret = generic_file_llseek(file, offset, whence); |
| + mutex_unlock(&inode->i_mutex); |
| + |
| + return ret; |
| +} |
| |
| const struct file_operations sysfs_dir_operations = { |
| .read = generic_read_dir, |
| .readdir = sysfs_readdir, |
| .release = sysfs_dir_release, |
| - .llseek = generic_file_llseek, |
| + .llseek = sysfs_dir_llseek, |
| }; |
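Review bot: The new sysfs_dir_llseek() gives no hint of why it wraps generic_file_llseek() in i_mutex, and nothing in the function body makes the readdir() race visible, so a later cleanup could plausibly switch .llseek back to generic_file_llseek and silently reintroduce the use-after-free. A one-line comment above the function would pin the intent: `/* Take i_mutex so lseek() cannot reset f_pos while sysfs_readdir(), which runs under i_mutex, still relies on the sysfs_dirent cached in file->private_data. */`. It is also worth confirming that generic_file_llseek() in this 3.2 tree does not itself take i_mutex, since the mutex is not recursive and the backport note only mentions the file_inode() substitution; that cannot be verified from this hunk. The `return 0; }` at the top of the hunk is the tail of sysfs_readdir(), whose body starts outside the hunk.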