| From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001 |
| From: Al Viro <viro@zeniv.linux.org.uk> |
| Date: Wed, 17 Oct 2018 15:23:26 +0100 |
| Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) |
| |
| From: Al Viro <viro@zeniv.linux.org.uk> |
| |
| commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream. |
| |
| the victim might've been rmdir'ed just before the lock_rename(); |
| unlike the normal callers, we do not look the source up after the |
| parents are locked - we know it beforehand and just recheck that it's |
| still the child of what used to be its parent. Unfortunately, |
| the check is too weak - we don't spot a dead directory since its |
| ->d_parent is unchanged, dentry is positive, etc. So we sail all |
| the way to ->rename(), with hosting filesystems _not_ expecting |
| to be asked renaming an rmdir'ed subdirectory. |
| |
| The fix is easy, fortunately - the lock on parent is sufficient for |
| making IS_DEADDIR() on child safe. |
| |
| Cc: stable@vger.kernel.org |
| Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem) |
| Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
| Signed-off-by: David Howells <dhowells@redhat.com> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| fs/cachefiles/namei.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/fs/cachefiles/namei.c |
| +++ b/fs/cachefiles/namei.c |
| @@ -340,7 +340,7 @@ try_again: |
| trap = lock_rename(cache->graveyard, dir); |
| |
| /* do some checks before getting the grave dentry */ |
| - if (rep->d_parent != dir) { |
| + if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) { |
| /* the entry was probably culled when we dropped the parent dir |
| * lock */ |
| unlock_rename(cache->graveyard, dir); |