<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/fs/configfs, branch linux-3.4.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>configfs: fix race between dentry put and lookup</title>
<updated>2013-11-29T18:50:37+00:00</updated>
<author>
<name>Junxiao Bi</name>
<email>junxiao.bi@oracle.com</email>
</author>
<published>2013-11-21T22:31:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b4db55f32a9b0172a24fb52143f10609708c17ff'/>
<id>b4db55f32a9b0172a24fb52143f10609708c17ff</id>
<content type='text'>
commit 76ae281f6307331aa063288edb6422ae99f435f0 upstream.

A race window in configfs, it starts from one dentry is UNHASHED and end
before configfs_d_iput is called.  In this window, if a lookup happen,
since the original dentry was UNHASHED, so a new dentry will be
allocated, and then in configfs_attach_attr(), sd-&gt;s_dentry will be
updated to the new dentry.  Then in configfs_d_iput(),
BUG_ON(sd-&gt;s_dentry != dentry) will be triggered and system panic.

sys_open:                     sys_close:
 ...                           fput
                                dput
                                 dentry_kill
                                  __d_drop &lt;--- dentry unhashed here,
                                           but sd-&gt;dentry still point
                                           to this dentry.

 lookup_real
  configfs_lookup
   configfs_attach_attr---&gt; update sd-&gt;s_dentry
                            to new allocated dentry here.

                                   d_kill
                                     configfs_d_iput &lt;--- BUG_ON(sd-&gt;s_dentry != dentry)
                                                     triggered here.

To fix it, change configfs_d_iput to not update sd-&gt;s_dentry if
sd-&gt;s_count &gt; 2, that means there are another dentry is using the sd
beside the one that is going to be put.  Use configfs_dirent_lock in
configfs_attach_attr to sync with configfs_d_iput.

With the following steps, you can reproduce the bug.

1. enable ocfs2, this will mount configfs at /sys/kernel/config and
   fill configure in it.

2. run the following script.
	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms &gt; /dev/null; done &amp;
	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms &gt; /dev/null; done &amp;

Signed-off-by: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 76ae281f6307331aa063288edb6422ae99f435f0 upstream.

A race window in configfs, it starts from one dentry is UNHASHED and end
before configfs_d_iput is called.  In this window, if a lookup happen,
since the original dentry was UNHASHED, so a new dentry will be
allocated, and then in configfs_attach_attr(), sd-&gt;s_dentry will be
updated to the new dentry.  Then in configfs_d_iput(),
BUG_ON(sd-&gt;s_dentry != dentry) will be triggered and system panic.

sys_open:                     sys_close:
 ...                           fput
                                dput
                                 dentry_kill
                                  __d_drop &lt;--- dentry unhashed here,
                                           but sd-&gt;dentry still point
                                           to this dentry.

 lookup_real
  configfs_lookup
   configfs_attach_attr---&gt; update sd-&gt;s_dentry
                            to new allocated dentry here.

                                   d_kill
                                     configfs_d_iput &lt;--- BUG_ON(sd-&gt;s_dentry != dentry)
                                                     triggered here.

To fix it, change configfs_d_iput to not update sd-&gt;s_dentry if
sd-&gt;s_count &gt; 2, that means there are another dentry is using the sd
beside the one that is going to be put.  Use configfs_dirent_lock in
configfs_attach_attr to sync with configfs_d_iput.

With the following steps, you can reproduce the bug.

1. enable ocfs2, this will mount configfs at /sys/kernel/config and
   fill configure in it.

2. run the following script.
	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms &gt; /dev/null; done &amp;
	while [ 1 ]; do cat /sys/kernel/config/cluster/$your_cluster_name/idle_timeout_ms &gt; /dev/null; done &amp;

Signed-off-by: Junxiao Bi &lt;junxiao.bi@oracle.com&gt;
Cc: Joel Becker &lt;jlbec@evilplan.org&gt;
Cc: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
Signed-off-by: Andrew Morton &lt;akpm@linux-foundation.org&gt;
Signed-off-by: Linus Torvalds &lt;torvalds@linux-foundation.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>make configfs_pin_fs() return root dentry on success</title>
<updated>2012-03-21T01:29:48+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-03-17T20:53:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2a152ad3a58508b06b9e0482e68117a79bbb27ce'/>
<id>2a152ad3a58508b06b9e0482e68117a79bbb27ce</id>
<content type='text'>
... and make configfs_mnt static

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
... and make configfs_mnt static

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>configfs: configfs_create_dir() has parent dentry in dentry-&gt;d_parent</title>
<updated>2012-03-21T01:29:47+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-03-17T20:49:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0dd6c08a0042ed83037cf5c772d9066e33046427'/>
<id>0dd6c08a0042ed83037cf5c772d9066e33046427</id>
<content type='text'>
no need to play sick games with parent item, internal mount, etc.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
no need to play sick games with parent item, internal mount, etc.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>configfs: sanitize configfs_create()</title>
<updated>2012-03-21T01:29:47+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-03-17T20:41:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=16d13b59b5b85ebc91de6c889716fa6e7766237f'/>
<id>16d13b59b5b85ebc91de6c889716fa6e7766237f</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>configfs: kill configfs_sb</title>
<updated>2012-03-21T01:29:47+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-03-17T20:24:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b7c177fcd2022ca8572284deb8f9b6ab5730eafb'/>
<id>b7c177fcd2022ca8572284deb8f9b6ab5730eafb</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>configfs: don't bother with checks for mkdir/rmdir/unlink/symlink in root</title>
<updated>2012-03-21T01:29:46+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-03-17T20:13:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=81d44ed159e3e81f7e62cee2d0fe68aae0c95e78'/>
<id>81d44ed159e3e81f7e62cee2d0fe68aae0c95e78</id>
<content type='text'>
just give root directory separate inode_operations without all those
methods...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
just give root directory separate inode_operations without all those
methods...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>switch open-coded instances of d_make_root() to new helper</title>
<updated>2012-03-21T01:29:35+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2012-01-09T03:15:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=48fde701aff662559b38d9a609574068f22d00fe'/>
<id>48fde701aff662559b38d9a609574068f22d00fe</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>configfs: convert to umode_t</title>
<updated>2012-01-04T03:54:57+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2011-07-25T04:05:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=439475140bed762c04567c325d48409862341ae4'/>
<id>439475140bed762c04567c325d48409862341ae4</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>switch vfs_mkdir() and -&gt;mkdir() to umode_t</title>
<updated>2012-01-04T03:54:53+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2011-07-26T05:41:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=18bb1db3e7607e4a997d50991a6f9fa5b0f8722c'/>
<id>18bb1db3e7607e4a997d50991a6f9fa5b0f8722c</id>
<content type='text'>
vfs_mkdir() gets int, but immediately drops everything that might not
fit into umode_t and that's the only caller of -&gt;mkdir()...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
vfs_mkdir() gets int, but immediately drops everything that might not
fit into umode_t and that's the only caller of -&gt;mkdir()...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>vfs: live vfsmounts never have NULL -&gt;mnt_sb</title>
<updated>2012-01-04T03:52:42+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2011-12-09T04:01:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c972b4bc8331b432f51a5f1bc3ca7e020172717f'/>
<id>c972b4bc8331b432f51a5f1bc3ca7e020172717f</id>
<content type='text'>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
