On Thu, Jan 23, 2020 at 08:12:34PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Since ->d_compare() and ->d_hash() can be called in RCU-walk mode,
> ->d_parent and ->d_inode can be concurrently modified, and in
> particular, ->d_inode may be changed to NULL. For ext4_d_hash() this
> resulted in a reproducible NULL dereference if a lookup is done in a
> directory being deleted, e.g. with:
>
> int main()
> {
> if (fork()) {
> for (;;) {
> mkdir("subdir", 0700);
> rmdir("subdir");
> }
> } else {
> for (;;)
> access("subdir/file", 0);
> }
> }
>
> ... or by running the 't_encrypted_d_revalidate' program from xfstests.
> Both repros work in any directory on a filesystem with the encoding
> feature, even if the directory doesn't actually have the casefold flag.
>
> I couldn't reproduce a crash in ext4_d_compare(), but it appears that a
> similar crash is possible there.
>
> Fix these bugs by reading ->d_parent and ->d_inode using READ_ONCE() and
> falling back to the case sensitive behavior if the inode is NULL.
>
> Reported-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Fixes: b886ee3e778e ("ext4: Support case-insensitive file name lookups")
> Cc: <stable@xxxxxxxxxxxxxxx> # v5.2+
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Thanks, applied.
- Ted
