From: Darrick J. Wong <djwong@xxxxxxxxxx>
Wrap the xfs_attr_get_ilocked call in xfs_attr_get with an empty
transaction so that we cannot livelock the kernel if someone injects a
loop into the attr structure or the attr fork bmbt.
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
fs/xfs/libxfs/xfs_attr.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
diff --git a/fs/xfs/libxfs/xfs_attr.c b/fs/xfs/libxfs/xfs_attr.c
index b841096947acb..e0be8d0c1ffdc 100644
--- a/fs/xfs/libxfs/xfs_attr.c
+++ b/fs/xfs/libxfs/xfs_attr.c
@@ -274,6 +274,8 @@ xfs_attr_get(
XFS_STATS_INC(args->dp->i_mount, xs_attr_get);
+ ASSERT(!args->trans);
+
if (xfs_is_shutdown(args->dp->i_mount))
return -EIO;
@@ -286,8 +288,27 @@ xfs_attr_get(
/* Entirely possible to look up a name which doesn't exist */
args->op_flags = XFS_DA_OP_OKNOENT;
+ error = xfs_trans_alloc_empty(args->dp->i_mount, &args->trans);
+ if (error)
+ return error;
+
lock_mode = xfs_ilock_attr_map_shared(args->dp);
+
+ /*
+ * Make sure the attr fork iext tree is loaded. Use the empty
+ * transaction to load the bmbt so that we avoid livelocking on loops.
+ */
+ if (xfs_inode_hasattr(args->dp)) {
+ error = xfs_iread_extents(args->trans, args->dp, XFS_ATTR_FORK);
+ if (error)
+ goto out_cancel;
+ }
+
error = xfs_attr_get_ilocked(args);
+
+out_cancel:
+ xfs_trans_cancel(args->trans);
+ args->trans = NULL;
xfs_iunlock(args->dp, lock_mode);
return error;
