Hi all, This series fixes a use-after-free bug that syzbot uncovered. The UAF itself is a result of a race condition between getxattr and removexattr because callers to getxattr do not necessarily take any sort of locks before calling into the filesystem. Although the race condition itself can be fixed through clever use of a memory barrier, further consideration of the use cases of extended attributes shows that most files always have at least one attribute, so we might as well make them permanent. If you're going to start using this mess, you probably ought to just pull from my git trees, which are linked below. This is an extraordinary way to destroy everything. Enjoy! Comments and questions are, as always, welcome. --D kernel git tree: https://git.kernel.org/cgit/linux/kernel/git/djwong/xfs-linux.git/log/?h=make-attr-fork-permanent-5.20 --- fs/xfs/libxfs/xfs_attr.c | 16 ++++---- fs/xfs/libxfs/xfs_attr.h | 10 +++-- fs/xfs/libxfs/xfs_attr_leaf.c | 27 +++++++------- fs/xfs/libxfs/xfs_bmap.c | 71 ++++++++++++++++++------------------ fs/xfs/libxfs/xfs_bmap_btree.c | 8 ++-- fs/xfs/libxfs/xfs_btree.c | 4 +- fs/xfs/libxfs/xfs_dir2_block.c | 2 + fs/xfs/libxfs/xfs_dir2_sf.c | 2 + fs/xfs/libxfs/xfs_inode_buf.c | 7 ++-- fs/xfs/libxfs/xfs_inode_fork.c | 55 ++++++++++++++++------------ fs/xfs/libxfs/xfs_inode_fork.h | 11 ++---- fs/xfs/libxfs/xfs_symlink_remote.c | 2 + fs/xfs/scrub/bmap.c | 14 ++++--- fs/xfs/scrub/dabtree.c | 2 + fs/xfs/scrub/dir.c | 2 + fs/xfs/scrub/quota.c | 2 + fs/xfs/scrub/symlink.c | 2 + fs/xfs/xfs_attr_inactive.c | 12 ++---- fs/xfs/xfs_attr_list.c | 9 ++--- fs/xfs/xfs_bmap_util.c | 12 +++--- fs/xfs/xfs_dir2_readdir.c | 2 + fs/xfs/xfs_icache.c | 12 +++--- fs/xfs/xfs_inode.c | 18 +++++---- fs/xfs/xfs_inode.h | 22 +++++++++++ fs/xfs/xfs_inode_item.c | 50 +++++++++++++------------ fs/xfs/xfs_ioctl.c | 2 + fs/xfs/xfs_iomap.c | 8 ++-- fs/xfs/xfs_itable.c | 2 + fs/xfs/xfs_qm.c | 2 + fs/xfs/xfs_reflink.c | 6 ++- 30 files changed, 203 insertions(+), 191 deletions(-)
