Patch "cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)" has been added to the 3.18-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Thu, 08 Nov 2018 09:35:32 -0800

This is a note to let you know that I've just added the patch titled

    cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)

to the 3.18-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
and it can be found in the queue-3.18 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From 169b803397499be85bdd1e3d07d6f5e3d4bd669e Mon Sep 17 00:00:00 2001
From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Date: Wed, 17 Oct 2018 15:23:26 +0100
Subject: cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)

From: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

commit 169b803397499be85bdd1e3d07d6f5e3d4bd669e upstream.

the victim might've been rmdir'ed just before the lock_rename();
unlike the normal callers, we do not look the source up after the
parents are locked - we know it beforehand and just recheck that it's
still the child of what used to be its parent.  Unfortunately,
the check is too weak - we don't spot a dead directory since its
->d_parent is unchanged, dentry is positive, etc.  So we sail all
the way to ->rename(), with hosting filesystems _not_ expecting
to be asked renaming an rmdir'ed subdirectory.

The fix is easy, fortunately - the lock on parent is sufficient for
making IS_DEADDIR() on child safe.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: 9ae326a69004 (CacheFiles: A cache that backs onto a mounted filesystem)
Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/cachefiles/namei.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -317,7 +317,7 @@ try_again:
 	trap = lock_rename(cache->graveyard, dir);
 
 	/* do some checks before getting the grave dentry */
-	if (rep->d_parent != dir) {
+	if (rep->d_parent != dir || IS_DEADDIR(d_inode(rep))) {
 		/* the entry was probably culled when we dropped the parent dir
 		 * lock */
 		unlock_rename(cache->graveyard, dir);


Patches currently in stable-queue which might be from viro@xxxxxxxxxxxxxxxxxx are

queue-3.18/cachefiles-fix-the-race-between-cachefiles_bury_object-and-rmdir-2.patch
queue-3.18/vfs-make-sendfile-2-killable-even-better.patch






