This is a note to let you know that I've just added the patch titled configfs: fix a race in configfs_lookup() to the 5.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: configfs-fix-a-race-in-configfs_lookup.patch and it can be found in the queue-5.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From c42dd069be8dfc9b2239a5c89e73bbd08ab35de0 Mon Sep 17 00:00:00 2001 From: Sishuai Gong <sishuai@xxxxxxxxxx> Date: Wed, 25 Aug 2021 07:52:20 +0200 Subject: configfs: fix a race in configfs_lookup() From: Sishuai Gong <sishuai@xxxxxxxxxx> commit c42dd069be8dfc9b2239a5c89e73bbd08ab35de0 upstream. When configfs_lookup() is executing list_for_each_entry(), it is possible that configfs_dir_lseek() is calling list_del(). Some unfortunate interleavings of them can cause a kernel NULL pointer dereference error Thread 1 Thread 2 //configfs_dir_lseek() //configfs_lookup() list_del(&cursor->s_sibling); list_for_each_entry(sd, ...) Fix this by grabbing configfs_dirent_lock in configfs_lookup() while iterating ->s_children. Signed-off-by: Sishuai Gong <sishuai@xxxxxxxxxx> Signed-off-by: Christoph Hellwig <hch@xxxxxx> Signed-off-by: Kyle Zeng <zengyhkyle@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/configfs/dir.c | 2 ++ 1 file changed, 2 insertions(+) --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -479,6 +479,7 @@ static struct dentry * configfs_lookup(s if (!configfs_dirent_is_ready(parent_sd)) goto out; + spin_lock(&configfs_dirent_lock); list_for_each_entry(sd, &parent_sd->s_children, s_sibling) { if (sd->s_type & CONFIGFS_NOT_PINNED) { const unsigned char * name = configfs_get_name(sd); 
@@ -491,6 +492,7 @@ static struct dentry * configfs_lookup(s break; } } + spin_unlock(&configfs_dirent_lock); if (!found) { /* Patches currently in stable-queue which might be from sishuai@xxxxxxxxxx are queue-5.10/configfs-fix-a-race-in-configfs_lookup.patch
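Review bot: In the first hunk (@@ -479,6 +479,7), spin_lock(&configfs_dirent_lock) is taken immediately before list_for_each_entry(), so the whole loop body now runs in atomic context. The diff shows only the first lines of that body (the configfs_get_name(sd) call); the lines between the two hunks are not in the patch. For this 5.10 backport, please confirm that nothing called from the loop body can sleep or take configfs_dirent_lock again. If anything does, narrow the locked region to the name match and do the remaining work after spin_unlock(). The configfs_dirent_is_ready(parent_sd) check also sits above the lock and is not covered by it; a short comment saying why that is acceptable would help.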
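Review bot: In the second hunk (@@ -491,6 +492,7), spin_unlock(&configfs_dirent_lock) is placed only after the loop's closing brace, so lock and unlock pair up only if every exit from the loop is the visible break or normal termination. The loop body between the hunks is not shown; please confirm it contains no return or goto that would leave the function with the lock held. The if (!found) block that follows runs unlocked, so if sd is used after this point, the entry has to be kept alive by something other than configfs_dirent_lock, for example a reference taken inside the locked region, and that deserves a comment.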