[21/74] sysfs: fix race between readdir and lseek

[Ben Hutchings]

3.2.43-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ming Lei 

commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream.

While readdir() is running, lseek() may set filp->f_pos as zero,
then may leave filp->private_data pointing to one sysfs_dirent
object without holding its reference counter, so the sysfs_dirent
object may be used after free in next readdir().

This patch holds inode->i_mutex to avoid the problem since
the lock is always held in readdir path.

Reported-by: Dave Jones 
Tested-by: Sasha Levin 
Signed-off-by: Ming Lei 
Signed-off-by: Greg Kroah-Hartman 
[bwh: Backported to 3.2: open-code file_inode() which we don't have]
Signed-off-by: Ben Hutchings 
---
 fs/sysfs/dir.c |   13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1023,10 +1023,21 @@ static int sysfs_readdir(struct file * f
return 0;
 }
 
+static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence)
+{
+   struct inode *inode = file->f_path.dentry->d_inode;
+   loff_t ret;
+
+   mutex_lock(>i_mutex);
+   ret = generic_file_llseek(file, offset, whence);
+   mutex_unlock(>i_mutex);
+
+   return ret;
+}
 
 const struct file_operations sysfs_dir_operations = {
.read   = generic_read_dir,
.readdir= sysfs_readdir,
.release= sysfs_dir_release,
-   .llseek = generic_file_llseek,
+   .llseek = sysfs_dir_llseek,
 };

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[21/74] sysfs: fix race between readdir and lseek

[Ben Hutchings]

3.2.43-rc1 review patch.  If anyone has any objections, please let me know.

--

From: Ming Lei ming@canonical.com

commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream.

While readdir() is running, lseek() may set filp-f_pos as zero,
then may leave filp-private_data pointing to one sysfs_dirent
object without holding its reference counter, so the sysfs_dirent
object may be used after free in next readdir().

This patch holds inode-i_mutex to avoid the problem since
the lock is always held in readdir path.

Reported-by: Dave Jones da...@redhat.com
Tested-by: Sasha Levin levinsasha...@gmail.com
Signed-off-by: Ming Lei ming@canonical.com
Signed-off-by: Greg Kroah-Hartman gre...@linuxfoundation.org
[bwh: Backported to 3.2: open-code file_inode() which we don't have]
Signed-off-by: Ben Hutchings b...@decadent.org.uk
---
 fs/sysfs/dir.c |   13 -
 1 file changed, 12 insertions(+), 1 deletion(-)

--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1023,10 +1023,21 @@ static int sysfs_readdir(struct file * f
return 0;
 }
 
+static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence)
+{
+   struct inode *inode = file-f_path.dentry-d_inode;
+   loff_t ret;
+
+   mutex_lock(inode-i_mutex);
+   ret = generic_file_llseek(file, offset, whence);
+   mutex_unlock(inode-i_mutex);
+
+   return ret;
+}
 
 const struct file_operations sysfs_dir_operations = {
.read   = generic_read_dir,
.readdir= sysfs_readdir,
.release= sysfs_dir_release,
-   .llseek = generic_file_llseek,
+   .llseek = sysfs_dir_llseek,
 };

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/