[21/74] sysfs: fix race between readdir and lseek
3.2.43-rc1 review patch. If anyone has any objections, please let me know.

--

From: Ming Lei

commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream.

While readdir() is running, lseek() may set filp->f_pos as zero, then may leave filp->private_data pointing to one sysfs_dirent object without holding its reference counter, so the sysfs_dirent object may be used after free in next readdir().

This patch holds inode->i_mutex to avoid the problem since the lock is always held in readdir path.

Reported-by: Dave Jones
Tested-by: Sasha Levin
Signed-off-by: Ming Lei
Signed-off-by: Greg Kroah-Hartman
[bwh: Backported to 3.2: open-code file_inode() which we don't have]
Signed-off-by: Ben Hutchings

--- fs/sysfs/dir.c | 13 - 1 file changed, 12 insertions(+), 1 deletion(-) --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c @@ -1023,10 +1023,21 @@ static int sysfs_readdir(struct file * f return 0; } +static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence) +{ + struct inode *inode = file->f_path.dentry->d_inode; + loff_t ret; + + mutex_lock(>i_mutex); + ret = generic_file_llseek(file, offset, whence); + mutex_unlock(>i_mutex); + + return ret; +} const struct file_operations sysfs_dir_operations = { .read = generic_read_dir, .readdir= sysfs_readdir, .release= sysfs_dir_release, - .llseek = generic_file_llseek, + .llseek = sysfs_dir_llseek, };
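Review bot: sysfs_dir_llseek() takes i_mutex with no comment saying why, and nothing in the hunk shows where the readdir side takes the same lock; the changelog only says it is "always held in readdir path". A short comment above the function stating that the mutex serializes the f_pos update against sysfs_readdir() and its use of filp->private_data would keep a later cleanup from pointing .llseek back at generic_file_llseek. Separately, in this copy the lock calls read mutex_lock(>i_mutex) and mutex_unlock(>i_mutex); going by the changelog and the inode variable declared at the top of the function, the argument is that inode's i_mutex, so compare the applied backport against the upstream commit rather than this rendering.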