[18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller

Message ID	20250110024303.4157645-18-viro@zeniv.linux.org.uk (mailing list archive)
State	New
Headers	show Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [62.89.141.173]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id EAAAD1E32B3; Fri, 10 Jan 2025 02:43:06 +0000 (UTC) From: Al Viro <viro@zeniv.linux.org.uk> To: linux-fsdevel@vger.kernel.org Cc: agruenba@redhat.com, amir73il@gmail.com, brauner@kernel.org, ceph-devel@vger.kernel.org, dhowells@redhat.com, hubcap@omnibond.com, jack@suse.cz, krisman@kernel.org, linux-nfs@vger.kernel.org, miklos@szeredi.hu, torvalds@linux-foundation.org Subject: [PATCH 18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller Date: Fri, 10 Jan 2025 02:43:01 +0000 Message-ID: <20250110024303.4157645-18-viro@zeniv.linux.org.uk> In-Reply-To: <20250110024303.4157645-1-viro@zeniv.linux.org.uk> References: <20250110023854.GS1977892@ZenIV> <20250110024303.4157645-1-viro@zeniv.linux.org.uk> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: Al Viro <viro@ftp.linux.org.uk>
Series	[01/20] make sure that DNAME_INLINE_LEN is a multiple of word size \| expand [01/20] make sure that DNAME_INLINE_LEN is a multiple of word size [02/20] dcache: back inline names with a struct-wrapped array of unsigned long [03/20] make take_dentry_name_snapshot() lockless [04/20] dissolve external_name.u into separate members [05/20] ext4 fast_commit: make use of name_snapshot primitives [06/20] generic_ci_d_compare(): use shortname_storage [07/20] Pass parent directory inode and expected name to ->d_revalidate() [08/20] afs_d_revalidate(): use stable name and parent inode passed by caller [09/20] ceph_d_revalidate(): use stable parent inode passed by caller [10/20] ceph_d_revalidate(): propagate stable name down into request enconding [11/20] fscrypt_d_revalidate(): use stable parent inode passed by caller [12/20] exfat_d_revalidate(): use stable parent inode passed by caller [13/20] vfat_revalidate{,_ci}(): use stable parent inode passed by caller [14/20] fuse_dentry_revalidate(): use stable parent inode and name passed by caller [15/20] gfs2_drevalidate(): use stable parent inode and name passed by caller [16/20] nfs{,4}_lookup_validate(): use stable parent inode passed by caller [17/20] nfs: fix ->d_revalidate() UAF on ->d_name accesses [18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller [19/20] orangefs_d_revalidate(): use stable parent inode and name passed by caller [20/20] 9p: fix ->rename_sem exclusion

Message ID

20250110024303.4157645-18-viro@zeniv.linux.org.uk (mailing list archive)

State

New

Headers

From: Al Viro <viro@zeniv.linux.org.uk>
To: linux-fsdevel@vger.kernel.org
Cc: agruenba@redhat.com,
	amir73il@gmail.com,
	brauner@kernel.org,
	ceph-devel@vger.kernel.org,
	dhowells@redhat.com,
	hubcap@omnibond.com,
	jack@suse.cz,
	krisman@kernel.org,
	linux-nfs@vger.kernel.org,
	miklos@szeredi.hu,
	torvalds@linux-foundation.org
Subject: [PATCH 18/20] ocfs2_dentry_revalidate(): use stable parent inode and
 name passed by caller
Date: Fri, 10 Jan 2025 02:43:01 +0000
Message-ID: <20250110024303.4157645-18-viro@zeniv.linux.org.uk>
In-Reply-To: <20250110024303.4157645-1-viro@zeniv.linux.org.uk>
References: <20250110023854.GS1977892@ZenIV>
 <20250110024303.4157645-1-viro@zeniv.linux.org.uk>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: Al Viro <viro@ftp.linux.org.uk>

Series

[01/20] make sure that DNAME_INLINE_LEN is a multiple of word size | expand

theoretically, ->d_name use in there is a UAF, but only if you are messing with tracepoints... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> --- fs/ocfs2/dcache.c | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-)

Comments

Jan Kara Jan. 10, 2025, 9:54 a.m. UTC | #1

On Fri 10-01-25 02:43:01, Al Viro wrote:
> theoretically, ->d_name use in there is a UAF, but only if you are messing with
> tracepoints...
> 
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> ---
>  fs/ocfs2/dcache.c | 11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c
> index ecb1ce6301c4..1873bbbb7e5b 100644
> --- a/fs/ocfs2/dcache.c
> +++ b/fs/ocfs2/dcache.c
> @@ -45,8 +45,7 @@ static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
>  	inode = d_inode(dentry);
>  	osb = OCFS2_SB(dentry->d_sb);
>  
> -	trace_ocfs2_dentry_revalidate(dentry, dentry->d_name.len,
> -				      dentry->d_name.name);
> +	trace_ocfs2_dentry_revalidate(dentry, name->len, name->name);
>  
>  	/* For a negative dentry -
>  	 * check the generation number of the parent and compare with the
> @@ -54,12 +53,8 @@ static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
>  	 */
>  	if (inode == NULL) {
>  		unsigned long gen = (unsigned long) dentry->d_fsdata;
> -		unsigned long pgen;
> -		spin_lock(&dentry->d_lock);
> -		pgen = OCFS2_I(d_inode(dentry->d_parent))->ip_dir_lock_gen;
> -		spin_unlock(&dentry->d_lock);
> -		trace_ocfs2_dentry_revalidate_negative(dentry->d_name.len,
> -						       dentry->d_name.name,
> +		unsigned long pgen = OCFS2_I(dir)->ip_dir_lock_gen;
> +		trace_ocfs2_dentry_revalidate_negative(name->len, name->name,
>  						       pgen, gen);
>  		if (gen != pgen)
>  			goto bail;
> -- 
> 2.39.5
>

diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c
index ecb1ce6301c4..1873bbbb7e5b 100644
--- a/fs/ocfs2/dcache.c
+++ b/fs/ocfs2/dcache.c
@@ -45,8 +45,7 @@  static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
 	inode = d_inode(dentry);
 	osb = OCFS2_SB(dentry->d_sb);
 
-	trace_ocfs2_dentry_revalidate(dentry, dentry->d_name.len,
-				      dentry->d_name.name);
+	trace_ocfs2_dentry_revalidate(dentry, name->len, name->name);
 
 	/* For a negative dentry -
 	 * check the generation number of the parent and compare with the
@@ -54,12 +53,8 @@  static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
 	 */
 	if (inode == NULL) {
 		unsigned long gen = (unsigned long) dentry->d_fsdata;
-		unsigned long pgen;
-		spin_lock(&dentry->d_lock);
-		pgen = OCFS2_I(d_inode(dentry->d_parent))->ip_dir_lock_gen;
-		spin_unlock(&dentry->d_lock);
-		trace_ocfs2_dentry_revalidate_negative(dentry->d_name.len,
-						       dentry->d_name.name,
+		unsigned long pgen = OCFS2_I(dir)->ip_dir_lock_gen;
+		trace_ocfs2_dentry_revalidate_negative(name->len, name->name,
 						       pgen, gen);
 		if (gen != pgen)
 			goto bail;

[18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller

Commit Message

Comments

Patch