diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2025-09-16 17:22:45 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2025-11-13 15:37:30 -0500 |
| commit | f5e570eaab36a110c6ffda32b87c51170990c2d1 (patch) | |
| tree | 3fcfa5dced9cb88c4ef10f1fc59bfa40de656636 /fs/nfs | |
| parent | bb612fabf2d41495204db0d4756b92e2bb22339c (diff) | |
| download | linux-f5e570eaab36a110c6ffda32b87c51170990c2d1.tar.gz linux-f5e570eaab36a110c6ffda32b87c51170990c2d1.tar.bz2 linux-f5e570eaab36a110c6ffda32b87c51170990c2d1.zip | |
nfs4_setup_readdir(): insufficient locking for ->d_parent->d_inode dereferencing
[ Upstream commit a890a2e339b929dbd843328f9a92a1625404fe63 ]
Theoretically it's an oopsable race, but I don't believe one can manage
to hit it on real hardware; might become doable on a KVM, but it still
won't be easy to attack.
Anyway, it's easy to deal with - since xdr_encode_hyper() is just a call of
put_unaligned_be64(), we can put that under ->d_lock and be done with that.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Anna Schumaker <anna.schumaker@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs/nfs')
| -rw-r--r-- | fs/nfs/nfs4proc.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c index 4de3e4bd724b..b76da06864e5 100644 --- a/fs/nfs/nfs4proc.c +++ b/fs/nfs/nfs4proc.c @@ -391,7 +391,9 @@ static void nfs4_setup_readdir(u64 cookie, __be32 *verifier, struct dentry *dent *p++ = htonl(attrs); /* bitmap */ *p++ = htonl(12); /* attribute buffer length */ *p++ = htonl(NF4DIR); + spin_lock(&dentry->d_lock); p = xdr_encode_hyper(p, NFS_FILEID(d_inode(dentry->d_parent))); + spin_unlock(&dentry->d_lock); readdir->pgbase = (char *)p - (char *)start; readdir->count -= readdir->pgbase; |