[Patch] Couple of races on MIPS.
Alexander Viro (viro@math.psu.edu)
Thu, 18 Feb 1999 00:10:48 -0500 (EST)
Ralf, Linus - sorry for bothering you, but we have Yet Another
Race(tm). irix_ngetdents(), irix_getdents64() and irix_ngetdents64()
call ->readdir() method without holding the lock on directory inode.
With obvious results - race with about anything, starting from creat().
Trivial patch follows:
--- arch/mips/kernel/sysirix.c Tue Feb 16 11:54:51 1999
+++ arch/mips/kernel/sysirix.c.new Thu Feb 18 00:01:08 1999
@@ -2066,7 +2066,9 @@
buf.count = count;
buf.error = 0;
+ down(&inode->i_sem);
error = file->f_op->readdir(file, &buf, irix_filldir32);
+ up(&inode->i_sem);
if (error < 0)
goto out;
lastdirent = buf.previous;
@@ -2178,7 +2180,9 @@
buf.previous = NULL;
buf.count = cnt;
buf.error = 0;
+ down(&inode->i_sem);
error = file->f_op->readdir(file, &buf, irix_filldir64);
+ up(&inode->i_sem);
if (error < 0)
goto out;
lastdirent = buf.previous;
@@ -2241,7 +2245,9 @@
buf.previous = NULL;
buf.count = cnt;
buf.error = 0;
+ down(&inode->i_sem);
error = file->f_op->readdir(file, &buf, irix_filldir64);
+ up(&inode->i_sem);
if (error < 0)
goto out;
lastdirent = buf.previous;
Apply it, please. There *may* be another similar specimen in CODA,
but it's trickier and I'm not sure that it's a real bug - we may be
protected in a different way there. Bugs above are directly exploitable.
Cheers,
Al
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/