Re: [PATCH v2] ntfs: serialize attribute-list replacement with lookups
From: Cen Zhang
Date: Sun Jun 28 2026 - 23:26:40 EST
Hi Hyunchul,
Hyunchul Lee <hyc.lee@xxxxxxxxx> wrote on Mon, Jun 29, 2026 at 08:29:
>
> I reviewed and noticed a few concurrency issues.
>
> * ntfs_attr_lookup() releases the read lock before returning, which leaves
> the ctx->al_entry unprotected during the lifetime of the search context.
>
> * In some functions such as ntfs_attrlist_entry_add(), the memcpy()
> reads base_ni->attr_list outside of the write lock. If another thread
> frees it concurrently, this leads to a UAF.
>
> To resolve these issues, how about coupling the attr_list_lock directly
> with the search context?
>
> * Extend ntfs_attr_get_search_ctx with a lock mode (NONE, READ, WRITE)
> to automatically acquire the lock upon context creation and release
> it in ntfs_attr_put_search_ctx().
>
> * To prevent deadlocks, the following lock ordering is needed:
> base_ni->mrec_lock => base_ni->attr_list_lock => ni->runlist.lock.
> And to prevent nesting attr_list_lock under runlist.lock, the NONE
> mode bypasses context-owned locking and is required for paths
> that must control ordering manually (e.g., ntfs_attr_vcn_to_lcn_nlock()).
>
Thanks so much for your review and detailed suggestions.
I see the concurrency issues you pointed out and agree with the
concerns. I will revise v3 accordingly.
Best regards,
Cen Zhang
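Added example, not part of this thread or of the ntfs driver: a single-task C model of the design Hyunchul describes, where the search context owns attr_list_lock according to a NONE/READ/WRITE mode and every acquisition is checked against the ordering mrec_lock => attr_list_lock => runlist.lock. The lock names follow the discussion; the structures, the rank-based order check and every function name (get_search_ctx, put_search_ctx, scenario_*) are hypothetical stand-ins, not kernel APIs. It shows why a path that already holds runlist.lock must use NONE mode: a READ or WRITE context there would take attr_list_lock inside runlist.lock, which the order check rejects.

```c
/* Single-task model of context-owned locking with a lock-order check.
 * Hypothetical code for illustration; none of these names are driver APIs. */
#include <stddef.h>
#include <stdio.h>

enum lock_mode { LOCK_NONE, LOCK_READ, LOCK_WRITE };

struct model_lock {
    const char *name;
    int rank;      /* position in the required ordering, 1 = outermost */
    int readers;   /* read holders (single task, so 0 or 1 in practice) */
    int writer;    /* 1 while held for write */
};

/* Ordering from the review: mrec_lock => attr_list_lock => runlist.lock */
static struct model_lock mrec_lock      = { "mrec_lock",      1, 0, 0 };
static struct model_lock attr_list_lock = { "attr_list_lock", 2, 0, 0 };
static struct model_lock runlist_lock   = { "runlist.lock",   3, 0, 0 };

/* Stack of locks currently held by the modelled task, outermost first. */
#define MAX_HELD 8
static const struct model_lock *held[MAX_HELD];
static int nheld;

/* Returns 0 on success, -1 on an ordering violation (a lock of rank <=
 * the innermost held lock), -2 if the lock is already held incompatibly. */
static int model_lock_acquire(struct model_lock *l, enum lock_mode mode)
{
    if (mode == LOCK_NONE)
        return 0;
    if (nheld > 0 && l->rank <= held[nheld - 1]->rank)
        return -1;
    if (l->writer || (mode == LOCK_WRITE && l->readers))
        return -2;
    if (mode == LOCK_WRITE)
        l->writer = 1;
    else
        l->readers++;
    held[nheld++] = l;
    return 0;
}

static void model_lock_release(struct model_lock *l, enum lock_mode mode)
{
    if (mode == LOCK_NONE)
        return;
    if (mode == LOCK_WRITE)
        l->writer = 0;
    else
        l->readers--;
    if (nheld > 0 && held[nheld - 1] == l)   /* releases are LIFO here */
        nheld--;
}

/* Constructed stand-in for base_ni->attr_list. */
static const char attr_list_buf[] = "constructed attribute list";

struct search_ctx {
    enum lock_mode mode;
    const char *al_entry;   /* only valid while the context holds the lock */
};

/* The context acquires attr_list_lock in the requested mode on creation... */
static int get_search_ctx(struct search_ctx *ctx, enum lock_mode mode)
{
    int rc = model_lock_acquire(&attr_list_lock, mode);
    if (rc)
        return rc;
    ctx->mode = mode;
    ctx->al_entry = attr_list_buf;
    return 0;
}

/* ...and releases it when the context is put, invalidating al_entry. */
static void put_search_ctx(struct search_ctx *ctx)
{
    ctx->al_entry = NULL;
    model_lock_release(&attr_list_lock, ctx->mode);
    ctx->mode = LOCK_NONE;
}

/* A path that respects the ordering: mrec_lock first, then a READ context. */
int scenario_ordered_lookup(void)
{
    struct search_ctx ctx;
    int rc;
    if (model_lock_acquire(&mrec_lock, LOCK_WRITE))
        return -100;
    rc = get_search_ctx(&ctx, LOCK_READ);
    if (rc == 0)
        put_search_ctx(&ctx);
    model_lock_release(&mrec_lock, LOCK_WRITE);
    return rc;
}

/* A path that already holds runlist.lock and then needs a context:
 * READ/WRITE trip the order check (-1); only NONE mode passes. */
int scenario_under_runlist(enum lock_mode mode)
{
    struct search_ctx ctx;
    int rc;
    if (model_lock_acquire(&runlist_lock, LOCK_READ))
        return -100;
    rc = get_search_ctx(&ctx, mode);
    if (rc == 0)
        put_search_ctx(&ctx);
    model_lock_release(&runlist_lock, LOCK_READ);
    return rc;
}

/* Readers still registered on attr_list_lock; 0 means every put released. */
int attr_list_readers_outstanding(void)
{
    return attr_list_lock.readers;
}

int main(void)
{
    printf("ordered lookup: %d\n", scenario_ordered_lookup());
    printf("READ ctx under runlist.lock: %d\n", scenario_under_runlist(LOCK_READ));
    printf("NONE ctx under runlist.lock: %d\n", scenario_under_runlist(LOCK_NONE));
    return 0;
}
```

The rank check is the same idea lockdep enforces at runtime; the point of the model is that once the lock lives in the context, the ordering decision is made at ctx creation time, so callers below runlist.lock must opt out with NONE rather than getting a silently inverted nesting.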