    configfs: fix a race in configfs_lookup() · c42dd069
    Sishuai Gong authored
    When configfs_lookup() is executing list_for_each_entry(),
    it is possible that configfs_dir_lseek() is calling list_del().
    Some unfortunate interleavings of them can cause a kernel NULL
    pointer dereference error.
    
    Thread 1                  Thread 2
    //configfs_dir_lseek()    //configfs_lookup()
    list_del(&cursor->s_sibling);
                             list_for_each_entry(sd, ...)
    
    Fix this by grabbing configfs_dirent_lock in configfs_lookup()
    while iterating ->s_children.
    Signed-off-by: Sishuai Gong <sishuai@purdue.edu>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
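The locking discipline the message describes, as an added user-space model in C (not the kernel's code or this commit's diff): a list_head walk in the lookup path guarded by the same lock the lseek path takes before list_del(), with an atomic_flag standing in for configfs_dirent_lock. The struct layout, list helpers and the demo() scenario are assumptions of this example.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <string.h>

/* Minimal list_head as in the kernel. list_del() clears the links, so a
 * walker that still holds the node would dereference NULL, as reported. */
struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, m) ((type *)((char *)(p) - offsetof(type, m)))
#define list_for_each_entry(pos, head, m) \
	for (pos = container_of((head)->next, __typeof__(*pos), m); \
	     &pos->m != (head); pos = container_of(pos->m.next, __typeof__(*pos), m))
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; n->next = n->prev = NULL; }
struct configfs_dirent {            /* assumed: only the fields the race touches */
	struct list_head s_sibling;     /* link in the parent's ->s_children */
	struct list_head s_children;
	const char *s_name;             /* NULL marks a directory seek cursor */
};
/* Stand-in for the kernel spinlock configfs_dirent_lock. */
static atomic_flag configfs_dirent_lock = ATOMIC_FLAG_INIT;
static void spin_lock(atomic_flag *l) { while (atomic_flag_test_and_set(l)) {} }
static void spin_unlock(atomic_flag *l) { atomic_flag_clear(l); }
void configfs_dir_lseek(struct configfs_dirent *cursor)   /* lseek side */
{
	spin_lock(&configfs_dirent_lock);
	list_del(&cursor->s_sibling);          /* unlinked with the lock held */
	spin_unlock(&configfs_dirent_lock);
}
/* Fixed lookup: the whole walk of ->s_children runs under the same lock. */
struct configfs_dirent *configfs_lookup(struct configfs_dirent *parent, const char *name)
{
	struct configfs_dirent *sd, *found = NULL;
	spin_lock(&configfs_dirent_lock);
	list_for_each_entry(sd, &parent->s_children, s_sibling)
		if (sd->s_name && !strcmp(sd->s_name, name)) { found = sd; break; }
	spin_unlock(&configfs_dirent_lock);
	return found;
}
/* Constructed scenario: "a", a seek cursor, "b"; lseek drops the cursor. */
int demo(void)
{
	struct configfs_dirent dir, a = { .s_name = "a" }, cur = { 0 }, b = { .s_name = "b" };
	dir.s_children.next = dir.s_children.prev = &dir.s_children;
	list_add_tail(&a.s_sibling, &dir.s_children);
	list_add_tail(&cur.s_sibling, &dir.s_children);
	list_add_tail(&b.s_sibling, &dir.s_children);
	configfs_dir_lseek(&cur);
	return configfs_lookup(&dir, "b") == &b && configfs_lookup(&dir, "nope") == NULL;
}
```

The model is single-threaded, so it shows the lock pairing the fix relies on rather than reproducing the crash; the unsafe ordering in the message is the lseek list_del() landing between two iterations of an unlocked walk.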
dir.c 49.3 KB