www.infradead.org Git - users/jedix/linux-maple.git/commit

author	Baokun Li <libaokun1@huawei.com>
	Wed, 22 May 2024 11:43:03 +0000 (19:43 +0800)
committer	Christian Brauner <brauner@kernel.org>
	Wed, 29 May 2024 11:03:30 +0000 (13:03 +0200)
commit	0a790040838c736495d5afd6b2d636f159f817f1
tree	9cd1f1ea6b9254708eab895bbc457debc8eef94f	tree
parent	a26dc49df37e996876f50a0210039b2d211fdd6f	commit \| diff

cachefiles: add spin_lock for cachefiles_ondemand_info

The following concurrency may cause a read request to fail to be completed
and result in a hung:

           t1             |             t2
---------------------------------------------------------
                            cachefiles_ondemand_copen
                              req = xa_erase(&cache->reqs, id)
// Anon fd is maliciously closed.
cachefiles_ondemand_fd_release
  xa_lock(&cache->reqs)
  cachefiles_ondemand_set_object_close(object)
  xa_unlock(&cache->reqs)
                              cachefiles_ondemand_set_object_open
                              // No one will ever close it again.
cachefiles_ondemand_daemon_read
  cachefiles_ondemand_select_req
  // Get a read req but its fd is already closed.
  // The daemon can't issue a cread ioctl with an closed fd, then hung.

So add spin_lock for cachefiles_ondemand_info to protect ondemand_id and
state, thus we can avoid the above problem in cachefiles_ondemand_copen()
by using ondemand_id to determine if fd has been closed.

Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240522114308.2402121-8-libaokun@huaweicloud.com
Acked-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>

fs/cachefiles/internal.h		diff \| blob \| history
fs/cachefiles/ondemand.c		diff \| blob \| history