diff options
| author | Yan, Zheng <zyan@redhat.com> | 2017-11-27 11:23:48 +0800 |
|---|---|---|
| committer | Ilya Dryomov <idryomov@gmail.com> | 2018-01-29 18:36:07 +0100 |
| commit | 5495c2d04f85da09512f5f346ed24dc0261d905d (patch) | |
| tree | 3a6f0c53be2012bc86aba2ef8eb31cd3c3f4cd2b /fs/seq_file.c | |
| parent | 97aeb6bf988e0830fd80dca724fd89526b3f35e4 (diff) | |
| download | linux-5495c2d04f85da09512f5f346ed24dc0261d905d.tar.bz2 | |
ceph: avoid dereferencing invalid pointer during cached readdir
Readdir cache keeps array of dentry pointers in page cache. If any
dentry in readdir cache gets pruned, ceph_d_prune() disables readdir
cache for later readdir syscall. The problem is that ceph_d_prune()
ignores unhashed dentry. Ideally MDS should have already revoked
CEPH_CAP_FILE_SHARED (which also disables readdir cache) when dentry
gets unhashed. But if it is somehow MDS does not properly revoke
CEPH_CAP_FILE_SHARED and the unhashed dentry gets pruned later,
ceph_d_prune() will not disable readdir cache, later readdir may
reference invalid dentry pointer.
The fix is make ceph_d_prune() do extra check for unhashed dentry.
Disable readdir cache if the unhashed dentry is still referenced
by readdir cache.
Another fix in this patch is handle d_splice_alias(). If a dentry
gets spliced into new parent dentry, treat it as if it was pruned
(call ceph_d_prune() for it).
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'fs/seq_file.c')
0 files changed, 0 insertions, 0 deletions