diff options
author | Ming Lei <ming.lei@canonical.com> | 2013-03-20 23:25:24 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2013-04-05 10:04:16 -0700 |
commit | 01fadbb46b6da196c594ac2266674136cda465a6 (patch) | |
tree | d6618c8c8da329a875715c42dd37e913ffd6c90e /fs/sysfs | |
parent | d8022cb2b0ea2e5d926c9e2a041e411d71fd3d9e (diff) |
sysfs: fix race between readdir and lseek
commit 991f76f837bf22c5bb07261cfd86525a0a96650c upstream.
While readdir() is running, lseek() may set filp->f_pos as zero,
then may leave filp->private_data pointing to one sysfs_dirent
object without holding its reference counter, so the sysfs_dirent
object may be used after free in next readdir().
This patch holds inode->i_mutex to avoid the problem since
the lock is always held in readdir path.
Reported-by: Dave Jones <davej@redhat.com>
Tested-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/sysfs')
-rw-r--r-- | fs/sysfs/dir.c | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index a545d819b495..f8ca94cb7e85 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c @@ -1040,10 +1040,21 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir) return 0; } +static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence) +{ + struct inode *inode = file->f_path.dentry->d_inode; + loff_t ret; + + mutex_lock(&inode->i_mutex); + ret = generic_file_llseek(file, offset, whence); + mutex_unlock(&inode->i_mutex); + + return ret; +} const struct file_operations sysfs_dir_operations = { .read = generic_read_dir, .readdir = sysfs_readdir, .release = sysfs_dir_release, - .llseek = generic_file_llseek, + .llseek = sysfs_dir_llseek, }; |