Commit 13319428 authored by Chuck Lever's avatar Chuck Lever Committed by Yongjian Sun

libfs: Use d_children list to iterate simple_offset directories

stable inclusion
from stable-v6.6.75
commit 850e696f362729a163fb6af21a54cde565b71f75
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBLWT7
CVE: CVE-2024-57952

Reference: https://web.git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=850e696f362729a163fb6af21a54cde565b71f75



--------------------------------

[ Upstream commit b9b588f22a0c049a14885399e27625635ae6ef91 ]

The mtree mechanism has been effective at creating directory offsets
that are stable over multiple opendir instances. However, it has not
been able to handle the subtleties of renames that are concurrent
with readdir.

Instead of using the mtree to emit entries in the order of their
offset values, use it only to map incoming ctx->pos to a starting
entry. Then use the directory's d_children list, which is already
maintained properly by the dcache, to find the next child to emit.

One of the sneaky things about this is that when the mtree-allocated
offset value wraps (which is very rare), looking up ctx->pos++ is
not going to find the next entry; it will return NULL. Instead, by
following the d_children list, the offset values can appear in any
order but all of the entries in the directory will be visited
eventually.

Note also that the readdir() is guaranteed to reach the tail of this
list. Entries are added only at the head of d_children, and readdir
walks from its current position in that list towards its tail.

Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
Link: https://lore.kernel.org/r/20241228175522.1854234-6-cel@kernel.org


Signed-off-by: default avatarChristian Brauner <brauner@kernel.org>
Conflicts:
		fs/libfs.c
[0e4a862174f2("libfs: Convert simple directory offsets to use a Maple Tree") not applied for stable]
Signed-off-by: default avatarYongjian Sun <sunyongjian1@huawei.com>
parent b6ca4071
+60 −26
@@ -241,12 +241,13 @@ EXPORT_SYMBOL(simple_dir_inode_operations);

/* simple_offset_add() never assigns these to a dentry */
enum {
	DIR_OFFSET_FIRST	= 2,		/* Find first real entry */
	DIR_OFFSET_EOD		= S32_MAX,
};

/* simple_offset_add() allocation range */
enum {
	DIR_OFFSET_MIN		= 2,
	DIR_OFFSET_MIN		= DIR_OFFSET_FIRST + 1,
	DIR_OFFSET_MAX		= DIR_OFFSET_EOD - 1,
};

@@ -429,51 +430,84 @@ static loff_t offset_dir_llseek(struct file *file, loff_t offset, int whence)
	return vfs_setpos(file, offset, LONG_MAX);
}

static struct dentry *offset_find_next(struct offset_ctx *octx, loff_t offset)
static struct dentry *find_positive_dentry(struct dentry *parent,
					   struct dentry *dentry,
					   bool next)
{
	MA_STATE(mas, &octx->mt, offset, offset);
	struct dentry *found = NULL;

	spin_lock(&parent->d_lock);
	if (next)
		dentry = list_next_entry(dentry, d_child);
	else if (!dentry)
		dentry = list_first_entry_or_null(&parent->d_subdirs,
						  struct dentry, d_child);
	for (; dentry && !list_entry_is_head(dentry, &parent->d_subdirs, d_child);
	     dentry = list_next_entry(dentry, d_child)) {
		if (!simple_positive(dentry))
			continue;
		spin_lock_nested(&dentry->d_lock, DENTRY_D_LOCK_NESTED);
		if (simple_positive(dentry))
			found = dget_dlock(dentry);
		spin_unlock(&dentry->d_lock);
		if (likely(found))
			break;
	}
	spin_unlock(&parent->d_lock);
	return found;
}

static noinline_for_stack struct dentry *
offset_dir_lookup(struct dentry *parent, loff_t offset)
{
	struct inode *inode = d_inode(parent);
	struct offset_ctx *octx = inode->i_op->get_offset_ctx(inode);
	struct dentry *child, *found = NULL;

	MA_STATE(mas, &octx->mt, offset, offset);

	if (offset == DIR_OFFSET_FIRST)
		found = find_positive_dentry(parent, NULL, false);
	else {
		rcu_read_lock();
		child = mas_find(&mas, DIR_OFFSET_MAX);
	if (!child)
		goto out;
	spin_lock(&child->d_lock);
	if (simple_positive(child))
		found = dget_dlock(child);
	spin_unlock(&child->d_lock);
out:
		found = find_positive_dentry(parent, child, false);
		rcu_read_unlock();
	}
	return found;
}

static bool offset_dir_emit(struct dir_context *ctx, struct dentry *dentry)
{
	struct inode *inode = d_inode(dentry);
	long offset = dentry2offset(dentry);

	return ctx->actor(ctx, dentry->d_name.name, dentry->d_name.len, offset,
	return dir_emit(ctx, dentry->d_name.name, dentry->d_name.len,
			inode->i_ino, fs_umode_to_dtype(inode->i_mode));
}

static void offset_iterate_dir(struct inode *inode, struct dir_context *ctx)
static void offset_iterate_dir(struct file *file, struct dir_context *ctx)
{
	struct offset_ctx *octx = inode->i_op->get_offset_ctx(inode);
	struct dentry *dir = file->f_path.dentry;
	struct dentry *dentry;

	while (true) {
		dentry = offset_find_next(octx, ctx->pos);
	dentry = offset_dir_lookup(dir, ctx->pos);
	if (!dentry)
		goto out_eod;
	while (true) {
		struct dentry *next;

		if (!offset_dir_emit(ctx, dentry)) {
			dput(dentry);
		ctx->pos = dentry2offset(dentry);
		if (!offset_dir_emit(ctx, dentry))
			break;
		}

		ctx->pos = dentry2offset(dentry) + 1;
		next = find_positive_dentry(dir, dentry, true);
		dput(dentry);

		if (!next)
			goto out_eod;
		dentry = next;
	}
	dput(dentry);
	return;

out_eod:
@@ -512,7 +546,7 @@ static int offset_readdir(struct file *file, struct dir_context *ctx)
	if (!dir_emit_dots(file, ctx))
		return 0;
	if (ctx->pos != DIR_OFFSET_EOD)
		offset_iterate_dir(d_inode(dir), ctx);
		offset_iterate_dir(file, ctx);
	return 0;
}
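Review bot: In offset_dir_lookup, a ctx->pos that mas_find() does not find is no longer treated as end-of-directory: child is NULL, and find_positive_dentry(parent, NULL, false) takes the `else if (!dentry)` branch and restarts the walk at the head of parent->d_subdirs, so the whole directory is replayed from its first child, whereas the removed `if (!child) goto out;` path returned NULL and the caller went to out_eod. That happens when the entry at ctx->pos is unlinked between getdents() calls and no higher offset remains, and presumably also for any position seeked past DIR_OFFSET_MAX, since the offset_dir_llseek context line at the top of the hunk passes LONG_MAX to vfs_setpos and offset_readdir only filters the exact DIR_OFFSET_EOD value. If the replay is the intended way to reach entries whose offsets wrapped, it deserves a comment beside the mas_find() call, e.g. `/* nothing at or above ctx->pos: restart from the list head so entries with wrapped offsets are still emitted */`, while the out-of-range seek case looks like it should simply be `if (offset > DIR_OFFSET_MAX) return NULL;` at the top of the function. offset_dir_llseek and offset_iterate_dir both extend outside the hunk, so how out_eod and the llseek bounds interact is only partly visible here.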