sysfs: fix race between readdir and lseek

While readdir() is running, lseek() may set filp->f_pos as zero, then may leave filp->private_data pointing to one sysfs_dirent object without holding its reference counter, so the sysfs_dirent object may be used after free in next readdir(). This patch holds inode->i_mutex to avoid the problem since the lock is always held in readdir path. Reported-by: Dave Jones <davej@redhat.com> Tested-by: Sasha Levin <levinsasha928@gmail.com> Cc: <stable@vger.kernel.org> Signed-off-by: Ming Lei <ming.lei@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: Ming Lei <ming.lei@canonical.com> 2013-03-20 11:25:24 -0400
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2013-03-20 19:53:42 -0400
commit: 991f76f837bf22c5bb07261cfd86525a0a96650c (patch)
tree: aabd6397c35daee20d579507f4c5256e88e813ec /fs/sysfs
parent: a937536b868b8369b98967929045f1df54234323 (diff)
1 files changed, 12 insertions, 1 deletions
diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c
index 2fbdff6be25c..c9e16608f486 100644
--- a/fs/sysfs/dir.c
+++ b/fs/sysfs/dir.c
@@ -1058,10 +1058,21 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
        return 0;
 }
+static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence)
+{
+        struct inode *inode = file_inode(file);
+        loff_t ret;
+        mutex_lock(&inode->i_mutex);
+        ret = generic_file_llseek(file, offset, whence);
+        mutex_unlock(&inode->i_mutex);
+        return ret;
+}
 const struct file_operations sysfs_dir_operations = {
        .read           = generic_read_dir,
        .readdir        = sysfs_readdir,
        .release        = sysfs_dir_release,
-        .llseek         = generic_file_llseek,
+        .llseek         = sysfs_dir_llseek,
 };
author	Ming Lei <ming.lei@canonical.com>	2013-03-20 11:25:24 -0400
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2013-03-20 19:53:42 -0400
commit	991f76f837bf22c5bb07261cfd86525a0a96650c (patch)
tree	aabd6397c35daee20d579507f4c5256e88e813ec /fs/sysfs
parent	a937536b868b8369b98967929045f1df54234323 (diff)

diff --git a/fs/sysfs/dir.c b/fs/sysfs/dir.c index 2fbdff6be25c..c9e16608f486 100644 --- a/fs/sysfs/dir.c +++ b/fs/sysfs/dir.c
@@ -1058,10 +1058,21 @@ static int sysfs_readdir(struct file * filp, void * dirent, filldir_t filldir)
1058	return 0;	1058	return 0;
1059	}	1059	}
1060		1060
		1061	static loff_t sysfs_dir_llseek(struct file *file, loff_t offset, int whence)
		1062	{
		1063	struct inode *inode = file_inode(file);
		1064	loff_t ret;
		1065
		1066	mutex_lock(&inode->i_mutex);
		1067	ret = generic_file_llseek(file, offset, whence);
		1068	mutex_unlock(&inode->i_mutex);
		1069
		1070	return ret;
		1071	}
1061		1072
1062	const struct file_operations sysfs_dir_operations = {	1073	const struct file_operations sysfs_dir_operations = {
1063	.read = generic_read_dir,	1074	.read = generic_read_dir,
1064	.readdir = sysfs_readdir,	1075	.readdir = sysfs_readdir,
1065	.release = sysfs_dir_release,	1076	.release = sysfs_dir_release,
1066	.llseek = generic_file_llseek,	1077	.llseek = sysfs_dir_llseek,
1067	};	1078	};