Details
-
Bug
-
Resolution: Fixed
-
Minor
-
None
-
None
-
3
-
9223372036854775807
Description
Using d_unhashed() brings a race window with d_add() and d_drop() leading to dentry hash table corruption. If dentry which is in hash table already is added to hash table, it gets looped to itself via next pointer like in the below real instance:
dentry 0xffff8fd34cc08840
...
d_hash = {
next = 0xffff8fd34cc08848,
pprev = 0x0
},
This is recommended for implementations of atomic_open operation.
See for reference:
commit 00699ad8571afd7fb8bc2c61f67c86c2428680ab Author: Al Viro <viro@zeniv.linux.org.uk> Date: Tue Jul 5 09:44:53 2016 -0400 Use the right predicate in ->atomic_open() instances ...