Commit 791eb564 authored by Matt Fleming's avatar Matt Fleming

efivarfs: Delete dentry from dcache in efivarfs_file_write()

Unlike the unlink path that is called from the VFS layer, we need to
call d_delete() ourselves when a variable is deleted in
efivarfs_file_write().

Failure to do so means we can access a stale struct efivar_entry when
reading/writing the file, which can result in the following oops,

  [   59.978216] general protection fault: 0000 [#1] SMP
  [   60.038660] CPU 9
  [   60.040501] Pid: 1001, comm: cat Not tainted 3.7.0-2.fc19.x86_64 #1 IBM System x3550 M3 -[7944I21]-/69Y4438
  [   60.050840] RIP: 0010:[<ffffffff810d5d1e>]  [<ffffffff810d5d1e>] __lock_acquire+0x5e/0x1bb0
  [   60.059198] RSP: 0018:ffff880270595ce8  EFLAGS: 00010046
  [   60.064500] RAX: 0000000000000046 RBX: 0000000000000002 RCX: 0000000000000000
  [   60.071617] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 6b6b6b6b6b6b6b83
  [   60.078735] RBP: ffff880270595dd8 R08: 0000000000000002 R09: 0000000000000000
  [   60.085852] R10: 6b6b6b6b6b6b6b83 R11: 0000000000000000 R12: 0000000000000000
  [   60.092971] R13: ffff88027170cd20 R14: 0000000000000000 R15: 0000000000000000
  [   60.100091] FS:  00007fc0c8ff3740(0000) GS:ffff880277000000(0000) knlGS:0000000000000000
  [   60.108164] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   60.113899] CR2: 0000000001520000 CR3: 000000026d594000 CR4: 00000000000007e0
  [   60.121016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [   60.128135] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  [   60.135254] Process cat (pid: 1001, threadinfo ffff880270594000, task ffff88027170cd20)
  [   60.143239] Stack:
  [   60.145251]  ffff880270595cf8 ffffffff81021da3 ffff880270595d08 ffffffff81021e19
  [   60.152714]  ffff880270595d38 ffffffff810acdb5 ffff880200000168 0000000000000086
  [   60.160175]  ffff88027170d5e8 ffffffff810d25ed ffff880270595d58 ffffffff810ace7f
  [   60.167638] Call Trace:
  [   60.170088]  [<ffffffff81021da3>] ? native_sched_clock+0x13/0x80
  [   60.176085]  [<ffffffff81021e19>] ? sched_clock+0x9/0x10
  [   60.181389]  [<ffffffff810acdb5>] ? sched_clock_cpu+0xc5/0x120
  [   60.187211]  [<ffffffff810d25ed>] ? trace_hardirqs_off+0xd/0x10
  [   60.193121]  [<ffffffff810ace7f>] ? local_clock+0x6f/0x80
  [   60.198513]  [<ffffffff810d2f6f>] ? lock_release_holdtime.part.26+0xf/0x180
  [   60.205465]  [<ffffffff810d7b57>] ? lock_release_non_nested+0x2e7/0x320
  [   60.212073]  [<ffffffff815638bb>] ? efivarfs_file_write+0x5b/0x280
  [   60.218242]  [<ffffffff810d7f41>] lock_acquire+0xa1/0x1f0
  [   60.223633]  [<ffffffff81563971>] ? efivarfs_file_write+0x111/0x280
  [   60.229892]  [<ffffffff8118b47c>] ? might_fault+0x5c/0xb0
  [   60.235287]  [<ffffffff816f1bf6>] _raw_spin_lock+0x46/0x80
  [   60.240762]  [<ffffffff81563971>] ? efivarfs_file_write+0x111/0x280
  [   60.247018]  [<ffffffff81563971>] efivarfs_file_write+0x111/0x280
  [   60.253103]  [<ffffffff811d307f>] vfs_write+0xaf/0x190
  [   60.258233]  [<ffffffff811d33d5>] sys_write+0x55/0xa0
  [   60.263278]  [<ffffffff816fbd19>] system_call_fastpath+0x16/0x1b
  [   60.269271] Code: 41 0f 45 d8 4c 89 75 f0 4c 89 7d f8 85 c0 0f 84 09 01 00 00 8b 05 a3 f9 ff 00 49 89 fa 41 89 f6 41 89 d3 85 c0 0f 84 12 01 00 00 <49> 8b 02 ba 01 00 00 00 48 3d a0 07 14 82 0f 44 da 41 83 fe 01
  [   60.289431] RIP  [<ffffffff810d5d1e>] __lock_acquire+0x5e/0x1bb0
  [   60.295444]  RSP <ffff880270595ce8>
  [   60.298928] ---[ end trace 1bbfd41a2cf6a0d8 ]---

Cc: Josh Boyer <jwboyer@redhat.com>
Acked-by: default avatarJeremy Kerr <jeremy.kerr@canonical.com>
Cc: Lee, Chun-Yi <jlee@suse.com>
Cc: Andy Whitcroft <apw@canonical.com>
Reported-by: default avatarLingzhu Xiang <lxiang@redhat.com>
Signed-off-by: default avatarMatt Fleming <matt.fleming@intel.com>
parent 1fa7e695
......@@ -793,6 +793,7 @@ static ssize_t efivarfs_file_write(struct file *file,
spin_unlock(&efivars->lock);
efivar_unregister(var);
drop_nlink(inode);
d_delete(file->f_dentry);
dput(file->f_dentry);
} else {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment