configfs: fix a race in configfs_lookup()

mainline inclusion
from mainline-v5.15-rc1
commit c42dd069be8dfc9b2239a5c89e73bbd08ab35de0
category: bugfix
bugzilla: 187567, https://gitee.com/openeuler/kernel/issues/I5PK1G


CVE: NA

--------------------------------

When configfs_lookup() is executing list_for_each_entry(),
it is possible that configfs_dir_lseek() is calling list_del().
Some unfortunate interleavings of them can cause a kernel NULL
pointer dereference error

Thread 1                  Thread 2
//configfs_dir_lseek()    //configfs_lookup()
list_del(&cursor->s_sibling);
                         list_for_each_entry(sd, ...)

Fix this by grabbing configfs_dirent_lock in configfs_lookup()
while iterating ->s_children.

Signed-off-by: Sishuai Gong <sishuai@purdue.edu>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Signed-off-by: Yongqiang Liu <liuyongqiang13@huawei.com>

fs/configfs/dir.c

@@ -463,13 +463,13 @@ static struct dentry * configfs_lookup(struct inode *dir,
 	if (!configfs_dirent_is_ready(parent_sd))
 		return ERR_PTR(-ENOENT);
 
+	spin_lock(&configfs_dirent_lock);
 	list_for_each_entry(sd, &parent_sd->s_children, s_sibling) {
 		if ((sd->s_type & CONFIGFS_NOT_PINNED) &&
 		    !strcmp(configfs_get_name(sd), dentry->d_name.name)) {
 			struct configfs_attribute *attr = sd->s_element;
 			umode_t mode = (attr->ca_mode & S_IALLUGO) | S_IFREG;
 
-			spin_lock(&configfs_dirent_lock);
 			dentry->d_fsdata = configfs_get(sd);
 			sd->s_dentry = dentry;
 			spin_unlock(&configfs_dirent_lock);
@@ -486,10 +486,11 @@ static struct dentry * configfs_lookup(struct inode *dir,
 				inode->i_size = PAGE_SIZE;
 				inode->i_fop = &configfs_file_operations;
 			}
-			break;
+			goto done;
 		}
 	}
-
+	spin_unlock(&configfs_dirent_lock);
+done:
 	d_add(dentry, inode);
 	return NULL;
 }