Re: [PATCH V2] exportfs: do not read dentry after free

From: Al Viro
Date: Fri Nov 23 2018 - 09:07:43 EST

Next message: Auger Eric: "Re: [PATCH v4 7/8] vfio/type1: Add domain at(de)taching group helpers"
Previous message: Neil Armstrong: "Re: [PATCH v2 2/4] clk: meson: clk-regmap: add read-only gate ops"
In reply to: Pan Bian: "[PATCH V2] exportfs: do not read dentry after free"
Next in thread: J. Bruce Fields: "Re: [PATCH V2] exportfs: do not read dentry after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, Nov 23, 2018 at 03:56:33PM +0800, Pan Bian wrote:
> The function dentry_connected calls dput(dentry) to drop the previously
> acquired reference to dentry. In this case, dentry can be released.
> After that, IS_ROOT(dentry) checks the condition
> (dentry == dentry->d_parent), which may result in a use-after-free bug.
> This patch directly compares dentry with its parent obtained before
> dropping the reference.

It's a bit more subtle than the description implies (the race has
dentry connected during dget_parent() and the child we'd reached it
through moved elsewhere during the dput()), but you are right - the
race is there and that patch fixes it.

I wonder if we could avoid those dget_parent()/dput() completely -
looks like we might be able to with rcu_read_lock() and some
care. OTOH, that's not going to be a hot path, anyway...

Applied.

Next message: Auger Eric: "Re: [PATCH v4 7/8] vfio/type1: Add domain at(de)taching group helpers"
Previous message: Neil Armstrong: "Re: [PATCH v2 2/4] clk: meson: clk-regmap: add read-only gate ops"
In reply to: Pan Bian: "[PATCH V2] exportfs: do not read dentry after free"
Next in thread: J. Bruce Fields: "Re: [PATCH V2] exportfs: do not read dentry after free"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]