Message-ID: <20240131011246.GP2087318@ZenIV>
Date: Wed, 31 Jan 2024 01:12:46 +0000
From: Al Viro <viro@...iv.linux.org.uk>
To: Linus Torvalds <torvalds@...ux-foundation.org>
Cc: Steven Rostedt <rostedt@...dmis.org>,
Masami Hiramatsu <mhiramat@...nel.org>,
linux-kernel@...r.kernel.org, linux-trace-kernel@...r.kernel.org
Subject: Re: [PATCH 6/6] eventfs: clean up dentry ops and add revalidate function
On Tue, Jan 30, 2024 at 11:03:55AM -0800, Linus Torvalds wrote:
> +void eventfs_d_release(struct dentry *dentry)
> {
> - struct eventfs_inode *ei;
> -
> - mutex_lock(&eventfs_mutex);
> - ei = dentry->d_fsdata;
> - if (ei) {
> - dentry->d_fsdata = NULL;
> - put_ei(ei);
> - }
> - mutex_unlock(&eventfs_mutex);
> + put_ei(dentry->d_fsdata);
> }
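Review bot: put_ei(dentry->d_fsdata) in the new eventfs_d_release() is called unconditionally, while the removed lines only called put_ei(ei) inside "if (ei)", so put_ei() must now accept a NULL pointer. If it does, a one-line comment saying d_fsdata may be NULL here would help; if it does not, keep the check. The removed code also cleared dentry->d_fsdata under eventfs_mutex before dropping the reference, and the changelog should say why neither the clearing nor the lock is needed at release time any more.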
I'd rather pass ->d_fsdata to that sucker (or exposed put_ei(),
for that matter).
> @@ -857,6 +847,5 @@ void eventfs_remove_events_dir(struct eventfs_inode *ei)
> * sticks around while the other ei->dentry are created
> * and destroyed dynamically.
> */
> - simple_recursive_removal(dentry, NULL);
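Review bot: with the simple_recursive_removal(dentry, NULL) call dropped from eventfs_remove_events_dir(), nothing in this hunk shows what now removes that dentry. The comment kept just above still talks about something that sticks around while the other ei->dentry are created and destroyed dynamically, so either update the comment to match the new teardown or state in the changelog which path removes the dentry after this change.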
That also needs to move earlier in the series - bisect hazard.
> + *
> + * Note that d_revalidate is called potentially under RCU,
> + * so it can't take the eventfs mutex etc. It's fine - if
> + * we open a file just as it's marked dead, things will
> + * still work just fine, and just see the old stale case.
Looks like use after free, unless freeing ei is RCU-delayed...
> + return !(ei && ei->is_freed);
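Review bot: the return statement dereferences ei->is_freed on a path the new comment says may run under RCU and without the eventfs mutex, so the read is only safe if the ei memory cannot be freed before the RCU read-side section ends. The comment explains why a stale result is acceptable but not what keeps ei itself alive; it should name that guarantee (for example that the final free of ei is deferred past an RCU grace period), or the code needs to hold a reference before reading the field.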