Re: [PATCH V2] exportfs: do not read dentry after free
On Fri, Nov 23, 2018 at 03:56:33PM +0800, Pan Bian wrote: > The function dentry_connected calls dput(dentry) to drop the previously > acquired reference to dentry. In this case, dentry can be released. > After that, IS_ROOT(dentry) checks the condition > (dentry == dentry->d_parent), which may result in a use-after-free bug. > This patch directly compares dentry with its parent obtained before > dropping the reference. Looks right to me, thanks.--b. > > Fixes: a056cc8934c("exportfs: stop retrying once we race with > rename/remove") > > Signed-off-by: Pan Bian > > --- > V2: get rid of the comment > > --- > fs/exportfs/expfs.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c > index 645158d..a69aaf5 100644 > --- a/fs/exportfs/expfs.c > +++ b/fs/exportfs/expfs.c > @@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry) > struct dentry *parent = dget_parent(dentry); > > dput(dentry); > - if (IS_ROOT(dentry)) { > + if (dentry == parent) { > dput(parent); > return false; > } > -- > 2.7.4 >
Re: [PATCH V2] exportfs: do not read dentry after free
On Fri, Nov 23, 2018 at 03:56:33PM +0800, Pan Bian wrote: > The function dentry_connected calls dput(dentry) to drop the previously > acquired reference to dentry. In this case, dentry can be released. > After that, IS_ROOT(dentry) checks the condition > (dentry == dentry->d_parent), which may result in a use-after-free bug. > This patch directly compares dentry with its parent obtained before > dropping the reference. It's a bit more subtle than the description implies (the race has dentry connected during dget_parent() and the child we'd reached it through moved elsewhere during the dput()), but you are right - the race is there and that patch fixes it. I wonder if we could avoid those dget_parent()/dput() completely - looks like we might be able to with rcu_read_lock() and some care. OTOH, that's not going to be a hot path, anyway... Applied.
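The ordering Al Viro describes above, reduced to a single-threaded toy model in C. This is an added example, not kernel code and not part of the thread: `tdentry`, `tdget`, `tdput`, `tdget_parent` and `tis_root` are invented stand-ins for the dentry API, the concurrent loss of the other reference is collapsed into the initial refcounts (so the walker's own put on the intermediate dentry is the last one), and a `released` flag replaces the real free so the stale read is counted instead of crashing. Both loop shapes from the hunk are walked over the same chain: `IS_ROOT(dentry)` after `dput(dentry)`, and the patched comparison against the `parent` pointer taken while the reference was still held.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy stand-in for struct dentry (invented for this example, not the kernel's). */
struct tdentry {
	int refcount;
	bool disconnected;      /* stands in for DCACHE_DISCONNECTED */
	bool released;          /* set where the kernel would free the object */
	struct tdentry *parent; /* a root's parent is itself, which is what IS_ROOT() tests */
};

static int stale_reads;         /* dereferences of a released object during a walk */

static struct tdentry *tdget(struct tdentry *d) { d->refcount++; return d; }

static void tdput(struct tdentry *d)
{
	if (--d->refcount == 0)
		d->released = true; /* the real dput() frees the memory here */
}

static struct tdentry *tdget_parent(struct tdentry *d) { return tdget(d->parent); }

/* Like IS_ROOT(): must load d->parent, so it dereferences d. */
static bool tis_root(struct tdentry *d)
{
	if (d->released)
		stale_reads++;  /* on real memory this is the use-after-free */
	return d == d->parent;
}

/* Loop as it was before the patch: IS_ROOT(dentry) after dput(dentry). */
static bool connected_before(struct tdentry *dentry)
{
	tdget(dentry);
	while (dentry->disconnected) {
		struct tdentry *parent = tdget_parent(dentry);

		tdput(dentry);
		if (tis_root(dentry)) {  /* reads dentry after our reference is gone */
			tdput(parent);
			return false;
		}
		dentry = parent;
	}
	tdput(dentry);
	return true;
}

/* Loop as patched: compare with the parent pointer taken while the reference was held. */
static bool connected_after(struct tdentry *dentry)
{
	tdget(dentry);
	while (dentry->disconnected) {
		struct tdentry *parent = tdget_parent(dentry);

		tdput(dentry);
		if (dentry == parent) {  /* pointer comparison only, no dereference */
			tdput(parent);
			return false;
		}
		dentry = parent;
	}
	tdput(dentry);
	return true;
}

struct walk_result { bool connected; int stale_reads; };

static struct walk_result walk(struct tdentry *start, bool fixed)
{
	stale_reads = 0;
	bool c = fixed ? connected_after(start) : connected_before(start);
	return (struct walk_result){ c, stale_reads };
}

/* The race, collapsed into initial refcounts: leaf -> mid -> root, where the child pin
 * that kept mid alive is already gone, so the walker's put on mid drops the last reference. */
struct walk_result walk_reconnected_chain(bool fixed)
{
	struct tdentry root = { .refcount = 1, .disconnected = false };
	struct tdentry mid  = { .refcount = 0, .disconnected = true, .parent = &root };
	struct tdentry leaf = { .refcount = 1, .disconnected = true, .parent = &mid };

	root.parent = &root;
	return walk(&leaf, fixed);
}

/* Control case: the walk ends at a disconnected root, the "return false" path of both loops. */
struct walk_result walk_disconnected_root(bool fixed)
{
	struct tdentry root = { .refcount = 1, .disconnected = true };
	struct tdentry leaf = { .refcount = 1, .disconnected = true, .parent = &root };

	root.parent = &root;
	return walk(&leaf, fixed);
}

int main(void)
{
	struct walk_result b = walk_reconnected_chain(false), a = walk_reconnected_chain(true);

	printf("before fix: connected=%d stale_reads=%d\n", b.connected, b.stale_reads);
	printf("after fix:  connected=%d stale_reads=%d\n", a.connected, a.stale_reads);
	return 0;
}
```

The two walks return the same answer on both chains; the only difference is that the pre-patch loop touches `mid` once after its last reference has been dropped, which is exactly the read the patch removes. The stale pointer value itself is still fine to compare, which is why the fix needs no extra reference.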
[PATCH V2] exportfs: do not read dentry after free
The function dentry_connected calls dput(dentry) to drop the previously acquired reference to dentry. In this case, dentry can be released. After that, IS_ROOT(dentry) checks the condition (dentry == dentry->d_parent), which may result in a use-after-free bug. This patch directly compares dentry with its parent obtained before dropping the reference. Fixes: a056cc8934c("exportfs: stop retrying once we race with rename/remove") Signed-off-by: Pan Bian --- V2: get rid of the comment --- fs/exportfs/expfs.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c index 645158d..a69aaf5 100644 --- a/fs/exportfs/expfs.c +++ b/fs/exportfs/expfs.c @@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry) struct dentry *parent = dget_parent(dentry); dput(dentry); - if (IS_ROOT(dentry)) { + if (dentry == parent) { dput(parent); return false; } -- 2.7.4
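Review bot: the replacement `if (dentry == parent)` in the dentry_connected() hunk is correct but now rests on a fact the V2 revision dropped the comment for: dget_parent() hands back `dentry` itself exactly when `dentry == dentry->d_parent` (the IS_ROOT() condition quoted in the message), and after `dput(dentry)` only the pointer value may be used, never `*dentry`. Keep a one-line comment above the test, e.g. `/* dentry may have been freed by dput(); compare pointers only */`, so the next reader does not "simplify" it back to `IS_ROOT(dentry)`. Also, the tag should read `Fixes: a056cc8934c ("exportfs: stop retrying once we race with rename/remove")` with a space before the parenthesised subject, and the commit id is conventionally given with at least 12 hex digits rather than the 11 here.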