diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-31 06:35:48 +0300 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2019-05-31 06:35:48 +0300 |
commit | 8cb7104d03dddeb2f28e590b2d1fab7bf0eef284 (patch) | |
tree | 365294dbbcf9280741addf5e4b5331d4ffe2e2f8 | |
parent | c5ba1712661233ce0f4666b8c3dee5bb78d380f2 (diff) | |
parent | f6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 (diff) | |
download | linux-8cb7104d03dddeb2f28e590b2d1fab7bf0eef284.tar.xz |
Merge tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs
Pull configs fix from Christoph Hellwig:
- fix a use after free in configfs_d_iput (Sahitya Tummala)
* tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs:
configfs: Fix use-after-free when accessing sd->s_dentry
-rw-r--r-- | fs/configfs/dir.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index 5e7932d668ab..22203a3423a3 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry, if (sd) { /* Coordinate with configfs_readdir */ spin_lock(&configfs_dirent_lock); - /* Coordinate with configfs_attach_attr where will increase - * sd->s_count and update sd->s_dentry to new allocated one. - * Only set sd->dentry to null when this dentry is the only - * sd owner. - * If not do so, configfs_d_iput may run just after - * configfs_attach_attr and set sd->s_dentry to null - * even it's still in use. + /* + * Set sd->s_dentry to null only when this dentry is the one + * that is going to be killed. Otherwise configfs_d_iput may + * run just after configfs_attach_attr and set sd->s_dentry to + * NULL even it's still in use. */ - if (atomic_read(&sd->s_count) <= 2) + if (sd->s_dentry == dentry) sd->s_dentry = NULL; spin_unlock(&configfs_dirent_lock); |