summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2019-05-31 06:35:48 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2019-05-31 06:35:48 +0300
commit8cb7104d03dddeb2f28e590b2d1fab7bf0eef284 (patch)
tree365294dbbcf9280741addf5e4b5331d4ffe2e2f8
parentc5ba1712661233ce0f4666b8c3dee5bb78d380f2 (diff)
parentf6122ed2a4f9c9c1c073ddf6308d1b2ac10e0781 (diff)
downloadlinux-8cb7104d03dddeb2f28e590b2d1fab7bf0eef284.tar.xz
Merge tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs
Pull configs fix from Christoph Hellwig: - fix a use after free in configfs_d_iput (Sahitya Tummala) * tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs: configfs: Fix use-after-free when accessing sd->s_dentry
-rw-r--r--fs/configfs/dir.c14
1 files changed, 6 insertions, 8 deletions
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index 5e7932d668ab..22203a3423a3 100644
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry,
if (sd) {
/* Coordinate with configfs_readdir */
spin_lock(&configfs_dirent_lock);
- /* Coordinate with configfs_attach_attr where will increase
- * sd->s_count and update sd->s_dentry to new allocated one.
- * Only set sd->dentry to null when this dentry is the only
- * sd owner.
- * If not do so, configfs_d_iput may run just after
- * configfs_attach_attr and set sd->s_dentry to null
- * even it's still in use.
+ /*
+ * Set sd->s_dentry to null only when this dentry is the one
+ * that is going to be killed. Otherwise configfs_d_iput may
+ * run just after configfs_attach_attr and set sd->s_dentry to
+ * NULL even it's still in use.
*/
- if (atomic_read(&sd->s_count) <= 2)
+ if (sd->s_dentry == dentry)
sd->s_dentry = NULL;
spin_unlock(&configfs_dirent_lock);