All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Paul E. McKenney" <paulmck@linux.vnet.ibm.com>
To: Steven Rostedt <rostedt@goodmis.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Al Viro <viro@zeniv.linux.org.uk>,
	Dave Chinner <david@fromorbit.com>,
	linux-fsdevel@vger.kernel.org,
	James Morris <james.l.morris@oracle.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	Stephen Smalley <sds@tycho.nsa.gov>,
	"Theodore Ts'o" <tytso@mit.edu>,
	Eric Paris <eparis@parisplace.org>,
	stable <stable@vger.kernel.org>, Paul Moore <paul@paul-moore.com>,
	LKML <linux-kernel@vger.kernel.org>,
	Matthew Wilcox <matthew@wil.cx>,
	Christoph Hellwig <hch@infradead.org>
Subject: Re: [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission()
Date: Thu, 9 Jan 2014 16:44:11 -0800	[thread overview]
Message-ID: <20140110004411.GS10038@linux.vnet.ibm.com> (raw)
In-Reply-To: <20140109185907.20cddb57@gandalf.local.home>

On Thu, Jan 09, 2014 at 06:59:07PM -0500, Steven Rostedt wrote:
> On Thu, 9 Jan 2014 15:45:37 -0800
> "Paul E. McKenney" <paulmck@linux.vnet.ibm.com> wrote:
> 
> > >  static void inode_free_security(struct inode *inode)
> > >  {
> > >  	struct inode_security_struct *isec = inode->i_security;
> > > @@ -244,8 +252,7 @@ static void inode_free_security(struct i
> > >  		list_del_init(&isec->list);
> > >  	spin_unlock(&sbsec->isec_lock);
> > > 
> > > -	inode->i_security = NULL;
> > > -	kmem_cache_free(sel_inode_cache, isec);
> > > +	call_rcu(&isec->rcu, inode_free_rcu);
> > 
> > Does not clearing ->i_security mean that RCU readers can traverse
> > this pointer after the invocation of call_rcu()?  If so, this is
> > problematic.  (If something else already prevents readers from getting
> > here, no problem.)
> 
> This is called when we are about to free the inode. Look at
> destroy_inode(). Basically, this is the same as doing:
> 
> 	call_rcu(&isec->rcu, inode_free_rcu);
> 	call_rcu(&inode->i_rcu, i_callback);
> 
> Where i_callback() does the free of the inode.
> 
> If you can access inode->i_security, after a call_rcu, then you can
> also access the inode itself that has just been freed.
> 
> Yes, technically, having two separate call_rcu(), the first grace
> period can end before the second, but everything to remove the inode
> from sight has already been set up before that first call_rcu() is
> made. That means when the first call_rcu() is executed, the inode
> should already be invisible to the readers.

Got it, should be fine then, sorry for the noise.

							Thanx, Paul

      reply	other threads:[~2014-01-10  0:44 UTC|newest]

Thread overview: 23+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2014-01-09 21:27 [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission() Steven Rostedt
2014-01-09 21:42 ` Matthew Wilcox
2014-01-09 21:50   ` Steven Rostedt
2014-01-09 22:31     ` Al Viro
     [not found]       ` <CA+55aFzCTPYEQCPnLBi1CwmMTocVqCFiCuJ391HkVx1CMw61ug@mail.gmail.com>
2014-01-09 23:10         ` Paul E. McKenney
2014-01-09 23:25         ` Steven Rostedt
2014-01-09 23:27           ` Steven Rostedt
2014-01-09 23:37             ` Eric Paris
2014-01-09 23:45               ` Steven Rostedt
2014-01-09 23:53               ` Linus Torvalds
2014-01-10  0:06                 ` Al Viro
2014-01-10  0:09                   ` Al Viro
2014-01-10  0:18                   ` Linus Torvalds
2014-01-10  2:36                     ` James Morris
2014-01-10  9:31                   ` Christoph Hellwig
2014-01-10  9:31                     ` Christoph Hellwig
2014-01-10 18:14                     ` Ben Myers
2014-01-10 18:14                       ` Ben Myers
2014-01-11 10:32                       ` Christoph Hellwig
2014-01-11 10:32                         ` Christoph Hellwig
2014-01-09 23:45             ` Paul E. McKenney
2014-01-09 23:59               ` Steven Rostedt
2014-01-10  0:44                 ` Paul E. McKenney [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20140110004411.GS10038@linux.vnet.ibm.com \
    --to=paulmck@linux.vnet.ibm.com \
    --cc=akpm@linux-foundation.org \
    --cc=david@fromorbit.com \
    --cc=eparis@parisplace.org \
    --cc=hch@infradead.org \
    --cc=james.l.morris@oracle.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=matthew@wil.cx \
    --cc=paul@paul-moore.com \
    --cc=rostedt@goodmis.org \
    --cc=sds@tycho.nsa.gov \
    --cc=stable@vger.kernel.org \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.