From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-pf0-f195.google.com ([209.85.192.195]:46216 "EHLO mail-pf0-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751632AbeCWXGM (ORCPT ); Fri, 23 Mar 2018 19:06:12 -0400 Received: by mail-pf0-f195.google.com with SMTP id h69so22309pfe.13 for ; Fri, 23 Mar 2018 16:06:12 -0700 (PDT) From: Eric Biggers To: Alexander Viro , linux-fsdevel@vger.kernel.org Cc: John Ogness , Eric Biggers Subject: [PATCH vfs/for-next] fs/dcache.c: fix NULL pointer dereference in shrink_lock_dentry() Date: Fri, 23 Mar 2018 16:04:43 -0700 Message-Id: <20180323230443.168482-1-ebiggers3@gmail.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: From: Eric Biggers We can reach 'out:' with a negative dentry, e.g. if there is contention on ->d_parent->d_lock and another task concurrently gets a reference to the negative dentry. In that case 'inode' will be NULL, so we must not try to unlock 'inode'. This bug was found by xfstest generic/429. Fixes: 121a8e083486 ("get rid of trylock loop in locking dentries on shrink list") Signed-off-by: Eric Biggers --- fs/dcache.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/dcache.c b/fs/dcache.c index 0c78ef4bb5e7..c159a4b304cf 100644 --- a/fs/dcache.c +++ b/fs/dcache.c @@ -1028,7 +1028,8 @@ static bool shrink_lock_dentry(struct dentry *dentry) return true; spin_unlock(&parent->d_lock); out: - spin_unlock(&inode->i_lock); + if (inode) + spin_unlock(&inode->i_lock); return false; } -- 2.17.0.rc0.231.g781580f067-goog
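Review bot: The new `if (inode)` check at the `out:` label carries no comment, and the reason it is needed (per the commit message, a negative dentry can reach `out:` with `inode` NULL) is not evident from the code itself; a one-line comment above the check would keep a later cleanup from removing it. The hunk also does not show where `inode->i_lock` is taken, so it is worth confirming that the acquisition side is guarded by the same NULL test, so that lock and unlock stay paired on every path into `out:`.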