Re: [PATCH] nfsd: fix dentry leak upon mkdir failure.

All of lore.kernel.org
 help / color / mirror / Atom feed

From: bfields@fieldses.org (J. Bruce Fields)
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
	linux-fsdevel@vger.kernel.org,
	"J. Bruce Fields" <bfields@redhat.com>,
	syzbot <syzbot+2c95195d5d433f6ed6cb@syzkaller.appspotmail.com>
Subject: Re: [PATCH] nfsd: fix dentry leak upon mkdir failure.
Date: Thu, 15 Aug 2019 16:23:55 -0400	[thread overview]
Message-ID: <20190815202355.GC19554@fieldses.org> (raw)
In-Reply-To: <20190812030354.GR1131@ZenIV.linux.org.uk>

On Mon, Aug 12, 2019 at 04:03:54AM +0100, Al Viro wrote:
> On Mon, Aug 12, 2019 at 11:16:11AM +0900, Tetsuo Handa wrote:
> > syzbot is reporting that nfsd_mkdir() forgot to remove dentry created by
> > d_alloc_name() when __nfsd_mkdir() failed (due to memory allocation fault
> > injection) [1].
> 
> That's not the only problem I see there.
>         ret = __nfsd_mkdir(d_inode(parent), dentry, S_IFDIR | 0600);
>         if (ret)
>                 goto out_err;
>         if (ncl) {
>                 d_inode(dentry)->i_private = ncl;
>                 kref_get(&ncl->cl_ref);
>         }
> and we are doing that to inode *after* it has become visible via dcache -
> __nfsd_mkdir() has already done d_add() (and pinged f-snotify, at that).
> Looks fishy...

Whoops, thanks.  Considering the following (untested).

--b.

commit 930f7dd94cc2
Author: J. Bruce Fields <bfields@redhat.com>
Date:   Thu Aug 15 16:18:26 2019 -0400

    nfsd: initialize i_private before d_add
    
    A process could race in an open and attempt to read one of these files
    before i_private is initialized, and get a spurious error.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index b14f825c62fe..3cf4f6aa48d6 100644
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1171,13 +1171,17 @@ static struct inode *nfsd_get_inode(struct super_block *sb, umode_t mode)
 	return inode;
 }
 
-static int __nfsd_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
+static int __nfsd_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode, struct nfsdfs_client *ncl)
 {
 	struct inode *inode;
 
 	inode = nfsd_get_inode(dir->i_sb, mode);
 	if (!inode)
 		return -ENOMEM;
+	if (ncl) {
+		inode->i_private = ncl;
+		kref_get(&ncl->cl_ref);
+	}
 	d_add(dentry, inode);
 	inc_nlink(dir);
 	fsnotify_mkdir(dir, dentry);
@@ -1194,13 +1198,9 @@ static struct dentry *nfsd_mkdir(struct dentry *parent, struct nfsdfs_client *nc
 	dentry = d_alloc_name(parent, name);
 	if (!dentry)
 		goto out_err;
-	ret = __nfsd_mkdir(d_inode(parent), dentry, S_IFDIR | 0600);
+	ret = __nfsd_mkdir(d_inode(parent), dentry, S_IFDIR | 0600, ncl);
 	if (ret)
 		goto out_err;
-	if (ncl) {
-		d_inode(dentry)->i_private = ncl;
-		kref_get(&ncl->cl_ref);
-	}
 out:
 	inode_unlock(dir);
 	return dentry;

next prev parent reply	other threads:[~2019-08-15 20:23 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-08-12  2:07 BUG: Dentry still in use [unmount of nfsd nfsd] syzbot
2019-08-12  2:16 ` [PATCH] nfsd: fix dentry leak upon mkdir failure Tetsuo Handa
2019-08-12  3:03   ` Al Viro
2019-08-15 20:23     ` J. Bruce Fields [this message]
2019-08-15 19:59   ` J. Bruce Fields
2019-08-15 20:53     ` Tetsuo Handa

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:b14f825c62f dfblob:3cf4f6aa48d )
 OR (
bs:"Re: [PATCH] nfsd: fix dentry leak upon mkdir failure." )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20190815202355.GC19554@fieldses.org \
    --to=bfields@fieldses.org \
    --cc=bfields@redhat.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=penguin-kernel@i-love.sakura.ne.jp \
    --cc=syzbot+2c95195d5d433f6ed6cb@syzkaller.appspotmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.