From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Paul E. McKenney"
Subject: Re: [PATCH] vfs: Fix possible NULL pointer dereference in inode_permission()
Date: Thu, 9 Jan 2014 15:10:53 -0800
Message-ID: <20140109231053.GP10038@linux.vnet.ibm.com>
References: <20140109162731.12500986@gandalf.local.home>
 <20140109214239.GD29910@parisc-linux.org>
 <20140109165012.391db81e@gandalf.local.home>
 <20140109223127.GM10323@ZenIV.linux.org.uk>
Reply-To: paulmck@linux.vnet.ibm.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Al Viro, Dave Chinner, linux-fsdevel@vger.kernel.org, James Morris, Andrew Morton, Stephen Smalley, "Theodore Ts'o", Steven Rostedt, Eric Paris, stable, Paul Moore, LKML, Matthew Wilcox, Christoph Hellwig
To: Linus Torvalds
Return-path:
Content-Disposition: inline
In-Reply-To:
Sender: stable-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

On Fri, Jan 10, 2014 at 06:41:03AM +0800, Linus Torvalds wrote:
> I think the sane short term fix is to make the kfree() of the i_security
> member be a rcu free, and not clear the member.

Interesting use case.  ;-)

							Thanx, Paul

> Not pretty, but should did this case..
>
> Linus
>
> On Jan 10, 2014 6:31 AM, "Al Viro" wrote:
> >
> > iput() definitely can sleep (that's when actual truncation and inode
> > freeing is done for opened-and-unlinked files - on the final iput() after
> > close()), but that's irrelevant here - fsnotify_delete_inode() grabs
> > a bunch of mutexes, which makes calling it from rcu callback no-go.
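The two teardown strategies discussed in this message, modelled in userspace C as an added example that is not part of the thread or of the kernel tree. The kernel's RCU machinery is replaced by a constructed deferred-free list (`kfree_rcu_sim`, `grace_period_sim`), the LSM blob by a one-field `struct sec_blob`, and `rcu_walk_check` is a hypothetical stand-in for the RCU-walk permission check named in the subject line; the interleaving in `race` is one reader that loaded the inode before the final teardown started. Variant A clears `i_security` and frees at once, so that reader finds a NULL pointer; variant B keeps the member set and only defers the `kfree()`, so the blob stays valid until the reader has left its read-side section. As Al Viro's point about `fsnotify_delete_inode()` requires, only the free is deferred; anything that may sleep stays in the synchronous path and is not pushed into the callback.

```c
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy stand-ins for the kernel objects (constructed for this example). */
struct sec_blob { int perm_mask; };              /* the LSM blob behind inode->i_security */
struct inode    { struct sec_blob *i_security; };

/* Minimal model of call_rcu()/kfree_rcu(): a free is queued here and only
 * executed when a grace period is simulated, i.e. after every reader that
 * was inside rcu_read_lock() at queue time has left its read section. */
#define MAX_DEFERRED 8
static void *deferred[MAX_DEFERRED];
static int ndeferred;

static void kfree_rcu_sim(void *p)
{
    assert(ndeferred < MAX_DEFERRED);
    deferred[ndeferred++] = p;
}

static void grace_period_sim(void)
{
    for (int i = 0; i < ndeferred; i++)
        free(deferred[i]);
    ndeferred = 0;
}

/* Reader side: an RCU-walk permission check on an inode it already holds.
 * Returns 0 (allowed), -13 (EACCES) or -1 when i_security is NULL, which is
 * the condition the patch in the subject line has to guard against. */
static int rcu_walk_check(const struct inode *inode, int want)
{
    const struct sec_blob *sec = inode->i_security;  /* rcu_dereference() in the kernel */
    if (!sec)
        return -1;
    return (sec->perm_mask & want) == want ? 0 : -13;
}

/* Teardown variant A: clear the member and free at once. Any reader that
 * loaded the inode before this point now finds i_security == NULL. */
static void security_inode_free_clearing(struct inode *inode)
{
    struct sec_blob *sec = inode->i_security;
    inode->i_security = NULL;
    free(sec);
}

/* Teardown variant B (the proposal in the thread): leave the member set and
 * defer only the kfree() to after a grace period. Work that may sleep
 * (fsnotify, mutexes) still runs here synchronously, never in the callback. */
static void security_inode_free_rcu(struct inode *inode)
{
    kfree_rcu_sim(inode->i_security);
}

/* One interleaving: the reader enters its RCU read section and loads the
 * inode, the final iput() tears the inode down on another CPU, and the reader
 * then performs its check. Returns the reader's result. */
static int race(int use_rcu_free)
{
    struct inode *inode = calloc(1, sizeof *inode);
    struct sec_blob *sec = calloc(1, sizeof *sec);
    assert(inode && sec);
    sec->perm_mask = 4;                          /* constructed: "read" bit set */
    inode->i_security = sec;

    const struct inode *reader_inode = inode;    /* reader: rcu_read_lock(); load inode */

    if (use_rcu_free)
        security_inode_free_rcu(inode);
    else
        security_inode_free_clearing(inode);
    kfree_rcu_sim(inode);                        /* the inode itself is always RCU-freed */

    int rc = rcu_walk_check(reader_inode, 4);    /* reader still inside its read section */

    grace_period_sim();                          /* reader has left; deferred frees run */
    return rc;
}

int main(void)
{
    printf("clear-then-free: reader got %d\n", race(0));   /* -1: NULL i_security */
    printf("rcu-free:        reader got %d\n", race(1));   /*  0: blob still valid */
    return 0;
}
```

The model deliberately keeps the inode's own memory RCU-freed in both variants, as the kernel does, so the only difference between the two runs is whether `i_security` is cleared before the reader looks at it; that isolates the NULL-pointer case from the separate use-after-free question.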