Linux filesystem development
From: Breno Leitao <leitao@debian.org>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org,
	Andreas Hindborg <a.hindborg@kernel.org>,
	Linus Torvalds <torvalds@linux-foundation.org>,
	Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>
Subject: Re: [RFC PATCH 01/14] configfs_lookup(): don't leave ->s_dentry dangling on failure
Date: Thu, 21 May 2026 09:38:36 -0700
Message-ID: <ag806q5ymiSXvIPU@gmail.com>
In-Reply-To: <20260519070633.2025485-2-viro@zeniv.linux.org.uk>

On Tue, May 19, 2026 at 08:06:20AM +0100, Al Viro wrote:
> Normally ->s_dentry is cleared when dentry it's pointing to becomes
> negative (on eviction, realistically).  However, that only happens
> if dentry gets to be positive in the first place; in case of inode
> allocation failure dentry never becomes positive, so ->d_iput()
> is not called at all.
> 
> We do part of what normally would've been done by configfs_d_iput()
> (dropping the reference to configfs_dirent) manually, but we do
> not clear ->s_dentry there.  Sloppy as it is, it does not matter in
> case of configfs_create_{dir,link}() - there configfs_dirent does
> not survive dropping the sole reference to it.
> 
> However, for configfs_lookup() it *does* survive, with a dangling
> pointer to soon to be freed dentry sitting in its ->s_dentry.
> 
> Subsequent getdents(2) in that directory will end up dereferencing
> that pointer in order to pick the inode number.  Use after free...
> 
> This is the minimal fix; the right approach is to set the linkage
> between dentry and configfs_dirent only after we know that we have
> an inode, but that takes more surgery and the bug had been there
> since 2006, so...
> 
> Fixes: 3d0f89bb1694 ("configfs: Add permission and ownership to configfs objects") # 2.6.16-rc3
> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Reviewed-by: Breno Leitao <leitao@debian.org>
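The failure path the quoted commit message describes, as an added userspace model for readers of the thread (not kernel code and not part of the patch): the dirent/dentry linkage is set before the inode exists, a failed inode allocation drops the dirent reference by hand, and a later readdir trusts the stale ->s_dentry. The struct layouts, `model_*` helpers and the poisoning stand-in for eviction are all assumptions of this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <string.h>

/* Hypothetical userspace model of the lifecycle bug in the quoted commit
 * message; not kernel code, the structures are simplified stand-ins. */
struct dentry { unsigned long ino; };	/* stands in for d_inode(dentry)->i_ino */
struct configfs_dirent {
	struct dentry *s_dentry;	/* back-pointer; must not outlive the dentry */
	int s_count;			/* refcount on the dirent */
};

/* Model of configfs_lookup(): linkage is set before the inode exists. On
 * failure the dirent reference is dropped by hand (part of what
 * configfs_d_iput() would do), but only the fixed variant clears ->s_dentry. */
static int model_lookup(struct configfs_dirent *sd, struct dentry *d,
			bool inode_ok, bool fixed)
{
	sd->s_count++;
	sd->s_dentry = d;
	if (inode_ok) {
		d->ino = 42;		/* dentry becomes positive */
		return 0;
	}
	sd->s_count--;
	if (fixed)
		sd->s_dentry = NULL;	/* the minimal fix */
	return -ENOMEM;		/* dentry stays negative; ->d_iput() never runs */
}

/* Model of configfs_readdir() choosing an inode number: it trusts ->s_dentry
 * when set, else falls back to a synthetic number (iunique() in-kernel). */
static unsigned long model_readdir_ino(const struct configfs_dirent *sd)
{
	return sd->s_dentry ? sd->s_dentry->ino : 2;
}

/* Failed lookup, then eviction of the never-positive dentry, then
 * getdents(2). Eviction is modelled by poisoning rather than free() so the
 * model stays well-defined; the kernel really frees the memory. */
static unsigned long scenario(bool fixed)
{
	struct dentry d = { 0 };
	struct configfs_dirent sd = { 0 };
	model_lookup(&sd, &d, false, fixed);
	memset(&d, 0x6b, sizeof(d));	/* SLUB-style use-after-free poison */
	return model_readdir_ino(&sd);
}
```

With the fix, `scenario(true)` takes the fallback path and returns 2; without it, readdir reads the poisoned (in the kernel, freed) dentry and reports garbage.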
