From: "Luís Henriques" <lhenriques@suse.de>
To: Mateusz Guzik <mjguzik@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christian Brauner <brauner@kernel.org>,
David Howells <dhowells@redhat.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] fs: fix possible extra iput() in do_unlinkat()
Date: Thu, 28 Sep 2023 16:06:40 +0100 [thread overview]
Message-ID: <878r8q1gn3.fsf@suse.de> (raw)
In-Reply-To: <20230928134513.l2y3eknt2hfq3qgx@f> (Mateusz Guzik's message of "Thu, 28 Sep 2023 15:45:13 +0200")
Mateusz Guzik <mjguzik@gmail.com> writes:
> On Thu, Sep 28, 2023 at 02:11:29PM +0100, Luís Henriques wrote:
>> Because inode is being initialised before checking if dentry is negative,
>> and the ihold() is only done if the dentry is *not* negative, the cleanup
>> code may end-up doing an extra iput() on that inode.
>>
>> Fixes: b18825a7c8e3 ("VFS: Put a small type field into struct dentry::d_flags")
>> Signed-off-by: Luís Henriques <lhenriques@suse.de>
>> ---
>> Hi!
>>
>> I was going to also remove the 'if (inode)' before the 'iput(inode)',
>> because 'iput()' already checks for NULL anyway. But since I probably
>> wouldn't have caught this bug if it wasn't for that 'if', I decided to
>> keep it there. But I can send v2 with that change too if you prefer.
>>
>> Cheers,
>> --
>> Luís
>>
>> fs/namei.c | 4 +---
>> 1 file changed, 1 insertion(+), 3 deletions(-)
>>
>> diff --git a/fs/namei.c b/fs/namei.c
>> index 567ee547492b..156a570d7831 100644
>> --- a/fs/namei.c
>> +++ b/fs/namei.c
>> @@ -4386,11 +4386,9 @@ int do_unlinkat(int dfd, struct filename *name)
>> if (!IS_ERR(dentry)) {
>>
>> /* Why not before? Because we want correct error value */
>> - if (last.name[last.len])
>> + if (last.name[last.len] || d_is_negative(dentry))
>> goto slashes;
>> inode = dentry->d_inode;
>> - if (d_is_negative(dentry))
>> - goto slashes;
>> ihold(inode);
>> error = security_path_unlink(&path, dentry);
>> if (error)
>
> I ran into this myself, but I'm pretty sure there is no bug here. The
> code is just incredibly misleading and it became this way from the
> sweeping change introducing d_is_negative. I could not be bothered to
> argue about patching it so I did not do anything. ;)
>
> AFAICS it is an invariant that d_is_negative passes iff d_inode is NULL.
Ah! yes, of course. Makes sense. Thanks for your review.
> Personally I support the patch, but commit message needs to stop
> claiming a bug.
OK, I'll rephrase the commit message for v2 so that it's clear it's not
really fixing anything, it just helps clarifying some misleading code
paths. (Although, to be fair, the commit message doesn't really
explicitly call it a bug :-) ).
Cheers,
--
Luís
next prev parent reply other threads:[~2023-09-28 15:06 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-09-28 13:11 [PATCH] fs: fix possible extra iput() in do_unlinkat() Luís Henriques
2023-09-28 13:45 ` Mateusz Guzik
2023-09-28 15:06 ` Luís Henriques [this message]
2023-09-28 16:19 ` Christian Brauner
2023-09-28 17:21 ` Luís Henriques
2023-09-28 14:20 ` Christian Brauner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=878r8q1gn3.fsf@suse.de \
--to=lhenriques@suse.de \
--cc=brauner@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mjguzik@gmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox