From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail-co1nam03on0116.outbound.protection.outlook.com ([104.47.40.116]:27616 "EHLO NAM03-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1729138AbeIOGtj (ORCPT ); Sat, 15 Sep 2018 02:49:39 -0400
From: Sasha Levin
To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org"
CC: Mike Christie , Christoph Hellwig , Joel Becker , Sasha Levin
Subject: [PATCH AUTOSEL 4.14 14/57] configfs: fix registered group removal
Date: Sat, 15 Sep 2018 01:32:37 +0000
Message-ID: <20180915013223.179909-14-alexander.levin@microsoft.com>
References: <20180915013223.179909-1-alexander.levin@microsoft.com>
In-Reply-To: <20180915013223.179909-1-alexander.levin@microsoft.com>
Content-Language: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Sender: stable-owner@vger.kernel.org
List-ID:

From: Mike Christie

[ Upstream commit cc57c07343bd071cdf1915a91a24ab7d40c9b590 ]

This patch fixes a bug where configfs_register_group had added
a group in a tree, and userspace has done a rmdir on a dir somewhere
above that group and we hit a kernel crash. The problem is configfs_rmdir
will detach everything under it and unlink groups on the default_groups
list. It will not unlink groups added with configfs_register_group so when
configfs_unregister_group is called to drop its references to the
group/items we crash when we try to access the freed dentrys.

The patch just adds a check for if a rmdir has been done above
us and if so just does the unlink part of unregistration.

Sorry if you are getting this multiple times. I thought I sent
this to some of you and lkml, but I do not see it.

Signed-off-by: Mike Christie
Cc: Christoph Hellwig
Cc: Joel Becker
Signed-off-by: Christoph Hellwig
Signed-off-by: Sasha Levin
---
 fs/configfs/dir.c | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c index 56fb26127fef..d2a1a79fa324 100644 --- a/fs/configfs/dir.c +++ b/fs/configfs/dir.c @@ -1777,6 +1777,16 @@ void configfs_unregister_group(struct config_group *= group) struct dentry *dentry =3D group->cg_item.ci_dentry; struct dentry *parent =3D group->cg_item.ci_parent->ci_dentry; =20 + mutex_lock(&subsys->su_mutex); + if (!group->cg_item.ci_parent->ci_group) { + /* + * The parent has already been unlinked and detached + * due to a rmdir. + */ + goto unlink_group; + } + mutex_unlock(&subsys->su_mutex); + inode_lock_nested(d_inode(parent), I_MUTEX_PARENT); spin_lock(&configfs_dirent_lock); configfs_detach_prep(dentry, NULL); @@ -1791,6 +1801,7 @@ void configfs_unregister_group(struct config_group *g= roup) dput(dentry); =20 mutex_lock(&subsys->su_mutex); +unlink_group: unlink_group(group); mutex_unlock(&subsys->su_mutex); } --=20 2.17.1
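
Review bot: In the first hunk the ci_parent->ci_group check is made under su_mutex, but on the path where the parent is still linked the mutex is released before inode_lock_nested(d_inode(parent), I_MUTEX_PARENT) is taken, and nothing visible here stops a rmdir above the group from completing in that window, which would send the detach path back onto the freed dentries the check is meant to avoid. Please either state in the comment what serialises unregistration against rmdir between mutex_unlock() and inode_lock_nested(), or restructure so the decision and the detach are covered by one lock. The comment should also say that parent, initialised from group->cg_item.ci_parent->ci_dentry in the declaration before su_mutex is held, is deliberately left unused on the goto path.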
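
Review bot: The label added in the second hunk shares its name with the unlink_group() function called on the very next line, and the goto lands after mutex_lock(&subsys->su_mutex) while relying on the mutex still being held from the earlier check. The name clash is legal C but easy to misread; a distinct label name plus a one-line comment at the label saying that su_mutex is held on both entry paths would make the locking obvious. The jump also skips the dput(dentry) shown just above the label, so the commit message or the comment should say explicitly that the rmdir has already dropped that reference.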