linux/fs/cachefiles
Baokun Li da6ef2dffe
cachefiles: fix dentry leak in cachefiles_open_file()
A dentry leak may be caused when a lookup cookie and a cull are concurrent:

            P1             |             P2
-----------------------------------------------------------
cachefiles_lookup_cookie
  cachefiles_look_up_object
    lookup_one_positive_unlocked
     // get dentry
                            cachefiles_cull
                              inode->i_flags |= S_KERNEL_FILE;
    cachefiles_open_file
      cachefiles_mark_inode_in_use
        __cachefiles_mark_inode_in_use
          can_use = false
          if (!(inode->i_flags & S_KERNEL_FILE))
            can_use = true
          return false
        return false
        // Returns an error but doesn't put dentry

After that the following WARNING will be triggered when the backend folder
is umounted:

==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img}  still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
 <TASK>
 d_walk+0xda/0x2b0
 do_one_tree+0x20/0x40
 shrink_dcache_for_umount+0x2c/0x90
 generic_shutdown_super+0x20/0x160
 kill_block_super+0x1a/0x40
 ext4_kill_sb+0x22/0x40
 deactivate_locked_super+0x35/0x80
 cleanup_mnt+0x104/0x160
==================================================================

Whether cachefiles_open_file() returns true or false, the reference count
obtained by lookup_positive_unlocked() in cachefiles_look_up_object()
should be released.

Therefore release that reference count in cachefiles_look_up_object() to
fix the above issue and simplify the code.

Fixes: 1f08c925e7 ("cachefiles: Implement backing file wrangling")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240829083409.3788142-1-libaokun@huaweicloud.com
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2024-09-27 18:29:19 +02:00
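
The reference-ownership problem described in the commit message above, as an added user-space C model (not kernel code and not part of the commit). All names are hypothetical, and the pre-fix rule that the callee drops the reference on its success path is an assumption of the model:

```c
#include <stdbool.h>
#include <stdio.h>

/* User-space model; all names are hypothetical, none is a kernel API. */
#define KERNEL_FILE_FLAG 0x1u   /* stands in for S_KERNEL_FILE */
struct model_inode  { unsigned int flags; };
struct model_dentry { int refcount; struct model_inode *inode; };

/* Lookup hands the caller one reference; put drops one. */
static struct model_dentry *model_lookup(struct model_dentry *d) { d->refcount++; return d; }
static void model_put(struct model_dentry *d) { d->refcount--; }

/* Fails when the inode is already marked, as after a concurrent cull. */
static bool model_mark_in_use(struct model_inode *inode)
{
    bool can_use = !(inode->flags & KERNEL_FILE_FLAG);
    inode->flags |= KERNEL_FILE_FLAG;
    return can_use;
}

/* Assumed pre-fix rule: the callee drops the reference, except on this error path. */
static bool open_file_callee_puts(struct model_dentry *d)
{
    if (!model_mark_in_use(d->inode))
        return false;           /* returns an error without a put */
    model_put(d);
    return true;
}

/* References still held after one lookup; cull_wins models P2 running first. */
int leaked_refs(bool fixed, bool cull_wins)
{
    struct model_inode inode = { 0 };
    struct model_dentry dentry = { 0, &inode };
    struct model_dentry *d = model_lookup(&dentry);
    inode.flags = cull_wins ? KERNEL_FILE_FLAG : 0;   /* set between lookup and open */
    if (fixed) {
        model_mark_in_use(d->inode);   /* callee only borrows the dentry */
        model_put(d);                  /* caller puts on success and on failure */
    } else {
        open_file_callee_puts(d);
    }
    return dentry.refcount;
}

int main(void)
{
    printf("cull wins: old=%d new=%d\n", leaked_refs(false, true), leaked_refs(true, true));
    return 0;
}
```

A nonzero return from `leaked_refs()` corresponds to the "still in use" count reported at unmount in the trace above.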
..
cache.c cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() 2024-07-03 10:36:15 +02:00
daemon.c Merge patch series "cachefiles: random bugfixes" 2024-07-05 18:40:40 +02:00
error_inject.c cachefiles: Remove the now superfluous sentinel element from ctl_table array 2023-12-28 04:57:57 -08:00
interface.c cachefiles: extract ondemand info field from cachefiles_object 2023-11-25 16:03:57 +01:00
internal.h Merge patch series "cachefiles: random bugfixes" 2024-07-05 18:40:40 +02:00
io.c cachefiles, netfs: Fix write to partial block at EOF 2024-09-12 12:20:41 +02:00
Kconfig netfs, fscache: Combine fscache with netfs 2023-12-24 15:08:46 +00:00
key.c cachefiles: Implement key to filename encoding 2022-01-07 13:42:16 +00:00
main.c cachefiles: Implement object lifecycle funcs 2022-01-07 13:42:08 +00:00
Makefile cachefiles: notify the user daemon when looking up cookie 2022-05-18 00:11:17 +08:00
namei.c cachefiles: fix dentry leak in cachefiles_open_file() 2024-09-27 18:29:19 +02:00
ondemand.c Merge patch series "cachefiles: random bugfixes" 2024-07-05 18:40:40 +02:00
security.c cachefiles: Add security derivation 2022-01-07 13:41:14 +00:00
volume.c cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie() 2024-07-03 10:36:15 +02:00
xattr.c cachefiles: Fix non-taking of sb_writers around set/removexattr 2024-09-05 11:00:40 +02:00