eventfs: Delete eventfs_inode when the last dentry is freed
stable inclusion from stable-v6.6.1 commit ea4c30a0a73fb5cb2604539db550f1e620bb949c category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I8IKRU Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=ea4c30a0a73fb5cb2604539db550f1e620bb949c -------------------------------- commit 020010fbfa202aa528a52743eba4ab0da3400a4e upstream There exists a race between holding a reference of an eventfs_inode dentry and the freeing of the eventfs_inode. If user space has a dentry held long enough, it may still be able to access the dentry's eventfs_inode after it has been freed. To prevent this, have he eventfs_inode freed via the last dput() (or via RCU if the eventfs_inode does not have a dentry). This means reintroducing the eventfs_inode del_list field at a temporary place to put the eventfs_inode. It needs to mark it as freed (via the list) but also must invalidate the dentry immediately as the return from eventfs_remove_dir() expects that they are. But the dentry invalidation must not be called under the eventfs_mutex, so it must be done after the eventfs_inode is marked as free (put on a deletion list). Link: https://lkml.kernel.org/r/20231101172650.123479767@goodmis.org Cc: stable@vger.kernel.org Cc: Masami Hiramatsu <mhiramat@kernel.org> Cc: Mark Rutland <mark.rutland@arm.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Ajay Kaher <akaher@vmware.com> Fixes: 5bdcd5f5 ("eventfs: Implement removal of meta data from eventfs") Signed-off-by:Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by:
Loading
Please sign in to comment