author: Steven Rostedt (Google) <rostedt@goodmis.org> 2023-11-01 13:25:47 -0400
committer: Steven Rostedt (Google) <rostedt@goodmis.org> 2023-11-02 00:17:27 -0400
commit: 020010fbfa202aa528a52743eba4ab0da3400a4e
tree: 9c1176e157b9688aa01c6b22c1a050e3093e9e9d /drivers/cdx/controller/cdx_rpmsg.c
parent: 44365329f8219fc379097c2c9a75ff53f123764f
eventfs: Delete eventfs_inode when the last dentry is freed

There exists a race between holding a reference of an eventfs_inode dentry and the freeing of the eventfs_inode. If user space has a dentry held long enough, it may still be able to access the dentry's eventfs_inode after it has been freed.

To prevent this, have the eventfs_inode freed via the last dput() (or via RCU if the eventfs_inode does not have a dentry).

This means reintroducing the eventfs_inode del_list field at a temporary place to put the eventfs_inode. It needs to mark it as freed (via the list) but also must invalidate the dentry immediately as the return from eventfs_remove_dir() expects that they are. But the dentry invalidation must not be called under the eventfs_mutex, so it must be done after the eventfs_inode is marked as free (put on a deletion list).

Link: https://lkml.kernel.org/r/20231101172650.123479767@goodmis.org
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Ajay Kaher <akaher@vmware.com>
Fixes: 5bdcd5f5331a2 ("eventfs: Implement removal of meta data from eventfs")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>

Diffstat (limited to 'drivers/cdx/controller/cdx_rpmsg.c')
0 files changed, 0 insertions, 0 deletions