Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3201056imu;
        Fri, 23 Nov 2018 23:59:43 -0800 (PST)
X-Google-Smtp-Source: AJdET5cx2yjI/niORdN5Gc/qq+Em9pIzwAai1TY7a4sw/dy3yWNIOnaeqs0eT3fmu5eZaYYkZ8Dn
X-Received: by 2002:a65:6684:: with SMTP id b4mr17110725pgw.55.1543046383007;
        Fri, 23 Nov 2018 23:59:43 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1543046382; cv=none;
        d=google.com; s=arc-20160816;
        b=xEsekx/OjDJHHCPjdKAs33i1ITgqfO2aVtCoETc5/iIfolJQc/ms96ekCRxESxddmr
         SwcWlWUS/zw/SJ6Ihoi78lHBi2bWe14+AI/FJi1TOMtNQCjcPq1mq75Dn+4ws7iBnxqK
         H2m/Ht4JbOfx+w+1saXu1bIi1v+R5mH31qpdCbL7JhBdVGIWu2kXLTQUsvCEvTfOvLtV
         uqi2H6zCf/UzwRQMcFTzg4OjTeAIHDozDf76zREVJ/teqPiuZQL7JQB3+qLUhUGQa3st
         NzZNnmMOWbS15L1+KtaOZN8qQZB+elxuFEwz+K86fQVEMzZtrTsho9cOybdiH2TcFKUy
         F+cQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=YE3EvI3y17cIFvUIjyyL8FY6Xun8Oor94rJFbPNFjqM=;
        b=zG1mZaKrZ5nufF2JSrm+czIisVZd0nU1kCeHVrgFp8mGbKW9ENvoZuEuC5QWErEB6M
         mi8c4vXYAvI9X6KeFo++Z0O6yjssj5wl6Yl8j3bRGZMWeP+LXa+yInpqAmrTkxl+WDYe
         P6AhhByLDxsM4XwEjhm3QzGIgjN9mdnESumk5PFW+Z1g6DvihPwCGseEy5YGCNPY3E8E
         izoOxKE0J9Lx+k+3d5zzhGniI35g1h/5kaHwluojQT6I9x1JQITbO8v6mim/+DYPLFpj
         ThK7NJA0DFN4ViGGmRT/W8Fzncht7n9y7DIIPOPdlTV8ASJK2tjzOqTZceKHH4a4HjPt
         GP5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=kSK3wM0i;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id y126-v6si61665201pfy.22.2018.11.23.23.59.28;
        Fri, 23 Nov 2018 23:59:42 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=kSK3wM0i;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732217AbeKWQlL (ORCPT <rfc822;arandomawesomegeek@gmail.com>
        + 99 others); Fri, 23 Nov 2018 11:41:11 -0500
Received: from mail-yw1-f67.google.com ([209.85.161.67]:40474 "EHLO
        mail-yw1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1729305AbeKWQlL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 23 Nov 2018 11:41:11 -0500
Received: by mail-yw1-f67.google.com with SMTP id r130so1218723ywg.7
        for <linux-kernel@vger.kernel.org>; Thu, 22 Nov 2018 21:58:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=YE3EvI3y17cIFvUIjyyL8FY6Xun8Oor94rJFbPNFjqM=;
        b=kSK3wM0irHrBHyE+lspTs0v8rGRoX4UwnhNr8ztexF0r2DhT7E7uj2VAxhJuLFab/D
         XXZoluBxyg+jtlp23VUSFTtGLbBzchK8pW+xjoxSh38ml97XeW+0ES/mkqIFL7JgSxmZ
         U2XWddsul1J2y4teBoRq8KTeXRomr4PGEtVyHVPL2ktdGIjv8GXj3CZjinfsJwr5u7n/
         hThe/rmiza7AbD2N8lqE57RosMaan04xLalxEYSYhMI7LKn+Jkv+ws7UX8eMkMf2vkFk
         tWLqZMtGT7rlTRnmggTx7S+0Mt9bTYowlFSLw9qK4ra0ATJyBQalVZyeFXz0sQEwLvcQ
         riXw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=YE3EvI3y17cIFvUIjyyL8FY6Xun8Oor94rJFbPNFjqM=;
        b=O8n4FBORpe6TaT3+Bp+hC9sxp5299I0RrIgF2ISFCOrgH30Yu3c7snQWSJt74NAfSU
         BSdSFuOizXDTfM/3goGausyFVMAOL9Y5qJcCcj/XY6dB/qfEMrprl950FJVcw4+CisgU
         2xV5MqyySintzzh5Np9q6zdQ3vha40g9wMyVIkHM7qJ78uYqUgBDJBvtyXOzm0JgTDMo
         ACI/t7ENQJ2YXS1WB8K6RArsr7cOcD13WRaogUwQ3OIqXBMhKJGABjYT381Mp/SWPwUC
         eM+BtTNNsP+cQ0xNZCmQh/wA/E7syWeAnqazoYWQt6tcnAEAej78NilVzMdzm+jpAqCA
         EbvQ==
X-Gm-Message-State: AA+aEWZc/lcQZ0/4DHLDxkJjzqGtxrfqsZtHfwpewtmU127K5Ti4ar0j
        xb1dk5pqJJNBQbeT4Xor9w2yqiTJHEC7GXMR9F0=
X-Received: by 2002:a81:2916:: with SMTP id p22mr11017059ywp.176.1542952707052;
 Thu, 22 Nov 2018 21:58:27 -0800 (PST)
MIME-Version: 1.0
References: <1542942953-93562-1-git-send-email-bianpan2016@163.com>
In-Reply-To: <1542942953-93562-1-git-send-email-bianpan2016@163.com>
From:   Amir Goldstein <amir73il@gmail.com>
Date:   Fri, 23 Nov 2018 07:58:15 +0200
Message-ID: <CAOQ4uxj74Xh6ZbJp7zPZOxOY-gkrm5K1yU31+DW1YMYzOWtKgA@mail.gmail.com>
Subject: Re: [PATCH] exportfs: do not read dentry after free
To:     bianpan2016@163.com
Cc:     Miklos Szeredi <mszeredi@redhat.com>,
        linux-kernel <linux-kernel@vger.kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>,
        "J. Bruce Fields" <bfields@fieldses.org>,
        Christoph Hellwig <hch@lst.de>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Nov 23, 2018 at 5:16 AM Pan Bian <bianpan2016@163.com> wrote:
>
> The function dentry_connected calls dput(dentry) to drop the previously
> acquired reference to dentry. In this case, dentry can be released.
> After that, IS_ROOT(dentry) checks the condition
> (dentry == dentry->d_parent), which may result in a use-after-free bug.
> This patch directly compares dentry with its parent obtained before
> dropping the reference.
>
> Fixes: a056cc8934c("exportfs: stop retrying once we race with
> rename/remove")
>

CC Fixes patch author/reviewers

How did you find this? by code review or did this actually happen?

Normally a IS_ROOT dentry would be either DCACHE_DISCONNECTED or
pinned to some super block, but I guess there may be corner cases?

> Signed-off-by: Pan Bian <bianpan2016@163.com>
> ---
>  fs/exportfs/expfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
> index 645158d..a69aaf5 100644
> --- a/fs/exportfs/expfs.c
> +++ b/fs/exportfs/expfs.c
> @@ -77,7 +77,7 @@ static bool dentry_connected(struct dentry *dentry)
>                 struct dentry *parent = dget_parent(dentry);
>
>                 dput(dentry);
> -               if (IS_ROOT(dentry)) {
> +               if (dentry == parent) { /* is root entry */
>                         dput(parent);
>                         return false;
>                 }

The change itself looks right, but the name IS_ROOT is confusing
enough as it is. The explicit comment is just plain wrong.
If it was really a root dentry, it wouldn't have been DCACHE_DISCONNECTED
(unless it is a filesystem bug).

Thanks,
Amir.