Subject: Re: [PATCH] autofs: drop dentry reference only when it is never used
Message-ID: <9f79a8203d29f207cfb71c7aefb3c98f28a23aaf.camel@themaw.net>
From: Ian Kent
To: Pan Bian
Cc: autofs@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Mon, 26 Nov 2018 18:36:39 +0800
In-Reply-To: <1543197494-15688-1-git-send-email-bianpan2016@163.com>
References: <1543197494-15688-1-git-send-email-bianpan2016@163.com>

On Mon, 2018-11-26 at 09:58 +0800, Pan Bian wrote:
> The function autofs_expire_run calls dput(dentry) to drop the reference
> count of dentry. However, dentry is read via autofs_dentry_ino(dentry)
> after that. This may result in a use-after-free bug. The patch drops the
> reference count of dentry only when it is never used.

Yes, I agree this is a bug and it should be fixed.

The autofs_expire_run() function is used for autofs v3 which is very
old now so it's not likely to be called.

But I think you are correct, if it is called the copy to user space
should trigger a umount and (likely) remove the mount point directory,
maybe I broke this at some point without realising it ...

So thanks, I'll have a closer look but even if the ref counting isn't
quite what either of us expect this is probably still worthwhile.

If I don't see any reason to not do this I'll forward the patch to
Andrew.

Ian

> 
> Signed-off-by: Pan Bian
> ---
>  fs/autofs/expire.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/autofs/expire.c b/fs/autofs/expire.c
> index d441244..28d9c2b 100644
> --- a/fs/autofs/expire.c
> +++ b/fs/autofs/expire.c
> @@ -596,7 +596,6 @@ int autofs_expire_run(struct super_block *sb,
>  	pkt.len = dentry->d_name.len;
>  	memcpy(pkt.name, dentry->d_name.name, pkt.len);
>  	pkt.name[pkt.len] = '\0';
> -	dput(dentry);
>  
>  	if (copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)))
>  		ret = -EFAULT;
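Review bot: the commit message justifies removing this dput() by a later autofs_dentry_ino(dentry) read, but that call is not in the visible context of either hunk, so a reader of the diff cannot confirm the use-after-free from the patch alone; consider widening the context (or quoting the offending line in the message) so the window between the old dput() and the later use is visible. With the early dput() gone, the reference taken before this hunk is now held across copy_to_user(), which matches the reply's point that the copy can trigger a umount and removal of the mount point directory.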
> @@ -609,6 +608,8 @@ int autofs_expire_run(struct super_block *sb,
>  	complete_all(&ino->expire_complete);
>  	spin_unlock(&sbi->fs_lock);
>  
> +	dput(dentry);
> +
>  	return ret;
>  }
> 
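Review bot: the new dput(dentry) is correctly placed after spin_unlock(&sbi->fs_lock) rather than under the lock, since dput() may sleep and take dentry locks. The lines between the two hunks (original 603 to 608) are not shown; please confirm there is no early return or goto in that range, because any such path would now leave the dentry reference unreleased where it used to be dropped before copy_to_user(). A one-line note in the commit message that the function has a single exit at 'return ret' would settle this.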