Date: Fri, 31 Jan 2020 12:20:13 +0000
From: Al Viro
To: "Rantala, Tommi T. (Nokia - FI/Espoo)"
Cc: "gregkh@linuxfoundation.org", "linux-kernel@vger.kernel.org", "stable@vger.kernel.org"
Subject: Re: [PATCH 4.19 43/92] do_last(): fetch directory ->i_mode and ->i_uid before its too late
Message-ID: <20200131122013.GF23230@ZenIV.linux.org.uk>
References: <20200128135809.344954797@linuxfoundation.org> <20200128135814.584735840@linuxfoundation.org> <5cbe397b7f7bb0f8bd579080c8a4c41d7b359632.camel@nokia.com>
In-Reply-To: <5cbe397b7f7bb0f8bd579080c8a4c41d7b359632.camel@nokia.com>

On Fri, Jan 31, 2020 at 10:08:37AM +0000, Rantala, Tommi T. (Nokia - FI/Espoo) wrote:
> On Tue, 2020-01-28 at 15:08 +0100, Greg Kroah-Hartman wrote:
> > From: Al Viro
> >
> > commit d0cb50185ae942b03c4327be322055d622dc79f6 upstream.
> >
> > may_create_in_sticky() call is done when we already have dropped the
> > reference to dir.
> >
> > Fixes: 30aba6656f61e (namei: allow restricted O_CREAT of FIFOs and
> > regular files)
> > Signed-off-by: Al Viro
> > Signed-off-by: Greg Kroah-Hartman
> >
> > ---
> > fs/namei.c | 17 ++++++++++-------
> > 1 file changed, 10 insertions(+), 7 deletions(-)
> >
> > --- a/fs/namei.c
> > +++ b/fs/namei.c
> > [...]
> > @@ -3258,6 +3259,8 @@ static int do_last(struct nameidata *nd,
> > struct file *file, const struct open_flags *op)
> > {
> > struct dentry *dir = nd->path.dentry;
> > + kuid_t dir_uid = dir->d_inode->i_uid;
>
> I hit the following oops in 4.19.100 while running kselftests.
>
> fs/namei.c:3262 matches the line above.
>
> Any ideas?

Yes. Make those two lines

	kuid_t dir_uid = nd->inode->i_uid;
	umode_t dir_mode = nd->inode->i_mode;

I'm pretty sure that I know which way I'd fucked up there; we can get
here in RCU mode with stale nd->path.dentry (that would make the thing
fail with -ECHILD, with retry in non-RCU mode). In non-stale case
nd->inode is the same as nd->path.dentry->d_inode and it's always
pointing to a struct inode that hadn't been freed yet.
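
Review bot: in the quoted do_last() hunk, the added initializer `kuid_t dir_uid = dir->d_inode->i_uid;` dereferences nd->path.dentry->d_inode unconditionally at function entry, with nothing in the visible lines guaranteeing the dentry is still valid there, and the reported oops at fs/namei.c:3262 lands on this line. Initialize from nd->inode instead, as the reply proposes, and add a one-line comment above the declarations noting that the values are captured up front because may_create_in_sticky() runs after the reference to dir has been dropped.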
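
The reasoning in the reply above, as an added user-space C model; it is not kernel code and not from the thread. The struct layouts, the helpers walk_to(), make_negative(), fetch_dir_attrs() and dentry_deref_is_safe(), and the placement of the sequence check are hypothetical simplifications, and the model assumes a stale dentry has had its d_inode cleared.

```c
/* User-space model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stddef.h>

struct inode  { unsigned i_uid; unsigned i_mode; };
struct dentry { struct inode *d_inode; unsigned d_seq; };

/* Lookup state; inode and seq are sampled together in walk_to(). */
struct nameidata {
    struct dentry *dentry;   /* stands in for nd->path.dentry */
    struct inode  *inode;    /* stands in for nd->inode */
    unsigned       seq;      /* d_seq value seen when inode was sampled */
};

static void walk_to(struct nameidata *nd, struct dentry *d)
{
    nd->dentry = d;
    nd->seq    = d->d_seq;
    nd->inode  = d->d_inode;
}

/* Assumed concurrent removal: the dentry turns negative and its sequence
 * changes, while the inode object stays allocated for the lockless walk. */
static void make_negative(struct dentry *d)
{
    d->d_inode = NULL;
    d->d_seq  += 2;
}

/* Pattern from the reply: read through nd->inode, then validate. */
static int fetch_dir_attrs(const struct nameidata *nd,
                           unsigned *uid, unsigned *mode)
{
    *uid  = nd->inode->i_uid;    /* valid memory even if the dentry is stale */
    *mode = nd->inode->i_mode;
    if (nd->dentry->d_seq != nd->seq)
        return -ECHILD;          /* stale: caller retries in non-RCU mode */
    return 0;
}

/* The backported initializer is only safe while this returns nonzero. */
static int dentry_deref_is_safe(const struct nameidata *nd)
{
    return nd->dentry->d_inode != NULL;
}
```
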