Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp4610595pxu;
        Mon, 21 Dec 2020 17:55:00 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxyW3EjseJ1qvNmS42pij1ZoSx8PSYudc79LtsWbD9ty4NGtHgnwS3Zd5nE3XSZyCIZHN9h
X-Received: by 2002:a17:906:3c04:: with SMTP id h4mr17493663ejg.220.1608602100378;
        Mon, 21 Dec 2020 17:55:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1608602100; cv=none;
        d=google.com; s=arc-20160816;
        b=wz+xgaGj8S4fUVw6VfL8L/OVJKWtv7XnixdOyVku8gzJNtkKfp86yID9F4VNshhLEg
         /jMrlemvEKbMtBV1R2tzWkEeOZimRoJKDTcp9a9vpfI9/eLabPP/xhDVRc+O0SNkS5vF
         uP4MogaRt8sdthGtwjqm8NbXWMBHzKsHfpmcqQccfiI7Lf93V6G/+qYKmkhtctJau9qX
         NlgbOSB/WbqQiKKhL75nRtWSSoEHMv1SBpIDcETB22Eqb4hRkG+A+kRC42yt0fAOnwBF
         V2xZrNXa3mxFPCkoNAtPNIcXBhJ7ylycOVGcmZPmPDqC49cu53M0Zjpke6QYoWs8TM0m
         TgjA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:in-reply-to:content-disposition
         :mime-version:references:message-id:subject:cc:to:from:date;
        bh=LpjlM6zDdfl8y8LI8WpbbudIeitf/T9zeiVdwHTT2S0=;
        b=xMZIi4IWBmTlgeVZFy+x7lbjDwRTZ3uQeZddznQ0sw9gMVRnhvvaD6RpqQ6E5TG/93
         IbCA59ftjV5dpWq1+FOEJfiI564apvf55IS25OOCIjgRnmfL1TQUxOT3MTS4j5wvhcmz
         mG+oKBZT2Qr6PTsFVgBgLSjvoNGs5dzbYuERk1Y4SaeVNVp+TJWJoSAxzeUZJbwhY1gV
         XjrPod95/qpbKJZ012IwZ5KJTqh20Kt6d3SzRZSJd96zyBDwyDuED4byU4sDvyDo7J5C
         XvirRvUMAtBMWuH2B9bxVt/2J9Le7jaaVDa/yaNYL3A5qyvt7bsPZdHHRoDE8yhNR9KE
         zPmw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id a6si9570451ejs.282.2020.12.21.17.54.37;
        Mon, 21 Dec 2020 17:55:00 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725881AbgLVBxu (ORCPT <rfc822;luxor68@gmail.com> + 99 others);
        Mon, 21 Dec 2020 20:53:50 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36600 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725852AbgLVBxu (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 21 Dec 2020 20:53:50 -0500
Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id DD3EFC0613D3;
        Mon, 21 Dec 2020 17:53:08 -0800 (PST)
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux))
        id 1krWrG-00368L-Jw; Tue, 22 Dec 2020 01:53:02 +0000
Date:   Tue, 22 Dec 2020 01:53:02 +0000
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Liangyan <liangyan.peng@linux.alibaba.com>
Cc:     Miklos Szeredi <miklos@szeredi.hu>, linux-unionfs@vger.kernel.org,
        linux-kernel@vger.kernel.org, joseph.qi@linux.alibaba.com
Subject: Re: [PATCH v3] ovl: fix  dentry leak in ovl_get_redirect
Message-ID: <20201222015302.GR3579531@ZenIV.linux.org.uk>
References: <20201221183327.134077-1-liangyan.peng@linux.alibaba.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20201221183327.134077-1-liangyan.peng@linux.alibaba.com>
Sender: Al Viro <viro@ftp.linux.org.uk>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Dec 22, 2020 at 02:33:27AM +0800, Liangyan wrote:

> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
> index 28a075b5f5b2..e9aa4a12ad82 100644
> --- a/fs/overlayfs/dir.c
> +++ b/fs/overlayfs/dir.c
> @@ -973,6 +973,7 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
>  	for (d = dget(dentry); !IS_ROOT(d);) {
>  		const char *name;
>  		int thislen;
> +		struct dentry *parent = NULL;
>  
>  		spin_lock(&d->d_lock);
>  		name = ovl_dentry_get_redirect(d);
> @@ -992,11 +993,10 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
>  
>  		buflen -= thislen;
>  		memcpy(&buf[buflen], name, thislen);
> -		tmp = dget_dlock(d->d_parent);
>  		spin_unlock(&d->d_lock);
> -
> +		parent = dget_parent(d);
>  		dput(d);
> -		d = tmp;
> +		d = parent;
>  
>  		/* Absolute redirect: finished */
>  		if (buf[buflen] == '/')

FWIW, I'd suggest this:

dget_dlock(d->d_parent) is unsafe - it requires ->d_lock on
dentry we are grabbing and that's not what we are holding
here.  It's the wrong way to grab the parent anyway; use
dget_parent(d) instead.


diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 28a075b5f5b2..d1efa3a5a503 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -992,8 +992,8 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
 
 		buflen -= thislen;
 		memcpy(&buf[buflen], name, thislen);
-		tmp = dget_dlock(d->d_parent);
 		spin_unlock(&d->d_lock);
+		tmp = dget_parent(d);
 
 		dput(d);
 		d = tmp;