Merge tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs

Pull configs fix from Christoph Hellwig:

 - fix a use after free in configfs_d_iput (Sahitya Tummala)

* tag 'configfs-for-5.2-2' of git://git.infradead.org/users/hch/configfs:
  configfs: Fix use-after-free when accessing sd->s_dentry

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index 5e7932d..22203a3 100644 (file)
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -58,15 +58,13 @@ static void configfs_d_iput(struct dentry * dentry,
        if (sd) {
                /* Coordinate with configfs_readdir */
                spin_lock(&configfs_dirent_lock);
-               /* Coordinate with configfs_attach_attr where will increase
-                * sd->s_count and update sd->s_dentry to new allocated one.
-                * Only set sd->dentry to null when this dentry is the only
-                * sd owner.
-                * If not do so, configfs_d_iput may run just after
-                * configfs_attach_attr and set sd->s_dentry to null
-                * even it's still in use.
+               /*
+                * Set sd->s_dentry to null only when this dentry is the one
+                * that is going to be killed.  Otherwise configfs_d_iput may
+                * run just after configfs_attach_attr and set sd->s_dentry to
+                * NULL even it's still in use.
                 */
-               if (atomic_read(&sd->s_count) <= 2)
+               if (sd->s_dentry == dentry)
                        sd->s_dentry = NULL;
 
                spin_unlock(&configfs_dirent_lock);