Re: [PATCH v3] ovl: fix dentry leak in ovl_get_redirect
From: Al Viro
Date: Mon Dec 21 2020 - 20:54:06 EST
On Tue, Dec 22, 2020 at 02:33:27AM +0800, Liangyan wrote:
> diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
> index 28a075b5f5b2..e9aa4a12ad82 100644
> --- a/fs/overlayfs/dir.c
> +++ b/fs/overlayfs/dir.c
> @@ -973,6 +973,7 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
> for (d = dget(dentry); !IS_ROOT(d);) {
> const char *name;
> int thislen;
> + struct dentry *parent = NULL;
>
> spin_lock(&d->d_lock);
> name = ovl_dentry_get_redirect(d);
> @@ -992,11 +993,10 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
>
> buflen -= thislen;
> memcpy(&buf[buflen], name, thislen);
> - tmp = dget_dlock(d->d_parent);
> spin_unlock(&d->d_lock);
> -
> + parent = dget_parent(d);
> dput(d);
> - d = tmp;
> + d = parent;
>
> /* Absolute redirect: finished */
> if (buf[buflen] == '/')
FWIW, I'd suggest this:
dget_dlock(d->d_parent) is unsafe - it requires ->d_lock on
dentry we are grabbing and that's not what we are holding
here. It's the wrong way to grab the parent anyway; use
dget_parent(d) instead.
diff --git a/fs/overlayfs/dir.c b/fs/overlayfs/dir.c
index 28a075b5f5b2..d1efa3a5a503 100644
--- a/fs/overlayfs/dir.c
+++ b/fs/overlayfs/dir.c
@@ -992,8 +992,8 @@ static char *ovl_get_redirect(struct dentry *dentry, bool abs_redirect)
buflen -= thislen;
memcpy(&buf[buflen], name, thislen);
- tmp = dget_dlock(d->d_parent);
spin_unlock(&d->d_lock);
+ tmp = dget_parent(d);
dput(d);
d = tmp;