[PATCH] securityfs: Add missing d_delete() call on removal

Kees Cook keescook at chromium.org
Wed May 6 22:49:52 UTC 2020

On Wed, May 06, 2020 at 07:49:20PM +0100, Al Viro wrote:
> On Wed, May 06, 2020 at 08:34:29AM -0700, Kees Cook wrote:
> > Just posted the whole series:
> > https://lore.kernel.org/lkml/20200506152114.50375-1-keescook@chromium.org/
> > 
> > But the specific question was driven by this patch:
> > https://lore.kernel.org/lkml/20200506152114.50375-11-keescook@chromium.org/
> Yecchh...  First of all, you are leaving a dangling pointer in your
> struct pstore_private ->dentry.  What's more, in your case d_delete()

Yeah, good idea: I can wipe out the pstore_private->dentry at this point
just for robustness. From what I could tell the evict got immediately
called after the dput().

> is definitely wrong - either there are other references to dentry
> (in which case d_delete() is the same as d_drop()), or dput() right
> after it will drive ->d_count to zero and since you end up using
> simple_dentry_operations, dentry will be freed immediately after
> that.

Do you mean the d_drop() isn't needed? What happens if someone has
the file open during this routine? The goal here is to make these files
disappear so they'll go through evict.

> I have not looked at the locking in that series yet, so no comments

Yeah, I would not be surprised by some more locking issues, but I think
it's an improvement over what was there. Most of the code seems to have
been designed to be non-modular. :P

> on the races, but in any case - that d_delete() is a misspelled d_drop().

I'll change it; thanks!

Kees Cook

More information about the Linux-security-module-archive mailing list