Re: d_op->d_delete race problem

Linus Torvalds (torvalds@transmeta.com)
Mon, 22 Sep 1997 09:16:22 -0700 (PDT)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: savron@world-net.sct.fr: "Re: /dev/full a security hole"
Previous message: Ulrich Drepper: "Re: Style question: comparison between signed and unsigned?"

On Sun, 21 Sep 1997, Bill Hawes wrote:
>
> I've run into a potential problem in dput() with the call to
> d_op->d_delete. It's called with the dentry d_count at 0 but still
> hashed, so if the d_delete op blocks, there's a chance the dentry could
> go back into use. Since d_count isn't checked again after
> d_op->d_delete returns, this could lead to memory being freed while a
> reference is still active.

No, if you have that problem then you have a bug in the low-level
filesystem: the delete function is supposed to unhash the thing before
blocking if it is deleted. See the NFS code, which does this correctly.

Linus

Next message: savron@world-net.sct.fr: "Re: /dev/full a security hole"
Previous message: Ulrich Drepper: "Re: Style question: comparison between signed and unsigned?"