Re: [RFC] [PATCH] Fix warning at fs/dcache.c:430 dentry_free

From: Al Viro

Date: Mon Apr 06 2026 - 16:37:37 EST


On Mon, Apr 06, 2026 at 10:21:17PM +0200, Helge Deller wrote:
> Hi Al,
>
> On 4/6/26 22:07, Al Viro wrote:
> > On Mon, Apr 06, 2026 at 09:52:16PM +0200, Helge Deller wrote:
> > > The debian buildd servers for the parisc architecture crash reproducibly when
> > > building the webkit2gtk debian package, shortly after having shown the warning
> > > below.
> > >
> > > This patch keeps the lock of the dentry up until when the dentry is given back
> > > to the cache and after having freed the "external dentry name".
> > >
> > > I'm not sure if this patch is really correct, but it seems to have fixed the
> > > problem, although more testing is needed.
> >
> > Hard NAK. You are turning every place that grabs ->d_lock on a dentry scheduled
> > for freeing (like, say it, any RCU pathwalk trying to check if the end result can
> > be grabbed) into a UAF.
>
> Thanks for looking into the patch!
> I assume UAF means Use-after-free?
> As I'm not an expert here, could you please point me to where
> this use-after-free happens?
> The kfree() is used on the external dentry name, and the lock is
> unlocked before calling kmem_cache_free(), so I'd not expect that I
> introduced a UAF here. But of course I could be wrong...

s/UAF/deadlock/, actually.

A: rcu_read_lock();
A: find a dentry (lockless)
B: grab dentry->d_lock
B: dentry_free(dentry);
B: call_rcu(..., __d_free) (or __d_free_external - whatever)
A: grab dentry->d_lock, so we could verify that it's still live

A spins until __d_free() unlocks the sucker, which is not going to be called
until A does rcu_read_unlock().
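As an added illustration (not code from this thread or from the kernel), the following single-threaded C model replays the A/B interleaving above: one variant drops ->d_lock before call_rcu() as mainline does, the other keeps it held until the RCU callback as the patch does. Every name in it belongs to the model, not to fs/dcache.c.

```c
/* Toy model of the race: "A" is an RCU pathwalk reader, "B" frees a
 * dentry. The RCU callback may only run once no reader is active, so if
 * the callback is what releases d_lock, a reader spinning on d_lock
 * inside its read-side section can never be satisfied. */
#include <stdbool.h>

struct model {
    int  rcu_readers;    /* threads currently inside rcu_read_lock() */
    bool d_lock_held;    /* state of dentry->d_lock */
    bool free_pending;   /* call_rcu() queued, callback not yet run */
    bool free_unlocks;   /* patched variant: __d_free() drops d_lock */
};

/* Grace period rule: callbacks run only when rcu_readers == 0. */
static void run_rcu_callbacks(struct model *m)
{
    if (m->free_pending && m->rcu_readers == 0) {
        m->free_pending = false;
        if (m->free_unlocks)
            m->d_lock_held = false;   /* patched: unlocked only here */
    }
}

/* B's side: grab d_lock, dentry_free(), schedule __d_free via call_rcu. */
static void b_free_dentry(struct model *m)
{
    m->d_lock_held = true;            /* B: grab dentry->d_lock */
    if (!m->free_unlocks)
        m->d_lock_held = false;       /* mainline: unlock before call_rcu */
    m->free_pending = true;           /* B: call_rcu(..., __d_free) */
}

/* A's side: spin for d_lock while still under rcu_read_lock().
 * Returns true if A gets the lock, false if nothing can ever release it
 * while A spins (the deadlock). The bound stands in for "forever". */
static bool a_spin_for_lock(struct model *m)
{
    for (int i = 0; i < 1000; i++) {
        if (!m->d_lock_held) {
            m->d_lock_held = true;
            return true;
        }
        run_rcu_callbacks(m);         /* the only thing that could unlock */
    }
    return false;
}

bool interleaving_succeeds(bool keep_lock_until_free)
{
    struct model m = { .free_unlocks = keep_lock_until_free };
    m.rcu_readers = 1;            /* A: rcu_read_lock(); find dentry */
    b_free_dentry(&m);            /* B: lock, dentry_free, call_rcu */
    return a_spin_for_lock(&m);   /* A: grab d_lock to check it's live */
}
```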