Re: [BUG] configfs: slab-use-after-free in configfs_drop_dentry() on rmdir

Next message: Ruidong Tian: "[PATCH v7 07/16] arm64: ras: Add error record processing and interrupt handling"
Previous message: Ruidong Tian: "[PATCH v7 09/16] arm64: ras: Probe RAS architecture version"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Al Viro

Date: Tue Jun 02 2026 - 03:20:49 EST

On Wed, May 27, 2026 at 11:27:57AM +0100, Breno Leitao wrote:
> + /*
> + * configfs_create() failed (e.g. -ENOMEM
> + * from new_inode()). The dentry will be
> + * dput()ed by the caller and freed via RCU;
> + * because it never gained an inode,
> + * configfs_d_iput() will not run to clear
> + * sd->s_dentry. Drop the linkage here so a
> + * later detach_attrs() walking the parent's
> + * s_children list does not dereference a
> + * freed dentry in configfs_drop_dentry().
> + */
> + spin_lock(&configfs_dirent_lock);
> + if (sd->s_dentry == dentry)

Don't need that comparison - to get a different ->s_dentry you'd need a lookup
on the same name in the same parent since having dropped configfs_dirent_lock,
and VFS locking guarantees that it won't happen.

IOW, the variant in
https://lore.kernel.org/all/20260519070633.2025485-2-viro@xxxxxxxxxxxxxxxxxx/
should be fine.