Re: KASAN: use-after-free Read in path_lookupat

From: Al Viro
Date: Mon Mar 25 2019 - 17:14:12 EST


On Mon, Mar 25, 2019 at 12:18:02PM -0700, Linus Torvalds wrote:
> COMPLETELY UNTESTED. And no filesystems converted to actually use the
> new rcu_destroy_inode() thing.
>
> Hmm?

Maybe, but we really need to come up with sane documentation on the
entire drop_inode/evict_inode/destroy_inode/rcu_destroy_inode
group ;-/ And I want to understand the writeback-related issues
in ocfs2 and f2fs - the current kludges in those smell fishy.

> if (unlikely(inode_init_always(sb, inode))) {
> - if (inode->i_sb->s_op->destroy_inode)
> + if (inode->i_sb->s_op->destroy_inode) {
> inode->i_sb->s_op->destroy_inode(inode);
> - else
> + if (!inode->i_sb->s_op->rcu_destroy_inode)
> + return NULL;
> + }
> + if (!inode->i_sb->s_op->rcu_destroy_inode ||
> + !inode->i_sb->s_op->rcu_destroy_inode(inode))
> kmem_cache_free(inode_cachep, inode);
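
Review bot: the added test `if (!inode->i_sb->s_op->rcu_destroy_inode)` directly after the `destroy_inode(inode)` call reads through `inode` once the filesystem's destroy_inode has already run, and that branch returns NULL without freeing, so it assumes destroy_inode released the inode; the read is then of memory that may already be freed. `sb` is in scope (it is passed to `inode_init_always(sb, inode)`), so loading `sb->s_op` into a local before calling destroy_inode and testing that local in both `rcu_destroy_inode` checks avoids touching `inode` afterwards. The return-value convention of `rcu_destroy_inode` is also only implied by the `||` (non-zero appears to mean the filesystem freed the inode itself, zero that the caller should `kmem_cache_free` it) and should be stated in a comment or in the documentation for the new method.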

ITYM i_callback(inode); here, possibly suitably renamed.