Re: [PATCH 6/6] eventfs: clean up dentry ops and add revalidate function
From: Linus Torvalds
Date: Tue Jan 30 2024 - 21:38:20 EST
On Tue, 30 Jan 2024 at 17:12, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> > + *
> > + * Note that d_revalidate is called potentially under RCU,
> > + * so it can't take the eventfs mutex etc. It's fine - if
> > + * we open a file just as it's marked dead, things will
> > + * still work just fine, and just see the old stale case.
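Review bot: the comment on these `+ *` lines states the constraint (d_revalidate may run under RCU, so no eventfs mutex) and the outcome (a just-killed ei still behaves as the stale case), but not the lifetime rule that makes the lockless access safe, namely that the dentry being revalidated holds a reference to its ei, so the ei cannot be freed out from under the check; it is only `is_freed` that may flip. A reader of this comment alone can reasonably read it as a use-after-free, as the question below shows, so spell the reference ownership out here, for example with an extra line such as `* The dentry holds a ref to the ei, so it cannot be freed under us;` followed by `* at worst we see is_freed set and the operations fail.`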
>
> Looks like use after free, unless freeing ei is RCU-delayed...
We hold the ref to the ei in the very dentry that is doing d_revalidate().
So it should be fine. The race is with eventfs marking the ei
'is_freed' (under the mutex that we don't hold here), but when that
happens and we end up still using the dentry, the ei is still there,
all the operations are just going to fail.
Linus