Re: [RFC] [PATCH] Fix warning at fs/dcache.c:430 dentry_free
From: Helge Deller
Date: Mon Apr 06 2026 - 16:35:04 EST
Hi Al,
On 4/6/26 22:07, Al Viro wrote:
> On Mon, Apr 06, 2026 at 09:52:16PM +0200, Helge Deller wrote:
> > The debian buildd servers for the parisc architecture crash reproducibly when
> > building the webkit2gtk debian package, shortly after having shown the warning
> > below.
> > This patch keeps the lock of the dentry up until when the dentry is given back
> > to the cache and after having freed the "external dentry name".
> > I'm not sure if this patch is really correct, but it seems to have fixed the
> > problem, although more testing is needed.
> Hard NAK. You are turning every place that grabs ->d_lock on a dentry scheduled
> for freeing (like, say it, any RCU pathwalk trying to check if the end result can
> be grabbed) into a UAF.
Thanks for looking into the patch!
I assume UAF means Use-after-free?
As I'm not an expert here, could you please point me to where
this use-after-free happens?
The kfree() is used on the external dentry name, and the lock is
unlocked before calling kmem_cache_free(), so I'd not expect that I
introduced a UAF here. But of course I could be wrong...
> Do you have a better localized reproducer?
Sadly not yet. I will try, but since the package is huge and the machines are
relatively slow it's not easy to track down.
Thanks!
Helge