diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2023-09-20 05:52:58 +0200 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2024-02-25 08:10:32 +0100 |
| commit | 47458802f6606f652cd0f6dc38cd52ce60ec0145 (patch) | |
| tree | 6f3b9617c9b8cb9b649d1768938875fb6a6812ed /fs/proc/inode.c | |
| parent | nfs: fix UAF on pathwalk running into umount (diff) | |
| download | linux-47458802f6606f652cd0f6dc38cd52ce60ec0145.tar.xz linux-47458802f6606f652cd0f6dc38cd52ce60ec0145.zip | |
procfs: move dropping pde and pid from ->evict_inode() to ->free_inode()
that keeps both around until struct inode is freed, making access
to them safe from rcu-pathwalk
Acked-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to '')
| -rw-r--r-- | fs/proc/inode.c | 19 |
1 files changed, 8 insertions, 11 deletions
diff --git a/fs/proc/inode.c b/fs/proc/inode.c index b33e490e3fd9..05350f3c2812 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c @@ -30,7 +30,6 @@ static void proc_evict_inode(struct inode *inode) { - struct proc_dir_entry *de; struct ctl_table_header *head; struct proc_inode *ei = PROC_I(inode); @@ -38,17 +37,8 @@ static void proc_evict_inode(struct inode *inode) clear_inode(inode); /* Stop tracking associated processes */ - if (ei->pid) { + if (ei->pid) proc_pid_evict_inode(ei); - ei->pid = NULL; - } - - /* Let go of any associated proc directory entry */ - de = ei->pde; - if (de) { - pde_put(de); - ei->pde = NULL; - } head = ei->sysctl; if (head) { @@ -80,6 +70,13 @@ static struct inode *proc_alloc_inode(struct super_block *sb) static void proc_free_inode(struct inode *inode) { + struct proc_inode *ei = PROC_I(inode); + + if (ei->pid) + put_pid(ei->pid); + /* Let go of any associated proc directory entry */ + if (ei->pde) + pde_put(ei->pde); kmem_cache_free(proc_inode_cachep, PROC_I(inode)); } |