From patchwork Sat Jan 12 00:00:24 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ian Kent <raven@themaw.net>
X-Patchwork-Id: 10760805
Return-Path: <linux-fsdevel-owner@kernel.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 920431390
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
 Sat, 12 Jan 2019 00:09:52 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 752A429DFB
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
 Sat, 12 Jan 2019 00:09:52 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id 694A629E10; Sat, 12 Jan 2019 00:09:52 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-7.9 required=2.0 tests=BAYES_00,MAILING_LIST_MULTI,
	RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5D1F529DFB
	for <patchwork-linux-fsdevel@patchwork.kernel.org>;
 Sat, 12 Jan 2019 00:09:51 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726282AbfALAJq (ORCPT
        <rfc822;patchwork-linux-fsdevel@patchwork.kernel.org>);
        Fri, 11 Jan 2019 19:09:46 -0500
Received: from icp-osb-irony-out3.external.iinet.net.au ([203.59.1.153]:46786
        "EHLO icp-osb-irony-out3.external.iinet.net.au"
 rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1726193AbfALAJp (ORCPT
        <rfc822;linux-fsdevel@vger.kernel.org>);
        Fri, 11 Jan 2019 19:09:45 -0500
X-Greylist: delayed 555 seconds by postgrey-1.27 at vger.kernel.org;
 Fri, 11 Jan 2019 19:09:45 EST
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: 
 A2ABAADXLDlc//yp0HYNVhoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgmmBKYQBiBqMPwEBBoEQg2uFaY5LgXsohEwDAoJNNAkNAQMBAQEBAQECgQmFWScEUigBBwUCJgJJFhODI4FpAwiuAHF8MxqHcQSCJoELgXOJWHiBB4FEhWSBRYNAglcCj3dJNpEFCYcaiwELAoFXiEgDD4c/nCmCDk0uCoMnCYpRhg9liAqCTQEB
X-IPAS-Result: 
 A2ABAADXLDlc//yp0HYNVhoBAQEBAQIBAQEBBwIBAQEBgVEFAQEBAQsBgmmBKYQBiBqMPwEBBoEQg2uFaY5LgXsohEwDAoJNNAkNAQMBAQEBAQECgQmFWScEUigBBwUCJgJJFhODI4FpAwiuAHF8MxqHcQSCJoELgXOJWHiBB4FEhWSBRYNAglcCj3dJNpEFCYcaiwELAoFXiEgDD4c/nCmCDk0uCoMnCYpRhg9liAqCTQEB
X-IronPort-AV: E=Sophos;i="5.56,467,1539619200";
   d="scan'208";a="155670348"
Received: from unknown (HELO [192.168.1.228]) ([118.208.169.252])
  by icp-osb-irony-out3.iinet.net.au with ESMTP; 12 Jan 2019 08:00:27 +0800
Subject: [PATCH 1/3] autofs: drop dentry reference only when it is never used
From: Ian Kent <raven@themaw.net>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: autofs mailing list <autofs@vger.kernel.org>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Pan Bian <bianpan2016@163.com>
Date: Sat, 12 Jan 2019 08:00:24 +0800
Message-ID: <154725122396.11260.16053424107144453867.stgit@pluto-themaw-net>
User-Agent: StGit/unknown-version
MIME-Version: 1.0
Sender: linux-fsdevel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-fsdevel.vger.kernel.org>
X-Mailing-List: linux-fsdevel@vger.kernel.org
X-Virus-Scanned: ClamAV using ClamSMTP

From: Pan Bian <bianpan2016@163.com>

The function autofs_expire_run calls dput(dentry) to drop the reference
count of dentry. However, dentry is read via autofs_dentry_ino(dentry)
after that. This may result in a use-free-bug. The patch drops the
reference count of dentry only when it is never used.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Ian Kent <raven@themaw.net>
---
 fs/autofs/expire.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/autofs/expire.c b/fs/autofs/expire.c
index d441244b79df..28d9c2b1b3bb 100644
--- a/fs/autofs/expire.c
+++ b/fs/autofs/expire.c
@@ -596,7 +596,6 @@ int autofs_expire_run(struct super_block *sb,
 	pkt.len = dentry->d_name.len;
 	memcpy(pkt.name, dentry->d_name.name, pkt.len);
 	pkt.name[pkt.len] = '\0';
-	dput(dentry);
 
 	if (copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)))
 		ret = -EFAULT;
@@ -609,6 +608,8 @@ int autofs_expire_run(struct super_block *sb,
 	complete_all(&ino->expire_complete);
 	spin_unlock(&sbi->fs_lock);
 
+	dput(dentry);
+
 	return ret;
 }