Re: [PATCH 18/20] ocfs2_dentry_revalidate(): use stable parent inode and name passed by caller

Jan Kara <jack@xxxxxxx> · Fri, 10 Jan 2025 10:54:00 +0100

On Fri 10-01-25 02:43:01, Al Viro wrote:
> theoretically, ->d_name use in there is a UAF, but only if you are messing with
> tracepoints...
> 
> Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx>

Looks good. Feel free to add:

Reviewed-by: Jan Kara <jack@xxxxxxx>

								Honza

> ---
>  fs/ocfs2/dcache.c | 11 +++--------
>  1 file changed, 3 insertions(+), 8 deletions(-)
> 
> diff --git a/fs/ocfs2/dcache.c b/fs/ocfs2/dcache.c
> index ecb1ce6301c4..1873bbbb7e5b 100644
> --- a/fs/ocfs2/dcache.c
> +++ b/fs/ocfs2/dcache.c
> @@ -45,8 +45,7 @@ static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
>  	inode = d_inode(dentry);
>  	osb = OCFS2_SB(dentry->d_sb);
>  
> -	trace_ocfs2_dentry_revalidate(dentry, dentry->d_name.len,
> -				      dentry->d_name.name);
> +	trace_ocfs2_dentry_revalidate(dentry, name->len, name->name);
>  
>  	/* For a negative dentry -
>  	 * check the generation number of the parent and compare with the
> @@ -54,12 +53,8 @@ static int ocfs2_dentry_revalidate(struct inode *dir, const struct qstr *name,
>  	 */
>  	if (inode == NULL) {
>  		unsigned long gen = (unsigned long) dentry->d_fsdata;
> -		unsigned long pgen;
> -		spin_lock(&dentry->d_lock);
> -		pgen = OCFS2_I(d_inode(dentry->d_parent))->ip_dir_lock_gen;
> -		spin_unlock(&dentry->d_lock);
> -		trace_ocfs2_dentry_revalidate_negative(dentry->d_name.len,
> -						       dentry->d_name.name,
> +		unsigned long pgen = OCFS2_I(dir)->ip_dir_lock_gen;
> +		trace_ocfs2_dentry_revalidate_negative(name->len, name->name,
>  						       pgen, gen);
>  		if (gen != pgen)
>  			goto bail;
> -- 
> 2.39.5
> 
-- 
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR