On Thu, 2016-07-07 at 15:11 +0100, David Howells wrote:
> Jeff Layton <jlayton@xxxxxxxxxx> wrote:
>
> > Currently the two are unioned together, but I don't think that's
> > safe.
> >
> > It looks like get_cached_acl could race with the last put in
> > posix_acl_release. get_cached_acl calls atomic_inc_not_zero on
> > a_refcount, but that field could have already been clobbered by
> > call_rcu, and may no longer be zero. Fix this by de-unioning the two
> > fields.
> >
> > Fixes: b8a7a3a66747 (posix_acl: Inode acl caching fixes)
> > Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
>
> Acked-by: David Howells <dhowells@xxxxxxxxxx>

Thanks David,

I think we're spared in most cases, as long as the atomic_inc_not_zero
occurs while the next pointer in the rcu_head is still NULL. If it's not
though, then we're set up for a GPF and/or a use-after-free.

AFAICT, this is a regression from v4.6, so I think we want this in v4.7.

Al, do you mind picking this up? Or NAK it and propose an alternate fix?

Thanks,
--
Jeff Layton <jlayton@xxxxxxxxxx>
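The race the commit message describes can be modelled outside the kernel. The program below is an added illustration, not code from the thread or from the kernel's posix_acl implementation: `struct rcu_head_sim`, `call_rcu_sim`, `inc_not_zero`, `race_unioned` and `race_split` are constructed userspace stand-ins for `struct rcu_head`, `call_rcu()`, `atomic_inc_not_zero()` and the put/get sequence. It assumes a little-endian 64-bit target, where the 4-byte refcount overlaps the low bytes of the `rcu_head`'s `next` pointer, and shows that after the last put has queued the object with `call_rcu`, a lookup on the unioned layout still takes a reference (and corrupts `next` by incrementing it), while the de-unioned layout correctly refuses.

```c
/* Constructed userspace model of the posix_acl refcount/rcu_head race.
 * Build: cc -std=c11 -o race race.c  (assumes little-endian, 64-bit). */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct rcu_head: call_rcu() queues the head on a callback
 * list by writing ->next and ->func. That write is what clobbers a refcount
 * sharing the same bytes. */
struct rcu_head_sim {
    struct rcu_head_sim *next;
    void (*func)(struct rcu_head_sim *);
};

/* Simulated callback list with a static sentinel, so the value stored into
 * ->next is a real (non-NULL) address. */
static struct rcu_head_sim rcu_sentinel;
static struct rcu_head_sim *rcu_list = &rcu_sentinel;

static void call_rcu_sim(struct rcu_head_sim *head,
                         void (*func)(struct rcu_head_sim *))
{
    head->func = func;
    head->next = rcu_list;
    rcu_list = head;
}

static void free_acl_cb(struct rcu_head_sim *head) { (void)head; }

/* "Before": the layout the patch removes, refcount unioned with rcu_head. */
struct acl_unioned {
    union {
        atomic_int a_refcount;
        struct rcu_head_sim a_rcu;
    };
};

/* "After": each field has its own storage. */
struct acl_split {
    atomic_int a_refcount;
    struct rcu_head_sim a_rcu;
};

/* Userspace equivalent of atomic_inc_not_zero(): take a reference only if
 * the count currently reads as non-zero. */
static bool inc_not_zero(atomic_int *v)
{
    int old = atomic_load(v);
    while (old != 0)
        if (atomic_compare_exchange_weak(v, &old, old + 1))
            return true;
    return false;
}

struct outcome {
    bool got_stale_ref;      /* lookup took a reference after the last put */
    bool rcu_next_corrupted; /* the increment changed the queued ->next */
};

/* Last put on the unioned layout, then a get_cached_acl-style lookup. */
struct outcome race_unioned(void)
{
    static struct acl_unioned acl;          /* static: outlives the list */
    atomic_init(&acl.a_refcount, 1);
    struct rcu_head_sim *list_before = rcu_list;

    if (atomic_fetch_sub(&acl.a_refcount, 1) == 1)   /* posix_acl_release */
        call_rcu_sim(&acl.a_rcu, free_acl_cb);

    /* Reader: the refcount bytes now hold the low half of list_before's
     * address, which is practically never all zero, so the lookup succeeds
     * on an object already queued for freeing. */
    bool got = inc_not_zero(&acl.a_refcount);
    struct outcome o = { got, acl.a_rcu.next != list_before };
    rcu_list = list_before;                 /* unlink for repeat calls */
    return o;
}

/* Same sequence on the de-unioned layout. */
struct outcome race_split(void)
{
    static struct acl_split acl;
    atomic_init(&acl.a_refcount, 1);
    struct rcu_head_sim *list_before = rcu_list;

    if (atomic_fetch_sub(&acl.a_refcount, 1) == 1)
        call_rcu_sim(&acl.a_rcu, free_acl_cb);

    /* The refcount is still 0: queuing the rcu_head does not touch it. */
    bool got = inc_not_zero(&acl.a_refcount);
    struct outcome o = { got, acl.a_rcu.next != list_before };
    rcu_list = list_before;
    return o;
}

int main(void)
{
    struct outcome u = race_unioned(), s = race_split();
    printf("unioned: stale ref=%d, rcu next corrupted=%d\n",
           u.got_stale_ref, u.rcu_next_corrupted);
    printf("split:   stale ref=%d, rcu next corrupted=%d\n",
           s.got_stale_ref, s.rcu_next_corrupted);
    return 0;
}
```

The unioned case reproduces both halves of the failure the reply mentions: the caller walks away holding a pointer that the RCU callback will free (use-after-free), and the increment has changed the queued `next` pointer, which is the kind of corruption that later faults when the callback list is processed.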