From a40b5adddd23051da2fba3e94aa300f022488015 Mon Sep 17 00:00:00 2001 From: Qiheng Lin Date: Sun, 29 Jan 2023 16:33:26 +0800 Subject: [PATCH] hmdfs: remove d_rehash in hmdfs_fill_super d_rehash would add the root_dentry to the dcache hlist, and kill_anon_super--generic_shutdown_super--shrink_dcache_for_umount --do_one_tree() calls d_drop() to unhash the dentry and dput() to destroy the dentry. While multiple hmdfs instances umount concurrently, their root_dentry are removed from dcache hlist. ___d_drop() use IS_ROOT() to judge them and use the d_sb->s_roots rather than the d_hash lock, so cause UAF when __hlist_bl_del accessing the ->pprev dentery. Signed-off-by: Qiheng Lin Change-Id: I5f72bd076174a2e92ad04320cac5a412a4087cb2 --- fs/hmdfs/main.c | 1 - 1 file changed, 1 deletion(-) diff --git a/fs/hmdfs/main.c b/fs/hmdfs/main.c index 8075fe4bc5c9..cb3034e95651 100644 --- a/fs/hmdfs/main.c +++ b/fs/hmdfs/main.c @@ -904,7 +904,6 @@ static int hmdfs_fill_super(struct super_block *sb, void *data, int silent) if (err) goto out_freeroot; hmdfs_set_lower_path(root_dentry, &lower_path); - d_rehash(sb->s_root); sbi->cred = get_cred(current_cred()); INIT_LIST_HEAD(&sbi->client_cache); INIT_LIST_HEAD(&sbi->server_cache); -- Gitee
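Review bot: the deleted d_rehash(sb->s_root) line in hmdfs_fill_super() leaves the root dentry unhashed for the whole life of the mount, and the commit message does not say whether any hmdfs path relied on it being hashed (for example a d_unhashed() test that can see the root). Please state that this was checked. It would also help to note that d_make_root() does not hash the dentry it returns, so the call was never required. The message explains the race through ___d_drop() taking the d_sb->s_roots lock for an IS_ROOT() dentry instead of the d_hash bucket lock, but it carries no Fixes: tag and no KASAN or oops trace from the concurrent-umount case. Adding both would let backporters match the use-after-free in __hlist_bl_del to this change.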