Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 25d41d8455ec1ee7433e146ee94436dc4195f420

Authored by Jan Kara
Committed by Greg Kroah-Hartman
1 parent b38360a284
Exists in master and in 39 other branches 8mp-imx_5.4.70_2.3.0, 8qm-imx_5.4.70_2.3.0, emb_imx_lf-5.15.y, emb_lf-6.1.y, imx_3.0.35_4.1.0, imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, imx_4.1.15_1.0.0_ga, pitx_8mp_lf-5.10.y, rt-smarc-imx_4.1.15_1.0.0_ga, rt_linux_5.15.71, smarc-8m-android-11.0.0_2.0.0, smarc-imx6_4.14.98_2.0.0_ga, smarc-imx6_4.9.88_2.0.0_ga, smarc-imx7_4.14.98_2.0.0_ga, smarc-imx7_4.9.11_1.0.0_ga, smarc-imx7_4.9.88_2.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga, smarc-imx_4.1.15_1.0.0_ga, smarc-imx_4.9.11_1.0.0_ga, smarc-imx_4.9.51_imx8m_ga, smarc-imx_4.9.88_2.0.0_ga, smarc-m6.0.1_2.1.0-ga, smarc-n7.1.2_2.0.0-ga, smarc-rel_imx_4.1.15_1.2.0_ga, smarc_8m_00d0_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.14.78_1.0.0_ga, smarc_8m_imx_4.14.98_2.0.0_ga, smarc_8m_imx_4.19.35_1.1.0, smarc_8mm_imx_4.14.78_1.0.0_ga, smarc_8mm_imx_4.14.98_2.0.0_ga, smarc_8mm_imx_4.19.35_1.1.0, smarc_8mm_imx_5.4.24_2.1.0, smarc_8mp_lf-5.10.y, smarc_8mq_imx_5.4.24_2.1.0, smarc_8mq_lf-5.10.y, smarc_imx_lf-5.15.y

debugfs: Fix filesystem reference counting on debugfs_remove() failure 

When __debugfs_remove() fails (because simple_rmdir() fails e.g. when a
directory is not empty), we must not decrement use count of the filesystem
as nothing was in fact deleted.

This fixes use after free caused by debugfs in some cases.

Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

Showing 1 changed file with 7 additions and 4 deletions Side-by-side Diff

... ... @@ -307,7 +307,7 @@
307 307 }
308 308 EXPORT_SYMBOL_GPL(debugfs_create_symlink);
309 309  
310   -static void __debugfs_remove(struct dentry *dentry, struct dentry *parent)
  310 +static int __debugfs_remove(struct dentry *dentry, struct dentry *parent)
311 311 {
312 312 int ret = 0;
313 313  
... ... @@ -330,6 +330,7 @@
330 330 dput(dentry);
331 331 }
332 332 }
  333 + return ret;
333 334 }
334 335  
335 336 /**
... ... @@ -348,7 +349,8 @@
348 349 void debugfs_remove(struct dentry *dentry)
349 350 {
350 351 struct dentry *parent;
351   -
  352 + int ret;
  353 +
352 354 if (!dentry)
353 355 return;
354 356  
355 357  
... ... @@ -357,9 +359,10 @@
357 359 return;
358 360  
359 361 mutex_lock(&parent->d_inode->i_mutex);
360   - __debugfs_remove(dentry, parent);
  362 + ret = __debugfs_remove(dentry, parent);
361 363 mutex_unlock(&parent->d_inode->i_mutex);
362   - simple_release_fs(&debugfs_mount, &debugfs_mount_count);
  364 + if (!ret)
  365 + simple_release_fs(&debugfs_mount, &debugfs_mount_count);
363 366 }
364 367 EXPORT_SYMBOL_GPL(debugfs_remove);
365 368