64fa03de33: BUG:Dentry_still_in_use

Submitted by Serge E. Hallyn on May 8, 2017, 4:44 a.m.

Details

Message ID 20170508044408.GA11400@mail.hallyn.com
State New
Series "64fa03de33: BUG:Dentry_still_in_use"
Headers show

Commit Message

Serge E. Hallyn May 8, 2017, 4:44 a.m.
From 6a3fb632f67f8425c6e76c65dad8115f1550d2a0 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge@hallyn.com>
Date: Sun, 7 May 2017 23:40:42 -0500
Subject: [PATCH 1/1] cap_inode_getsecurity: don't pin dentry (fold up)

This should fix the "Dentry_still_in_use" reported by the kernel
test robot.

Signed-off-by: Serge Hallyn <serge@hallyn.com>
---
 security/commoncap.c | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)

Patch hide | download patch | download mbox

diff --git a/security/commoncap.c b/security/commoncap.c
index a1a2935..c970b71 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -406,21 +406,21 @@  int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
 				 &tmpbuf, size, GFP_NOFS);
 
 	if (ret < 0)
-		return ret;
+		goto out;
 
 	fs_ns = inode->i_sb->s_user_ns;
 	cap = (struct vfs_cap_data *) tmpbuf;
 	if (is_v2header(ret, cap->magic_etc)) {
 		/* If this is sizeof(vfs_cap_data) then we're ok with the
 		 * on-disk value, so return that.  */
-		if (alloc)
+		if (alloc) {
 			*buffer = tmpbuf;
-		else
-			kfree(tmpbuf);
-		return ret;
+			tmpbuf = NULL;
+		}
+		goto out;
 	} else if (!is_v3header(ret, cap->magic_etc)) {
-		kfree(tmpbuf);
-		return -EINVAL;
+		ret = -EINVAL;
+		goto out;
 	}
 
 	nscap = (struct vfs_ns_cap_data *) tmpbuf;
@@ -434,14 +434,14 @@  int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
 		if (alloc) {
 			*buffer = tmpbuf;
 			nscap->rootid = cpu_to_le32(mappedroot);
-		} else
-			kfree(tmpbuf);
-		return size;
+			tmpbuf = NULL;
+		}
+		goto out;
 	}
 
 	if (!rootid_owns_currentns(kroot)) {
-		kfree(tmpbuf);
-		return -EOPNOTSUPP;
+		ret = -EOPNOTSUPP;
+		goto out;
 	}
 
 	/* This comes from a parent namespace.  Return as a v2 capability */
@@ -459,6 +459,9 @@  int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
 			cap->magic_etc = cpu_to_le32(magic);
 		}
 	}
+
+out:
+	dput(dentry);
 	kfree(tmpbuf);
 	return size;
 }

Comments

Masami Ichikawa May 8, 2017, 11:47 a.m.
On Mon, May 8, 2017 at 1:44 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> From 6a3fb632f67f8425c6e76c65dad8115f1550d2a0 Mon Sep 17 00:00:00 2001
> From: Serge Hallyn <serge@hallyn.com>
> Date: Sun, 7 May 2017 23:40:42 -0500
> Subject: [PATCH 1/1] cap_inode_getsecurity: don't pin dentry (fold up)
>
> This should fix the "Dentry_still_in_use" reported by the kernel
> test robot.
>
> Signed-off-by: Serge Hallyn <serge@hallyn.com>
> ---
>  security/commoncap.c | 27 +++++++++++++++------------
>  1 file changed, 15 insertions(+), 12 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index a1a2935..c970b71 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -406,21 +406,21 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
>                                  &tmpbuf, size, GFP_NOFS);
>
>         if (ret < 0)
> -               return ret;
> +               goto out;
>
>         fs_ns = inode->i_sb->s_user_ns;
>         cap = (struct vfs_cap_data *) tmpbuf;
>         if (is_v2header(ret, cap->magic_etc)) {
>                 /* If this is sizeof(vfs_cap_data) then we're ok with the
>                  * on-disk value, so return that.  */
> -               if (alloc)
> +               if (alloc) {
>                         *buffer = tmpbuf;
> -               else
> -                       kfree(tmpbuf);
> -               return ret;
> +                       tmpbuf = NULL;
> +               }
> +               goto out;
>         } else if (!is_v3header(ret, cap->magic_etc)) {
> -               kfree(tmpbuf);
> -               return -EINVAL;
> +               ret = -EINVAL;
> +               goto out;
>         }
>
>         nscap = (struct vfs_ns_cap_data *) tmpbuf;
> @@ -434,14 +434,14 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
>                 if (alloc) {
>                         *buffer = tmpbuf;
>                         nscap->rootid = cpu_to_le32(mappedroot);
> -               } else
> -                       kfree(tmpbuf);
> -               return size;
> +                       tmpbuf = NULL;
> +               }
> +               goto out;
>         }
>
>         if (!rootid_owns_currentns(kroot)) {
> -               kfree(tmpbuf);
> -               return -EOPNOTSUPP;
> +               ret = -EOPNOTSUPP;
> +               goto out;
>         }
>
>         /* This comes from a parent namespace.  Return as a v2 capability */
> @@ -459,6 +459,9 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
>                         cap->magic_etc = cpu_to_le32(magic);
>                 }
>         }
> +
> +out:
> +       dput(dentry);
>         kfree(tmpbuf);
>         return size;

If ret is set to some error code, e.g. -EINVAL, then jump to out
label, this function should return error code, doesn't it?

>  }
> --
> 2.7.4
>
> _______________________________________________
> Containers mailing list
> Containers@lists.linux-foundation.org
> https://lists.linuxfoundation.org/mailman/listinfo/containers
Serge E. Hallyn May 8, 2017, 3:49 p.m.
Quoting Masami Ichikawa (masami256@gmail.com):
> On Mon, May 8, 2017 at 1:44 PM, Serge E. Hallyn <serge@hallyn.com> wrote:
> > From 6a3fb632f67f8425c6e76c65dad8115f1550d2a0 Mon Sep 17 00:00:00 2001
> > From: Serge Hallyn <serge@hallyn.com>
> > Date: Sun, 7 May 2017 23:40:42 -0500
> > Subject: [PATCH 1/1] cap_inode_getsecurity: don't pin dentry (fold up)
> >
> > This should fix the "Dentry_still_in_use" reported by the kernel
> > test robot.
> >
> > Signed-off-by: Serge Hallyn <serge@hallyn.com>
> > ---
> >  security/commoncap.c | 27 +++++++++++++++------------
> >  1 file changed, 15 insertions(+), 12 deletions(-)
> >
> > diff --git a/security/commoncap.c b/security/commoncap.c
> > index a1a2935..c970b71 100644
> > --- a/security/commoncap.c
> > +++ b/security/commoncap.c
> > @@ -406,21 +406,21 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> >                                  &tmpbuf, size, GFP_NOFS);
> >
> >         if (ret < 0)
> > -               return ret;
> > +               goto out;
> >
> >         fs_ns = inode->i_sb->s_user_ns;
> >         cap = (struct vfs_cap_data *) tmpbuf;
> >         if (is_v2header(ret, cap->magic_etc)) {
> >                 /* If this is sizeof(vfs_cap_data) then we're ok with the
> >                  * on-disk value, so return that.  */
> > -               if (alloc)
> > +               if (alloc) {
> >                         *buffer = tmpbuf;
> > -               else
> > -                       kfree(tmpbuf);
> > -               return ret;
> > +                       tmpbuf = NULL;
> > +               }
> > +               goto out;
> >         } else if (!is_v3header(ret, cap->magic_etc)) {
> > -               kfree(tmpbuf);
> > -               return -EINVAL;
> > +               ret = -EINVAL;
> > +               goto out;
> >         }
> >
> >         nscap = (struct vfs_ns_cap_data *) tmpbuf;
> > @@ -434,14 +434,14 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> >                 if (alloc) {
> >                         *buffer = tmpbuf;
> >                         nscap->rootid = cpu_to_le32(mappedroot);
> > -               } else
> > -                       kfree(tmpbuf);
> > -               return size;
> > +                       tmpbuf = NULL;
> > +               }
> > +               goto out;
> >         }
> >
> >         if (!rootid_owns_currentns(kroot)) {
> > -               kfree(tmpbuf);
> > -               return -EOPNOTSUPP;
> > +               ret = -EOPNOTSUPP;
> > +               goto out;
> >         }
> >
> >         /* This comes from a parent namespace.  Return as a v2 capability */
> > @@ -459,6 +459,9 @@ int cap_inode_getsecurity(struct inode *inode, const char *name, void **buffer,
> >                         cap->magic_etc = cpu_to_le32(magic);
> >                 }
> >         }
> > +
> > +out:
> > +       dput(dentry);
> >         kfree(tmpbuf);
> >         return size;
> 
> If ret is set to some error code, e.g. -EINVAL, then jump to out
> label, this function should return error code, doesn't it?

D'oh, yes.

Sorry, I'd wanted to ack the fact that there was a real bug before I went to bed.

I'll send a proper patch tonight.