fsnotify: fix fsnotify hooks in pseudo filesystems

commit 29044dae2e746949ad4b9cbdbfb248994d1dcdb4 upstream.

Commit 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of
d_delete()") moved the fsnotify delete hook before d_delete() so fsnotify
will have access to a positive dentry.

This allowed a race where opening the deleted file via cached dentry
is now possible after receiving the IN_DELETE event.

To fix the regression in pseudo filesystems, convert d_delete() calls
to d_drop() (see commit 46c46f8df9aa ("devpts_pty_kill(): don't bother
with d_delete()") and move the fsnotify hook after d_drop().

Add a missing fsnotify_unlink() hook in nfsdfs that was found during
the audit of fsnotify hooks in pseudo filesystems.

Note that the fsnotify hooks in simple_recursive_removal() follow
d_invalidate(), so they require no change.

Link: https://lore.kernel.org/r/20220120215305.282577-2-amir73il@gmail.com
Reported-by: Ivan Delalande <colona@arista.com>
Link: https://lore.kernel.org/linux-fsdevel/YeNyzoDM5hP5LtGW@visor/
Fixes: 49246466a989 ("fsnotify: move fsnotify_nameremove() hook out of d_delete()")
Cc: stable@vger.kernel.org # v5.3+
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
index b0983e2a4e2c72d214d46abf66cc2ba0e4f1d4b8..32ddad3ec5d5352f5136d8a1677f68e943c26d78 100644 (file)
--- a/fs/configfs/dir.c
+++ b/fs/configfs/dir.c
@@ -1805,8 +1805,8 @@ void configfs_unregister_group(struct config_group *group)
        configfs_detach_group(&group->cg_item);
        d_inode(dentry)->i_flags |= S_DEAD;
        dont_mount(dentry);
+       d_drop(dentry);
        fsnotify_rmdir(d_inode(parent), dentry);
-       d_delete(dentry);
        inode_unlock(d_inode(parent));
 
        dput(dentry);
@@ -1947,10 +1947,10 @@ void configfs_unregister_subsystem(struct configfs_subsystem *subsys)
        configfs_detach_group(&group->cg_item);
        d_inode(dentry)->i_flags |= S_DEAD;
        dont_mount(dentry);
-       fsnotify_rmdir(d_inode(root), dentry);
        inode_unlock(d_inode(dentry));
 
-       d_delete(dentry);
+       d_drop(dentry);
+       fsnotify_rmdir(d_inode(root), dentry);
 
        inode_unlock(d_inode(root));
 

diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c
index 42e5a766d33c7d1fea3ca9c05be73639c38c421e..4f25015aa5342a332c76ad7d931a507784eea764 100644 (file)
--- a/fs/devpts/inode.c
+++ b/fs/devpts/inode.c
@@ -621,8 +621,8 @@ void devpts_pty_kill(struct dentry *dentry)
 
        dentry->d_fsdata = NULL;
        drop_nlink(dentry->d_inode);
-       fsnotify_unlink(d_inode(dentry->d_parent), dentry);
        d_drop(dentry);
+       fsnotify_unlink(d_inode(dentry->d_parent), dentry);
        dput(dentry);   /* d_alloc_name() in devpts_pty_new() */
 }
 

diff --git a/fs/nfsd/nfsctl.c b/fs/nfsd/nfsctl.c
index a8f954bbde4f5a466b97e67d4a75fa3b7e364dc1..dedec4771ecc2cd1d569184d19db07b356b7964d 100644 (file)
--- a/fs/nfsd/nfsctl.c
+++ b/fs/nfsd/nfsctl.c
@@ -1247,7 +1247,8 @@ static void nfsdfs_remove_file(struct inode *dir, struct dentry *dentry)
        clear_ncl(d_inode(dentry));
        dget(dentry);
        ret = simple_unlink(dir, dentry);
-       d_delete(dentry);
+       d_drop(dentry);
+       fsnotify_unlink(dir, dentry);
        dput(dentry);
        WARN_ON_ONCE(ret);
 }
@@ -1336,8 +1337,8 @@ void nfsd_client_rmdir(struct dentry *dentry)
        dget(dentry);
        ret = simple_rmdir(dir, dentry);
        WARN_ON_ONCE(ret);
+       d_drop(dentry);
        fsnotify_rmdir(dir, dentry);
-       d_delete(dentry);
        dput(dentry);
        inode_unlock(dir);
 }

diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c
index eadc0ede928c320a7afae33e1821d7e1ce63f246..5f854ffbab925b20b49516a35740168c4a3701e0 100644 (file)
--- a/net/sunrpc/rpc_pipe.c
+++ b/net/sunrpc/rpc_pipe.c
@@ -599,9 +599,9 @@ static int __rpc_rmdir(struct inode *dir, struct dentry *dentry)
 
        dget(dentry);
        ret = simple_rmdir(dir, dentry);
+       d_drop(dentry);
        if (!ret)
                fsnotify_rmdir(dir, dentry);
-       d_delete(dentry);
        dput(dentry);
        return ret;
 }
@@ -612,9 +612,9 @@ static int __rpc_unlink(struct inode *dir, struct dentry *dentry)
 
        dget(dentry);
        ret = simple_unlink(dir, dentry);
+       d_drop(dentry);
        if (!ret)
                fsnotify_unlink(dir, dentry);
-       d_delete(dentry);
        dput(dentry);
        return ret;
 }