Fix race between proc_get_inode() and remove_proc_entry()
proc_lookup remove_proc_entry
=========== =================
lock_kernel();
spin_lock(&proc_subdir_lock);
[find PDE with refcount 0]
spin_unlock(&proc_subdir_lock);
spin_lock(&proc_subdir_lock);
[find PDE with refcount 0]
[check refcount and free PDE]
spin_unlock(&proc_subdir_lock);
proc_get_inode:
de_get(de); /* boom */
Signed-off-by: Alexey Dobriyan <adobriyan@openvz.org>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Oleg Nesterov <oleg@tv-sign.ru>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/fs/proc/inode.c b/fs/proc/inode.c
index 22b1158..d1de637 100644
--- a/fs/proc/inode.c
+++ b/fs/proc/inode.c
@@ -21,7 +21,7 @@
#include "internal.h"
-static inline struct proc_dir_entry * de_get(struct proc_dir_entry *de)
+struct proc_dir_entry *de_get(struct proc_dir_entry *de)
{
if (de)
atomic_inc(&de->count);
@@ -31,7 +31,7 @@
/*
* Decrements the use count and checks for deferred deletion.
*/
-static void de_put(struct proc_dir_entry *de)
+void de_put(struct proc_dir_entry *de)
{
if (de) {
lock_kernel();
@@ -146,11 +146,6 @@
{
struct inode * inode;
- /*
- * Increment the use count so the dir entry can't disappear.
- */
- de_get(de);
-
WARN_ON(de && de->deleted);
if (de != NULL && !try_module_get(de->owner))
@@ -184,7 +179,6 @@
if (de != NULL)
module_put(de->owner);
out_mod:
- de_put(de);
return NULL;
}
@@ -199,6 +193,7 @@
s->s_op = &proc_sops;
s->s_time_gran = 1;
+ de_get(&proc_root);
root_inode = proc_get_inode(s, PROC_ROOT_INO, &proc_root);
if (!root_inode)
goto out_no_root;
@@ -212,6 +207,7 @@
out_no_root:
printk("proc_read_super: get root inode failed\n");
iput(root_inode);
+ de_put(&proc_root);
return -ENOMEM;
}
MODULE_LICENSE("GPL");