queue-4.4/autofs-drop-dentry-reference-only-when-it-is-never-u.patch

   1 From baefe25c3c47559cfca0782102ccc0029decf850 Mon Sep 17 00:00:00 2001
   2 From: Pan Bian <bianpan2016@163.com>
   3 Date: Fri, 1 Feb 2019 14:21:26 -0800
   4 Subject: autofs: drop dentry reference only when it is never used
   5
   6 [ Upstream commit 63ce5f552beb9bdb41546b3a26c4374758b21815 ]
   7
   8 autofs_expire_run() calls dput(dentry) to drop the reference count of
   9 dentry.  However, dentry is read via autofs_dentry_ino(dentry) after
  10 that.  This may result in a use-free-bug.  The patch drops the reference
  11 count of dentry only when it is never used.
  12
  13 Link: http://lkml.kernel.org/r/154725122396.11260.16053424107144453867.stgit@pluto-themaw-net
  14 Signed-off-by: Pan Bian <bianpan2016@163.com>
  15 Signed-off-by: Ian Kent <raven@themaw.net>
  16 Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
  17 Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
  18 Signed-off-by: Sasha Levin <sashal@kernel.org>
  19 ---
  20  fs/autofs4/expire.c | 3 ++-
  21  1 file changed, 2 insertions(+), 1 deletion(-)
  22
  23 diff --git a/fs/autofs4/expire.c b/fs/autofs4/expire.c
  24 index 7a5a598a2d94..0d8b9c4f27f2 100644
  25 --- a/fs/autofs4/expire.c
  26 +++ b/fs/autofs4/expire.c
  27 @@ -560,7 +560,6 @@ int autofs4_expire_run(struct super_block *sb,
  28         pkt.len = dentry->d_name.len;
  29         memcpy(pkt.name, dentry->d_name.name, pkt.len);
  30         pkt.name[pkt.len] = '\0';
  31 -       dput(dentry);
  32
  33         if ( copy_to_user(pkt_p, &pkt, sizeof(struct autofs_packet_expire)) )
  34                 ret = -EFAULT;
  35 @@ -573,6 +572,8 @@ int autofs4_expire_run(struct super_block *sb,
  36         complete_all(&ino->expire_complete);
  37         spin_unlock(&sbi->fs_lock);
  38
  39 +       dput(dentry);
  40 +
  41         return ret;
  42  }
  43
  44 --
  45 2.19.1
  46