On Tue, Jan 30, 2024 at 11:03:55AM -0800, Linus Torvalds wrote: > +void eventfs_d_release(struct dentry *dentry) > { > - struct eventfs_inode *ei; > - > - mutex_lock(&eventfs_mutex); > - ei = dentry->d_fsdata; > - if (ei) { > - dentry->d_fsdata = NULL; > - put_ei(ei); > - } > - mutex_unlock(&eventfs_mutex); > + put_ei(dentry->d_fsdata); > }
I'd rather pass ->d_fsdata to that sucker (or exposed put_ei(), for that matter). > @@ -857,6 +847,5 @@ void eventfs_remove_events_dir(struct eventfs_inode *ei) > * sticks around while the other ei->dentry are created > * and destroyed dynamically. > */ > - simple_recursive_removal(dentry, NULL); That also needs to move earlier in the series - bisect hazard. > + * > + * Note that d_revalidate is called potentially under RCU, > + * so it can't take the eventfs mutex etc. It's fine - if > + * we open a file just as it's marked dead, things will > + * still work just fine, and just see the old stale case. Looks like use after free, unless freeing ei is RCU-delayed... > + return !(ei && ei->is_freed);
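Review bot: in eventfs_d_release(), `put_ei(dentry->d_fsdata);` drops the `if (ei)` test that the removed lines had, so the call is only safe if put_ei() accepts a NULL argument, which this hunk does not show. Either keep the check here or add a comment stating that put_ei() is NULL-safe. Removing `dentry->d_fsdata = NULL;` also leaves the dentry holding a pointer to an ei whose reference has just been dropped, and the commit message should say why nothing can read d_fsdata after ->d_release and why eventfs_mutex is no longer needed on this path.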
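Review bot: in the eventfs_remove_events_dir() hunk, the `simple_recursive_removal(dentry, NULL);` call is deleted, but the comment above it about the dentry that "sticks around while the other ei->dentry are created and destroyed dynamically" stays, with nothing visible after it that acts on that dentry. Update the comment so it says what now tears down the events directory dentry, or remove the part that only explained the deleted call.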
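Review bot: in the d_revalidate hunk, `return !(ei && ei->is_freed);` dereferences ei with no lock held, and the added comment explains why the eventfs mutex cannot be taken but not what keeps ei allocated while is_freed is read. The comment should name the lifetime guarantee the lockless read relies on (a reference held through d_fsdata for as long as the dentry exists, or an RCU-deferred free of ei), since "things will still work just fine" only holds if one of them is true.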