configfs: fix config_item refcnt leak in configfs_rmdir()

sherlly · Christoph Hellwig · commit 8aebfffacfa3 · 2020-04-27T08:17:10.000+02:00
configfs_rmdir() invokes configfs_get_config_item(), which returns a
reference of the specified config_item object to "parent_item" with
increased refcnt.

When configfs_rmdir() returns, local variable "parent_item" becomes
invalid, so the refcount should be decreased to keep refcount balanced.

The reference counting issue happens in one exception handling path of
configfs_rmdir(). When down_write_killable() fails, the function forgets
to decrease the refcnt increased by configfs_get_config_item(), causing
a refcnt leak.

Fix this issue by calling config_item_put() when down_write_killable()
fails.

Signed-off-by: Xiyu Yang &lt;xiyuyang19@fudan.edu.cn&gt;
Signed-off-by: Xin Tan &lt;tanxin.ctf@gmail.com&gt;
Signed-off-by: Christoph Hellwig &lt;hch@lst.de&gt;
diff --git a/fs/configfs/dir.c b/fs/configfs/dir.c
@@ -1519,6 +1519,7 @@ static int configfs_rmdir(struct inode *dir, struct dentry *dentry)
 		spin_lock(&configfs_dirent_lock);
 		configfs_detach_rollback(dentry);
 		spin_unlock(&configfs_dirent_lock);
+		config_item_put(parent_item);
 		return -EINTR;
 	}
 	frag->frag_dead = true;

Original file line number	Diff line number	Diff line change
`@@ -1519,6 +1519,7 @@ static int configfs_rmdir(struct inode dir, struct dentry dentry)`
`1519`	`1519`	`spin_lock(&configfs_dirent_lock);`
`1520`	`1520`	`configfs_detach_rollback(dentry);`
`1521`	`1521`	`spin_unlock(&configfs_dirent_lock);`
	`1522`	`+ config_item_put(parent_item);`
`1522`	`1523`	`return -EINTR;`
`1523`	`1524`	`}`
`1524`	`1525`	`frag->frag_dead = true;`