From 10ba578c018294bb037a7eb90010491cdda270a7 Mon Sep 17 00:00:00 2001
From: Andrei Vagin
Date: Tue, 17 Nov 2020 14:53:06 -0800
Subject: tmpfs: make sure that a dentry will not be destroyed before the open() call
If we don't hold a reference, the dentry can be destroyed by another thread.
Reported-by: syzbot+f2132e50060c41f6d41f@syzkaller.appspotmail.com
PiperOrigin-RevId: 342951940
---
pkg/sentry/fsimpl/tmpfs/filesystem.go | 2 ++
1 file changed, 2 insertions(+)
(limited to 'pkg/sentry')
diff --git a/pkg/sentry/fsimpl/tmpfs/filesystem.go b/pkg/sentry/fsimpl/tmpfs/filesystem.go
index e39cd305b..61138a7a4 100644
--- a/pkg/sentry/fsimpl/tmpfs/filesystem.go
+++ b/pkg/sentry/fsimpl/tmpfs/filesystem.go
@@ -381,6 +381,8 @@ afterTrailingSymlink:
 creds := rp.Credentials()
 child := fs.newDentry(fs.newRegularFile(creds.EffectiveKUID, creds.EffectiveKGID, opts.Mode))
 parentDir.insertChildLocked(child, name)
+ child.IncRef()
+ defer child.DecRef(ctx)
 unlock()
 fd, err := child.open(ctx, rp, &opts, true)
 if err != nil {
-- cgit v1.2.3
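Review bot: The two lines added between `parentDir.insertChildLocked(child, name)` and `unlock()` have no comment explaining why the reference is taken, so the lifetime invariant this fix relies on is recorded only in the commit message. I would add above `child.IncRef()`: `// Hold a reference across unlock(): once the lock is dropped, another thread can destroy child before open() runs.` The ordering is the fix: the IncRef must stay before `unlock()`, and a later cleanup that moves or drops it as redundant would bring back the use-after-destroy that syzbot reported. The enclosing function starts and ends outside the hunk, so it is not possible to tell from here whether other paths under `afterTrailingSymlink:` touch a dentry after `unlock()` without holding their own reference; that is worth checking alongside this change.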