On Fri, Nov 22, 2019 at 07:18:28PM -0800, Alexei Starovoitov wrote: > > + f = fget_raw(fd); > > + if (!f) > > + goto error; > > + > > + /* For unmountable pseudo filesystem, it seems to have no meaning > > + * to get their fake paths as they don't have path, and to be no > > + * way to validate this function pointer can be always safe to call > > + * in the current context. > > + */ > > + if (f->f_path.dentry->d_op && f->f_path.dentry->d_op->d_dname) > > + return -EINVAL; An obvious leak here, BTW. Anyway, what could that be used for? I mean, if you want to check something about syscall arguments, that's an unfixably racy way to go. Descriptor table can be a shared data structure, and two consequent fdget() on the same number can bloody well yield completely unrelated struct file references. IOW, anything that does descriptor -> struct file * translation more than once is an instant TOCTOU suspect. In this particular case, the function will produce a pathname of something that was once reachable via descriptor with this number; quite possibly never before that function had been called _and_ not once after it has returned.
