From: Al Viro <viro@xxxxxxxxxxxxxxxxxx> We need to dismiss a symlink when we are done traversing it; currently that's done when we call step_into() for its last component. For the cases when we do not call step_into() for that component (i.e. when it's . or ..) we do the same symlink dismissal after the call of handle_dots(). What we need to guarantee is that the symlink won't be dismissed while we are still using nd->last.name - it's pointing into the body of said symlink. step_into() is sufficiently late - by the time it's called we'd already obtained the dentry, so the name we'd been looking up is no longer needed. However, it turns out to be cleaner to have that ("we are done with that component now, can dismiss the link") done explicitly - in the callers of step_into(). In handle_dots() case we won't be using the component string at all, so for . and .. the corresponding point is actually _before_ the call of handle_dots(), not after it. Fix a minor irregularity in do_last(), while we are at it - if trailing symlink ended with . or .. we forgot to dismiss it. Not a problem, since nameidata is about to be done with (neither . nor .. can be a trailing symlink, so this is the last iteration through the loop) and terminate_walk() will clean the stack anyway, but let's keep it more regular. Signed-off-by: Al Viro <viro@xxxxxxxxxxxxxxxxxx> --- fs/namei.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/fs/namei.c b/fs/namei.c index 84ce7ccd944e..3097edcb4a1a 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -1838,8 +1838,6 @@ enum {WALK_FOLLOW = 1, WALK_MORE = 2}; static inline int step_into(struct nameidata *nd, struct path *path, int flags, struct inode *inode, unsigned seq) { - if (!(flags & WALK_MORE) && nd->depth) - put_link(nd); if (likely(!d_is_symlink(path->dentry)) || !(flags & WALK_FOLLOW || nd->flags & LOOKUP_FOLLOW)) { /* not a symlink or should not follow */ @@ -1869,9 +1867,9 @@ static int walk_component(struct nameidata *nd, int flags) * parent relationships. */ if (unlikely(nd->last_type != LAST_NORM)) { - err = handle_dots(nd, nd->last_type); if (!(flags & WALK_MORE) && nd->depth) put_link(nd); + err = handle_dots(nd, nd->last_type); return err; } dentry = lookup_fast(nd, &inode, &seq); @@ -1882,6 +1880,8 @@ static int walk_component(struct nameidata *nd, int flags) if (IS_ERR(dentry)) return PTR_ERR(dentry); } + if (!(flags & WALK_MORE) && nd->depth) + put_link(nd); err = handle_mounts(nd, dentry, &path, &inode, &seq); if (unlikely(err < 0)) @@ -3291,6 +3291,8 @@ static int do_last(struct nameidata *nd, nd->flags |= op->intent; if (nd->last_type != LAST_NORM) { + if (nd->depth) + put_link(nd); error = handle_dots(nd, nd->last_type); if (unlikely(error)) return error; @@ -3382,6 +3384,8 @@ static int do_last(struct nameidata *nd, } finish_lookup: + if (nd->depth) + put_link(nd); error = handle_mounts(nd, dentry, &path, &inode, &seq); if (unlikely(error < 0)) return error; -- 2.11.0