On Thu, Dec 30, 2021 at 02:17:23AM +0000, Al Viro wrote: > > +static int io_setxattr_prep(struct io_kiocb *req, > > + const struct io_uring_sqe *sqe) > > +{ > > + struct io_xattr *ix = &req->xattr; > > + const char __user *path; > > + int ret; > > + > > + ret = __io_setxattr_prep(req, sqe); > > + if (ret) > > + return ret; > > + > > + path = u64_to_user_ptr(READ_ONCE(sqe->addr3)); > > + > > + ix->filename = getname_flags(path, LOOKUP_FOLLOW, NULL); > > + if (IS_ERR(ix->filename)) { > > + ret = PTR_ERR(ix->filename); > > + ix->filename = NULL; > > + } > > + > > + return ret; > > +} > > ... and here you use it and bring the pathname in. Should the latter > step fail, you restore ->filename to NULL and return an error. > > Could you explain what kind of magic could allow the caller to tell > whether ix->ctx.kname needs to be freed on error? I don't see any way > that could possibly work... getxattr side has the same problem, AFAICS...
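Review bot: the getname_flags() failure branch in io_setxattr_prep() only resets ix->filename to NULL and returns the error, so anything __io_setxattr_prep() set up before it succeeded is left behind with no indication to the caller of whether it exists. The reply names ix->ctx.kname as the state in question. Suggest releasing that state in the same branch before returning and clearing the pointer, so that a failed prep always leaves the request with nothing to free, or else stating in a comment which cleanup path owns it after a failed prep. As the reply notes, the getxattr prep path needs the same treatment.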