On Mon, Sep 19, 2022 at 04:10:29PM +0200, Miklos Szeredi wrote: > - child = d_alloc(dentry, &slash_name); > + child = d_alloc(parentpath->dentry, &slash_name); > if (unlikely(!child)) > goto out_err; > + file->f_path.mnt = parentpath->mnt; > + file->f_path.dentry = child; > mode = vfs_prepare_mode(mnt_userns, dir, mode, mode, mode); > error = dir->i_op->tmpfile(mnt_userns, dir, child, mode); > + error = finish_open_simple(file, error); > + dput(child); > + if (error) > + goto out_err; > + error = may_open(mnt_userns, &file->f_path, 0, file->f_flags); > if (error) > goto out_err; > error = -ENOENT; > inode = child->d_inode; > if (unlikely(!inode)) > goto out_err; Ugh... First of all, goto out_err leading to immediate return error; is obfuscation for no good reason. What's more, how the hell can we get a negative dentry here? The only thing that makes this check valid is that after successful open child is pinned as file->f_path.dentry - otherwise dput() above might have very well freed it. And if we ever end up with a negative dentry in file->f_path.dentry of an opened file, we are really screwed...