Re: [PATCH] Fix mountpoint reference leakage in linkat

Jeff Layton <jlayton@xxxxxxxxxx> · Fri, 31 Jan 2014 16:32:31 -0500

On Fri, 31 Jan 2014 16:13:19 -0500
Oleg Drokin <green@xxxxxxxxxxxxxx> wrote:

> 
> On Jan 31, 2014, at 4:03 PM, Al Viro wrote:
> >> diff --git a/fs/namei.c b/fs/namei.c
> >> index bcb838e..e620937 100644
> >> --- a/fs/namei.c
> >> +++ b/fs/namei.c
> >> @@ -3931,6 +3931,7 @@ out_dput:
> >> 			goto retry;
> >> 	}
> >> 	if (retry_estale(error, how)) {
> >> +		path_put(&old_path);
> >> 		how |= LOOKUP_REVAL;
> >> 		goto retry;
> >> 	}
> > Umm...  That obviously can't be right - we have another goto retry
> > in the same situation (see in your diff context).  I agree that
> > we have a leak there, but you've fixed only a half of it.
> 
> Hm, you are right, I did not notice this other one somehow.
> 
> So, not to take any guesses, should I convert the other goto retry into
> retry_deleg similar in style to what happens in rename and unlink, only
> make retry)deleg label before call to the security_path_link?
> After the call to the security_path_link?
> Or would you prefer to just free old_path in both cases?
> 
> Bye,
>     Oleg

Maybe something like this (untested) instead?

--------------------------8<---------------------------

[PATCH] vfs: fix linkat old_path reference leak

Cc: <stable@xxxxxxxxxxxxxxx> # v3.8+
Reported-by: Oleg Drokin <green@xxxxxxxxxxxxxx>
Signed-off-by: Jeff Layton <jlayton@xxxxxxxxxx>
---
 fs/namei.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/namei.c b/fs/namei.c
index 46dbd31..e70dd81 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -3927,8 +3927,10 @@ retry:
 	new_dentry = user_path_create(newdfd, newname, &new_path,
 					(how & LOOKUP_REVAL));
 	error = PTR_ERR(new_dentry);
-	if (IS_ERR(new_dentry))
+	if (IS_ERR(new_dentry)) {
+		path_put(&old_path);
 		goto out;
+	}
 
 	error = -EXDEV;
 	if (old_path.mnt != new_path.mnt)
@@ -3942,6 +3944,7 @@ retry:
 	error = vfs_link(old_path.dentry, new_path.dentry->d_inode, new_dentry, &delegated_inode);
 out_dput:
 	done_path_create(&new_path, new_dentry);
+	path_put(&old_path);
 	if (delegated_inode) {
 		error = break_deleg_wait(&delegated_inode);
 		if (!error)
@@ -3952,8 +3955,6 @@ out_dput:
 		goto retry;
 	}
 out:
-	path_put(&old_path);
-
 	return error;
 }
 
-- 
1.8.5.3




--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html







