On Mon, May 11, 2015 at 07:08:05PM +0100, Al Viro wrote:
> +static bool legitimize_links(struct nameidata *nd)
> +{
> + int i;
> + for (i = 0; i < nd->depth; i++) {
> + struct saved *last = nd->stack + i;
> + if (unlikely(!legitimize_path(nd, &last->link, last->seq))) {
> + drop_links(nd);
> + nd->depth = i;
Broken, actually - it should be i + 1. What happens is that we attempt to
grab references on nd->stack[...].link; if everything succeeds, we'd won.
If legitimizing nd->stack[i].link fails (e.g. ->d_seq has changed on us),
we
* put_link everything in stack and clear nd->stack[...].cookie, making
sure that nobody will call ->put_link() on it later.
* leave the things for terminate_walk() so that it would do
path_put() on everything we have grabbed and ignored everything we hadn't
even got around to.
But this failed legitimize_path() requires path_put() - we *can't* block
there (we wouldn't be able to do ->put_link() afterwards if we did), so
we just zero what we didn't grab and leave what we had for subsequent
path_put(). Which may be anything from "nothing" (mount_lock has been
touched) to "both vfsmount and dentry" (->d_seq mismatch).
So we need to set nd->depth to i + 1 here, not i. As it is, we are risking
a vfsmount (and possibly dentry) leak. Fixed and force-pushed...
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
