On Wed, Jan 01, 2020 at 12:43:24AM +0000, Al Viro wrote:
> I'm not sure if you have caught anything else, but we really, really should *NOT*
> consider the LAST_BIND as "maybe we should follow the result" material. So
> at least the following is needed; could you check if anything else remains
> with that applied?
>
> diff --git a/fs/namei.c b/fs/namei.c
> index d6c91d1e88cb..d4fbbda8a7ff 100644
> --- a/fs/namei.c
> +++ b/fs/namei.c
> @@ -2656,10 +2656,7 @@ mountpoint_last(struct nameidata *nd)
> nd->flags &= ~LOOKUP_PARENT;
>
> if (unlikely(nd->last_type != LAST_NORM)) {
> - error = handle_dots(nd, nd->last_type);
> - if (error)
> - return error;
> - path.dentry = dget(nd->path.dentry);
> + return handle_dots(nd, nd->last_type);
> } else {
> path.dentry = d_lookup(dir, &nd->last);
> if (!path.dentry) {
Note, BTW, that lookup_last() (aka walk_component()) does just
that - we only hit step_into() on LAST_NORM. The same goes
for do_last(). mountpoint_last() not doing the same is _not_
intentional - it's definitely a bug.
Consider your testcase; link points to . here. So the only
thing you could expect from trying to follow it would be
the directory 'link' lives in. And you don't have it
when you reach the fscker via /proc/self/fd/3; what happens
instead is nd->path set to ./link (by nd_jump_link()) *AND*
step_into() called, pushing the same ./link onto stack.
It violates all kinds of assumptions made by fs/namei.c -
when pushing a symlink onto stack nd->path is expected to
contain the base directory for resolving it.
I'm fairly sure that this is the cause of at least some
of the insanity you've caught; there always could be
something else, of course, but this hole needs to be
closed in any case.
