Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 7b9337aa authored by Nick Piggin's avatar Nick Piggin
Browse files

fs: namei fix ->put_link on wrong inode in do_filp_open 



J. R. Okajima noticed that ->put_link is being attempted on the
wrong inode, and suggested the way to fix it. I changed it a bit
according to Al's suggestion to keep an explicit link path around.

Signed-off-by: default avatarNick Piggin <npiggin@kernel.dk>
parent f20877d9

fs/namei.c

+19 −18
Original line number Diff line number Diff line
@@ -779,7 +779,8 @@ static void path_put_conditional(struct path *path, struct nameidata *nd) 
		mntput(path->mnt);

}



static inline void path_to_nameidata(struct path *path, struct nameidata *nd)

static inline void path_to_nameidata(const struct path *path,

					struct nameidata *nd)

{

	if (!(nd->flags & LOOKUP_RCU)) {

		dput(nd->path.dentry);
@@ -791,20 +792,20 @@ static inline void path_to_nameidata(struct path *path, struct nameidata *nd) 
}



static __always_inline int

__do_follow_link(struct path *path, struct nameidata *nd, void **p)

__do_follow_link(const struct path *link, struct nameidata *nd, void **p)

{

	int error;

	struct dentry *dentry = path->dentry;

	struct dentry *dentry = link->dentry;



	touch_atime(path->mnt, dentry);

	touch_atime(link->mnt, dentry);

	nd_set_link(nd, NULL);



	if (path->mnt != nd->path.mnt) {

		path_to_nameidata(path, nd);

	if (link->mnt != nd->path.mnt) {

		path_to_nameidata(link, nd);

		nd->inode = nd->path.dentry->d_inode;

		dget(dentry);

	}

	mntget(path->mnt);

	mntget(link->mnt);



	nd->last_type = LAST_BIND;

	*p = dentry->d_inode->i_op->follow_link(dentry, nd);
@@ -2347,11 +2348,12 @@ struct file *do_filp_open(int dfd, const char *pathname, 
	nd.flags = flags;

	filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname);

	while (unlikely(!filp)) { /* trailing symlink */

		struct path holder;

		struct path link = path;

		struct inode *linki = link.dentry->d_inode;

		void *cookie;

		error = -ELOOP;

		/* S_ISDIR part is a temporary automount kludge */

		if (!(nd.flags & LOOKUP_FOLLOW) && !S_ISDIR(nd.inode->i_mode))

		if (!(nd.flags & LOOKUP_FOLLOW) && !S_ISDIR(linki->i_mode))

			goto exit_dput;

		if (count++ == 32)

			goto exit_dput;
@@ -2367,23 +2369,22 @@ struct file *do_filp_open(int dfd, const char *pathname, 
		 * just set LAST_BIND.

		 */

		nd.flags |= LOOKUP_PARENT;

		error = security_inode_follow_link(path.dentry, &nd);

		error = security_inode_follow_link(link.dentry, &nd);

		if (error)

			goto exit_dput;

		error = __do_follow_link(&path, &nd, &cookie);

		error = __do_follow_link(&link, &nd, &cookie);

		if (unlikely(error)) {

			if (!IS_ERR(cookie) && nd.inode->i_op->put_link)

				nd.inode->i_op->put_link(path.dentry, &nd, cookie);

			if (!IS_ERR(cookie) && linki->i_op->put_link)

				linki->i_op->put_link(link.dentry, &nd, cookie);

			/* nd.path had been dropped */

			nd.path = path;

			nd.path = link;

			goto out_path;

		}

		holder = path;

		nd.flags &= ~LOOKUP_PARENT;

		filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname);

		if (nd.inode->i_op->put_link)

			nd.inode->i_op->put_link(holder.dentry, &nd, cookie);

		path_put(&holder);

		if (linki->i_op->put_link)

			linki->i_op->put_link(link.dentry, &nd, cookie);

		path_put(&link);

	}

out:

	if (nd.root.mnt)