diff options
| author | Nick Piggin <npiggin@kernel.dk> | 2011-01-14 03:42:43 -0500 |
|---|---|---|
| committer | Nick Piggin <npiggin@kernel.dk> | 2011-01-14 03:42:43 -0500 |
| commit | 7b9337aaf98f9941d0927a75217d3ff31afec609 (patch) | |
| tree | d61753169b24d521147116717f310dfb65d3d20d | |
| parent | f20877d94a74557b7c28b4ed8920d834c31e0ea5 (diff) | |
fs: namei fix ->put_link on wrong inode in do_filp_open
J. R. Okajima noticed that ->put_link is being attempted on the
wrong inode, and suggested the way to fix it. I changed it a bit
according to Al's suggestion to keep an explicit link path around.
Signed-off-by: Nick Piggin <npiggin@kernel.dk>
| -rw-r--r-- | fs/namei.c | 37 |
1 files changed, 19 insertions, 18 deletions
diff --git a/fs/namei.c b/fs/namei.c index bc24894c5f14..9cda4c452a6d 100644 --- a/fs/namei.c +++ b/fs/namei.c | |||
| @@ -779,7 +779,8 @@ static void path_put_conditional(struct path *path, struct nameidata *nd) | |||
| 779 | mntput(path->mnt); | 779 | mntput(path->mnt); |
| 780 | } | 780 | } |
| 781 | 781 | ||
| 782 | static inline void path_to_nameidata(struct path *path, struct nameidata *nd) | 782 | static inline void path_to_nameidata(const struct path *path, |
| 783 | struct nameidata *nd) | ||
| 783 | { | 784 | { |
| 784 | if (!(nd->flags & LOOKUP_RCU)) { | 785 | if (!(nd->flags & LOOKUP_RCU)) { |
| 785 | dput(nd->path.dentry); | 786 | dput(nd->path.dentry); |
| @@ -791,20 +792,20 @@ static inline void path_to_nameidata(struct path *path, struct nameidata *nd) | |||
| 791 | } | 792 | } |
| 792 | 793 | ||
| 793 | static __always_inline int | 794 | static __always_inline int |
| 794 | __do_follow_link(struct path *path, struct nameidata *nd, void **p) | 795 | __do_follow_link(const struct path *link, struct nameidata *nd, void **p) |
| 795 | { | 796 | { |
| 796 | int error; | 797 | int error; |
| 797 | struct dentry *dentry = path->dentry; | 798 | struct dentry *dentry = link->dentry; |
| 798 | 799 | ||
| 799 | touch_atime(path->mnt, dentry); | 800 | touch_atime(link->mnt, dentry); |
| 800 | nd_set_link(nd, NULL); | 801 | nd_set_link(nd, NULL); |
| 801 | 802 | ||
| 802 | if (path->mnt != nd->path.mnt) { | 803 | if (link->mnt != nd->path.mnt) { |
| 803 | path_to_nameidata(path, nd); | 804 | path_to_nameidata(link, nd); |
| 804 | nd->inode = nd->path.dentry->d_inode; | 805 | nd->inode = nd->path.dentry->d_inode; |
| 805 | dget(dentry); | 806 | dget(dentry); |
| 806 | } | 807 | } |
| 807 | mntget(path->mnt); | 808 | mntget(link->mnt); |
| 808 | 809 | ||
| 809 | nd->last_type = LAST_BIND; | 810 | nd->last_type = LAST_BIND; |
| 810 | *p = dentry->d_inode->i_op->follow_link(dentry, nd); | 811 | *p = dentry->d_inode->i_op->follow_link(dentry, nd); |
| @@ -2347,11 +2348,12 @@ reval: | |||
| 2347 | nd.flags = flags; | 2348 | nd.flags = flags; |
| 2348 | filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); | 2349 | filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); |
| 2349 | while (unlikely(!filp)) { /* trailing symlink */ | 2350 | while (unlikely(!filp)) { /* trailing symlink */ |
| 2350 | struct path holder; | 2351 | struct path link = path; |
| 2352 | struct inode *linki = link.dentry->d_inode; | ||
| 2351 | void *cookie; | 2353 | void *cookie; |
| 2352 | error = -ELOOP; | 2354 | error = -ELOOP; |
| 2353 | /* S_ISDIR part is a temporary automount kludge */ | 2355 | /* S_ISDIR part is a temporary automount kludge */ |
| 2354 | if (!(nd.flags & LOOKUP_FOLLOW) && !S_ISDIR(nd.inode->i_mode)) | 2356 | if (!(nd.flags & LOOKUP_FOLLOW) && !S_ISDIR(linki->i_mode)) |
| 2355 | goto exit_dput; | 2357 | goto exit_dput; |
| 2356 | if (count++ == 32) | 2358 | if (count++ == 32) |
| 2357 | goto exit_dput; | 2359 | goto exit_dput; |
| @@ -2367,23 +2369,22 @@ reval: | |||
| 2367 | * just set LAST_BIND. | 2369 | * just set LAST_BIND. |
| 2368 | */ | 2370 | */ |
| 2369 | nd.flags |= LOOKUP_PARENT; | 2371 | nd.flags |= LOOKUP_PARENT; |
| 2370 | error = security_inode_follow_link(path.dentry, &nd); | 2372 | error = security_inode_follow_link(link.dentry, &nd); |
| 2371 | if (error) | 2373 | if (error) |
| 2372 | goto exit_dput; | 2374 | goto exit_dput; |
| 2373 | error = __do_follow_link(&path, &nd, &cookie); | 2375 | error = __do_follow_link(&link, &nd, &cookie); |
| 2374 | if (unlikely(error)) { | 2376 | if (unlikely(error)) { |
| 2375 | if (!IS_ERR(cookie) && nd.inode->i_op->put_link) | 2377 | if (!IS_ERR(cookie) && linki->i_op->put_link) |
| 2376 | nd.inode->i_op->put_link(path.dentry, &nd, cookie); | 2378 | linki->i_op->put_link(link.dentry, &nd, cookie); |
| 2377 | /* nd.path had been dropped */ | 2379 | /* nd.path had been dropped */ |
| 2378 | nd.path = path; | 2380 | nd.path = link; |
| 2379 | goto out_path; | 2381 | goto out_path; |
| 2380 | } | 2382 | } |
| 2381 | holder = path; | ||
| 2382 | nd.flags &= ~LOOKUP_PARENT; | 2383 | nd.flags &= ~LOOKUP_PARENT; |
| 2383 | filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); | 2384 | filp = do_last(&nd, &path, open_flag, acc_mode, mode, pathname); |
| 2384 | if (nd.inode->i_op->put_link) | 2385 | if (linki->i_op->put_link) |
| 2385 | nd.inode->i_op->put_link(holder.dentry, &nd, cookie); | 2386 | linki->i_op->put_link(link.dentry, &nd, cookie); |
| 2386 | path_put(&holder); | 2387 | path_put(&link); |
| 2387 | } | 2388 | } |
| 2388 | out: | 2389 | out: |
| 2389 | if (nd.root.mnt) | 2390 | if (nd.root.mnt) |