minimal fix for do_filp_open() race

failure exits on the no-O_CREAT side of do_filp_open() merge with
those of O_CREAT one; unfortunately, if do_path_lookup() returns
-ESTALE, we'll get out_filp:, notice that we are about to return
-ESTALE without having trying to create the sucker with LOOKUP_REVAL
and jump right into the O_CREAT side of code.  And proceed to try
and create a file.  Usually that'll fail with -ESTALE again, but
we can race and get that attempt of pathname resolution to succeed.

open() without O_CREAT really shouldn't end up creating files, races
or not.  The real fix is to rearchitect the whole do_filp_open(),
but for now splitting the failure exits will do.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

1 files changed, 10 insertions, 3 deletions

diff --git a/fs/namei.c b/fs/namei.c
index 0087cf9c2c6b..a5e844fe4b28 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2455,22 +2455,29 @@ struct file *do_filp_open(int dfd, const char *pathname,
         /* !O_CREAT, simple open */
         error = do_path_lookup(dfd, pathname, flags, &nd);
         if (unlikely(error))
-                goto out_filp;
+                goto out_filp2;
         error = -ELOOP;
         if (!(nd.flags & LOOKUP_FOLLOW)) {
                 if (nd.inode->i_op->follow_link)
-                        goto out_path;
+                        goto out_path2;
         }
         error = -ENOTDIR;
         if (nd.flags & LOOKUP_DIRECTORY) {
                 if (!nd.inode->i_op->lookup)
-                        goto out_path;
+                        goto out_path2;
         }
         audit_inode(pathname, nd.path.dentry);
         filp = finish_open(&nd, open_flag, acc_mode);
+out2:
         release_open_intent(&nd);
         return filp;
 
+out_path2:
+        path_put(&nd.path);
+out_filp2:
+        filp = ERR_PTR(error);
+        goto out2;
+
 creat:
         /* OK, have to create the file. Find the parent. */
         error = path_init_rcu(dfd, pathname,