1 files changed, 21 insertions, 13 deletions
diff --git a/fs/namei.c b/fs/namei.c
index 9802345df5e7..0223c41fb114 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -238,7 +238,8 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
        /*
         * Read/write DACs are always overridable.
-         * Executable DACs are overridable if at least one exec bit is set.
+         * Executable DACs are overridable for all directories and
+         * for non-directories that have least one exec bit set.
         */
        if (!(mask & MAY_EXEC) || execute_ok(inode))
                if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
@@ -812,6 +813,11 @@ static int follow_automount(struct path *path, unsigned flags,
        if (!mnt) /* mount collision */
                return 0;
+        if (!*need_mntput) {
+                /* lock_mount() may release path->mnt on error */
+                mntget(path->mnt);
+                *need_mntput = true;
+        }
        err = finish_automount(mnt, path);
        switch (err) {
@@ -819,12 +825,9 @@ static int follow_automount(struct path *path, unsigned flags,
                /* Someone else made a mount here whilst we were busy */
                return 0;
        case 0:
-                dput(path->dentry);
+                path_put(path);
-                if (*need_mntput)
-                        mntput(path->mnt);
                path->mnt = mnt;
                path->dentry = dget(mnt->mnt_root);
-                *need_mntput = true;
                return 0;
        default:
                return err;
@@ -844,9 +847,10 @@ static int follow_automount(struct path *path, unsigned flags,
 */
 static int follow_managed(struct path *path, unsigned flags)
 {
+        struct vfsmount *mnt = path->mnt; /* held by caller, must be left alone */
        unsigned managed;
        bool need_mntput = false;
-        int ret;
+        int ret = 0;
        /* Given that we're not holding a lock here, we retain the value in a
         * local variable for each dentry as we look at it so that we don't see
@@ -861,7 +865,7 @@ static int follow_managed(struct path *path, unsigned flags)
                        BUG_ON(!path->dentry->d_op->d_manage);
                        ret = path->dentry->d_op->d_manage(path->dentry, false);
                        if (ret < 0)
-                                return ret == -EISDIR ? 0 : ret;
+                                break;
                }
                /* Transit to a mounted filesystem. */
@@ -887,14 +891,19 @@ static int follow_managed(struct path *path, unsigned flags)
                if (managed & DCACHE_NEED_AUTOMOUNT) {
                        ret = follow_automount(path, flags, &need_mntput);
                        if (ret < 0)
-                                return ret == -EISDIR ? 0 : ret;
+                                break;
                        continue;
                }
                /* We didn't change the current path point */
                break;
        }
-        return 0;
+        if (need_mntput && path->mnt == mnt)
+                mntput(path->mnt);
+        if (ret == -EISDIR)
+                ret = 0;
+        return ret;
 }
 int follow_down_one(struct path *path)
@@ -1003,9 +1012,6 @@ failed:
 * Follow down to the covering mount currently visible to userspace.  At each
 * point, the filesystem owning that dentry may be queried as to whether the
 * caller is permitted to proceed or not.
- *
- * Care must be taken as namespace_sem may be held (indicated by mounting_here
- * being true).
 */
 int follow_down(struct path *path)
 {
@@ -2713,8 +2719,10 @@ static long do_unlinkat(int dfd, const char __user *pathname)
        error = PTR_ERR(dentry);
        if (!IS_ERR(dentry)) {
                /* Why not before? Because we want correct error value */
+                if (nd.last.name[nd.last.len])
+                        goto slashes;
                inode = dentry->d_inode;
-                if (nd.last.name[nd.last.len] || !inode)
+                if (!inode)
                        goto slashes;
                ihold(inode);
                error = mnt_want_write(nd.path.mnt);

diff --git a/fs/namei.c b/fs/namei.c index 9802345df5e7..0223c41fb114 100644 --- a/fs/namei.c +++ b/fs/namei.c
@@ -238,7 +238,8 @@ int generic_permission(struct inode *inode, int mask, unsigned int flags,
238		238
239	/*	239	/*
240	* Read/write DACs are always overridable.	240	* Read/write DACs are always overridable.
241	* Executable DACs are overridable if at least one exec bit is set.	241	* Executable DACs are overridable for all directories and
		242	* for non-directories that have least one exec bit set.
242	*/	243	*/
243	if (!(mask & MAY_EXEC) \|\| execute_ok(inode))	244	if (!(mask & MAY_EXEC) \|\| execute_ok(inode))
244	if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))	245	if (ns_capable(inode_userns(inode), CAP_DAC_OVERRIDE))
@@ -812,6 +813,11 @@ static int follow_automount(struct path *path, unsigned flags,
812	if (!mnt) /* mount collision */	813	if (!mnt) /* mount collision */
813	return 0;	814	return 0;
814		815
		816	if (!*need_mntput) {
		817	/* lock_mount() may release path->mnt on error */
		818	mntget(path->mnt);
		819	*need_mntput = true;
		820	}
815	err = finish_automount(mnt, path);	821	err = finish_automount(mnt, path);
816		822
817	switch (err) {	823	switch (err) {
@@ -819,12 +825,9 @@ static int follow_automount(struct path *path, unsigned flags,
819	/* Someone else made a mount here whilst we were busy */	825	/* Someone else made a mount here whilst we were busy */
820	return 0;	826	return 0;
821	case 0:	827	case 0:
822	dput(path->dentry);	828	path_put(path);
823	if (*need_mntput)
824	mntput(path->mnt);
825	path->mnt = mnt;	829	path->mnt = mnt;
826	path->dentry = dget(mnt->mnt_root);	830	path->dentry = dget(mnt->mnt_root);
827	*need_mntput = true;
828	return 0;	831	return 0;
829	default:	832	default:
830	return err;	833	return err;
@@ -844,9 +847,10 @@ static int follow_automount(struct path *path, unsigned flags,
844	*/	847	*/
845	static int follow_managed(struct path *path, unsigned flags)	848	static int follow_managed(struct path *path, unsigned flags)
846	{	849	{
		850	struct vfsmount mnt = path->mnt; / held by caller, must be left alone */
847	unsigned managed;	851	unsigned managed;
848	bool need_mntput = false;	852	bool need_mntput = false;
849	int ret;	853	int ret = 0;
850		854
851	/* Given that we're not holding a lock here, we retain the value in a	855	/* Given that we're not holding a lock here, we retain the value in a
852	* local variable for each dentry as we look at it so that we don't see	856	* local variable for each dentry as we look at it so that we don't see
@@ -861,7 +865,7 @@ static int follow_managed(struct path *path, unsigned flags)
861	BUG_ON(!path->dentry->d_op->d_manage);	865	BUG_ON(!path->dentry->d_op->d_manage);
862	ret = path->dentry->d_op->d_manage(path->dentry, false);	866	ret = path->dentry->d_op->d_manage(path->dentry, false);
863	if (ret < 0)	867	if (ret < 0)
864	return ret == -EISDIR ? 0 : ret;	868	break;
865	}	869	}
866		870
867	/* Transit to a mounted filesystem. */	871	/* Transit to a mounted filesystem. */
@@ -887,14 +891,19 @@ static int follow_managed(struct path *path, unsigned flags)
887	if (managed & DCACHE_NEED_AUTOMOUNT) {	891	if (managed & DCACHE_NEED_AUTOMOUNT) {
888	ret = follow_automount(path, flags, &need_mntput);	892	ret = follow_automount(path, flags, &need_mntput);
889	if (ret < 0)	893	if (ret < 0)
890	return ret == -EISDIR ? 0 : ret;	894	break;
891	continue;	895	continue;
892	}	896	}
893		897
894	/* We didn't change the current path point */	898	/* We didn't change the current path point */
895	break;	899	break;
896	}	900	}
897	return 0;	901
		902	if (need_mntput && path->mnt == mnt)
		903	mntput(path->mnt);
		904	if (ret == -EISDIR)
		905	ret = 0;
		906	return ret;
898	}	907	}
899		908
900	int follow_down_one(struct path *path)	909	int follow_down_one(struct path *path)
@@ -1003,9 +1012,6 @@ failed:
1003	* Follow down to the covering mount currently visible to userspace. At each	1012	* Follow down to the covering mount currently visible to userspace. At each
1004	* point, the filesystem owning that dentry may be queried as to whether the	1013	* point, the filesystem owning that dentry may be queried as to whether the
1005	* caller is permitted to proceed or not.	1014	* caller is permitted to proceed or not.
1006	*
1007	* Care must be taken as namespace_sem may be held (indicated by mounting_here
1008	* being true).
1009	*/	1015	*/
1010	int follow_down(struct path *path)	1016	int follow_down(struct path *path)
1011	{	1017	{
@@ -2713,8 +2719,10 @@ static long do_unlinkat(int dfd, const char __user *pathname)
2713	error = PTR_ERR(dentry);	2719	error = PTR_ERR(dentry);
2714	if (!IS_ERR(dentry)) {	2720	if (!IS_ERR(dentry)) {
2715	/* Why not before? Because we want correct error value */	2721	/* Why not before? Because we want correct error value */
		2722	if (nd.last.name[nd.last.len])
		2723	goto slashes;
2716	inode = dentry->d_inode;	2724	inode = dentry->d_inode;
2717	if (nd.last.name[nd.last.len] \|\| !inode)	2725	if (!inode)
2718	goto slashes;	2726	goto slashes;
2719	ihold(inode);	2727	ihold(inode);
2720	error = mnt_want_write(nd.path.mnt);	2728	error = mnt_want_write(nd.path.mnt);