From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [PATCH v3 105/110] namei: make unlazy_walk and terminate_walk handle nd->stack, add unlazy_link Date: Tue, 12 May 2015 00:43:33 +0100 Message-ID: <20150511234333.GA7232@ZenIV.linux.org.uk> References: <20150511180650.GA4147@ZenIV.linux.org.uk> <1431367690-5223-105-git-send-email-viro@ZenIV.linux.org.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Neil Brown , Christoph Hellwig , linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org To: Linus Torvalds Return-path: Content-Disposition: inline In-Reply-To: <1431367690-5223-105-git-send-email-viro@ZenIV.linux.org.uk> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Mon, May 11, 2015 at 07:08:05PM +0100, Al Viro wrote: > +static bool legitimize_links(struct nameidata *nd) > +{ > + int i; > + for (i = 0; i < nd->depth; i++) { > + struct saved *last = nd->stack + i; > + if (unlikely(!legitimize_path(nd, &last->link, last->seq))) { > + drop_links(nd); > + nd->depth = i; Broken, actually - it should be i + 1. What happens is that we attempt to grab references on nd->stack[...].link; if everything succeeds, we'd won. If legitimizing nd->stack[i].link fails (e.g. ->d_seq has changed on us), we * put_link everything in stack and clear nd->stack[...].cookie, making sure that nobody will call ->put_link() on it later. * leave the things for terminate_walk() so that it would do path_put() on everything we have grabbed and ignored everything we hadn't even got around to. But this failed legitimize_path() requires path_put() - we *can't* block there (we wouldn't be able to do ->put_link() afterwards if we did), so we just zero what we didn't grab and leave what we had for subsequent path_put(). Which may be anything from "nothing" (mount_lock has been touched) to "both vfsmount and dentry" (->d_seq mismatch). So we need to set nd->depth to i + 1 here, not i. As it is, we are risking a vfsmount (and possibly dentry) leak. Fixed and force-pushed...