[PATCH] 2.6.39/40 kernel BUG at fs/namei.c:1381

[PATCH] 2.6.39/40 kernel BUG at fs/namei.c:1381

[Erez Zadok]

VFS: move BUG_ON test for symlink nd->depth after current->link_count test

This solves a serious VFS-level bug in nested_symlink (which was rewritten from
do_follow_link), and follows the order of depth tests that existed before.
The bug triggers a BUG_ON in fs/namei.c:1381, when running racer with
symlink and rename ops.

Signed-off-by: Erez Zadok <ezk@cs.sunysb.edu>
Acked-by: Miklos Szeredi <mszeredi@suse.cz>
CC: stable@kernel.org
diff --git a/fs/namei.c b/fs/namei.c
index 017c3fa..7a93387 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1343,12 +1343,12 @@ static inline int nested_symlink(struct path *path, struct nameidata *nd)
 {
 	int res;
 
-	BUG_ON(nd->depth >= MAX_NESTED_LINKS);
 	if (unlikely(current->link_count >= MAX_NESTED_LINKS)) {
 		path_put_conditional(path, nd);
 		path_put(&nd->path);
 		return -ELOOP;
 	}
+	BUG_ON(nd->depth >= MAX_NESTED_LINKS);
 
 	nd->depth++;
 	current->link_count++;

Re: [PATCH] 2.6.39/40 kernel BUG at fs/namei.c:1381

[Al Viro]

On Sat, May 21, 2011 at 01:19:59AM -0400, Erez Zadok wrote:
> VFS: move BUG_ON test for symlink nd->depth after current->link_count test
> 
> This solves a serious VFS-level bug in nested_symlink (which was rewritten from
> do_follow_link), and follows the order of depth tests that existed before.
> The bug triggers a BUG_ON in fs/namei.c:1381, when running racer with
> symlink and rename ops.

Racer has nothing to do with that; just a deeply nested symlink in the middle
of pathname will do.

> -	BUG_ON(nd->depth >= MAX_NESTED_LINKS);
>  	if (unlikely(current->link_count >= MAX_NESTED_LINKS)) {
>  		path_put_conditional(path, nd);
>  		path_put(&nd->path);
>  		return -ELOOP;
>  	}
> +	BUG_ON(nd->depth >= MAX_NESTED_LINKS);

ACK (and AFAICS Linus has already applied that).