[PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

[PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

[Eric W. Biederman]

Normally in dentry_open the passed in path is placed on the new filp
removing the caller from needing to worry about it.  In the rare case
that we can not allocate a filp the path is not consumed.  None of the
callers of dentry_open call path_put in their error handling when
dentry_open fails so call path_put for them on error and keep everyone's
error handling simple.

Cc: stable@vger.kernel.org
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
---
 fs/open.c |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/fs/open.c b/fs/open.c
index 4b3e1edf2fe4..0afa243941da 100644
--- a/fs/open.c
+++ b/fs/open.c
@@ -843,6 +843,8 @@ struct file *dentry_open(const struct path *path, int flags,
 			put_filp(f);
 			f = ERR_PTR(error);
 		}
+	} else {
+		path_put(path);
 	}
 	return f;
 }
-- 
1.7.5.4

Re: [PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

[Al Viro]

On Thu, Jan 16, 2014 at 03:45:38PM -0800, Eric W. Biederman wrote:
> 
> Normally in dentry_open the passed in path is placed on the new filp
> removing the caller from needing to worry about it.  In the rare case
> that we can not allocate a filp the path is not consumed.  None of the
> callers of dentry_open call path_put in their error handling when
> dentry_open fails so call path_put for them on error and keep everyone's
> error handling simple.

You are misreading that code.  _No_ path in dentry_open() drops that
sucker, no matter whether we succeed or fail.  do_dentry_open() grabs
an extra reference on success, so those fput() on other failure exits
just balance that.

The calling conventions are not "transfer the reference you held into
struct file, caller must drop on failure"; it's "clone the reference
into struct file; caller's reference remains in all cases".

IOW, you are looking for path_put() in error handling in callers, when
in fact it's on common paths (and quite often in callers of callers of
callers).  Makes life simpler, actually.  Try to convert it to your
variant of calling conventions and you'll see that callers become more
complex and brittle.  As it is, this patch is simply broken - you'll get
double path_put() out of it, not to mention the different treatment of
refcounts depending on the kind of failure exit that had been taken.

NAK.

Re: [PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

[Eric W. Biederman]

Al Viro <viro@ZenIV.linux.org.uk> writes:

> On Thu, Jan 16, 2014 at 03:45:38PM -0800, Eric W. Biederman wrote:
>> 
>> Normally in dentry_open the passed in path is placed on the new filp
>> removing the caller from needing to worry about it.  In the rare case
>> that we can not allocate a filp the path is not consumed.  None of the
>> callers of dentry_open call path_put in their error handling when
>> dentry_open fails so call path_put for them on error and keep everyone's
>> error handling simple.
>
> You are misreading that code.  _No_ path in dentry_open() drops that
> sucker, no matter whether we succeed or fail.  do_dentry_open() grabs
> an extra reference on success, so those fput() on other failure exits
> just balance that.

Yep you are right.  My mistake.  The weird code flow tricked me.

Eric