minimal fix for do_filp_open() race
failure exits on the no-O_CREAT side of do_filp_open() merge with those of O_CREAT one; unfortunately, if do_path_lookup() returns -ESTALE, we'll get out_filp:, notice that we are about to return -ESTALE without having trying to create the sucker with LOOKUP_REVAL and jump right into the O_CREAT side of code. And proceed to try and create a file. Usually that'll fail with -ESTALE again, but we can race and get that attempt of pathname resolution to succeed. open() without O_CREAT really shouldn't end up creating files, races or not. The real fix is to rearchitect the whole do_filp_open(), but for now splitting the failure exits will do. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
b65a0e0c84
commit
1858efd471
1 changed files with 10 additions and 3 deletions
13
fs/namei.c
13
fs/namei.c
|
@ -2455,22 +2455,29 @@ struct file *do_filp_open(int dfd, const char *pathname,
|
||||||
/* !O_CREAT, simple open */
|
/* !O_CREAT, simple open */
|
||||||
error = do_path_lookup(dfd, pathname, flags, &nd);
|
error = do_path_lookup(dfd, pathname, flags, &nd);
|
||||||
if (unlikely(error))
|
if (unlikely(error))
|
||||||
goto out_filp;
|
goto out_filp2;
|
||||||
error = -ELOOP;
|
error = -ELOOP;
|
||||||
if (!(nd.flags & LOOKUP_FOLLOW)) {
|
if (!(nd.flags & LOOKUP_FOLLOW)) {
|
||||||
if (nd.inode->i_op->follow_link)
|
if (nd.inode->i_op->follow_link)
|
||||||
goto out_path;
|
goto out_path2;
|
||||||
}
|
}
|
||||||
error = -ENOTDIR;
|
error = -ENOTDIR;
|
||||||
if (nd.flags & LOOKUP_DIRECTORY) {
|
if (nd.flags & LOOKUP_DIRECTORY) {
|
||||||
if (!nd.inode->i_op->lookup)
|
if (!nd.inode->i_op->lookup)
|
||||||
goto out_path;
|
goto out_path2;
|
||||||
}
|
}
|
||||||
audit_inode(pathname, nd.path.dentry);
|
audit_inode(pathname, nd.path.dentry);
|
||||||
filp = finish_open(&nd, open_flag, acc_mode);
|
filp = finish_open(&nd, open_flag, acc_mode);
|
||||||
|
out2:
|
||||||
release_open_intent(&nd);
|
release_open_intent(&nd);
|
||||||
return filp;
|
return filp;
|
||||||
|
|
||||||
|
out_path2:
|
||||||
|
path_put(&nd.path);
|
||||||
|
out_filp2:
|
||||||
|
filp = ERR_PTR(error);
|
||||||
|
goto out2;
|
||||||
|
|
||||||
creat:
|
creat:
|
||||||
/* OK, have to create the file. Find the parent. */
|
/* OK, have to create the file. Find the parent. */
|
||||||
error = path_init_rcu(dfd, pathname,
|
error = path_init_rcu(dfd, pathname,
|
||||||
|
|
Loading…
Reference in a new issue