Commit 3abb17e8 authored by Linus Torvalds

vfs: fix BUG_ON() in fs/namei.c:1461

When Al moved the nameidata_dentry_drop_rcu_maybe() call into the
do_follow_link function in commit 844a3917 ("nothing in
do_follow_link() is going to see RCU"), he mistakenly left the

	BUG_ON(inode != path->dentry->d_inode);

behind.  Which would otherwise be ok, but that BUG_ON() really needs to
be _after_ dropping RCU, since the dentry isn't necessarily stable
otherwise.

So complete the code movement in that commit, and move the BUG_ON() into
do_follow_link() too.  This means that we need to pass in 'inode' as an
argument (just for this one use), but that's a small thing.  And
eventually we may be confident enough in our path lookup that we can
just remove the BUG_ON() and the unnecessary inode argument.
Reported-and-tested-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
parent 85e2efbb
...@@ -795,7 +795,7 @@ __do_follow_link(const struct path *link, struct nameidata *nd, void **p) ...@@ -795,7 +795,7 @@ __do_follow_link(const struct path *link, struct nameidata *nd, void **p)
* Without that kind of total limit, nasty chains of consecutive * Without that kind of total limit, nasty chains of consecutive
* symlinks can cause almost arbitrarily long lookups. * symlinks can cause almost arbitrarily long lookups.
*/ */
static inline int do_follow_link(struct path *path, struct nameidata *nd) static inline int do_follow_link(struct inode *inode, struct path *path, struct nameidata *nd)
{ {
void *cookie; void *cookie;
int err = -ELOOP; int err = -ELOOP;
...@@ -803,6 +803,7 @@ static inline int do_follow_link(struct path *path, struct nameidata *nd) ...@@ -803,6 +803,7 @@ static inline int do_follow_link(struct path *path, struct nameidata *nd)
/* We drop rcu-walk here */ /* We drop rcu-walk here */
if (nameidata_dentry_drop_rcu_maybe(nd, path->dentry)) if (nameidata_dentry_drop_rcu_maybe(nd, path->dentry))
return -ECHILD; return -ECHILD;
BUG_ON(inode != path->dentry->d_inode);
if (current->link_count >= MAX_NESTED_LINKS) if (current->link_count >= MAX_NESTED_LINKS)
goto loop; goto loop;
...@@ -1413,8 +1414,7 @@ static int link_path_walk(const char *name, struct nameidata *nd) ...@@ -1413,8 +1414,7 @@ static int link_path_walk(const char *name, struct nameidata *nd)
goto out_dput; goto out_dput;
if (inode->i_op->follow_link) { if (inode->i_op->follow_link) {
BUG_ON(inode != next.dentry->d_inode); err = do_follow_link(inode, &next, nd);
err = do_follow_link(&next, nd);
if (err) if (err)
goto return_err; goto return_err;
nd->inode = nd->path.dentry->d_inode; nd->inode = nd->path.dentry->d_inode;
...@@ -1458,8 +1458,7 @@ static int link_path_walk(const char *name, struct nameidata *nd) ...@@ -1458,8 +1458,7 @@ static int link_path_walk(const char *name, struct nameidata *nd)
break; break;
if (inode && unlikely(inode->i_op->follow_link) && if (inode && unlikely(inode->i_op->follow_link) &&
(lookup_flags & LOOKUP_FOLLOW)) { (lookup_flags & LOOKUP_FOLLOW)) {
BUG_ON(inode != next.dentry->d_inode); err = do_follow_link(inode, &next, nd);
err = do_follow_link(&next, nd);
if (err) if (err)
goto return_err; goto return_err;
nd->inode = nd->path.dentry->d_inode; nd->inode = nd->path.dentry->d_inode;
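Review bot: The relocated `BUG_ON(inode != path->dentry->d_inode)` in do_follow_link(), right after the rcu-walk drop, still turns a broken lookup invariant into a kernel panic on a path that ordinary path-walk callers reach, so any remaining race between the caller sampling `inode` and the drop becomes a machine-wide outage rather than a failed lookup. Whether nameidata_dentry_drop_rcu_maybe() revalidates the dentry against the sequence count under which `inode` was read is not visible here; if it does not, a concurrent unlink or rename could presumably trip the check legitimately. Consider `WARN_ON_ONCE(inode != path->dentry->d_inode)` combined with an error return through the function's existing cleanup path; the body continues outside the hunk, so the right label and the references to drop have to be confirmed there. The block comment above do_follow_link() should also document the new parameter, for example `@inode: the caller's snapshot of the link inode, used only for the sanity check after leaving rcu-walk`.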