Skip to content

Commit 766c4cb

Browse files
author
Al Viro
committed
namei: d_is_negative() should be checked before ->d_seq validation
Fetching ->d_inode, verifying ->d_seq and finding d_is_negative() to be true does *not* mean that inode we'd fetched had been NULL - that holds only while ->d_seq is still unchanged. Shift d_is_negative() checks into lookup_fast() prior to ->d_seq verification. Reported-by: Steven Rostedt <rostedt@goodmis.org> Tested-by: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1 parent 5ebe6af commit 766c4cb

File tree

1 file changed

+13
-6
lines changed

1 file changed

+13
-6
lines changed

fs/namei.c

Lines changed: 13 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1415,6 +1415,7 @@ static int lookup_fast(struct nameidata *nd,
14151415
*/
14161416
if (nd->flags & LOOKUP_RCU) {
14171417
unsigned seq;
1418+
bool negative;
14181419
dentry = __d_lookup_rcu(parent, &nd->last, &seq);
14191420
if (!dentry)
14201421
goto unlazy;
@@ -1424,8 +1425,11 @@ static int lookup_fast(struct nameidata *nd,
14241425
* the dentry name information from lookup.
14251426
*/
14261427
*inode = dentry->d_inode;
1428+
negative = d_is_negative(dentry);
14271429
if (read_seqcount_retry(&dentry->d_seq, seq))
14281430
return -ECHILD;
1431+
if (negative)
1432+
return -ENOENT;
14291433

14301434
/*
14311435
* This sequence count validates that the parent had no
@@ -1472,6 +1476,10 @@ static int lookup_fast(struct nameidata *nd,
14721476
goto need_lookup;
14731477
}
14741478

1479+
if (unlikely(d_is_negative(dentry))) {
1480+
dput(dentry);
1481+
return -ENOENT;
1482+
}
14751483
path->mnt = mnt;
14761484
path->dentry = dentry;
14771485
err = follow_managed(path, nd->flags);
@@ -1583,10 +1591,10 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
15831591
goto out_err;
15841592

15851593
inode = path->dentry->d_inode;
1594+
err = -ENOENT;
1595+
if (d_is_negative(path->dentry))
1596+
goto out_path_put;
15861597
}
1587-
err = -ENOENT;
1588-
if (d_is_negative(path->dentry))
1589-
goto out_path_put;
15901598

15911599
if (should_follow_link(path->dentry, follow)) {
15921600
if (nd->flags & LOOKUP_RCU) {
@@ -3036,14 +3044,13 @@ static int do_last(struct nameidata *nd, struct path *path,
30363044

30373045
BUG_ON(nd->flags & LOOKUP_RCU);
30383046
inode = path->dentry->d_inode;
3039-
finish_lookup:
3040-
/* we _can_ be in RCU mode here */
30413047
error = -ENOENT;
30423048
if (d_is_negative(path->dentry)) {
30433049
path_to_nameidata(path, nd);
30443050
goto out;
30453051
}
3046-
3052+
finish_lookup:
3053+
/* we _can_ be in RCU mode here */
30473054
if (should_follow_link(path->dentry, !symlink_ok)) {
30483055
if (nd->flags & LOOKUP_RCU) {
30493056
if (unlikely(nd->path.mnt != path->mnt ||

0 commit comments

Comments
 (0)