• Linus Torvalds's avatar
    Fix possible filp_cachep memory corruption · 2dab5974
    Linus Torvalds authored
    In commit 31e6b01f ("fs: rcu-walk for path lookup") we started doing
    path lookup using RCU, which then falls back to a careful non-RCU lookup
    in case of problems (LOOKUP_REVAL).  So do_filp_open() has this "re-do
    the lookup carefully" looping case.
    
    However, that means that we must not release the open-intent file data
    if we are going to loop around and use it once more!
    
    Fix this by moving the release of the open-intent data to the function
    that allocates it (do_filp_open() itself) rather than the helper
    functions that can get called multiple times (finish_open() and
    do_last()).  This makes the logic for the lifetime of that field much
    more obvious, and avoids the possible double free.
    Reported-by: default avatarJ. R. Okajima <hooanon05@yahoo.co.jp>
    Acked-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    Cc: Nick Piggin <npiggin@kernel.dk>
    Cc: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
    2dab5974
namei.c 88.2 KB