let path_init() failures treated the same way as subsequent link_path_walk()
authorAl Viro <viro@zeniv.linux.org.uk>
Sun, 12 Oct 2014 03:05:52 +0000 (23:05 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Sun, 12 Oct 2014 21:09:04 +0000 (17:09 -0400)
As it is, path_lookupat() and path_mounpoint() might end up leaking struct file
reference in some cases.

Spotted-by: Eric Biggers <ebiggers3@gmail.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c

index d20d579a022e45e3e9c23fc2356bf37ec204a445..0f64aa4126179b8fc3ac3733232501a97b527a3a 100644 (file)
@@ -1950,7 +1950,7 @@ static int path_lookupat(int dfd, const char *name,
        err = path_init(dfd, name, flags | LOOKUP_PARENT, nd, &base);
 
        if (unlikely(err))
-               return err;
+               goto out;
 
        current->total_link_count = 0;
        err = link_path_walk(name, nd);
@@ -1982,6 +1982,7 @@ static int path_lookupat(int dfd, const char *name,
                }
        }
 
+out:
        if (base)
                fput(base);
 
@@ -2301,7 +2302,7 @@ path_mountpoint(int dfd, const char *name, struct path *path, unsigned int flags
 
        err = path_init(dfd, name, flags | LOOKUP_PARENT, &nd, &base);
        if (unlikely(err))
-               return err;
+               goto out;
 
        current->total_link_count = 0;
        err = link_path_walk(name, &nd);