namei: d_is_negative() should be checked before ->d_seq validation
authorAl Viro <viro@zeniv.linux.org.uk>
Thu, 7 May 2015 23:24:57 +0000 (19:24 -0400)
committerAl Viro <viro@zeniv.linux.org.uk>
Sat, 9 May 2015 04:12:35 +0000 (00:12 -0400)
Fetching ->d_inode, verifying ->d_seq and finding d_is_negative() to
be true does *not* mean that inode we'd fetched had been NULL - that
holds only while ->d_seq is still unchanged.

Shift d_is_negative() checks into lookup_fast() prior to ->d_seq
verification.

Reported-by: Steven Rostedt <rostedt@goodmis.org>
Tested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
fs/namei.c

index 4a8d998..f67cf6c 100644 (file)
@@ -1415,6 +1415,7 @@ static int lookup_fast(struct nameidata *nd,
         */
        if (nd->flags & LOOKUP_RCU) {
                unsigned seq;
+               bool negative;
                dentry = __d_lookup_rcu(parent, &nd->last, &seq);
                if (!dentry)
                        goto unlazy;
@@ -1424,8 +1425,11 @@ static int lookup_fast(struct nameidata *nd,
                 * the dentry name information from lookup.
                 */
                *inode = dentry->d_inode;
+               negative = d_is_negative(dentry);
                if (read_seqcount_retry(&dentry->d_seq, seq))
                        return -ECHILD;
+               if (negative)
+                       return -ENOENT;
 
                /*
                 * This sequence count validates that the parent had no
@@ -1472,6 +1476,10 @@ unlazy:
                goto need_lookup;
        }
 
+       if (unlikely(d_is_negative(dentry))) {
+               dput(dentry);
+               return -ENOENT;
+       }
        path->mnt = mnt;
        path->dentry = dentry;
        err = follow_managed(path, nd->flags);
@@ -1583,10 +1591,10 @@ static inline int walk_component(struct nameidata *nd, struct path *path,
                        goto out_err;
 
                inode = path->dentry->d_inode;
+               err = -ENOENT;
+               if (d_is_negative(path->dentry))
+                       goto out_path_put;
        }
-       err = -ENOENT;
-       if (d_is_negative(path->dentry))
-               goto out_path_put;
 
        if (should_follow_link(path->dentry, follow)) {
                if (nd->flags & LOOKUP_RCU) {
@@ -3036,14 +3044,13 @@ retry_lookup:
 
        BUG_ON(nd->flags & LOOKUP_RCU);
        inode = path->dentry->d_inode;
-finish_lookup:
-       /* we _can_ be in RCU mode here */
        error = -ENOENT;
        if (d_is_negative(path->dentry)) {
                path_to_nameidata(path, nd);
                goto out;
        }
-
+finish_lookup:
+       /* we _can_ be in RCU mode here */
        if (should_follow_link(path->dentry, !symlink_ok)) {
                if (nd->flags & LOOKUP_RCU) {
                        if (unlikely(nd->path.mnt != path->mnt ||