vfs: fix BUG_ON() in fs/namei.c:1461

When Al moved the nameidata_dentry_drop_rcu_maybe() call into the
do_follow_link function in commit 844a391799c2 ("nothing in
do_follow_link() is going to see RCU"), he mistakenly left the

BUG_ON(inode != path->dentry->d_inode);

behind. Which would otherwise be ok, but that BUG_ON() really needs to
be _after_ dropping RCU, since the dentry isn't necessarily stable
otherwise.

So complete the code movement in that commit, and move the BUG_ON() into
do_follow_link() too. This means that we need to pass in 'inode' as an
argument (just for this one use), but that's a small thing. And
eventually we may be confident enough in our path lookup that we can
just remove the BUG_ON() and the unnecessary inode argument.

Reported-and-tested-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+4 -5
+4 -5
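--- a/fs/namei.c
+++ b/fs/namei.c
@@ -795,7 +795,7 @@
  * Without that kind of total limit, nasty chains of consecutive
  * symlinks can cause almost arbitrarily long lookups.
  */
-static inline int do_follow_link(struct path *path, struct nameidata *nd)
+static inline int do_follow_link(struct inode *inode, struct path *path, struct nameidata *nd)
 {
 void *cookie;
 int err = -ELOOP;
@@ -803,6 +803,7 @@
 /* We drop rcu-walk here */
 if (nameidata_dentry_drop_rcu_maybe(nd, path->dentry))
 return -ECHILD;
+BUG_ON(inode != path->dentry->d_inode);
 
 if (current->link_count >= MAX_NESTED_LINKS)
 goto loop;
@@ -1414,8 +1413,7 @@
 goto out_dput;
 
 if (inode->i_op->follow_link) {
-BUG_ON(inode != next.dentry->d_inode);
-err = do_follow_link(&next, nd);
+err = do_follow_link(inode, &next, nd);
 if (err)
 goto return_err;
 nd->inode = nd->path.dentry->d_inode;
@@ -1458,8 +1458,7 @@
 break;
 if (inode && unlikely(inode->i_op->follow_link) &&
 (lookup_flags & LOOKUP_FOLLOW)) {
-BUG_ON(inode != next.dentry->d_inode);
-err = do_follow_link(&next, nd);
+err = do_follow_link(inode, &next, nd);
 if (err)
 goto return_err;
 nd->inode = nd->path.dentry->d_inode;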
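Review bot: The `BUG_ON(inode != path->dentry->d_inode);` now placed after `nameidata_dentry_drop_rcu_maybe()` in do_follow_link() has no comment saying that its position matters, and the new `inode` parameter is undocumented even though the assertion is its only use in the lines shown. I would add `/* Must stay after the rcu-walk drop: path->dentry is not stable before it. */` above the check, plus a line in the function comment noting that `inode` is the caller's sampled inode, passed in only for this sanity check. Separately, both call sites sit on the ordinary path-lookup path, so a mismatch here halts the machine rather than failing the one lookup. Whether a `WARN_ON_ONCE()` with an error return would be an acceptable downgrade depends on code outside this section. The body of do_follow_link() continues past the lines shown.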