[Devel] [PATCH RHEL7 COMMIT] fs/namei.c: return error if nd->inode check is empty in handle_dotdot_rcu()

Vasily Averin vvs at virtuozzo.com
Mon Nov 29 08:56:16 MSK 2021


The commit is pushed to "branch-rh7-3.10.0-1160.42.2.vz7.184.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1160.42.2.vz7.184.6
------>
commit a15b7cc1a79a4d425cea7deafbfb7c4eb3e41187
Author: Vasily Averin <vvs at virtuozzo.com>
Date:   Mon Nov 29 08:56:12 2021 +0300

    fs/namei.c: return error if nd->inode check is empty in handle_dotdot_rcu()
    
    LOOKUP_RCU does not use dget/dput and has no protection against
    concurrent rmdir. On the other hand may_lookup() expects that nd->inode
    is not empty. Direct lookup guarantees this, non-RCU dotdot lookup
    is not affected too because it uses dget. However follow_dotdot_rcu()
    does not have a similar check.
    
    This patch should prevent oops in may_lookup() in described scenario.
    
    The problem was fixed in upstream long time ago, however it's too hard
    to backport all f according patches correctly. So let's use minimally
    required change to protect vz7 kernels.
    
    https://jira.sw.ru/browse/PSBM-92308
    https://jira.sw.ru/browse/PSBM-128194
    https://jira.sw.ru/browse/PSBM-136369
    Signed-off-by: Vasily Averin <vvs at virtuozzo.com>
---
 fs/namei.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/namei.c b/fs/namei.c
index 85c0ffa..869839e 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1223,7 +1223,8 @@ static int follow_dotdot_rcu(struct nameidata *nd)
 			goto failed;
 	}
 	nd->inode = nd->path.dentry->d_inode;
-	return 0;
+	if (nd->inode)
+		return 0;
 
 failed:
 	nd->flags &= ~LOOKUP_RCU;
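
Review bot: In follow_dotdot_rcu(), the empty nd->inode case reaches the error path only by falling through past `if (nd->inode) return 0;` into the `failed:` label, which is easy to break if a statement is later added between the two. Writing it as `if (unlikely(!nd->inode)) goto failed;` followed by the original `return 0;` would match the `goto failed;` already used just above and make the error exit explicit. A one-line comment noting that nd->inode can be empty here after a concurrent rmdir in LOOKUP_RCU mode would also help, since that reasoning currently lives only in the commit message. Separately, the subject line names handle_dotdot_rcu() while the hunk header and the message body refer to follow_dotdot_rcu(); the subject should use the same name.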

