Re: [PATCH] vfs: Don't leak a path when get_empty_filp in dentry_open

From: Al Viro
Date: Thu Jan 16 2014 - 18:59:37 EST

On Thu, Jan 16, 2014 at 03:45:38PM -0800, Eric W. Biederman wrote:
> Normally in dentry_open the passed in path is placed on the new filp
> removing the caller from needing to worry about it. In the rare case
> that we can not allocate a filp the path is not consumed. None of the
> callers of dentry_open call path_put in their error handling when
> dentry_open fails so call path_put for them on error and keep everyone's
> error handling simple.

You are misreading that code. _No_ path in dentry_open() drops that
sucker, no matter whether we succeed or fail. do_dentry_open() grabs
an extra reference on success, so those fput() on other failure exits
just balance that.

The calling conventions are not "transfer the reference you held into
struct file, caller must drop on failure"; it's "clone the reference
into struct file; caller's reference remains in all cases".

IOW, you are looking for path_put() in error handling in callers, when
in fact it's on common paths (and quite often in callers of callers of
callers). Makes life simpler, actually. Try to convert it to your
variant of calling conventions and you'll see that callers become more
complex and brittle. As it is, this patch is simply broken - you'll get
double path_put() out of it, not to mention the different treatment of
refcounts depending on the kind of failure exit that had been taken.

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at
Please read the FAQ at