fix breakage in do_rmdir()

Al Viro · torvalds · commit 24fb33d40d60 · 2020-08-12T10:22:39.000-07:00
syzbot reported and bisected a use-after-free due to the recent init cleanups. The putname() should happen only after we'd *not* branched to retry, same as it's done in do_unlinkat(). Reported-by: syzbot+bbeb1c88016c7db4aa24@syzkaller.appspotmail.com Fixes: e24ab0e "fs: push the getname from do_rmdir into the callers" Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
diff --git a/fs/namei.c b/fs/namei.c
@@ -3770,11 +3770,11 @@ long do_rmdir(int dfd, struct filename *name)
 	mnt_drop_write(path.mnt);
 exit1:
 	path_put(&path);
-	putname(name);
 	if (retry_estale(error, lookup_flags)) {
 		lookup_flags |= LOOKUP_REVAL;
 		goto retry;
 	}
+	putname(name);
 	return error;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -3770,11 +3770,11 @@ long do_rmdir(int dfd, struct filename *name)`
`3770`	`3770`	`mnt_drop_write(path.mnt);`
`3771`	`3771`	`exit1:`
`3772`	`3772`	`path_put(&path);`
`3773`		`- putname(name);`
`3774`	`3773`	`if (retry_estale(error, lookup_flags)) {`
`3775`	`3774`	`lookup_flags \|= LOOKUP_REVAL;`
`3776`	`3775`	`goto retry;`
`3777`	`3776`	`}`
	`3777`	`+ putname(name);`
`3778`	`3778`	`return error;`
`3779`	`3779`	`}`
`3780`	`3780`