On assignment of a negative dentry, do_filp_open will crash with an oops
in do_sys_open because do_filp_open returns "1" from revalidate rather
than properly detect a negative dentry which has a dentry revalidate
function before the file actually exists.
Easy to reproduce. Create negative dentry and attach a revalidate
function which returns 1 instead of 0 on non-existent file entry. The
convoluted code in do_filp_open does not detect dentry errors in all cases
properly.
Jeff
>
> On assignment of a negative dentry, do_filp_open will crash with an oops
> in do_sys_open because do_filp_open returns "1" from revalidate rather
> than properly detect a negative dentry which has a dentry revalidate
> function before the file actually exists.
>
>
> Easy to reproduce. Create negative dentry and attach a revalidate
> function which returns 1 instead of 0 on non-existent file entry. The
> convoluted code in do_filp_open does not detect dentry errors in all cases
> properly.
>
> Jeff
>
Correction:
It's vfs_create that fails to check return codes properly.
/*
* Create - we need to know the parent.
*/
error = path_lookup_create(dfd, pathname, LOOKUP_PARENT,
&nd, flag, mode);
////
If ERROR is a positive value, ERR_PTR fails to convert it to a negative
value. This causes the EDI register to get set to "1" after do_filp_open
returns.
////
if (error)
return ERR_PTR(error);
/*
* We have the parent and last component. First of all, check
* that we are not asked to creat(2) an obvious directory - that
* will not do.
*/
error = -EISDIR;
if (nd.last_type != LAST_NORM || nd.last.name[nd.last.len])
goto exit;