[PATCH v2 1/3] fs: get mnt_writers count for an open backing file's real path

Al Viro viro at zeniv.linux.org.uk
Mon Oct 9 06:43:30 UTC 2023


On Sat, Oct 07, 2023 at 11:44:31AM +0300, Amir Goldstein wrote:
> +static inline void file_put_write_access(struct file *file)
> +{
> +	put_write_access(file->f_inode);
> +	mnt_put_write_access(file->f_path.mnt);
> +	if (unlikely(file->f_mode & FMODE_BACKING)) {
> +		struct path *real_path = backing_file_real_path(file);
> +
> +		if (real_path->mnt)
> +			mnt_put_write_access(real_path->mnt);
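
Review bot: the `if (real_path->mnt)` test in the FMODE_BACKING branch is undocumented, and nothing in this hunk shows when a backing file could reach file_put_write_access() with an unset real path mount. If that state is never reachable here, drop the test or turn it into a WARN_ON_ONCE() so that a skipped mnt_put_write_access() is not silent. If it is reachable, add a comment naming the window. A kerneldoc comment on the helper stating that it releases the inode write access, the f_path.mnt writer count and the real path's writer count, and that it must pair with the matching get helper, would also help.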

IDGI.  Where do we get FMODE_BACKING combined with NULL real_path.mnt *AND*
put_file_access() possibly called?  Or file_get_write_access(), for
that matter...

FMODE_BACKING is set only in alloc_empty_backing_file().  The only caller
is backing_file_open(), which immediately sets real_path to its third
argument.  That could only come from ovl_open_realfile().  And if that
had been called with buggered struct path, it would have already blown
up on mnt_idmap(realpath->mnt).

The only interval where such beasts exist is from
	ff->file.f_mode |= FMODE_BACKING | FMODE_NOACCOUNT;
	return &ff->file;
in alloc_empty_backing_file() through

	f->f_path = *path;
	path_get(real_path);
	*backing_file_real_path(f) = *real_path;

in backing_file_open().  Where would that struct file (just allocated,
never seen outside of local variables in those two scopes) be passed
to get_file_write_access() or put_file_access()?

Or am I misreading something?


