namei: only return -ECHILD from follow_dotdot_rcu()

It's over-zealous to return hard errors under RCU-walk here, given that
a REF-walk will be triggered for all other cases handling ".." under
RCU.

The original purpose of this check was to ensure that if a rename occurs
such that a directory is moved outside of the bind-mount which the
resolution started in, it would be detected and blocked to avoid being
able to mess with paths outside of the bind-mount. However, triggering a
new REF-walk is just as effective a solution.

Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Fixes: 397d425dc26d ("vfs: Test for and handle paths that are unreachable from their mnt_root")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Aleksa Sarai <cyphar@cyphar.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

diff --git a/fs/namei.c b/fs/namei.c
index d6c91d1e88cb361f751f825bf84ace990629223b..17ebaac2da494b6c1d4adb668c702581da214aae 100644 (file)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -1365,7 +1365,7 @@ static int follow_dotdot_rcu(struct nameidata *nd)
                        nd->path.dentry = parent;
                        nd->seq = seq;
                        if (unlikely(!path_connected(&nd->path)))
-                               return -ENOENT;
+                               return -ECHILD;
                        break;
                } else {
                        struct mount *mnt = real_mount(nd->path.mnt);