vfs: Fix refcounting of filenames in fs_parser

commit 7cdfa44227b0d8842d46a775cebe4311150cb8f2 upstream.

Fix an overput in which filename_lookup() unconditionally drops a ref to
the filename it was given, but this isn't taken account of in the caller,
fs_lookup_param().

Addresses-Coverity-ID: 1443811 ("Use after free")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/fs_parser.c b/fs/fs_parser.c
index 0d388faa25d16aa8768f655611b0ece06b1707d3..460ea4206fa25cd8121271cd83407ab0074e7aac 100644 (file)
--- a/fs/fs_parser.c
+++ b/fs/fs_parser.c
@@ -264,6 +264,7 @@ int fs_lookup_param(struct fs_context *fc,
                return invalf(fc, "%s: not usable as path", param->key);
        }
 
+       f->refcnt++; /* filename_lookup() drops our ref. */
        ret = filename_lookup(param->dirfd, f, flags, _path, NULL);
        if (ret < 0) {
                errorf(fc, "%s: Lookup failure for '%s'", param->key, f->name);