From 578c26f31c0c90c9e6b2f7125a8539c307a51dff Mon Sep 17 00:00:00 2001
From: Konstantin Belousov
Date: Mon, 19 Apr 2021 16:35:25 +0300
Subject: [PATCH] linkat(2): check NIRES_EMPTYPATH on the first fd arg

Reported by: arichardson
Reviewed by: markj
MFC after: 1 week
Differential revision: https://reviews.freebsd.org/D29834
---
 sys/kern/vfs_syscalls.c | 24 +++++++-----------------
 1 file changed, 7 insertions(+), 17 deletions(-)

diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c
index 43104a472b5b..26a8d31e4456 100644
--- a/sys/kern/vfs_syscalls.c
+++ b/sys/kern/vfs_syscalls.c
@@ -1575,6 +1575,13 @@ kern_linkat(struct thread *td, int fd1, int fd2, const char *path1,
 if ((error = namei(&nd)) != 0)
 return (error);
 NDFREE(&nd, NDF_ONLY_PNBUF);
+ if ((nd.ni_resflags & NIRES_EMPTYPATH) != 0) {
+ error = priv_check(td, PRIV_VFS_FHOPEN);
+ if (error != 0) {
+ vrele(nd.ni_vp);
+ return (error);
+ }
+ }
 error = kern_linkat_vp(td, nd.ni_vp, fd2, path2, segflag);
 } while (error == EAGAIN || error == ERELOOKUP);
 return (error);
@@ -1596,23 +1603,6 @@ kern_linkat_vp(struct thread *td, struct vnode *vp, int fd, const char *path,
 LOCKPARENT | SAVENAME | AUDITVNODE2 | NOCACHE, segflag, path, fd,
 &cap_linkat_target_rights, td);
 if ((error = namei(&nd)) == 0) {
- if ((nd.ni_resflags & NIRES_EMPTYPATH) != 0) {
- error = priv_check(td, PRIV_VFS_FHOPEN);
- if (error != 0) {
- NDFREE(&nd, NDF_ONLY_PNBUF);
- if (nd.ni_vp != NULL) {
- if (nd.ni_dvp == nd.ni_vp)
- vrele(nd.ni_dvp);
- else
- vput(nd.ni_dvp);
- vrele(nd.ni_vp);
- } else {
- vput(nd.ni_dvp);
- }
- vrele(vp);
- return (error);
- }
- }
 if (nd.ni_vp != NULL) {
 NDFREE(&nd, NDF_ONLY_PNBUF);
 if (nd.ni_dvp == nd.ni_vp)
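Review bot: The new `NIRES_EMPTYPATH` branch in `kern_linkat` has no comment saying why an empty-path source requires `PRIV_VFS_FHOPEN`, and the check is easy to misplace again, as this commit itself shows by moving it from the target lookup to the source lookup. Presumably the intent is that linking by descriptor alone gives a new name to a file the caller may hold only as an fd and cannot reach by path, so it is gated like handle-based open. I would add above the `if`: `/* Empty path1 links the file behind fd1 itself; require PRIV_VFS_FHOPEN, as naming a file held only by descriptor bypasses path permission checks. */`. The error path's single `vrele(nd.ni_vp)` is correct only if the lookup returns the vnode referenced and unlocked; the `NDINIT` flags sit outside the hunk (the function body starts before it), so confirm that no `LOCKLEAF` is set there.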