From ffd8d101a3a7d3f2e79deee1e342801703b6dc70 Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 4 Oct 2012 19:56:40 -0400 Subject: fs: prevent use after free in auditing when symlink following was denied Commit "fs: add link restriction audit reporting" has added auditing of failed attempts to follow symlinks. Unfortunately, the auditing was being done after the struct path structure was released earlier. Signed-off-by: Sasha Levin Signed-off-by: Al Viro --- fs/namei.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/namei.c b/fs/namei.c index aa30d19e9edd..6d47fac64292 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -692,9 +692,9 @@ static inline int may_follow_link(struct path *link, struct nameidata *nd) if (uid_eq(parent->i_uid, inode->i_uid)) return 0; + audit_log_link_denied("follow_link", link); path_put_conditional(link, nd); path_put(&nd->path); - audit_log_link_denied("follow_link", link); return -EACCES; } -- cgit v1.2.3-70-g09d2 From d1c7d97ad58836affde6e39980b96527510b572e Mon Sep 17 00:00:00 2001 From: Sasha Levin Date: Thu, 4 Oct 2012 19:57:31 -0400 Subject: fs: handle failed audit_log_start properly audit_log_start() may return NULL, this is unchecked by the caller in audit_log_link_denied() and could cause a NULL ptr deref. Introduced by commit a51d9eaa ("fs: add link restriction audit reporting"). Signed-off-by: Sasha Levin Signed-off-by: Al Viro --- kernel/audit.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/audit.c b/kernel/audit.c index 4d0ceede3319..40414e9143db 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1440,6 +1440,8 @@ void audit_log_link_denied(const char *operation, struct path *link) ab = audit_log_start(current->audit_context, GFP_KERNEL, AUDIT_ANOM_LINK); + if (!ab) + return; audit_log_format(ab, "op=%s action=denied", operation); audit_log_format(ab, " pid=%d comm=", current->pid); audit_log_untrustedstring(ab, current->comm); -- cgit v1.2.3-70-g09d2 From aed976475bff939672b0e21595839c445dcec0fa Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 9 Oct 2012 15:27:43 +0100 Subject: dup3: Return an error when oldfd == newfd. I have tested the attached patch to fix the dup3 regression. Rich. From 0944e30e12dec6544b3602626b60ff412375c78f Mon Sep 17 00:00:00 2001 From: "Richard W.M. Jones" Date: Tue, 9 Oct 2012 14:42:45 +0100 Subject: [PATCH] dup3: Return an error when oldfd == newfd. The following commit: commit fe17f22d7fd0e344ef6447238f799bb49f670c6f Author: Al Viro Date: Tue Aug 21 11:48:11 2012 -0400 take purely descriptor-related stuff from fcntl.c to file.c was supposed to be just code motion, but it dropped the following two lines: if (unlikely(oldfd == newfd)) return -EINVAL; from the dup3 system call. dup3 is not specified by POSIX, so Linux can do what it likes. However the POSIX proposal for dup3 [1] states that it should return an error if oldfd == newfd. [1] http://austingroupbugs.net/view.php?id=411 Signed-off-by: Richard W.M. Jones Tested-by: Richard W.M. Jones Signed-off-by: Al Viro --- fs/file.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/file.c b/fs/file.c index 0f1bda4bebfa..d3b5fa80b71b 100644 --- a/fs/file.c +++ b/fs/file.c @@ -922,6 +922,9 @@ SYSCALL_DEFINE3(dup3, unsigned int, oldfd, unsigned int, newfd, int, flags) if ((flags & ~O_CLOEXEC) != 0) return -EINVAL; + if (unlikely(oldfd == newfd)) + return -EINVAL; + if (newfd >= rlimit(RLIMIT_NOFILE)) return -EMFILE; -- cgit v1.2.3-70-g09d2 From 4f7754c8891af65124dce63adb59a33198f0bf35 Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:38:18 +0200 Subject: exofs: drop lock/unlock super Removed lock/unlock super. Acked-by: Artem Bityutskiy Acked-by: Boaz Harrosh Signed-off-by: Marco Stornelli Signed-off-by: Al Viro --- fs/exofs/super.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/fs/exofs/super.c b/fs/exofs/super.c index 59e3bbfac0b1..5e59280d42d7 100644 --- a/fs/exofs/super.c +++ b/fs/exofs/super.c @@ -389,8 +389,6 @@ static int exofs_sync_fs(struct super_block *sb, int wait) if (unlikely(ret)) goto out; - lock_super(sb); - ios->length = offsetof(struct exofs_fscb, s_dev_table_oid); memset(fscb, 0, ios->length); fscb->s_nextid = cpu_to_le64(sbi->s_nextid); @@ -406,8 +404,6 @@ static int exofs_sync_fs(struct super_block *sb, int wait) if (unlikely(ret)) EXOFS_ERR("%s: ore_write failed.\n", __func__); - - unlock_super(sb); out: EXOFS_DBGMSG("s_nextid=0x%llx ret=%d\n", _LLU(sbi->s_nextid), ret); ore_put_io_state(ios); -- cgit v1.2.3-70-g09d2 From 67e2c19a3bcd32172c1d67294a1d6bb4bc60ca77 Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:39:20 +0200 Subject: ext3: drop lock/unlock super Removed lock/unlock super. Signed-off-by: Marco Stornelli Reviewed-by: Jan Kara Signed-off-by: Al Viro --- fs/ext3/super.c | 6 ------ 1 file changed, 6 deletions(-) diff --git a/fs/ext3/super.c b/fs/ext3/super.c index 17ae5c83d234..29e79713c7eb 100644 --- a/fs/ext3/super.c +++ b/fs/ext3/super.c @@ -2578,11 +2578,9 @@ out: static int ext3_unfreeze(struct super_block *sb) { if (!(sb->s_flags & MS_RDONLY)) { - lock_super(sb); /* Reser the needs_recovery flag before the fs is unlocked. */ EXT3_SET_INCOMPAT_FEATURE(sb, EXT3_FEATURE_INCOMPAT_RECOVER); ext3_commit_super(sb, EXT3_SB(sb)->s_es, 1); - unlock_super(sb); journal_unlock_updates(EXT3_SB(sb)->s_journal); } return 0; @@ -2602,7 +2600,6 @@ static int ext3_remount (struct super_block * sb, int * flags, char * data) #endif /* Store the original options */ - lock_super(sb); old_sb_flags = sb->s_flags; old_opts.s_mount_opt = sbi->s_mount_opt; old_opts.s_resuid = sbi->s_resuid; @@ -2708,8 +2705,6 @@ static int ext3_remount (struct super_block * sb, int * flags, char * data) old_opts.s_qf_names[i] != sbi->s_qf_names[i]) kfree(old_opts.s_qf_names[i]); #endif - unlock_super(sb); - if (enable_quota) dquot_resume(sb, -1); return 0; @@ -2728,7 +2723,6 @@ restore_opts: sbi->s_qf_names[i] = old_opts.s_qf_names[i]; } #endif - unlock_super(sb); return err; } -- cgit v1.2.3-70-g09d2 From e40b34c7921534a46f7bae23ec6646d3d9c2c7b2 Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:40:03 +0200 Subject: fat: drop lock/unlock super Removed lock/unlock super. Added a new private s_lock mutex. Signed-off-by: Marco Stornelli Signed-off-by: Al Viro --- fs/fat/dir.c | 4 ++-- fs/fat/fat.h | 5 +++-- fs/fat/inode.c | 5 +++-- fs/fat/namei_msdos.c | 26 +++++++++++++------------- fs/fat/namei_vfat.c | 30 +++++++++++++++--------------- 5 files changed, 36 insertions(+), 34 deletions(-) diff --git a/fs/fat/dir.c b/fs/fat/dir.c index bca6d0a1255e..2a182342442e 100644 --- a/fs/fat/dir.c +++ b/fs/fat/dir.c @@ -571,7 +571,7 @@ static int __fat_readdir(struct inode *inode, struct file *filp, void *dirent, int short_len = 0, fill_len = 0; int ret = 0; - lock_super(sb); + mutex_lock(&sbi->s_lock); cpos = filp->f_pos; /* Fake . and .. for the root directory. */ @@ -693,7 +693,7 @@ fill_failed: if (unicode) __putname(unicode); out: - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return ret; } diff --git a/fs/fat/fat.h b/fs/fat/fat.h index ca7e8f8bad7c..623f36f0423b 100644 --- a/fs/fat/fat.h +++ b/fs/fat/fat.h @@ -71,8 +71,9 @@ struct msdos_sb_info { unsigned long root_cluster; /* first cluster of the root directory */ unsigned long fsinfo_sector; /* sector number of FAT32 fsinfo */ struct mutex fat_lock; - unsigned int prev_free; /* previously allocated cluster number */ - unsigned int free_clusters; /* -1 if undefined */ + struct mutex s_lock; + unsigned int prev_free; /* previously allocated cluster number */ + unsigned int free_clusters; /* -1 if undefined */ unsigned int free_clus_valid; /* is free_clusters valid? */ struct fat_mount_options options; struct nls_table *nls_disk; /* Codepage used on disk */ diff --git a/fs/fat/inode.c b/fs/fat/inode.c index 76f60c642c06..5bafaad00530 100644 --- a/fs/fat/inode.c +++ b/fs/fat/inode.c @@ -673,9 +673,9 @@ static int fat_write_inode(struct inode *inode, struct writeback_control *wbc) if (inode->i_ino == MSDOS_FSINFO_INO) { struct super_block *sb = inode->i_sb; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = fat_clusters_flush(sb); - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); } else err = __fat_write_inode(inode, wbc->sync_mode == WB_SYNC_ALL); @@ -1268,6 +1268,7 @@ int fat_fill_super(struct super_block *sb, void *data, int silent, int isvfat, b = (struct fat_boot_sector *) bh->b_data; } + mutex_init(&sbi->s_lock); sbi->cluster_size = sb->s_blocksize * sbi->sec_per_clus; sbi->cluster_bits = ffs(sbi->cluster_size) - 1; sbi->fats = b->fats; diff --git a/fs/fat/namei_msdos.c b/fs/fat/namei_msdos.c index c1055e778fff..e2cfda94a28d 100644 --- a/fs/fat/namei_msdos.c +++ b/fs/fat/namei_msdos.c @@ -208,7 +208,7 @@ static struct dentry *msdos_lookup(struct inode *dir, struct dentry *dentry, struct inode *inode; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = msdos_find(dir, dentry->d_name.name, dentry->d_name.len, &sinfo); switch (err) { case -ENOENT: @@ -221,7 +221,7 @@ static struct dentry *msdos_lookup(struct inode *dir, struct dentry *dentry, default: inode = ERR_PTR(err); } - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return d_splice_alias(inode, dentry); } @@ -273,7 +273,7 @@ static int msdos_create(struct inode *dir, struct dentry *dentry, umode_t mode, unsigned char msdos_name[MSDOS_NAME]; int err, is_hid; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = msdos_format_name(dentry->d_name.name, dentry->d_name.len, msdos_name, &MSDOS_SB(sb)->options); @@ -302,7 +302,7 @@ static int msdos_create(struct inode *dir, struct dentry *dentry, umode_t mode, d_instantiate(dentry, inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); if (!err) err = fat_flush_inodes(sb, dir, inode); return err; @@ -316,7 +316,7 @@ static int msdos_rmdir(struct inode *dir, struct dentry *dentry) struct fat_slot_info sinfo; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); /* * Check whether the directory is not in use, then check * whether it is empty. @@ -337,7 +337,7 @@ static int msdos_rmdir(struct inode *dir, struct dentry *dentry) inode->i_ctime = CURRENT_TIME_SEC; fat_detach(inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); if (!err) err = fat_flush_inodes(sb, dir, inode); @@ -354,7 +354,7 @@ static int msdos_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) struct timespec ts; int err, is_hid, cluster; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = msdos_format_name(dentry->d_name.name, dentry->d_name.len, msdos_name, &MSDOS_SB(sb)->options); @@ -392,14 +392,14 @@ static int msdos_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) d_instantiate(dentry, inode); - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); fat_flush_inodes(sb, dir, inode); return 0; out_free: fat_free_clusters(dir, cluster); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; } @@ -411,7 +411,7 @@ static int msdos_unlink(struct inode *dir, struct dentry *dentry) struct fat_slot_info sinfo; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = msdos_find(dir, dentry->d_name.name, dentry->d_name.len, &sinfo); if (err) goto out; @@ -423,7 +423,7 @@ static int msdos_unlink(struct inode *dir, struct dentry *dentry) inode->i_ctime = CURRENT_TIME_SEC; fat_detach(inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); if (!err) err = fat_flush_inodes(sb, dir, inode); @@ -606,7 +606,7 @@ static int msdos_rename(struct inode *old_dir, struct dentry *old_dentry, unsigned char old_msdos_name[MSDOS_NAME], new_msdos_name[MSDOS_NAME]; int err, is_hid; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = msdos_format_name(old_dentry->d_name.name, old_dentry->d_name.len, old_msdos_name, @@ -625,7 +625,7 @@ static int msdos_rename(struct inode *old_dir, struct dentry *old_dentry, err = do_msdos_rename(old_dir, old_msdos_name, old_dentry, new_dir, new_msdos_name, new_dentry, is_hid); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); if (!err) err = fat_flush_inodes(sb, old_dir, new_dir); return err; diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c index e535dd75b986..ac959d655e7d 100644 --- a/fs/fat/namei_vfat.c +++ b/fs/fat/namei_vfat.c @@ -721,7 +721,7 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, struct dentry *alias; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = vfat_find(dir, &dentry->d_name, &sinfo); if (err) { @@ -752,13 +752,13 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, if (!S_ISDIR(inode->i_mode)) d_move(alias, dentry); iput(inode); - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return alias; } else dput(alias); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); dentry->d_time = dentry->d_parent->d_inode->i_version; dentry = d_splice_alias(inode, dentry); if (dentry) @@ -766,7 +766,7 @@ out: return dentry; error: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return ERR_PTR(err); } @@ -779,7 +779,7 @@ static int vfat_create(struct inode *dir, struct dentry *dentry, umode_t mode, struct timespec ts; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); ts = CURRENT_TIME_SEC; err = vfat_add_entry(dir, &dentry->d_name, 0, 0, &ts, &sinfo); @@ -800,7 +800,7 @@ static int vfat_create(struct inode *dir, struct dentry *dentry, umode_t mode, dentry->d_time = dentry->d_parent->d_inode->i_version; d_instantiate(dentry, inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; } @@ -811,7 +811,7 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry) struct fat_slot_info sinfo; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = fat_dir_empty(inode); if (err) @@ -829,7 +829,7 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry) inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; fat_detach(inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; } @@ -841,7 +841,7 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) struct fat_slot_info sinfo; int err; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = vfat_find(dir, &dentry->d_name, &sinfo); if (err) @@ -854,7 +854,7 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; fat_detach(inode); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; } @@ -867,7 +867,7 @@ static int vfat_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) struct timespec ts; int err, cluster; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); ts = CURRENT_TIME_SEC; cluster = fat_alloc_new_dir(dir, &ts); @@ -896,13 +896,13 @@ static int vfat_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) dentry->d_time = dentry->d_parent->d_inode->i_version; d_instantiate(dentry, inode); - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return 0; out_free: fat_free_clusters(dir, cluster); out: - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; } @@ -921,7 +921,7 @@ static int vfat_rename(struct inode *old_dir, struct dentry *old_dentry, old_sinfo.bh = sinfo.bh = dotdot_bh = NULL; old_inode = old_dentry->d_inode; new_inode = new_dentry->d_inode; - lock_super(sb); + mutex_lock(&MSDOS_SB(sb)->s_lock); err = vfat_find(old_dir, &old_dentry->d_name, &old_sinfo); if (err) goto out; @@ -996,7 +996,7 @@ out: brelse(sinfo.bh); brelse(dotdot_bh); brelse(old_sinfo.bh); - unlock_super(sb); + mutex_unlock(&MSDOS_SB(sb)->s_lock); return err; -- cgit v1.2.3-70-g09d2 From f6e12dc4fc6f78745fd48a24ff2f06efb0bdeb0d Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:41:05 +0200 Subject: hpfs: drop lock/unlock super Removed lock/unlock super. Signed-off-by: Marco Stornelli Acked-by: Mikulas Patocka Signed-off-by: Al Viro --- fs/hpfs/super.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/fs/hpfs/super.c b/fs/hpfs/super.c index bc28bf077a6a..a3076228523d 100644 --- a/fs/hpfs/super.c +++ b/fs/hpfs/super.c @@ -398,7 +398,6 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data) *flags |= MS_NOATIME; hpfs_lock(s); - lock_super(s); uid = sbi->sb_uid; gid = sbi->sb_gid; umask = 0777 & ~sbi->sb_mode; lowercase = sbi->sb_lowercase; @@ -431,12 +430,10 @@ static int hpfs_remount_fs(struct super_block *s, int *flags, char *data) replace_mount_options(s, new_opts); - unlock_super(s); hpfs_unlock(s); return 0; out_err: - unlock_super(s); hpfs_unlock(s); kfree(new_opts); return -EINVAL; -- cgit v1.2.3-70-g09d2 From c07cb01c45d6f5f80da63e0b17dca889dba48cc1 Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:41:46 +0200 Subject: sysv: drop lock/unlock super Removed lock/unlock super. Added a new private s_lock mutex. Signed-off-by: Marco Stornelli Signed-off-by: Al Viro --- fs/sysv/balloc.c | 18 +++++++++--------- fs/sysv/ialloc.c | 14 +++++++------- fs/sysv/inode.c | 4 ++-- fs/sysv/super.c | 1 + fs/sysv/sysv.h | 1 + 5 files changed, 20 insertions(+), 18 deletions(-) diff --git a/fs/sysv/balloc.c b/fs/sysv/balloc.c index 9a6ad96acf27..921c053fc052 100644 --- a/fs/sysv/balloc.c +++ b/fs/sysv/balloc.c @@ -60,12 +60,12 @@ void sysv_free_block(struct super_block * sb, sysv_zone_t nr) return; } - lock_super(sb); + mutex_lock(&sbi->s_lock); count = fs16_to_cpu(sbi, *sbi->s_bcache_count); if (count > sbi->s_flc_size) { printk("sysv_free_block: flc_count > flc_size\n"); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return; } /* If the free list head in super-block is full, it is copied @@ -77,7 +77,7 @@ void sysv_free_block(struct super_block * sb, sysv_zone_t nr) bh = sb_getblk(sb, block); if (!bh) { printk("sysv_free_block: getblk() failed\n"); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return; } memset(bh->b_data, 0, sb->s_blocksize); @@ -93,7 +93,7 @@ void sysv_free_block(struct super_block * sb, sysv_zone_t nr) *sbi->s_bcache_count = cpu_to_fs16(sbi, count); fs32_add(sbi, sbi->s_free_blocks, 1); dirty_sb(sb); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); } sysv_zone_t sysv_new_block(struct super_block * sb) @@ -104,7 +104,7 @@ sysv_zone_t sysv_new_block(struct super_block * sb) struct buffer_head * bh; unsigned count; - lock_super(sb); + mutex_lock(&sbi->s_lock); count = fs16_to_cpu(sbi, *sbi->s_bcache_count); if (count == 0) /* Applies only to Coherent FS */ @@ -147,11 +147,11 @@ sysv_zone_t sysv_new_block(struct super_block * sb) /* Now the free list head in the superblock is valid again. */ fs32_add(sbi, sbi->s_free_blocks, -1); dirty_sb(sb); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return nr; Enospc: - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return 0; } @@ -173,7 +173,7 @@ unsigned long sysv_count_free_blocks(struct super_block * sb) if (sbi->s_type == FSTYPE_AFS) return 0; - lock_super(sb); + mutex_lock(&sbi->s_lock); sb_count = fs32_to_cpu(sbi, *sbi->s_free_blocks); if (0) @@ -211,7 +211,7 @@ unsigned long sysv_count_free_blocks(struct super_block * sb) if (count != sb_count) goto Ecount; done: - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return count; Einval: diff --git a/fs/sysv/ialloc.c b/fs/sysv/ialloc.c index 8233b02eccae..f9db4eb31db4 100644 --- a/fs/sysv/ialloc.c +++ b/fs/sysv/ialloc.c @@ -118,7 +118,7 @@ void sysv_free_inode(struct inode * inode) "%s\n", inode->i_sb->s_id); return; } - lock_super(sb); + mutex_lock(&sbi->s_lock); count = fs16_to_cpu(sbi, *sbi->s_sb_fic_count); if (count < sbi->s_fic_size) { *sv_sb_fic_inode(sb,count++) = cpu_to_fs16(sbi, ino); @@ -128,7 +128,7 @@ void sysv_free_inode(struct inode * inode) dirty_sb(sb); memset(raw_inode, 0, sizeof(struct sysv_inode)); mark_buffer_dirty(bh); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); brelse(bh); } @@ -147,13 +147,13 @@ struct inode * sysv_new_inode(const struct inode * dir, umode_t mode) if (!inode) return ERR_PTR(-ENOMEM); - lock_super(sb); + mutex_lock(&sbi->s_lock); count = fs16_to_cpu(sbi, *sbi->s_sb_fic_count); if (count == 0 || (*sv_sb_fic_inode(sb,count-1) == 0)) { count = refill_free_cache(sb); if (count == 0) { iput(inode); - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return ERR_PTR(-ENOSPC); } } @@ -174,7 +174,7 @@ struct inode * sysv_new_inode(const struct inode * dir, umode_t mode) sysv_write_inode(inode, &wbc); /* ensure inode not allocated again */ mark_inode_dirty(inode); /* cleared by sysv_write_inode() */ /* That's it. */ - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return inode; } @@ -185,7 +185,7 @@ unsigned long sysv_count_free_inodes(struct super_block * sb) struct sysv_inode * raw_inode; int ino, count, sb_count; - lock_super(sb); + mutex_lock(&sbi->s_lock); sb_count = fs16_to_cpu(sbi, *sbi->s_sb_total_free_inodes); @@ -213,7 +213,7 @@ unsigned long sysv_count_free_inodes(struct super_block * sb) if (count != sb_count) goto Einval; out: - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return count; Einval: diff --git a/fs/sysv/inode.c b/fs/sysv/inode.c index d33e506c1eac..c327d4ee1235 100644 --- a/fs/sysv/inode.c +++ b/fs/sysv/inode.c @@ -36,7 +36,7 @@ static int sysv_sync_fs(struct super_block *sb, int wait) struct sysv_sb_info *sbi = SYSV_SB(sb); unsigned long time = get_seconds(), old_time; - lock_super(sb); + mutex_lock(&sbi->s_lock); /* * If we are going to write out the super block, @@ -51,7 +51,7 @@ static int sysv_sync_fs(struct super_block *sb, int wait) mark_buffer_dirty(sbi->s_bh2); } - unlock_super(sb); + mutex_unlock(&sbi->s_lock); return 0; } diff --git a/fs/sysv/super.c b/fs/sysv/super.c index 7491c33b6468..a38e87bdd78d 100644 --- a/fs/sysv/super.c +++ b/fs/sysv/super.c @@ -368,6 +368,7 @@ static int sysv_fill_super(struct super_block *sb, void *data, int silent) sbi->s_sb = sb; sbi->s_block_base = 0; + mutex_init(&sbi->s_lock); sb->s_fs_info = sbi; sb_set_blocksize(sb, BLOCK_SIZE); diff --git a/fs/sysv/sysv.h b/fs/sysv/sysv.h index 0bc35fdc58e2..69d488986cce 100644 --- a/fs/sysv/sysv.h +++ b/fs/sysv/sysv.h @@ -58,6 +58,7 @@ struct sysv_sb_info { u32 s_nzones; /* same as s_sbd->s_fsize */ u16 s_namelen; /* max length of dir entry */ int s_forced_ro; + struct mutex s_lock; }; /* -- cgit v1.2.3-70-g09d2 From b6963327e0521e682c2fffd018574251d3c22b41 Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:42:28 +0200 Subject: ufs: drop lock/unlock super Removed lock/unlock super. Added a new private s_lock mutex. Signed-off-by: Marco Stornelli Signed-off-by: Al Viro --- fs/ufs/balloc.c | 30 +++++++++++++++--------------- fs/ufs/ialloc.c | 16 ++++++++-------- fs/ufs/super.c | 21 +++++++++++---------- fs/ufs/ufs.h | 1 + 4 files changed, 35 insertions(+), 33 deletions(-) diff --git a/fs/ufs/balloc.c b/fs/ufs/balloc.c index 1b3e410bf334..a7ea492ae660 100644 --- a/fs/ufs/balloc.c +++ b/fs/ufs/balloc.c @@ -54,7 +54,7 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count) if (ufs_fragnum(fragment) + count > uspi->s_fpg) ufs_error (sb, "ufs_free_fragments", "internal error"); - lock_super(sb); + mutex_lock(&UFS_SB(sb)->s_lock); cgno = ufs_dtog(uspi, fragment); bit = ufs_dtogd(uspi, fragment); @@ -118,12 +118,12 @@ void ufs_free_fragments(struct inode *inode, u64 fragment, unsigned count) ubh_sync_block(UCPI_UBH(ucpi)); ufs_mark_sb_dirty(sb); - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT\n"); return; failed: - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT (FAILED)\n"); return; } @@ -155,7 +155,7 @@ void ufs_free_blocks(struct inode *inode, u64 fragment, unsigned count) goto failed; } - lock_super(sb); + mutex_lock(&UFS_SB(sb)->s_lock); do_more: overflow = 0; @@ -215,12 +215,12 @@ do_more: } ufs_mark_sb_dirty(sb); - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT\n"); return; failed_unlock: - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); failed: UFSD("EXIT (FAILED)\n"); return; @@ -361,7 +361,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, usb1 = ubh_get_usb_first(uspi); *err = -ENOSPC; - lock_super (sb); + mutex_lock(&UFS_SB(sb)->s_lock); tmp = ufs_data_ptr_to_cpu(sb, p); if (count + ufs_fragnum(fragment) > uspi->s_fpb) { @@ -382,19 +382,19 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, "fragment %llu, tmp %llu\n", (unsigned long long)fragment, (unsigned long long)tmp); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); return INVBLOCK; } if (fragment < UFS_I(inode)->i_lastfrag) { UFSD("EXIT (ALREADY ALLOCATED)\n"); - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); return 0; } } else { if (tmp) { UFSD("EXIT (ALREADY ALLOCATED)\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); return 0; } } @@ -403,7 +403,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, * There is not enough space for user on the device */ if (!capable(CAP_SYS_RESOURCE) && ufs_freespace(uspi, UFS_MINFREE) <= 0) { - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT (FAILED)\n"); return 0; } @@ -428,7 +428,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, ufs_clear_frags(inode, result + oldcount, newcount - oldcount, locked_page != NULL); } - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT, result %llu\n", (unsigned long long)result); return result; } @@ -443,7 +443,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, fragment + count); ufs_clear_frags(inode, result + oldcount, newcount - oldcount, locked_page != NULL); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT, result %llu\n", (unsigned long long)result); return result; } @@ -481,7 +481,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, *err = 0; UFS_I(inode)->i_lastfrag = max(UFS_I(inode)->i_lastfrag, fragment + count); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); if (newcount < request) ufs_free_fragments (inode, result + newcount, request - newcount); ufs_free_fragments (inode, tmp, oldcount); @@ -489,7 +489,7 @@ u64 ufs_new_fragments(struct inode *inode, void *p, u64 fragment, return result; } - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT (FAILED)\n"); return 0; } diff --git a/fs/ufs/ialloc.c b/fs/ufs/ialloc.c index e84cbe21b986..d0426d74817b 100644 --- a/fs/ufs/ialloc.c +++ b/fs/ufs/ialloc.c @@ -71,11 +71,11 @@ void ufs_free_inode (struct inode * inode) ino = inode->i_ino; - lock_super (sb); + mutex_lock(&UFS_SB(sb)->s_lock); if (!((ino > 1) && (ino < (uspi->s_ncg * uspi->s_ipg )))) { ufs_warning(sb, "ufs_free_inode", "reserved inode or nonexistent inode %u\n", ino); - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); return; } @@ -83,7 +83,7 @@ void ufs_free_inode (struct inode * inode) bit = ufs_inotocgoff (ino); ucpi = ufs_load_cylinder (sb, cg); if (!ucpi) { - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); return; } ucg = ubh_get_ucg(UCPI_UBH(ucpi)); @@ -117,7 +117,7 @@ void ufs_free_inode (struct inode * inode) ubh_sync_block(UCPI_UBH(ucpi)); ufs_mark_sb_dirty(sb); - unlock_super (sb); + mutex_unlock(&UFS_SB(sb)->s_lock); UFSD("EXIT\n"); } @@ -197,7 +197,7 @@ struct inode *ufs_new_inode(struct inode *dir, umode_t mode) uspi = sbi->s_uspi; usb1 = ubh_get_usb_first(uspi); - lock_super (sb); + mutex_lock(&sbi->s_lock); /* * Try to place the inode in its parent directory @@ -333,20 +333,20 @@ cg_found: brelse(bh); } - unlock_super (sb); + mutex_unlock(&sbi->s_lock); UFSD("allocating inode %lu\n", inode->i_ino); UFSD("EXIT\n"); return inode; fail_remove_inode: - unlock_super(sb); + mutex_unlock(&sbi->s_lock); clear_nlink(inode); iput(inode); UFSD("EXIT (FAILED): err %d\n", err); return ERR_PTR(err); failed: - unlock_super (sb); + mutex_unlock(&sbi->s_lock); make_bad_inode(inode); iput (inode); UFSD("EXIT (FAILED): err %d\n", err); diff --git a/fs/ufs/super.c b/fs/ufs/super.c index f7cfecfe1cab..dc8e3a861d0f 100644 --- a/fs/ufs/super.c +++ b/fs/ufs/super.c @@ -699,7 +699,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait) unsigned flags; lock_ufs(sb); - lock_super(sb); + mutex_lock(&UFS_SB(sb)->s_lock); UFSD("ENTER\n"); @@ -717,7 +717,7 @@ static int ufs_sync_fs(struct super_block *sb, int wait) ufs_put_cstotal(sb); UFSD("EXIT\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return 0; @@ -805,6 +805,7 @@ static int ufs_fill_super(struct super_block *sb, void *data, int silent) } #endif mutex_init(&sbi->mutex); + mutex_init(&sbi->s_lock); spin_lock_init(&sbi->work_lock); INIT_DELAYED_WORK(&sbi->sync_work, delayed_sync_fs); /* @@ -1280,7 +1281,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) unsigned flags; lock_ufs(sb); - lock_super(sb); + mutex_lock(&UFS_SB(sb)->s_lock); uspi = UFS_SB(sb)->s_uspi; flags = UFS_SB(sb)->s_flags; usb1 = ubh_get_usb_first(uspi); @@ -1294,7 +1295,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) new_mount_opt = 0; ufs_set_opt (new_mount_opt, ONERROR_LOCK); if (!ufs_parse_options (data, &new_mount_opt)) { - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return -EINVAL; } @@ -1302,14 +1303,14 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) new_mount_opt |= ufstype; } else if ((new_mount_opt & UFS_MOUNT_UFSTYPE) != ufstype) { printk("ufstype can't be changed during remount\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return -EINVAL; } if ((*mount_flags & MS_RDONLY) == (sb->s_flags & MS_RDONLY)) { UFS_SB(sb)->s_mount_opt = new_mount_opt; - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return 0; } @@ -1334,7 +1335,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) #ifndef CONFIG_UFS_FS_WRITE printk("ufs was compiled with read-only support, " "can't be mounted as read-write\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return -EINVAL; #else @@ -1344,13 +1345,13 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) ufstype != UFS_MOUNT_UFSTYPE_SUNx86 && ufstype != UFS_MOUNT_UFSTYPE_UFS2) { printk("this ufstype is read-only supported\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return -EINVAL; } if (!ufs_read_cylinder_structures(sb)) { printk("failed during remounting\n"); - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return -EPERM; } @@ -1358,7 +1359,7 @@ static int ufs_remount (struct super_block *sb, int *mount_flags, char *data) #endif } UFS_SB(sb)->s_mount_opt = new_mount_opt; - unlock_super(sb); + mutex_unlock(&UFS_SB(sb)->s_lock); unlock_ufs(sb); return 0; } diff --git a/fs/ufs/ufs.h b/fs/ufs/ufs.h index 343e6fc571e5..ff2c15ab81aa 100644 --- a/fs/ufs/ufs.h +++ b/fs/ufs/ufs.h @@ -24,6 +24,7 @@ struct ufs_sb_info { int work_queued; /* non-zero if the delayed work is queued */ struct delayed_work sync_work; /* FS sync delayed work */ spinlock_t work_lock; /* protects sync_work and work_queued */ + struct mutex s_lock; }; struct ufs_inode_info { -- cgit v1.2.3-70-g09d2 From 8e22cc88d68ca1a46d7d582938f979eb640ed30f Mon Sep 17 00:00:00 2001 From: Marco Stornelli Date: Sat, 6 Oct 2012 12:43:09 +0200 Subject: vfs: drop lock/unlock super Removed s_lock from super_block and removed lock/unlock super. Signed-off-by: Marco Stornelli Signed-off-by: Al Viro --- fs/super.c | 23 ----------------------- include/linux/fs.h | 1 - 2 files changed, 24 deletions(-) diff --git a/fs/super.c b/fs/super.c index a3bc935069d9..12f123712161 100644 --- a/fs/super.c +++ b/fs/super.c @@ -186,14 +186,7 @@ static struct super_block *alloc_super(struct file_system_type *type, int flags) spin_lock_init(&s->s_inode_lru_lock); INIT_LIST_HEAD(&s->s_mounts); init_rwsem(&s->s_umount); - mutex_init(&s->s_lock); lockdep_set_class(&s->s_umount, &type->s_umount_key); - /* - * The locking rules for s_lock are up to the - * filesystem. For example ext3fs has different - * lock ordering than usbfs: - */ - lockdep_set_class(&s->s_lock, &type->s_lock_key); /* * sget() can have s_umount recursion. * @@ -394,22 +387,6 @@ bool grab_super_passive(struct super_block *sb) return false; } -/* - * Superblock locking. We really ought to get rid of these two. - */ -void lock_super(struct super_block * sb) -{ - mutex_lock(&sb->s_lock); -} - -void unlock_super(struct super_block * sb) -{ - mutex_unlock(&sb->s_lock); -} - -EXPORT_SYMBOL(lock_super); -EXPORT_SYMBOL(unlock_super); - /** * generic_shutdown_super - common helper for ->kill_sb() * @sb: superblock to kill diff --git a/include/linux/fs.h b/include/linux/fs.h index c617ed024df8..b7e70609243d 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1507,7 +1507,6 @@ struct super_block { unsigned long s_magic; struct dentry *s_root; struct rw_semaphore s_umount; - struct mutex s_lock; int s_count; atomic_t s_active; #ifdef CONFIG_SECURITY -- cgit v1.2.3-70-g09d2 From 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 Mon Sep 17 00:00:00 2001 From: Hugh Dickins Date: Sun, 7 Oct 2012 20:32:51 -0700 Subject: tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(), u64 inum = fid->raw[2]; which is unhelpfully reported as at the end of shmem_alloc_inode(): BUG: unable to handle kernel paging request at ffff880061cd3000 IP: [] shmem_alloc_inode+0x40/0x40 Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC Call Trace: [] ? exportfs_decode_fh+0x79/0x2d0 [] do_handle_open+0x163/0x2c0 [] sys_open_by_handle_at+0xc/0x10 [] tracesys+0xe1/0xe6 Right, tmpfs is being stupid to access fid->raw[2] before validating that fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may fall at the end of a page, and the next page not be present. But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and could oops in the same way: add the missing fh_len checks to those. Reported-by: Sasha Levin Signed-off-by: Hugh Dickins Cc: Al Viro Cc: Sage Weil Cc: Steven Whitehouse Cc: Christoph Hellwig Cc: stable@vger.kernel.org Signed-off-by: Al Viro --- fs/ceph/export.c | 18 ++++++++++++++---- fs/gfs2/export.c | 4 ++++ fs/isofs/export.c | 2 +- fs/reiserfs/inode.c | 6 +++++- fs/xfs/xfs_export.c | 3 +++ mm/shmem.c | 6 ++++-- 6 files changed, 31 insertions(+), 8 deletions(-) diff --git a/fs/ceph/export.c b/fs/ceph/export.c index 8e1b60e557b6..02ce90972d81 100644 --- a/fs/ceph/export.c +++ b/fs/ceph/export.c @@ -99,7 +99,7 @@ static int ceph_encode_fh(struct inode *inode, u32 *rawfh, int *max_len, * FIXME: we should try harder by querying the mds for the ino. */ static struct dentry *__fh_to_dentry(struct super_block *sb, - struct ceph_nfs_fh *fh) + struct ceph_nfs_fh *fh, int fh_len) { struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc; struct inode *inode; @@ -107,6 +107,9 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, struct ceph_vino vino; int err; + if (fh_len < sizeof(*fh) / 4) + return ERR_PTR(-ESTALE); + dout("__fh_to_dentry %llx\n", fh->ino); vino.ino = fh->ino; vino.snap = CEPH_NOSNAP; @@ -150,7 +153,7 @@ static struct dentry *__fh_to_dentry(struct super_block *sb, * convert connectable fh to dentry */ static struct dentry *__cfh_to_dentry(struct super_block *sb, - struct ceph_nfs_confh *cfh) + struct ceph_nfs_confh *cfh, int fh_len) { struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc; struct inode *inode; @@ -158,6 +161,9 @@ static struct dentry *__cfh_to_dentry(struct super_block *sb, struct ceph_vino vino; int err; + if (fh_len < sizeof(*cfh) / 4) + return ERR_PTR(-ESTALE); + dout("__cfh_to_dentry %llx (%llx/%x)\n", cfh->ino, cfh->parent_ino, cfh->parent_name_hash); @@ -207,9 +213,11 @@ static struct dentry *ceph_fh_to_dentry(struct super_block *sb, struct fid *fid, int fh_len, int fh_type) { if (fh_type == 1) - return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw); + return __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw, + fh_len); else - return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw); + return __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw, + fh_len); } /* @@ -230,6 +238,8 @@ static struct dentry *ceph_fh_to_parent(struct super_block *sb, if (fh_type == 1) return ERR_PTR(-ESTALE); + if (fh_len < sizeof(*cfh) / 4) + return ERR_PTR(-ESTALE); pr_debug("fh_to_parent %llx/%d\n", cfh->parent_ino, cfh->parent_name_hash); diff --git a/fs/gfs2/export.c b/fs/gfs2/export.c index e8ed6d4a6181..4767774a5f3e 100644 --- a/fs/gfs2/export.c +++ b/fs/gfs2/export.c @@ -161,6 +161,8 @@ static struct dentry *gfs2_fh_to_dentry(struct super_block *sb, struct fid *fid, case GFS2_SMALL_FH_SIZE: case GFS2_LARGE_FH_SIZE: case GFS2_OLD_FH_SIZE: + if (fh_len < GFS2_SMALL_FH_SIZE) + return NULL; this.no_formal_ino = ((u64)be32_to_cpu(fh[0])) << 32; this.no_formal_ino |= be32_to_cpu(fh[1]); this.no_addr = ((u64)be32_to_cpu(fh[2])) << 32; @@ -180,6 +182,8 @@ static struct dentry *gfs2_fh_to_parent(struct super_block *sb, struct fid *fid, switch (fh_type) { case GFS2_LARGE_FH_SIZE: case GFS2_OLD_FH_SIZE: + if (fh_len < GFS2_LARGE_FH_SIZE) + return NULL; parent.no_formal_ino = ((u64)be32_to_cpu(fh[4])) << 32; parent.no_formal_ino |= be32_to_cpu(fh[5]); parent.no_addr = ((u64)be32_to_cpu(fh[6])) << 32; diff --git a/fs/isofs/export.c b/fs/isofs/export.c index 1d3804492aa7..2b4f2358eadb 100644 --- a/fs/isofs/export.c +++ b/fs/isofs/export.c @@ -175,7 +175,7 @@ static struct dentry *isofs_fh_to_parent(struct super_block *sb, { struct isofs_fid *ifid = (struct isofs_fid *)fid; - if (fh_type != 2) + if (fh_len < 2 || fh_type != 2) return NULL; return isofs_export_iget(sb, diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c index 46485557cdc6..f27f01a98aa2 100644 --- a/fs/reiserfs/inode.c +++ b/fs/reiserfs/inode.c @@ -1573,8 +1573,10 @@ struct dentry *reiserfs_fh_to_dentry(struct super_block *sb, struct fid *fid, reiserfs_warning(sb, "reiserfs-13077", "nfsd/reiserfs, fhtype=%d, len=%d - odd", fh_type, fh_len); - fh_type = 5; + fh_type = fh_len; } + if (fh_len < 2) + return NULL; return reiserfs_get_dentry(sb, fid->raw[0], fid->raw[1], (fh_type == 3 || fh_type >= 5) ? fid->raw[2] : 0); @@ -1583,6 +1585,8 @@ struct dentry *reiserfs_fh_to_dentry(struct super_block *sb, struct fid *fid, struct dentry *reiserfs_fh_to_parent(struct super_block *sb, struct fid *fid, int fh_len, int fh_type) { + if (fh_type > fh_len) + fh_type = fh_len; if (fh_type < 4) return NULL; diff --git a/fs/xfs/xfs_export.c b/fs/xfs/xfs_export.c index 42679223a0fd..8c6d1d70278c 100644 --- a/fs/xfs/xfs_export.c +++ b/fs/xfs/xfs_export.c @@ -189,6 +189,9 @@ xfs_fs_fh_to_parent(struct super_block *sb, struct fid *fid, struct xfs_fid64 *fid64 = (struct xfs_fid64 *)fid; struct inode *inode = NULL; + if (fh_len < xfs_fileid_length(fileid_type)) + return NULL; + switch (fileid_type) { case FILEID_INO32_GEN_PARENT: inode = xfs_nfs_get_inode(sb, fid->i32.parent_ino, diff --git a/mm/shmem.c b/mm/shmem.c index cc12072f8787..67afba5117f2 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2220,12 +2220,14 @@ static struct dentry *shmem_fh_to_dentry(struct super_block *sb, { struct inode *inode; struct dentry *dentry = NULL; - u64 inum = fid->raw[2]; - inum = (inum << 32) | fid->raw[1]; + u64 inum; if (fh_len < 3) return NULL; + inum = fid->raw[2]; + inum = (inum << 32) | fid->raw[1]; + inode = ilookup5(sb, (unsigned long)(inum + fid->raw[0]), shmem_match, fid->raw); if (inode) { -- cgit v1.2.3-70-g09d2 From 614c321f4bf130766ff66fd142b1da47ab037303 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Wed, 10 Oct 2012 01:06:20 -0400 Subject: MAX_LFS_FILESIZE definition for 64bit needs LL... Signed-off-by: Al Viro --- include/linux/fs.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index b7e70609243d..ec911aeea968 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1132,7 +1132,7 @@ static inline int file_check_writeable(struct file *filp) #if BITS_PER_LONG==32 #define MAX_LFS_FILESIZE (((loff_t)PAGE_CACHE_SIZE << (BITS_PER_LONG-1))-1) #elif BITS_PER_LONG==64 -#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffff) +#define MAX_LFS_FILESIZE ((loff_t)0x7fffffffffffffffLL) #endif #define FL_POSIX 1 -- cgit v1.2.3-70-g09d2 From 462e1e1bc879d10d7c2ce96a1b1001edaaa815ba Mon Sep 17 00:00:00 2001 From: Lai Jiangshan Date: Tue, 9 Oct 2012 14:49:47 -0700 Subject: lglock: remove unused DEFINE_LGLOCK_LOCKDEP() struct lglocks use their own lock_key/lock_dep_map which are defined in struct lglock. DEFINE_LGLOCK_LOCKDEP() is unused, so remove it and save a small piece of memory. Signed-off-by: Lai Jiangshan Cc: Alexander Viro Cc: Rusty Russell Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Al Viro --- include/linux/lglock.h | 9 --------- 1 file changed, 9 deletions(-) diff --git a/include/linux/lglock.h b/include/linux/lglock.h index f01e5f6d1f07..45eff71de887 100644 --- a/include/linux/lglock.h +++ b/include/linux/lglock.h @@ -36,16 +36,8 @@ #ifdef CONFIG_DEBUG_LOCK_ALLOC #define LOCKDEP_INIT_MAP lockdep_init_map - -#define DEFINE_LGLOCK_LOCKDEP(name) \ - struct lock_class_key name##_lock_key; \ - struct lockdep_map name##_lock_dep_map; \ - EXPORT_SYMBOL(name##_lock_dep_map) - #else #define LOCKDEP_INIT_MAP(a, b, c, d) - -#define DEFINE_LGLOCK_LOCKDEP(name) #endif struct lglock { @@ -57,7 +49,6 @@ struct lglock { }; #define DEFINE_LGLOCK(name) \ - DEFINE_LGLOCK_LOCKDEP(name); \ DEFINE_PER_CPU(arch_spinlock_t, name ## _lock) \ = __ARCH_SPIN_LOCK_UNLOCKED; \ struct lglock name = { .lock = &name ## _lock } -- cgit v1.2.3-70-g09d2 From 466cab878ef98a0618734a1fa64a02e5fbf90867 Mon Sep 17 00:00:00 2001 From: Lai Jiangshan Date: Tue, 9 Oct 2012 14:49:51 -0700 Subject: lglock: make the per_cpu locks static The per_cpu locks are not used outside the file which contains the DEFINE_LGLOCK(), so we can make these symbols static. Signed-off-by: Lai Jiangshan Cc: Alexander Viro Cc: Rusty Russell Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Al Viro --- include/linux/lglock.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/linux/lglock.h b/include/linux/lglock.h index 45eff71de887..8f974517c48a 100644 --- a/include/linux/lglock.h +++ b/include/linux/lglock.h @@ -49,7 +49,7 @@ struct lglock { }; #define DEFINE_LGLOCK(name) \ - DEFINE_PER_CPU(arch_spinlock_t, name ## _lock) \ + static DEFINE_PER_CPU(arch_spinlock_t, name ## _lock) \ = __ARCH_SPIN_LOCK_UNLOCKED; \ struct lglock name = { .lock = &name ## _lock } -- cgit v1.2.3-70-g09d2 From 4b2c551f77f5a0c496e2125b1d883f4b26aabf2c Mon Sep 17 00:00:00 2001 From: Lai Jiangshan Date: Tue, 9 Oct 2012 14:49:54 -0700 Subject: lglock: add DEFINE_STATIC_LGLOCK() When the lglock doesn't need to be exported we can use DEFINE_STATIC_LGLOCK(). Signed-off-by: Lai Jiangshan Cc: Alexander Viro Cc: Rusty Russell Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Al Viro --- fs/file_table.c | 2 +- include/linux/lglock.h | 8 +++++++- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/fs/file_table.c b/fs/file_table.c index dac67923330f..a72bf9ddd0d2 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -36,7 +36,7 @@ struct files_stat_struct files_stat = { .max_files = NR_FILE }; -DEFINE_LGLOCK(files_lglock); +DEFINE_STATIC_LGLOCK(files_lglock); /* SLAB cache for file structures */ static struct kmem_cache *filp_cachep __read_mostly; diff --git a/include/linux/lglock.h b/include/linux/lglock.h index 8f974517c48a..0d24e932db0b 100644 --- a/include/linux/lglock.h +++ b/include/linux/lglock.h @@ -32,7 +32,8 @@ #define br_write_lock(name) lg_global_lock(name) #define br_write_unlock(name) lg_global_unlock(name) -#define DEFINE_BRLOCK(name) DEFINE_LGLOCK(name) +#define DEFINE_BRLOCK(name) DEFINE_LGLOCK(name) +#define DEFINE_STATIC_BRLOCK(name) DEFINE_STATIC_LGLOCK(name) #ifdef CONFIG_DEBUG_LOCK_ALLOC #define LOCKDEP_INIT_MAP lockdep_init_map @@ -53,6 +54,11 @@ struct lglock { = __ARCH_SPIN_LOCK_UNLOCKED; \ struct lglock name = { .lock = &name ## _lock } +#define DEFINE_STATIC_LGLOCK(name) \ + static DEFINE_PER_CPU(arch_spinlock_t, name ## _lock) \ + = __ARCH_SPIN_LOCK_UNLOCKED; \ + static struct lglock name = { .lock = &name ## _lock } + void lg_lock_init(struct lglock *lg, char *name); void lg_local_lock(struct lglock *lg); void lg_local_unlock(struct lglock *lg); -- cgit v1.2.3-70-g09d2 From 808d4e3cfdcc52b19276175464f6dbca4df13b09 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Thu, 11 Oct 2012 11:42:01 -0400 Subject: consitify do_mount() arguments Signed-off-by: Al Viro --- fs/namespace.c | 12 ++++++------ include/linux/fs.h | 2 +- include/linux/security.h | 12 ++++++------ security/capability.c | 4 ++-- security/security.c | 4 ++-- security/selinux/hooks.c | 4 ++-- security/smack/smack_lsm.c | 4 ++-- security/tomoyo/common.h | 2 +- security/tomoyo/mount.c | 5 +++-- security/tomoyo/tomoyo.c | 4 ++-- 10 files changed, 27 insertions(+), 26 deletions(-) diff --git a/fs/namespace.c b/fs/namespace.c index 7bdf7907413f..fc33207e28ad 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -1640,7 +1640,7 @@ static int do_change_type(struct path *path, int flag) /* * do loopback mount. */ -static int do_loopback(struct path *path, char *old_name, +static int do_loopback(struct path *path, const char *old_name, int recurse) { LIST_HEAD(umount_list); @@ -1764,7 +1764,7 @@ static inline int tree_contains_unbindable(struct mount *mnt) return 0; } -static int do_move_mount(struct path *path, char *old_name) +static int do_move_mount(struct path *path, const char *old_name) { struct path old_path, parent_path; struct mount *p; @@ -1917,8 +1917,8 @@ unlock: * create a new mount for userspace and request it to be added into the * namespace's tree */ -static int do_new_mount(struct path *path, char *type, int flags, - int mnt_flags, char *name, void *data) +static int do_new_mount(struct path *path, const char *type, int flags, + int mnt_flags, const char *name, void *data) { struct vfsmount *mnt; int err; @@ -2191,8 +2191,8 @@ int copy_mount_string(const void __user *data, char **where) * Therefore, if this magic number is present, it carries no information * and must be discarded. */ -long do_mount(char *dev_name, char *dir_name, char *type_page, - unsigned long flags, void *data_page) +long do_mount(const char *dev_name, const char *dir_name, + const char *type_page, unsigned long flags, void *data_page) { struct path path; int retval = 0; diff --git a/include/linux/fs.h b/include/linux/fs.h index ec911aeea968..9baf8270f9d1 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -2075,7 +2075,7 @@ extern struct vfsmount *kern_mount_data(struct file_system_type *, void *data); extern void kern_unmount(struct vfsmount *mnt); extern int may_umount_tree(struct vfsmount *); extern int may_umount(struct vfsmount *); -extern long do_mount(char *, char *, char *, unsigned long, void *); +extern long do_mount(const char *, const char *, const char *, unsigned long, void *); extern struct vfsmount *collect_mounts(struct path *); extern void drop_collected_mounts(struct vfsmount *); extern int iterate_mounts(int (*)(struct vfsmount *, void *), void *, diff --git a/include/linux/security.h b/include/linux/security.h index 5b50c4e1a7c2..05e88bdcf7d9 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -1411,8 +1411,8 @@ struct security_operations { int (*sb_kern_mount) (struct super_block *sb, int flags, void *data); int (*sb_show_options) (struct seq_file *m, struct super_block *sb); int (*sb_statfs) (struct dentry *dentry); - int (*sb_mount) (char *dev_name, struct path *path, - char *type, unsigned long flags, void *data); + int (*sb_mount) (const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data); int (*sb_umount) (struct vfsmount *mnt, int flags); int (*sb_pivotroot) (struct path *old_path, struct path *new_path); @@ -1694,8 +1694,8 @@ int security_sb_remount(struct super_block *sb, void *data); int security_sb_kern_mount(struct super_block *sb, int flags, void *data); int security_sb_show_options(struct seq_file *m, struct super_block *sb); int security_sb_statfs(struct dentry *dentry); -int security_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, void *data); +int security_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data); int security_sb_umount(struct vfsmount *mnt, int flags); int security_sb_pivotroot(struct path *old_path, struct path *new_path); int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); @@ -1964,8 +1964,8 @@ static inline int security_sb_statfs(struct dentry *dentry) return 0; } -static inline int security_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, +static inline int security_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data) { return 0; diff --git a/security/capability.c b/security/capability.c index a40aac677c72..b14a30c234b8 100644 --- a/security/capability.c +++ b/security/capability.c @@ -74,8 +74,8 @@ static int cap_sb_statfs(struct dentry *dentry) return 0; } -static int cap_sb_mount(char *dev_name, struct path *path, char *type, - unsigned long flags, void *data) +static int cap_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data) { return 0; } diff --git a/security/security.c b/security/security.c index 3724029d0f6d..8dcd4ae10a5f 100644 --- a/security/security.c +++ b/security/security.c @@ -276,8 +276,8 @@ int security_sb_statfs(struct dentry *dentry) return security_ops->sb_statfs(dentry); } -int security_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, void *data) +int security_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data) { return security_ops->sb_mount(dev_name, path, type, flags, data); } diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 651d8456611a..24ab4148547c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -2452,9 +2452,9 @@ static int selinux_sb_statfs(struct dentry *dentry) return superblock_has_perm(cred, dentry->d_sb, FILESYSTEM__GETATTR, &ad); } -static int selinux_mount(char *dev_name, +static int selinux_mount(const char *dev_name, struct path *path, - char *type, + const char *type, unsigned long flags, void *data) { diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 2874c7316783..38be92ce901e 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c @@ -408,8 +408,8 @@ static int smack_sb_statfs(struct dentry *dentry) * Returns 0 if current can write the floor of the filesystem * being mounted on, an error code otherwise. */ -static int smack_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, void *data) +static int smack_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data) { struct superblock_smack *sbp = path->dentry->d_sb->s_security; struct smk_audit_info ad; diff --git a/security/tomoyo/common.h b/security/tomoyo/common.h index af010b62d544..d4f166bc3508 100644 --- a/security/tomoyo/common.h +++ b/security/tomoyo/common.h @@ -970,7 +970,7 @@ int tomoyo_init_request_info(struct tomoyo_request_info *r, const u8 index); int tomoyo_mkdev_perm(const u8 operation, struct path *path, const unsigned int mode, unsigned int dev); -int tomoyo_mount_permission(char *dev_name, struct path *path, +int tomoyo_mount_permission(const char *dev_name, struct path *path, const char *type, unsigned long flags, void *data_page); int tomoyo_open_control(const u8 type, struct file *file); diff --git a/security/tomoyo/mount.c b/security/tomoyo/mount.c index fe00cdfd0267..390c646013cb 100644 --- a/security/tomoyo/mount.c +++ b/security/tomoyo/mount.c @@ -71,7 +71,8 @@ static bool tomoyo_check_mount_acl(struct tomoyo_request_info *r, * * Caller holds tomoyo_read_lock(). */ -static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, +static int tomoyo_mount_acl(struct tomoyo_request_info *r, + const char *dev_name, struct path *dir, const char *type, unsigned long flags) { @@ -183,7 +184,7 @@ static int tomoyo_mount_acl(struct tomoyo_request_info *r, char *dev_name, * * Returns 0 on success, negative value otherwise. */ -int tomoyo_mount_permission(char *dev_name, struct path *path, +int tomoyo_mount_permission(const char *dev_name, struct path *path, const char *type, unsigned long flags, void *data_page) { diff --git a/security/tomoyo/tomoyo.c b/security/tomoyo/tomoyo.c index d88eb3a046ed..a2ee362546ab 100644 --- a/security/tomoyo/tomoyo.c +++ b/security/tomoyo/tomoyo.c @@ -408,8 +408,8 @@ static int tomoyo_path_chroot(struct path *path) * * Returns 0 on success, negative value otherwise. */ -static int tomoyo_sb_mount(char *dev_name, struct path *path, - char *type, unsigned long flags, void *data) +static int tomoyo_sb_mount(const char *dev_name, struct path *path, + const char *type, unsigned long flags, void *data) { return tomoyo_mount_permission(dev_name, path, type, flags, data); } -- cgit v1.2.3-70-g09d2 From 98f6ef64b15a48f15062aff5d143b5d9a6ae7711 Mon Sep 17 00:00:00 2001 From: Arnd Bergmann Date: Thu, 11 Oct 2012 13:20:00 +0000 Subject: vfs: bogus warnings in fs/namei.c The follow_link() function always initializes its *p argument, or returns an error, but when building with 'gcc -s', the compiler gets confused by the __always_inline attribute to the function and can no longer detect where the cookie was initialized. The solution is to always initialize the pointer from follow_link, even in the error path. When building with -O2, this has zero impact on generated code and adds a single instruction in the error path for a -Os build on ARM. Without this patch, building with gcc-4.6 through gcc-4.8 and CONFIG_CC_OPTIMIZE_FOR_SIZE results in: fs/namei.c: In function 'link_path_walk': fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized] fs/namei.c:1544:9: note: 'cookie' was declared here fs/namei.c: In function 'path_lookupat': fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized] fs/namei.c:1934:10: note: 'cookie' was declared here fs/namei.c: In function 'path_openat': fs/namei.c:649:24: warning: 'cookie' may be used uninitialized in this function [-Wuninitialized] fs/namei.c:2899:9: note: 'cookie' was declared here Signed-off-by: Arnd Bergmann Signed-off-by: Al Viro --- fs/namei.c | 1 + 1 file changed, 1 insertion(+) diff --git a/fs/namei.c b/fs/namei.c index 6d47fac64292..c1f18e4f034c 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -810,6 +810,7 @@ follow_link(struct path *link, struct nameidata *nd, void **p) return error; out_put_nd_path: + *p = NULL; path_put(&nd->path); path_put(link); return error; -- cgit v1.2.3-70-g09d2