commit 7dc9c484a71525794ca05cf7a47f283f1b54cd12 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
do_add_mount() should sanitize mnt_flags
CIFS shouldn't make mountpoints shrinkable
mnt_flags fixes in do_remount()
attach_recursive_mnt() needs to hold vfsmount_lock over set_mnt_shared()
may_umount() needs namespace_sem
Fix configfs leak
Fix the -ESTALE handling in do_filp_open()
ecryptfs: Fix refcnt leak on ecryptfs_follow_link() error path
Fix ACC_MODE() for real
Unrot uml mconsole a bit
hppfs: handle ->put_link()
Kill 9p readlink()
fix autofs/afs/etc. magic mountpoint breakage

Linus Torvalds 16 years ago 7dc9c484 3a5dd791

+73 -117

11 changed files

expand all

unified split

arch

drivers

mconsole_kern.c

vfs_inode.c

cifs

cifs_dfs_ref.c

configfs

symlink.c

ecryptfs

inode.c

hppfs

hppfs.c

namei.c

namespace.c

proc

base.c

include

linux

fs.h

security

tomoyo

tomoyo.c

+20 -33

arch/um/drivers/mconsole_kern.c

··· 125 void mconsole_proc(struct mc_request *req) 126 { 127 struct nameidata nd; 128 - struct file_system_type *proc; 129 - struct super_block *super; 130 struct file *file; 131 int n, err; 132 char *ptr = req->request.data, *buf; 133 134 ptr += strlen("proc"); 135 ptr = skip_spaces(ptr); 136 137 - proc = get_fs_type("proc"); 138 - if (proc == NULL) { 139 - mconsole_reply(req, "procfs not registered", 1, 0); 140 - goto out; 141 - } 142 - 143 - super = (*proc->get_sb)(proc, 0, NULL, NULL); 144 - put_filesystem(proc); 145 - if (super == NULL) { 146 - mconsole_reply(req, "Failed to get procfs superblock", 1, 0); 147 - goto out; 148 - } 149 - up_write(&super->s_umount); 150 - 151 - nd.path.dentry = super->s_root; 152 - nd.path.mnt = NULL; 153 - nd.flags = O_RDONLY + 1; 154 - nd.last_type = LAST_ROOT; 155 - 156 - /* START: it was experienced that the stability problems are closed 157 - * if commenting out these two calls + the below read cycle. To 158 - * make UML crash again, it was enough to readd either one.*/ 159 - err = link_path_walk(ptr, &nd); 160 if (err) { 161 mconsole_reply(req, "Failed to look up file", 1, 0); 162 - goto out_kill; 163 } 164 165 file = dentry_open(nd.path.dentry, nd.path.mnt, O_RDONLY, 166 current_cred()); 167 if (IS_ERR(file)) { 168 mconsole_reply(req, "Failed to open file", 1, 0); 169 - goto out_kill; 170 } 171 - /*END*/ 172 173 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 174 if (buf == NULL) { ··· 162 goto out_fput; 163 } 164 165 - if ((file->f_op != NULL) && (file->f_op->read != NULL)) { 166 do { 167 - n = (*file->f_op->read)(file, buf, PAGE_SIZE - 1, 168 - &file->f_pos); 169 if (n >= 0) { 170 buf[n] = '\0'; 171 mconsole_reply(req, buf, 0, (n > 0)); ··· 186 kfree(buf); 187 out_fput: 188 fput(file); 189 - out_kill: 190 - deactivate_super(super); 191 out: ; 192 } 193 #endif

··· 125 void mconsole_proc(struct mc_request *req) 126 { 127 struct nameidata nd; 128 + struct vfsmount *mnt = current->nsproxy->pid_ns->proc_mnt; 129 struct file *file; 130 int n, err; 131 char *ptr = req->request.data, *buf; 132 + mm_segment_t old_fs = get_fs(); 133 134 ptr += strlen("proc"); 135 ptr = skip_spaces(ptr); 136 137 + err = vfs_path_lookup(mnt->mnt_root, mnt, ptr, LOOKUP_FOLLOW, &nd); 138 if (err) { 139 mconsole_reply(req, "Failed to look up file", 1, 0); 140 + goto out; 141 + } 142 + 143 + err = may_open(&nd.path, MAY_READ, FMODE_READ); 144 + if (result) { 145 + mconsole_reply(req, "Failed to open file", 1, 0); 146 + path_put(&nd.path); 147 + goto out; 148 } 149 150 file = dentry_open(nd.path.dentry, nd.path.mnt, O_RDONLY, 151 current_cred()); 152 + err = PTR_ERR(file); 153 if (IS_ERR(file)) { 154 mconsole_reply(req, "Failed to open file", 1, 0); 155 + path_put(&nd.path); 156 + goto out; 157 } 158 159 buf = kmalloc(PAGE_SIZE, GFP_KERNEL); 160 if (buf == NULL) { ··· 176 goto out_fput; 177 } 178 179 + if (file->f_op->read) { 180 do { 181 + loff_t pos; 182 + set_fs(KERNEL_DS); 183 + n = vfs_read(file, buf, PAGE_SIZE - 1, &pos); 184 + file_pos_write(file, pos); 185 + set_fs(old_fs); 186 if (n >= 0) { 187 buf[n] = '\0'; 188 mconsole_reply(req, buf, 0, (n > 0)); ··· 197 kfree(buf); 198 out_fput: 199 fput(file); 200 out: ; 201 } 202 #endif

+1 -40

fs/9p/vfs_inode.c

··· 1001 } 1002 1003 /** 1004 - * v9fs_vfs_readlink - read a symlink's location 1005 - * @dentry: dentry for symlink 1006 - * @buffer: buffer to load symlink location into 1007 - * @buflen: length of buffer 1008 - * 1009 - */ 1010 - 1011 - static int v9fs_vfs_readlink(struct dentry *dentry, char __user * buffer, 1012 - int buflen) 1013 - { 1014 - int retval; 1015 - int ret; 1016 - char *link = __getname(); 1017 - 1018 - if (unlikely(!link)) 1019 - return -ENOMEM; 1020 - 1021 - if (buflen > PATH_MAX) 1022 - buflen = PATH_MAX; 1023 - 1024 - P9_DPRINTK(P9_DEBUG_VFS, " dentry: %s (%p)\n", dentry->d_name.name, 1025 - dentry); 1026 - 1027 - retval = v9fs_readlink(dentry, link, buflen); 1028 - 1029 - if (retval > 0) { 1030 - if ((ret = copy_to_user(buffer, link, retval)) != 0) { 1031 - P9_DPRINTK(P9_DEBUG_ERROR, 1032 - "problem copying to user: %d\n", ret); 1033 - retval = ret; 1034 - } 1035 - } 1036 - 1037 - __putname(link); 1038 - return retval; 1039 - } 1040 - 1041 - /** 1042 * v9fs_vfs_follow_link - follow a symlink path 1043 * @dentry: dentry for symlink 1044 * @nd: nameidata ··· 1192 .rmdir = v9fs_vfs_rmdir, 1193 .mknod = v9fs_vfs_mknod, 1194 .rename = v9fs_vfs_rename, 1195 - .readlink = v9fs_vfs_readlink, 1196 .getattr = v9fs_vfs_getattr, 1197 .setattr = v9fs_vfs_setattr, 1198 }; ··· 1214 }; 1215 1216 static const struct inode_operations v9fs_symlink_inode_operations = { 1217 - .readlink = v9fs_vfs_readlink, 1218 .follow_link = v9fs_vfs_follow_link, 1219 .put_link = v9fs_vfs_put_link, 1220 .getattr = v9fs_vfs_getattr,

··· 1001 } 1002 1003 /** 1004 * v9fs_vfs_follow_link - follow a symlink path 1005 * @dentry: dentry for symlink 1006 * @nd: nameidata ··· 1230 .rmdir = v9fs_vfs_rmdir, 1231 .mknod = v9fs_vfs_mknod, 1232 .rename = v9fs_vfs_rename, 1233 .getattr = v9fs_vfs_getattr, 1234 .setattr = v9fs_vfs_setattr, 1235 }; ··· 1253 }; 1254 1255 static const struct inode_operations v9fs_symlink_inode_operations = { 1256 + .readlink = generic_readlink, 1257 .follow_link = v9fs_vfs_follow_link, 1258 .put_link = v9fs_vfs_put_link, 1259 .getattr = v9fs_vfs_getattr,

+1 -2

fs/cifs/cifs_dfs_ref.c

··· 269 int err; 270 271 mntget(newmnt); 272 - err = do_add_mount(newmnt, &nd->path, nd->path.mnt->mnt_flags, mntlist); 273 switch (err) { 274 case 0: 275 path_put(&nd->path); ··· 371 if (IS_ERR(mnt)) 372 goto out_err; 373 374 - nd->path.mnt->mnt_flags |= MNT_SHRINKABLE; 375 rc = add_mount_helper(mnt, nd, &cifs_dfs_automount_list); 376 377 out:

··· 269 int err; 270 271 mntget(newmnt); 272 + err = do_add_mount(newmnt, &nd->path, nd->path.mnt->mnt_flags | MNT_SHRINKABLE, mntlist); 273 switch (err) { 274 case 0: 275 path_put(&nd->path); ··· 371 if (IS_ERR(mnt)) 372 goto out_err; 373 374 rc = add_mount_helper(mnt, nd, &cifs_dfs_automount_list); 375 376 out:

+3 -1

fs/configfs/symlink.c

··· 121 ret = -ENOENT; 122 path_put(path); 123 } 124 - } else 125 ret = -EPERM; 126 } 127 128 return ret;

··· 121 ret = -ENOENT; 122 path_put(path); 123 } 124 + } else { 125 ret = -EPERM; 126 + path_put(path); 127 + } 128 } 129 130 return ret;

+12 -12

fs/ecryptfs/inode.c

··· 715 /* Released in ecryptfs_put_link(); only release here on error */ 716 buf = kmalloc(len, GFP_KERNEL); 717 if (!buf) { 718 - rc = -ENOMEM; 719 goto out; 720 } 721 old_fs = get_fs(); 722 set_fs(get_ds()); 723 rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len); 724 set_fs(old_fs); 725 - if (rc < 0) 726 - goto out_free; 727 - else 728 buf[rc] = '\0'; 729 - rc = 0; 730 - nd_set_link(nd, buf); 731 - goto out; 732 - out_free: 733 - kfree(buf); 734 out: 735 - return ERR_PTR(rc); 736 } 737 738 static void 739 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr) 740 { 741 - /* Free the char* */ 742 - kfree(nd_get_link(nd)); 743 } 744 745 /**

··· 715 /* Released in ecryptfs_put_link(); only release here on error */ 716 buf = kmalloc(len, GFP_KERNEL); 717 if (!buf) { 718 + buf = ERR_PTR(-ENOMEM); 719 goto out; 720 } 721 old_fs = get_fs(); 722 set_fs(get_ds()); 723 rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len); 724 set_fs(old_fs); 725 + if (rc < 0) { 726 + kfree(buf); 727 + buf = ERR_PTR(rc); 728 + } else 729 buf[rc] = '\0'; 730 out: 731 + nd_set_link(nd, buf); 732 + return NULL; 733 } 734 735 static void 736 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr) 737 { 738 + char *buf = nd_get_link(nd); 739 + if (!IS_ERR(buf)) { 740 + /* Free the char* */ 741 + kfree(buf); 742 + } 743 } 744 745 /**

+12 -6

fs/hppfs/hppfs.c

··· 646 static int hppfs_readlink(struct dentry *dentry, char __user *buffer, 647 int buflen) 648 { 649 - struct dentry *proc_dentry; 650 - 651 - proc_dentry = HPPFS_I(dentry->d_inode)->proc_dentry; 652 return proc_dentry->d_inode->i_op->readlink(proc_dentry, buffer, 653 buflen); 654 } 655 656 static void *hppfs_follow_link(struct dentry *dentry, struct nameidata *nd) 657 { 658 - struct dentry *proc_dentry; 659 - 660 - proc_dentry = HPPFS_I(dentry->d_inode)->proc_dentry; 661 662 return proc_dentry->d_inode->i_op->follow_link(proc_dentry, nd); 663 } 664 665 static const struct inode_operations hppfs_dir_iops = { ··· 674 static const struct inode_operations hppfs_link_iops = { 675 .readlink = hppfs_readlink, 676 .follow_link = hppfs_follow_link, 677 }; 678 679 static struct inode *get_inode(struct super_block *sb, struct dentry *dentry)

··· 646 static int hppfs_readlink(struct dentry *dentry, char __user *buffer, 647 int buflen) 648 { 649 + struct dentry *proc_dentry = HPPFS_I(dentry->d_inode)->proc_dentry; 650 return proc_dentry->d_inode->i_op->readlink(proc_dentry, buffer, 651 buflen); 652 } 653 654 static void *hppfs_follow_link(struct dentry *dentry, struct nameidata *nd) 655 { 656 + struct dentry *proc_dentry = HPPFS_I(dentry->d_inode)->proc_dentry; 657 658 return proc_dentry->d_inode->i_op->follow_link(proc_dentry, nd); 659 + } 660 + 661 + static void hppfs_put_link(struct dentry *dentry, struct nameidata *nd, 662 + void *cookie) 663 + { 664 + struct dentry *proc_dentry = HPPFS_I(dentry->d_inode)->proc_dentry; 665 + 666 + if (proc_dentry->d_inode->i_op->put_link) 667 + proc_dentry->d_inode->i_op->put_link(proc_dentry, nd, cookie); 668 } 669 670 static const struct inode_operations hppfs_dir_iops = { ··· 669 static const struct inode_operations hppfs_link_iops = { 670 .readlink = hppfs_readlink, 671 .follow_link = hppfs_follow_link, 672 + .put_link = hppfs_put_link, 673 }; 674 675 static struct inode *get_inode(struct super_block *sb, struct dentry *dentry)

+11 -12

fs/namei.c

··· 561 dget(dentry); 562 } 563 mntget(path->mnt); 564 cookie = dentry->d_inode->i_op->follow_link(dentry, nd); 565 error = PTR_ERR(cookie); 566 if (!IS_ERR(cookie)) { ··· 1604 struct file *filp; 1605 struct nameidata nd; 1606 int error; 1607 - struct path path, save; 1608 struct dentry *dir; 1609 int count = 0; 1610 int will_truncate; 1611 int flag = open_to_namei_flags(open_flag); 1612 1613 /* 1614 * O_SYNC is implemented as __O_SYNC|O_DSYNC. As many places only ··· 1621 open_flag |= O_DSYNC; 1622 1623 if (!acc_mode) 1624 - acc_mode = MAY_OPEN | ACC_MODE(flag); 1625 1626 /* O_TRUNC implies we need access checks for write permissions */ 1627 if (flag & O_TRUNC) ··· 1661 /* 1662 * Create - we need to know the parent. 1663 */ 1664 error = path_init(dfd, pathname, LOOKUP_PARENT, &nd); 1665 if (error) 1666 return ERR_PTR(error); 1667 error = path_walk(pathname, &nd); 1668 if (error) { 1669 if (nd.root.mnt) ··· 1858 error = security_inode_follow_link(path.dentry, &nd); 1859 if (error) 1860 goto exit_dput; 1861 - save = nd.path; 1862 - path_get(&save); 1863 error = __do_follow_link(&path, &nd); 1864 - if (error == -ESTALE) { 1865 - /* nd.path had been dropped */ 1866 - nd.path = save; 1867 - path_get(&nd.path); 1868 - nd.flags |= LOOKUP_REVAL; 1869 - error = __do_follow_link(&path, &nd); 1870 - } 1871 - path_put(&save); 1872 path_put(&path); 1873 if (error) { 1874 /* Does someone understand code flow here? Or it is only ··· 1868 release_open_intent(&nd); 1869 if (nd.root.mnt) 1870 path_put(&nd.root); 1871 return ERR_PTR(error); 1872 } 1873 nd.flags &= ~LOOKUP_PARENT;

··· 561 dget(dentry); 562 } 563 mntget(path->mnt); 564 + nd->last_type = LAST_BIND; 565 cookie = dentry->d_inode->i_op->follow_link(dentry, nd); 566 error = PTR_ERR(cookie); 567 if (!IS_ERR(cookie)) { ··· 1603 struct file *filp; 1604 struct nameidata nd; 1605 int error; 1606 + struct path path; 1607 struct dentry *dir; 1608 int count = 0; 1609 int will_truncate; 1610 int flag = open_to_namei_flags(open_flag); 1611 + int force_reval = 0; 1612 1613 /* 1614 * O_SYNC is implemented as __O_SYNC|O_DSYNC. As many places only ··· 1619 open_flag |= O_DSYNC; 1620 1621 if (!acc_mode) 1622 + acc_mode = MAY_OPEN | ACC_MODE(open_flag); 1623 1624 /* O_TRUNC implies we need access checks for write permissions */ 1625 if (flag & O_TRUNC) ··· 1659 /* 1660 * Create - we need to know the parent. 1661 */ 1662 + reval: 1663 error = path_init(dfd, pathname, LOOKUP_PARENT, &nd); 1664 if (error) 1665 return ERR_PTR(error); 1666 + if (force_reval) 1667 + nd.flags |= LOOKUP_REVAL; 1668 error = path_walk(pathname, &nd); 1669 if (error) { 1670 if (nd.root.mnt) ··· 1853 error = security_inode_follow_link(path.dentry, &nd); 1854 if (error) 1855 goto exit_dput; 1856 error = __do_follow_link(&path, &nd); 1857 path_put(&path); 1858 if (error) { 1859 /* Does someone understand code flow here? Or it is only ··· 1873 release_open_intent(&nd); 1874 if (nd.root.mnt) 1875 path_put(&nd.root); 1876 + if (error == -ESTALE && !force_reval) { 1877 + force_reval = 1; 1878 + goto reval; 1879 + } 1880 return ERR_PTR(error); 1881 } 1882 nd.flags &= ~LOOKUP_PARENT;

+11 -3

fs/namespace.c

··· 965 int may_umount(struct vfsmount *mnt) 966 { 967 int ret = 1; 968 spin_lock(&vfsmount_lock); 969 if (propagate_mount_busy(mnt, 2)) 970 ret = 0; 971 spin_unlock(&vfsmount_lock); 972 return ret; 973 } 974 ··· 1354 if (err) 1355 goto out_cleanup_ids; 1356 1357 if (IS_MNT_SHARED(dest_mnt)) { 1358 for (p = source_mnt; p; p = next_mnt(p, source_mnt)) 1359 set_mnt_shared(p); 1360 } 1361 - 1362 - spin_lock(&vfsmount_lock); 1363 if (parent_path) { 1364 detach_mnt(source_mnt, parent_path); 1365 attach_mnt(source_mnt, path); ··· 1536 err = change_mount_flags(path->mnt, flags); 1537 else 1538 err = do_remount_sb(sb, flags, data, 0); 1539 - if (!err) 1540 path->mnt->mnt_flags = mnt_flags; 1541 up_write(&sb->s_umount); 1542 if (!err) { 1543 security_sb_post_remount(path->mnt, flags, data); ··· 1670 int mnt_flags, struct list_head *fslist) 1671 { 1672 int err; 1673 1674 down_write(&namespace_sem); 1675 /* Something was mounted here while we slept */

··· 965 int may_umount(struct vfsmount *mnt) 966 { 967 int ret = 1; 968 + down_read(&namespace_sem); 969 spin_lock(&vfsmount_lock); 970 if (propagate_mount_busy(mnt, 2)) 971 ret = 0; 972 spin_unlock(&vfsmount_lock); 973 + up_read(&namespace_sem); 974 return ret; 975 } 976 ··· 1352 if (err) 1353 goto out_cleanup_ids; 1354 1355 + spin_lock(&vfsmount_lock); 1356 + 1357 if (IS_MNT_SHARED(dest_mnt)) { 1358 for (p = source_mnt; p; p = next_mnt(p, source_mnt)) 1359 set_mnt_shared(p); 1360 } 1361 if (parent_path) { 1362 detach_mnt(source_mnt, parent_path); 1363 attach_mnt(source_mnt, path); ··· 1534 err = change_mount_flags(path->mnt, flags); 1535 else 1536 err = do_remount_sb(sb, flags, data, 0); 1537 + if (!err) { 1538 + spin_lock(&vfsmount_lock); 1539 + mnt_flags |= path->mnt->mnt_flags & MNT_PNODE_MASK; 1540 path->mnt->mnt_flags = mnt_flags; 1541 + spin_unlock(&vfsmount_lock); 1542 + } 1543 up_write(&sb->s_umount); 1544 if (!err) { 1545 security_sb_post_remount(path->mnt, flags, data); ··· 1664 int mnt_flags, struct list_head *fslist) 1665 { 1666 int err; 1667 + 1668 + mnt_flags &= ~(MNT_SHARED | MNT_WRITE_HOLD); 1669 1670 down_write(&namespace_sem); 1671 /* Something was mounted here while we slept */

-1

fs/proc/base.c

··· 1419 goto out; 1420 1421 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); 1422 - nd->last_type = LAST_BIND; 1423 out: 1424 return ERR_PTR(error); 1425 }

··· 1419 goto out; 1420 1421 error = PROC_I(inode)->op.proc_get_link(inode, &nd->path); 1422 out: 1423 return ERR_PTR(error); 1424 }

+1 -1

include/linux/fs.h

··· 2463 2464 int __init get_filesystem_list(char *buf); 2465 2466 - #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) 2467 #define OPEN_FMODE(flag) ((__force fmode_t)((flag + 1) & O_ACCMODE)) 2468 2469 #endif /* __KERNEL__ */

··· 2463 2464 int __init get_filesystem_list(char *buf); 2465 2466 + #define ACC_MODE(x) ("\004\002\006\006"[(x)&O_ACCMODE]) 2467 #define OPEN_FMODE(flag) ((__force fmode_t)((flag + 1) & O_ACCMODE)) 2468 2469 #endif /* __KERNEL__ */

+1 -6

security/tomoyo/tomoyo.c

··· 80 return tomoyo_find_next_domain(bprm); 81 /* 82 * Read permission is checked against interpreters using next domain. 83 - * '1' is the result of open_to_namei_flags(O_RDONLY). 84 */ 85 - return tomoyo_check_open_permission(domain, &bprm->file->f_path, 1); 86 } 87 88 static int tomoyo_path_truncate(struct path *path, loff_t length, ··· 183 static int tomoyo_dentry_open(struct file *f, const struct cred *cred) 184 { 185 int flags = f->f_flags; 186 - 187 - if ((flags + 1) & O_ACCMODE) 188 - flags++; 189 - flags |= f->f_flags & (O_APPEND | O_TRUNC); 190 /* Don't check read permission here if called from do_execve(). */ 191 if (current->in_execve) 192 return 0;

··· 80 return tomoyo_find_next_domain(bprm); 81 /* 82 * Read permission is checked against interpreters using next domain. 83 */ 84 + return tomoyo_check_open_permission(domain, &bprm->file->f_path, O_RDONLY); 85 } 86 87 static int tomoyo_path_truncate(struct path *path, loff_t length, ··· 184 static int tomoyo_dentry_open(struct file *f, const struct cred *cred) 185 { 186 int flags = f->f_flags; 187 /* Don't check read permission here if called from do_execve(). */ 188 if (current->in_execve) 189 return 0;