										 |  |  | #include <linux/ceph/ceph_debug.h>
							|  |  |  | #include <linux/exportfs.h>
												include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files.  percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed.  Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability.  As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
  http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
  only the necessary includes are there.  ie. if only gfp is used,
  gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
  blocks and try to put the new include such that its order conforms
  to its surrounding.  It's put in the include block which contains
  core kernel includes, in the same order that the rest are ordered -
  alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
  doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
  because the file doesn't have fitting include block), it prints out
  an error message indicating which .h file needs to be added to the
  file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
   over 4000 files, deleting around 700 includes and adding ~480 gfp.h
   and ~3000 slab.h inclusions.  The script emitted errors for ~400
   files.
2. Each error was manually checked.  Some didn't need the inclusion,
   some needed manual addition while adding it to implementation .h or
   embedding .c file was more appropriate for others.  This step added
   inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
   from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
   e.g. lib/decompress_*.c used malloc/free() wrappers around slab
   APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
   editing them as sprinkling gfp.h and slab.h inclusions around .h
   files could easily lead to inclusion dependency hell.  Most gfp.h
   inclusion directives were ignored as stuff from gfp.h was usually
   wildly available and often used in preprocessor macros.  Each
   slab.h inclusion directive was examined and added manually as
   necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
   were fixed.  CONFIG_GCOV_KERNEL was turned off for all tests (as my
   distributed build env didn't work with gcov compiles) and a few
   more options had to be turned off depending on archs to make things
   build (like ipr on powerpc/64 which failed due to missing writeq).
   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
   * powerpc and powerpc64 SMP allmodconfig
   * sparc and sparc64 SMP allmodconfig
   * ia64 SMP allmodconfig
   * s390 SMP allmodconfig
   * alpha SMP allmodconfig
   * um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
   a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
											
										 
										 |  |  | #include <linux/slab.h>
										 |  |  | #include <asm/unaligned.h>
							|  |  |  | #include "super.h"
										 |  |  | #include "mds_client.h"
							|  |  |  | /*
							|  |  |  |  * NFS export support | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * NFS re-export of a ceph mount is, at present, only semireliable. | 
					
						
 * The basic issue is that the Ceph architecture doesn't lend itself
					
						
							|  |  |  |  * well to generating filehandles that will remain valid forever. | 
					
						
							|  |  |  |  * | 
					
						
							|  |  |  |  * So, we do our best.  If you're lucky, your inode will be in the | 
					
						
							|  |  |  |  * client's cache.  If it's not, and you have a connectable fh, then | 
					
						
							|  |  |  |  * the MDS server may be able to find it for you.  Otherwise, you get | 
					
						
							|  |  |  |  * ESTALE. | 
					
						
							|  |  |  |  * | 
					
						
 * There are ways to make this more reliable, but in the non-connectable fh
					
						
 * case, we won't ever work perfectly, and in the connectable case,
					
						
							|  |  |  |  * some changes are needed on the MDS side to work better. | 
					
						
							|  |  |  |  */ | 
					
						
					
						
/*
 * Basic fh: just the inode number.
 *
 * This is the raw layout that ceph_encode_fh() writes into nfsd's
 * handle buffer (type 1) and that __fh_to_dentry() reads back, so it
 * is packed and sized in 32-bit words by the callers (sizeof/4).
 */
struct ceph_nfs_fh {
	u64 ino;	/* ceph inode number; the snap is implicitly CEPH_NOSNAP */
} __attribute__ ((packed));
					
						
					
						
/*
 * Larger 'connectable' fh that includes parent ino and name hash.
 * Use this whenever possible, as it works more reliably: when the
 * inode is not in the client's cache, __cfh_to_dentry() can hand
 * parent_ino + parent_name_hash to the MDS (LOOKUPHASH) to find it.
 *
 * Written by ceph_encode_fh() as type 2; packed because it is copied
 * verbatim into nfsd's handle buffer.
 */
struct ceph_nfs_confh {
	u64 ino, parent_ino;	/* child and parent ceph inode numbers */
	u32 parent_name_hash;	/* ceph_dentry_hash() of the child's name in the parent */
} __attribute__ ((packed));
					
						
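/*
 * Encode an NFS file handle for @inode into @rawfh.
 *
 * The presence of @parent_inode here tells us whether NFS wants a
 * connectable file handle.  However, we want to make a connectable
 * file handle unconditionally so that the MDS gets as much of a hint
 * as possible.  That means we only use @parent_inode to indicate
 * whether nfsd wants a connectable fh, and whether we should indicate
 * failure from a too-small @max_len.
 *
 * @inode: inode to encode
 * @rawfh: handle buffer, at least *@max_len 32-bit words long
 * @max_len: in: size of @rawfh in 32-bit words; out: words actually
 *           used, or the size that would have been needed when the
 *           buffer was too small
 * @parent_inode: non-NULL when nfsd asked for a connectable handle
 *
 * Returns the handle type: 1 for a struct ceph_nfs_fh, 2 for a
 * struct ceph_nfs_confh, 255 when the buffer was too small for what
 * was requested (nothing is written in that case), or -EINVAL for a
 * snapshot inode, which is never exported.
 */
static int ceph_encode_fh(struct inode *inode, u32 *rawfh, int *max_len,
			  struct inode *parent_inode)
{
	int type;
	struct ceph_nfs_fh *fh = (void *)rawfh;
	struct ceph_nfs_confh *cfh = (void *)rawfh;
	/* exportfs counts handle sizes in 32-bit words */
	int connected_handle_length = sizeof(*cfh)/4;
	int handle_length = sizeof(*fh)/4;
	struct dentry *dentry;
	struct dentry *parent;

	/* don't re-export snaps */
	if (ceph_snap(inode) != CEPH_NOSNAP)
		return -EINVAL;

	/*
	 * Look for an alias only after the snap check: d_find_alias()
	 * returns a referenced dentry, and taking it before the early
	 * return above leaked that reference for every snapshot inode.
	 */
	dentry = d_find_alias(inode);

	/* if we found an alias, generate a connectable fh */
	if (*max_len >= connected_handle_length && dentry) {
		dout("encode_fh %p connectable\n", dentry);
		/* d_lock keeps d_parent stable while we read through it */
		spin_lock(&dentry->d_lock);
		parent = dentry->d_parent;
		cfh->ino = ceph_ino(inode);
		cfh->parent_ino = ceph_ino(parent->d_inode);
		cfh->parent_name_hash = ceph_dentry_hash(parent->d_inode,
							 dentry);
		*max_len = connected_handle_length;
		type = 2;
		spin_unlock(&dentry->d_lock);
	} else if (*max_len >= handle_length) {
		if (parent_inode) {
			/*
			 * nfsd wants connectable, but either the buffer is
			 * too small for one or we have no alias to derive
			 * the parent from: report the size we would need.
			 */
			*max_len = connected_handle_length;
			type = 255;
		} else {
			dout("encode_fh %p\n", dentry);
			fh->ino = ceph_ino(inode);
			*max_len = handle_length;
			type = 1;
		}
	} else {
		/* not even room for the basic fh */
		*max_len = handle_length;
		type = 255;
	}
	if (dentry)
		dput(dentry);
	return type;
}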
					
						
					
						
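/*
 * convert regular fh to dentry
 *
 * Try the local inode cache first; if the inode is not cached, ask the
 * MDS for it by inode number (LOOKUPINO).  (The old FIXME about querying
 * the mds for the ino is therefore obsolete.)
 *
 * @sb: ceph superblock
 * @fh: handle as written by ceph_encode_fh(); it is only read once
 *      @fh_len shows the whole struct is present in the caller's buffer
 * @fh_len: handle length in 32-bit words, as passed in by exportfs
 *
 * Returns a dentry that owns a reference to the inode, or ERR_PTR():
 * -ESTALE for a truncated handle or an inode that cannot be found,
 * otherwise the error from ceph_mdsc_create_request(), d_obtain_alias()
 * or ceph_init_dentry().
 */
static struct dentry *__fh_to_dentry(struct super_block *sb,
				     struct ceph_nfs_fh *fh, int fh_len)
{
	struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc;
	struct inode *inode;
	struct dentry *dentry;
	struct ceph_vino vino;
	int err;

	/* the handle buffer may be shorter than a full fh: check before reading it */
	if (fh_len < sizeof(*fh) / 4)
		return ERR_PTR(-ESTALE);

	dout("__fh_to_dentry %llx\n", fh->ino);
	vino.ino = fh->ino;
	vino.snap = CEPH_NOSNAP;
	inode = ceph_find_inode(sb, vino);
	if (!inode) {
		struct ceph_mds_request *req;

		req = ceph_mdsc_create_request(mdsc, CEPH_MDS_OP_LOOKUPINO,
					       USE_ANY_MDS);
		if (IS_ERR(req))
			return ERR_CAST(req);

		req->r_ino1 = vino;
		req->r_num_caps = 1;
		err = ceph_mdsc_do_request(mdsc, NULL, req);
		/* take our own reference before the request releases its own */
		inode = req->r_target_inode;
		if (inode)
			ihold(inode);
		ceph_mdsc_put_request(req);
		/*
		 * A failed lookup is reported as a stale handle regardless
		 * of err; __cfh_to_dentry() propagates err instead.
		 * NOTE(review): confirm which of the two is intended.
		 */
		if (!inode)
			return ERR_PTR(-ESTALE);
	}

	/*
	 * d_obtain_alias() takes over our inode reference: on success the
	 * dentry owns it, on failure it has already been dropped, so the
	 * old iput() here released the inode one time too many.
	 */
	dentry = d_obtain_alias(inode);
	if (IS_ERR(dentry)) {
		pr_err("fh_to_dentry %llx -- inode %p but ENOMEM\n",
		       fh->ino, inode);
		return dentry;
	}
	err = ceph_init_dentry(dentry);
	if (err < 0) {
		/* the dentry holds the inode reference now; drop both via dput */
		dput(dentry);
		return ERR_PTR(err);
	}
	dout("__fh_to_dentry %llx %p dentry %p\n", fh->ino, inode, dentry);
	return dentry;
}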
					
						
					
						
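/*
 * convert connectable fh to dentry
 *
 * Like __fh_to_dentry(), but when the inode is not cached the MDS is
 * asked to find it by parent inode number and name hash (LOOKUPHASH),
 * which is why the connectable handle is preferred.
 *
 * @sb: ceph superblock
 * @cfh: handle as written by ceph_encode_fh(); only read once @fh_len
 *       shows the whole struct is present in the caller's buffer
 * @fh_len: handle length in 32-bit words, as passed in by exportfs
 *
 * Returns a dentry that owns a reference to the inode, or ERR_PTR():
 * -ESTALE for a truncated handle, -ENOMEM if the request could not be
 * built, the MDS request error (or -ESTALE) when the inode cannot be
 * found, otherwise the error from d_obtain_alias() or ceph_init_dentry().
 */
static struct dentry *__cfh_to_dentry(struct super_block *sb,
				      struct ceph_nfs_confh *cfh, int fh_len)
{
	struct ceph_mds_client *mdsc = ceph_sb_to_client(sb)->mdsc;
	struct inode *inode;
	struct dentry *dentry;
	struct ceph_vino vino;
	int err;

	/* the handle buffer may be shorter than a full cfh: check before reading it */
	if (fh_len < sizeof(*cfh) / 4)
		return ERR_PTR(-ESTALE);

	dout("__cfh_to_dentry %llx (%llx/%x)\n",
	     cfh->ino, cfh->parent_ino, cfh->parent_name_hash);

	vino.ino = cfh->ino;
	vino.snap = CEPH_NOSNAP;
	inode = ceph_find_inode(sb, vino);
	if (!inode) {
		struct ceph_mds_request *req;

		req = ceph_mdsc_create_request(mdsc, CEPH_MDS_OP_LOOKUPHASH,
					       USE_ANY_MDS);
		if (IS_ERR(req))
			return ERR_CAST(req);

		req->r_ino1 = vino;
		req->r_ino2.ino = cfh->parent_ino;
		req->r_ino2.snap = CEPH_NOSNAP;
		/* the name hash travels to the MDS as a decimal string in r_path2 */
		req->r_path2 = kmalloc(16, GFP_NOFS);
		if (!req->r_path2) {
			/* snprintf() into a NULL buffer was an oops under memory pressure */
			ceph_mdsc_put_request(req);
			return ERR_PTR(-ENOMEM);
		}
		/*
		 * NOTE(review): %d renders hashes >= 2^31 as negative numbers;
		 * changing the format changes the string the MDS receives, so
		 * confirm with the MDS side before touching it.
		 */
		snprintf(req->r_path2, 16, "%d", cfh->parent_name_hash);
		req->r_num_caps = 1;
		err = ceph_mdsc_do_request(mdsc, NULL, req);
		/* take our own reference before the request releases its own */
		inode = req->r_target_inode;
		if (inode)
			ihold(inode);
		ceph_mdsc_put_request(req);
		if (!inode)
			return ERR_PTR(err ? err : -ESTALE);
	}

	/*
	 * d_obtain_alias() takes over our inode reference: on success the
	 * dentry owns it, on failure it has already been dropped, so the
	 * old iput() here released the inode one time too many.
	 */
	dentry = d_obtain_alias(inode);
	if (IS_ERR(dentry)) {
		pr_err("cfh_to_dentry %llx -- inode %p but ENOMEM\n",
		       cfh->ino, inode);
		return dentry;
	}
	err = ceph_init_dentry(dentry);
	if (err < 0) {
		/* the dentry holds the inode reference now; drop both via dput */
		dput(dentry);
		return ERR_PTR(err);
	}
	dout("__cfh_to_dentry %llx %p dentry %p\n", cfh->ino, inode, dentry);
	return dentry;
}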
					
						
					
						
/*
 * exportfs entry point: decode a handle of the type ceph_encode_fh()
 * produced.  Type 1 is the basic fh; any other type is treated as a
 * connectable fh.  Both helpers validate @fh_len themselves before
 * they read anything from @fid->raw.
 */
static struct dentry *ceph_fh_to_dentry(struct super_block *sb, struct fid *fid,
					int fh_len, int fh_type)
{
	struct dentry *result;

	switch (fh_type) {
	case 1:
		result = __fh_to_dentry(sb, (struct ceph_nfs_fh *)fid->raw,
					fh_len);
		break;
	default:
		result = __cfh_to_dentry(sb, (struct ceph_nfs_confh *)fid->raw,
					 fh_len);
		break;
	}
	return result;
}
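/*
 * Resolve a "connectable" file handle (fh_type 2, struct ceph_nfs_confh)
 * to the parent directory it records, if that parent is in our inode
 * cache.
 *
 * The handle carries both the object's own inode number (ino) and its
 * parent's (parent_ino).  exportfs calls fh_to_parent when it needs the
 * parent to reconnect the object's dentry into the tree, so it is the
 * parent that must be looked up here -- returning the object itself would
 * hand the VFS a "parent" that is really the child.
 *
 * FIXME: we could do better by querying the mds to discover the
 * parent (the parent_ino recorded in the handle may be stale, e.g.
 * after a rename, in which case we return -ESTALE).
 *
 * @sb:      superblock the handle belongs to
 * @fid:     raw handle from the caller (NFS server or open_by_handle_at());
 *           untrusted, and possibly shorter than a ceph_nfs_confh
 * @fh_len:  length of @fid->raw in 32-bit words
 * @fh_type: handle type as written by ceph_encode_fh()
 *
 * Returns the parent dentry, or ERR_PTR():
 *   -ESTALE  for a non-connectable handle (fh_type 1), a handle too short
 *            to hold a ceph_nfs_confh, or a parent inode we do not have
 *            cached;
 *   other negative errnos propagated from d_obtain_alias() or
 *            ceph_init_dentry().
 */
static struct dentry *ceph_fh_to_parent(struct super_block *sb,
					 struct fid *fid,
					int fh_len, int fh_type)
{
	struct ceph_nfs_confh *cfh = (void *)fid->raw;
	struct ceph_vino vino;
	struct inode *inode;
	struct dentry *dentry;
	int err;

	/* A plain (non-connectable) handle carries no parent information. */
	if (fh_type == 1)
		return ERR_PTR(-ESTALE);

	/*
	 * The handle buffer is caller-supplied (for open_by_handle_at() it is
	 * kmalloc'ed from a userspace-chosen length) and may be shorter than
	 * a ceph_nfs_confh.  Validate the length before touching any field
	 * of *cfh so a short handle cannot read past the end of the buffer.
	 */
	if (fh_len < sizeof(*cfh) / 4)
		return ERR_PTR(-ESTALE);

	pr_debug("fh_to_parent %llx/%d\n", cfh->parent_ino,
		 cfh->parent_name_hash);

	/*
	 * Look up the parent recorded in the handle, not cfh->ino: this is
	 * fh_to_parent, and cfh->ino is the object whose parent is wanted.
	 */
	vino.ino = cfh->parent_ino;
	vino.snap = CEPH_NOSNAP;
	inode = ceph_find_inode(sb, vino);
	if (!inode)
		return ERR_PTR(-ESTALE);

	/*
	 * d_obtain_alias() takes over the inode reference returned by
	 * ceph_find_inode() in both the success and the failure case, so
	 * nothing is left for us to iput() when it fails.
	 */
	dentry = d_obtain_alias(inode);
	if (IS_ERR(dentry)) {
		pr_err("fh_to_parent %llx -- inode %p but ENOMEM\n",
		       cfh->parent_ino, inode);
		return dentry;
	}
	err = ceph_init_dentry(dentry);
	if (err < 0) {
		/*
		 * The dentry now owns the inode reference; dropping the
		 * dentry releases it.  An iput() here instead would leak the
		 * dentry and put the inode one time too many.
		 */
		dput(dentry);
		return ERR_PTR(err);
	}
	dout("fh_to_parent %llx %p dentry %p\n", cfh->parent_ino, inode,
	     dentry);
	return dentry;
}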
/*
 * Export hooks used by exportfs (NFS serving and open_by_handle_at()).
 * encode_fh writes a file handle for an inode; fh_to_dentry turns a
 * handle back into the object it names; fh_to_parent turns a connectable
 * handle into the object's parent directory.  All decoders receive a
 * caller-supplied handle whose length (fh_len) must be checked before
 * any field of the handle is read.
 */
const struct export_operations ceph_export_ops = {
	.encode_fh = ceph_encode_fh,
	.fh_to_dentry = ceph_fh_to_dentry,
	.fh_to_parent = ceph_fh_to_parent,
};