2005-12-16 01:29:43 +03:00
|
|
|
/* -*- mode: c; c-basic-offset: 8; -*-
|
|
|
|
* vim: noexpandtab sw=8 ts=8 sts=0:
|
|
|
|
*
|
|
|
|
* symlink.c - operations for configfs symlinks.
|
|
|
|
*
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public
|
|
|
|
* License as published by the Free Software Foundation; either
|
|
|
|
* version 2 of the License, or (at your option) any later version.
|
|
|
|
*
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
* General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public
|
|
|
|
* License along with this program; if not, write to the
|
|
|
|
* Free Software Foundation, Inc., 59 Temple Place - Suite 330,
|
|
|
|
* Boston, MA 021110-1307, USA.
|
|
|
|
*
|
|
|
|
* Based on sysfs:
|
|
|
|
* sysfs is Copyright (C) 2001, 2002, 2003 Patrick Mochel
|
|
|
|
*
|
|
|
|
* configfs Copyright (C) 2005 Oracle. All rights reserved.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/namei.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 11:04:11 +03:00
|
|
|
#include <linux/slab.h>
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
#include <linux/configfs.h>
|
|
|
|
#include "configfs_internal.h"
|
|
|
|
|
2008-06-20 16:09:22 +04:00
|
|
|
/* Protects attachments of new symlinks */
|
|
|
|
DEFINE_MUTEX(configfs_symlink_mutex);
|
|
|
|
|
2005-12-16 01:29:43 +03:00
|
|
|
static int item_depth(struct config_item * item)
|
|
|
|
{
|
|
|
|
struct config_item * p = item;
|
|
|
|
int depth = 0;
|
|
|
|
do { depth++; } while ((p = p->ci_parent) && !configfs_is_root(p));
|
|
|
|
return depth;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int item_path_length(struct config_item * item)
|
|
|
|
{
|
|
|
|
struct config_item * p = item;
|
|
|
|
int length = 1;
|
|
|
|
do {
|
|
|
|
length += strlen(config_item_name(p)) + 1;
|
|
|
|
p = p->ci_parent;
|
|
|
|
} while (p && !configfs_is_root(p));
|
|
|
|
return length;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void fill_item_path(struct config_item * item, char * buffer, int length)
|
|
|
|
{
|
|
|
|
struct config_item * p;
|
|
|
|
|
|
|
|
--length;
|
|
|
|
for (p = item; p && !configfs_is_root(p); p = p->ci_parent) {
|
|
|
|
int cur = strlen(config_item_name(p));
|
|
|
|
|
|
|
|
/* back up enough to print this bus id with '/' */
|
|
|
|
length -= cur;
|
2018-07-01 23:56:54 +03:00
|
|
|
memcpy(buffer + length, config_item_name(p), cur);
|
2005-12-16 01:29:43 +03:00
|
|
|
*(buffer + --length) = '/';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
static int create_link(struct config_item *parent_item,
|
2006-03-10 22:42:30 +03:00
|
|
|
struct config_item *item,
|
2005-12-16 01:29:43 +03:00
|
|
|
struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct configfs_dirent *target_sd = item->ci_dentry->d_fsdata;
|
|
|
|
struct configfs_symlink *sl;
|
|
|
|
int ret;
|
|
|
|
|
[PATCH] configfs: Prevent userspace from creating new entries under attaching directories
process 1: process 2:
configfs_mkdir("A")
attach_group("A")
attach_item("A")
d_instantiate("A")
populate_groups("A")
mutex_lock("A")
attach_group("A/B")
attach_item("A")
d_instantiate("A/B")
mkdir("A/B/C")
do_path_lookup("A/B/C", LOOKUP_PARENT)
ok
lookup_create("A/B/C")
mutex_lock("A/B")
ok
configfs_mkdir("A/B/C")
ok
attach_group("A/C")
attach_item("A/C")
d_instantiate("A/C")
populate_groups("A/C")
mutex_lock("A/C")
attach_group("A/C/D")
attach_item("A/C/D")
failure
mutex_unlock("A/C")
detach_groups("A/C")
nothing to do
mkdir("A/C/E")
do_path_lookup("A/C/E", LOOKUP_PARENT)
ok
lookup_create("A/C/E")
mutex_lock("A/C")
ok
configfs_mkdir("A/C/E")
ok
detach_item("A/C")
d_delete("A/C")
mutex_unlock("A")
detach_groups("A")
mutex_lock("A/B")
detach_group("A/B")
detach_groups("A/B")
nothing since no _default_ group
detach_item("A/B")
mutex_unlock("A/B")
d_delete("A/B")
detach_item("A")
d_delete("A")
Two bugs:
1/ "A/B/C" and "A/C/E" are created, but never removed while their parent are
removed in the end. The same could happen with symlink() instead of mkdir().
2/ "A" and "A/C" inodes are not locked while detach_item() is called on them,
which may probably confuse VFS.
This commit fixes 1/, tagging new directories with CONFIGFS_USET_CREATING before
building the inode and instantiating the dentry, and validating the whole
group+default groups hierarchy in a second pass by clearing
CONFIGFS_USET_CREATING.
mkdir(), symlink(), lookup(), and dir_open() simply return -ENOENT if
called in (or linking to) a directory tagged with CONFIGFS_USET_CREATING. This
does not prevent userspace from calling stat() successfuly on such directories,
but this prevents userspace from adding (children to | symlinking from/to |
read/write attributes of | listing the contents of) not validated items. In
other words, userspace will not interact with the subsystem on a new item until
the new item creation completes correctly.
It was first proposed to re-use CONFIGFS_USET_IN_MKDIR instead of a new
flag CONFIGFS_USET_CREATING, but this generated conflicts when checking the
target of a new symlink: a valid target directory in the middle of attaching
a new user-created child item could be wrongly detected as being attached.
2/ is fixed by next commit.
Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Mark Fasheh <mfasheh@suse.com>
2008-07-04 18:56:05 +04:00
|
|
|
ret = -ENOENT;
|
|
|
|
if (!configfs_dirent_is_ready(target_sd))
|
|
|
|
goto out;
|
2005-12-16 01:29:43 +03:00
|
|
|
ret = -ENOMEM;
|
|
|
|
sl = kmalloc(sizeof(struct configfs_symlink), GFP_KERNEL);
|
|
|
|
if (sl) {
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_lock(&configfs_dirent_lock);
|
2008-06-23 16:16:17 +04:00
|
|
|
if (target_sd->s_type & CONFIGFS_USET_DROPPING) {
|
|
|
|
spin_unlock(&configfs_dirent_lock);
|
|
|
|
kfree(sl);
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
configfs: Fix race between create_link and configfs_rmdir
This patch closes a long standing race in configfs between
the creation of a new symlink in create_link(), while the
symlink target's config_item is being concurrently removed
via configfs_rmdir().
This can happen because the symlink target's reference
is obtained by config_item_get() in create_link() before
the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep()
during configfs_rmdir() shutdown is actually checked..
This originally manifested itself on ppc64 on v4.8.y under
heavy load using ibmvscsi target ports with Novalink API:
[ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added
[ 7879.893760] ------------[ cut here ]------------
[ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs]
[ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12
[ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000
[ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870
[ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22)
[ 7879.893815] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28222242 XER: 00000000
[ 7879.893820] CFAR: d000000002c664bc SOFTE: 1
GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820
GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000
GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80
GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40
GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940
GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000
GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490
GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940
[ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs]
[ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
[ 7879.893842] Call Trace:
[ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
[ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460
[ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490
[ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170
[ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390
[ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec
[ 7879.893856] Instruction dump:
[ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000
[ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000
[ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]---
To close this race, go ahead and obtain the symlink's target
config_item reference only after the existing CONFIGFS_USET_DROPPING
check succeeds.
This way, if configfs_rmdir() wins create_link() will return -ENONET,
and if create_link() wins configfs_rmdir() will return -EBUSY.
Reported-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Tested-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Cc: stable@vger.kernel.org
2017-06-08 07:51:54 +03:00
|
|
|
sl->sl_target = config_item_get(item);
|
2005-12-16 01:29:43 +03:00
|
|
|
list_add(&sl->sl_list, &target_sd->s_links);
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_unlock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
ret = configfs_create_link(sl, parent_item->ci_dentry,
|
|
|
|
dentry);
|
|
|
|
if (ret) {
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_lock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
list_del_init(&sl->sl_list);
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_unlock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
config_item_put(item);
|
|
|
|
kfree(sl);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
[PATCH] configfs: Prevent userspace from creating new entries under attaching directories
process 1: process 2:
configfs_mkdir("A")
attach_group("A")
attach_item("A")
d_instantiate("A")
populate_groups("A")
mutex_lock("A")
attach_group("A/B")
attach_item("A")
d_instantiate("A/B")
mkdir("A/B/C")
do_path_lookup("A/B/C", LOOKUP_PARENT)
ok
lookup_create("A/B/C")
mutex_lock("A/B")
ok
configfs_mkdir("A/B/C")
ok
attach_group("A/C")
attach_item("A/C")
d_instantiate("A/C")
populate_groups("A/C")
mutex_lock("A/C")
attach_group("A/C/D")
attach_item("A/C/D")
failure
mutex_unlock("A/C")
detach_groups("A/C")
nothing to do
mkdir("A/C/E")
do_path_lookup("A/C/E", LOOKUP_PARENT)
ok
lookup_create("A/C/E")
mutex_lock("A/C")
ok
configfs_mkdir("A/C/E")
ok
detach_item("A/C")
d_delete("A/C")
mutex_unlock("A")
detach_groups("A")
mutex_lock("A/B")
detach_group("A/B")
detach_groups("A/B")
nothing since no _default_ group
detach_item("A/B")
mutex_unlock("A/B")
d_delete("A/B")
detach_item("A")
d_delete("A")
Two bugs:
1/ "A/B/C" and "A/C/E" are created, but never removed while their parent are
removed in the end. The same could happen with symlink() instead of mkdir().
2/ "A" and "A/C" inodes are not locked while detach_item() is called on them,
which may probably confuse VFS.
This commit fixes 1/, tagging new directories with CONFIGFS_USET_CREATING before
building the inode and instantiating the dentry, and validating the whole
group+default groups hierarchy in a second pass by clearing
CONFIGFS_USET_CREATING.
mkdir(), symlink(), lookup(), and dir_open() simply return -ENOENT if
called in (or linking to) a directory tagged with CONFIGFS_USET_CREATING. This
does not prevent userspace from calling stat() successfuly on such directories,
but this prevents userspace from adding (children to | symlinking from/to |
read/write attributes of | listing the contents of) not validated items. In
other words, userspace will not interact with the subsystem on a new item until
the new item creation completes correctly.
It was first proposed to re-use CONFIGFS_USET_IN_MKDIR instead of a new
flag CONFIGFS_USET_CREATING, but this generated conflicts when checking the
target of a new symlink: a valid target directory in the middle of attaching
a new user-created child item could be wrongly detected as being attached.
2/ is fixed by next commit.
Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Mark Fasheh <mfasheh@suse.com>
2008-07-04 18:56:05 +04:00
|
|
|
out:
|
2005-12-16 01:29:43 +03:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2008-08-02 09:04:36 +04:00
|
|
|
static int get_target(const char *symname, struct path *path,
|
2012-03-18 00:24:54 +04:00
|
|
|
struct config_item **target, struct super_block *sb)
|
2005-12-16 01:29:43 +03:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
2008-08-02 09:04:36 +04:00
|
|
|
ret = kern_path(symname, LOOKUP_FOLLOW|LOOKUP_DIRECTORY, path);
|
2005-12-16 01:29:43 +03:00
|
|
|
if (!ret) {
|
2012-03-18 00:24:54 +04:00
|
|
|
if (path->dentry->d_sb == sb) {
|
2008-08-02 09:04:36 +04:00
|
|
|
*target = configfs_get_config_item(path->dentry);
|
2005-12-16 01:29:43 +03:00
|
|
|
if (!*target) {
|
|
|
|
ret = -ENOENT;
|
2008-08-02 09:04:36 +04:00
|
|
|
path_put(path);
|
2005-12-16 01:29:43 +03:00
|
|
|
}
|
2010-01-14 06:10:57 +03:00
|
|
|
} else {
|
2005-12-16 01:29:43 +03:00
|
|
|
ret = -EPERM;
|
2010-01-14 06:10:57 +03:00
|
|
|
path_put(path);
|
|
|
|
}
|
2005-12-16 01:29:43 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
int configfs_symlink(struct inode *dir, struct dentry *dentry, const char *symname)
|
|
|
|
{
|
|
|
|
int ret;
|
2008-08-02 09:04:36 +04:00
|
|
|
struct path path;
|
[PATCH] configfs: Prevent userspace from creating new entries under attaching directories
process 1: process 2:
configfs_mkdir("A")
attach_group("A")
attach_item("A")
d_instantiate("A")
populate_groups("A")
mutex_lock("A")
attach_group("A/B")
attach_item("A")
d_instantiate("A/B")
mkdir("A/B/C")
do_path_lookup("A/B/C", LOOKUP_PARENT)
ok
lookup_create("A/B/C")
mutex_lock("A/B")
ok
configfs_mkdir("A/B/C")
ok
attach_group("A/C")
attach_item("A/C")
d_instantiate("A/C")
populate_groups("A/C")
mutex_lock("A/C")
attach_group("A/C/D")
attach_item("A/C/D")
failure
mutex_unlock("A/C")
detach_groups("A/C")
nothing to do
mkdir("A/C/E")
do_path_lookup("A/C/E", LOOKUP_PARENT)
ok
lookup_create("A/C/E")
mutex_lock("A/C")
ok
configfs_mkdir("A/C/E")
ok
detach_item("A/C")
d_delete("A/C")
mutex_unlock("A")
detach_groups("A")
mutex_lock("A/B")
detach_group("A/B")
detach_groups("A/B")
nothing since no _default_ group
detach_item("A/B")
mutex_unlock("A/B")
d_delete("A/B")
detach_item("A")
d_delete("A")
Two bugs:
1/ "A/B/C" and "A/C/E" are created, but never removed while their parent are
removed in the end. The same could happen with symlink() instead of mkdir().
2/ "A" and "A/C" inodes are not locked while detach_item() is called on them,
which may probably confuse VFS.
This commit fixes 1/, tagging new directories with CONFIGFS_USET_CREATING before
building the inode and instantiating the dentry, and validating the whole
group+default groups hierarchy in a second pass by clearing
CONFIGFS_USET_CREATING.
mkdir(), symlink(), lookup(), and dir_open() simply return -ENOENT if
called in (or linking to) a directory tagged with CONFIGFS_USET_CREATING. This
does not prevent userspace from calling stat() successfuly on such directories,
but this prevents userspace from adding (children to | symlinking from/to |
read/write attributes of | listing the contents of) not validated items. In
other words, userspace will not interact with the subsystem on a new item until
the new item creation completes correctly.
It was first proposed to re-use CONFIGFS_USET_IN_MKDIR instead of a new
flag CONFIGFS_USET_CREATING, but this generated conflicts when checking the
target of a new symlink: a valid target directory in the middle of attaching
a new user-created child item could be wrongly detected as being attached.
2/ is fixed by next commit.
Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Mark Fasheh <mfasheh@suse.com>
2008-07-04 18:56:05 +04:00
|
|
|
struct configfs_dirent *sd;
|
2005-12-16 01:29:43 +03:00
|
|
|
struct config_item *parent_item;
|
2009-04-18 23:40:03 +04:00
|
|
|
struct config_item *target_item = NULL;
|
2017-10-16 18:18:40 +03:00
|
|
|
const struct config_item_type *type;
|
2005-12-16 01:29:43 +03:00
|
|
|
|
[PATCH] configfs: Prevent userspace from creating new entries under attaching directories
process 1: process 2:
configfs_mkdir("A")
attach_group("A")
attach_item("A")
d_instantiate("A")
populate_groups("A")
mutex_lock("A")
attach_group("A/B")
attach_item("A")
d_instantiate("A/B")
mkdir("A/B/C")
do_path_lookup("A/B/C", LOOKUP_PARENT)
ok
lookup_create("A/B/C")
mutex_lock("A/B")
ok
configfs_mkdir("A/B/C")
ok
attach_group("A/C")
attach_item("A/C")
d_instantiate("A/C")
populate_groups("A/C")
mutex_lock("A/C")
attach_group("A/C/D")
attach_item("A/C/D")
failure
mutex_unlock("A/C")
detach_groups("A/C")
nothing to do
mkdir("A/C/E")
do_path_lookup("A/C/E", LOOKUP_PARENT)
ok
lookup_create("A/C/E")
mutex_lock("A/C")
ok
configfs_mkdir("A/C/E")
ok
detach_item("A/C")
d_delete("A/C")
mutex_unlock("A")
detach_groups("A")
mutex_lock("A/B")
detach_group("A/B")
detach_groups("A/B")
nothing since no _default_ group
detach_item("A/B")
mutex_unlock("A/B")
d_delete("A/B")
detach_item("A")
d_delete("A")
Two bugs:
1/ "A/B/C" and "A/C/E" are created, but never removed while their parent are
removed in the end. The same could happen with symlink() instead of mkdir().
2/ "A" and "A/C" inodes are not locked while detach_item() is called on them,
which may probably confuse VFS.
This commit fixes 1/, tagging new directories with CONFIGFS_USET_CREATING before
building the inode and instantiating the dentry, and validating the whole
group+default groups hierarchy in a second pass by clearing
CONFIGFS_USET_CREATING.
mkdir(), symlink(), lookup(), and dir_open() simply return -ENOENT if
called in (or linking to) a directory tagged with CONFIGFS_USET_CREATING. This
does not prevent userspace from calling stat() successfuly on such directories,
but this prevents userspace from adding (children to | symlinking from/to |
read/write attributes of | listing the contents of) not validated items. In
other words, userspace will not interact with the subsystem on a new item until
the new item creation completes correctly.
It was first proposed to re-use CONFIGFS_USET_IN_MKDIR instead of a new
flag CONFIGFS_USET_CREATING, but this generated conflicts when checking the
target of a new symlink: a valid target directory in the middle of attaching
a new user-created child item could be wrongly detected as being attached.
2/ is fixed by next commit.
Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Mark Fasheh <mfasheh@suse.com>
2008-07-04 18:56:05 +04:00
|
|
|
sd = dentry->d_parent->d_fsdata;
|
|
|
|
/*
|
|
|
|
* Fake invisibility if dir belongs to a group/default groups hierarchy
|
|
|
|
* being attached
|
|
|
|
*/
|
|
|
|
ret = -ENOENT;
|
|
|
|
if (!configfs_dirent_is_ready(sd))
|
|
|
|
goto out;
|
|
|
|
|
2005-12-16 01:29:43 +03:00
|
|
|
parent_item = configfs_get_config_item(dentry->d_parent);
|
|
|
|
type = parent_item->ci_type;
|
|
|
|
|
[PATCH] configfs: Prevent userspace from creating new entries under attaching directories
process 1: process 2:
configfs_mkdir("A")
attach_group("A")
attach_item("A")
d_instantiate("A")
populate_groups("A")
mutex_lock("A")
attach_group("A/B")
attach_item("A")
d_instantiate("A/B")
mkdir("A/B/C")
do_path_lookup("A/B/C", LOOKUP_PARENT)
ok
lookup_create("A/B/C")
mutex_lock("A/B")
ok
configfs_mkdir("A/B/C")
ok
attach_group("A/C")
attach_item("A/C")
d_instantiate("A/C")
populate_groups("A/C")
mutex_lock("A/C")
attach_group("A/C/D")
attach_item("A/C/D")
failure
mutex_unlock("A/C")
detach_groups("A/C")
nothing to do
mkdir("A/C/E")
do_path_lookup("A/C/E", LOOKUP_PARENT)
ok
lookup_create("A/C/E")
mutex_lock("A/C")
ok
configfs_mkdir("A/C/E")
ok
detach_item("A/C")
d_delete("A/C")
mutex_unlock("A")
detach_groups("A")
mutex_lock("A/B")
detach_group("A/B")
detach_groups("A/B")
nothing since no _default_ group
detach_item("A/B")
mutex_unlock("A/B")
d_delete("A/B")
detach_item("A")
d_delete("A")
Two bugs:
1/ "A/B/C" and "A/C/E" are created, but never removed while their parent are
removed in the end. The same could happen with symlink() instead of mkdir().
2/ "A" and "A/C" inodes are not locked while detach_item() is called on them,
which may probably confuse VFS.
This commit fixes 1/, tagging new directories with CONFIGFS_USET_CREATING before
building the inode and instantiating the dentry, and validating the whole
group+default groups hierarchy in a second pass by clearing
CONFIGFS_USET_CREATING.
mkdir(), symlink(), lookup(), and dir_open() simply return -ENOENT if
called in (or linking to) a directory tagged with CONFIGFS_USET_CREATING. This
does not prevent userspace from calling stat() successfuly on such directories,
but this prevents userspace from adding (children to | symlinking from/to |
read/write attributes of | listing the contents of) not validated items. In
other words, userspace will not interact with the subsystem on a new item until
the new item creation completes correctly.
It was first proposed to re-use CONFIGFS_USET_IN_MKDIR instead of a new
flag CONFIGFS_USET_CREATING, but this generated conflicts when checking the
target of a new symlink: a valid target directory in the middle of attaching
a new user-created child item could be wrongly detected as being attached.
2/ is fixed by next commit.
Signed-off-by: Louis Rilling <louis.rilling@kerlabs.com>
Signed-off-by: Joel Becker <joel.becker@oracle.com>
Signed-off-by: Mark Fasheh <mfasheh@suse.com>
2008-07-04 18:56:05 +04:00
|
|
|
ret = -EPERM;
|
2005-12-16 01:29:43 +03:00
|
|
|
if (!type || !type->ct_item_ops ||
|
|
|
|
!type->ct_item_ops->allow_link)
|
|
|
|
goto out_put;
|
|
|
|
|
2012-03-18 00:24:54 +04:00
|
|
|
ret = get_target(symname, &path, &target_item, dentry->d_sb);
|
2005-12-16 01:29:43 +03:00
|
|
|
if (ret)
|
|
|
|
goto out_put;
|
|
|
|
|
|
|
|
ret = type->ct_item_ops->allow_link(parent_item, target_item);
|
2008-06-12 19:26:47 +04:00
|
|
|
if (!ret) {
|
2008-06-20 16:09:22 +04:00
|
|
|
mutex_lock(&configfs_symlink_mutex);
|
2005-12-16 01:29:43 +03:00
|
|
|
ret = create_link(parent_item, target_item, dentry);
|
2008-06-20 16:09:22 +04:00
|
|
|
mutex_unlock(&configfs_symlink_mutex);
|
2008-06-12 19:26:47 +04:00
|
|
|
if (ret && type->ct_item_ops->drop_link)
|
|
|
|
type->ct_item_ops->drop_link(parent_item,
|
|
|
|
target_item);
|
|
|
|
}
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
config_item_put(target_item);
|
2008-08-02 09:04:36 +04:00
|
|
|
path_put(&path);
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
out_put:
|
|
|
|
config_item_put(parent_item);
|
|
|
|
|
|
|
|
out:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
int configfs_unlink(struct inode *dir, struct dentry *dentry)
|
|
|
|
{
|
|
|
|
struct configfs_dirent *sd = dentry->d_fsdata;
|
|
|
|
struct configfs_symlink *sl;
|
|
|
|
struct config_item *parent_item;
|
2017-10-16 18:18:40 +03:00
|
|
|
const struct config_item_type *type;
|
2005-12-16 01:29:43 +03:00
|
|
|
int ret;
|
|
|
|
|
|
|
|
ret = -EPERM; /* What lack-of-symlink returns */
|
|
|
|
if (!(sd->s_type & CONFIGFS_ITEM_LINK))
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
sl = sd->s_element;
|
|
|
|
|
|
|
|
parent_item = configfs_get_config_item(dentry->d_parent);
|
|
|
|
type = parent_item->ci_type;
|
|
|
|
|
2008-06-16 21:00:58 +04:00
|
|
|
spin_lock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
list_del_init(&sd->s_sibling);
|
2008-06-16 21:00:58 +04:00
|
|
|
spin_unlock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
configfs_drop_dentry(sd, dentry->d_parent);
|
|
|
|
dput(dentry);
|
|
|
|
configfs_put(sd);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* drop_link() must be called before
|
|
|
|
* list_del_init(&sl->sl_list), so that the order of
|
|
|
|
* drop_link(this, target) and drop_item(target) is preserved.
|
|
|
|
*/
|
|
|
|
if (type && type->ct_item_ops &&
|
|
|
|
type->ct_item_ops->drop_link)
|
|
|
|
type->ct_item_ops->drop_link(parent_item,
|
|
|
|
sl->sl_target);
|
|
|
|
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_lock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
list_del_init(&sl->sl_list);
|
2008-06-16 21:00:59 +04:00
|
|
|
spin_unlock(&configfs_dirent_lock);
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
/* Put reference from create_link() */
|
|
|
|
config_item_put(sl->sl_target);
|
|
|
|
kfree(sl);
|
|
|
|
|
|
|
|
config_item_put(parent_item);
|
|
|
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
out:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int configfs_get_target_path(struct config_item * item, struct config_item * target,
|
|
|
|
char *path)
|
|
|
|
{
|
|
|
|
char * s;
|
|
|
|
int depth, size;
|
|
|
|
|
|
|
|
depth = item_depth(item);
|
|
|
|
size = item_path_length(target) + depth * 3 - 1;
|
|
|
|
if (size > PATH_MAX)
|
|
|
|
return -ENAMETOOLONG;
|
|
|
|
|
2008-04-30 11:55:09 +04:00
|
|
|
pr_debug("%s: depth = %d, size = %d\n", __func__, depth, size);
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
for (s = path; depth--; s += 3)
|
|
|
|
strcpy(s,"../");
|
|
|
|
|
|
|
|
fill_item_path(target, path, size);
|
2008-04-30 11:55:09 +04:00
|
|
|
pr_debug("%s: path = '%s'\n", __func__, path);
|
2005-12-16 01:29:43 +03:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int configfs_getlink(struct dentry *dentry, char * path)
|
|
|
|
{
|
|
|
|
struct config_item *item, *target_item;
|
|
|
|
int error = 0;
|
|
|
|
|
|
|
|
item = configfs_get_config_item(dentry->d_parent);
|
|
|
|
if (!item)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
target_item = configfs_get_config_item(dentry);
|
|
|
|
if (!target_item) {
|
|
|
|
config_item_put(item);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
|
|
|
down_read(&configfs_rename_sem);
|
|
|
|
error = configfs_get_target_path(item, target_item, path);
|
|
|
|
up_read(&configfs_rename_sem);
|
|
|
|
|
|
|
|
config_item_put(item);
|
|
|
|
config_item_put(target_item);
|
|
|
|
return error;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2015-11-17 18:20:54 +03:00
|
|
|
static const char *configfs_get_link(struct dentry *dentry,
|
2015-12-29 23:58:39 +03:00
|
|
|
struct inode *inode,
|
|
|
|
struct delayed_call *done)
|
2005-12-16 01:29:43 +03:00
|
|
|
{
|
2015-12-29 23:58:39 +03:00
|
|
|
char *body;
|
2015-05-02 20:32:22 +03:00
|
|
|
int error;
|
2005-12-16 01:29:43 +03:00
|
|
|
|
2015-11-17 18:20:54 +03:00
|
|
|
if (!dentry)
|
|
|
|
return ERR_PTR(-ECHILD);
|
|
|
|
|
2015-12-29 23:58:39 +03:00
|
|
|
body = kzalloc(PAGE_SIZE, GFP_KERNEL);
|
|
|
|
if (!body)
|
2015-05-02 20:32:22 +03:00
|
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
|
2015-12-29 23:58:39 +03:00
|
|
|
error = configfs_getlink(dentry, body);
|
2015-05-02 20:32:22 +03:00
|
|
|
if (!error) {
|
2015-12-29 23:58:39 +03:00
|
|
|
set_delayed_call(done, kfree_link, body);
|
|
|
|
return body;
|
2005-12-16 01:29:43 +03:00
|
|
|
}
|
|
|
|
|
2015-12-29 23:58:39 +03:00
|
|
|
kfree(body);
|
2015-05-02 20:32:22 +03:00
|
|
|
return ERR_PTR(error);
|
2005-12-16 01:29:43 +03:00
|
|
|
}
|
|
|
|
|
2007-02-12 11:55:38 +03:00
|
|
|
const struct inode_operations configfs_symlink_inode_operations = {
|
2015-11-17 18:20:54 +03:00
|
|
|
.get_link = configfs_get_link,
|
2006-01-26 00:31:07 +03:00
|
|
|
.setattr = configfs_setattr,
|
2005-12-16 01:29:43 +03:00
|
|
|
};
|
|
|
|
|