summaryrefslogtreecommitdiffstats
path: root/fs
Commit message (Collapse)AuthorAgeFilesLines
* fs: Provide function telling whether file_remove_privs() will do anythingJan Kara2015-06-231-12/+32
| | | | | | | | | Provide function telling whether file_remove_privs() will do anything. Currently we only have should_remove_suid() and that does something slightly different. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* fs: Rename file_remove_suid() to file_remove_privs()Jan Kara2015-06-236-10/+13
| | | | | | | | | | file_remove_suid() is a misnomer since it removes also file capabilities stored in xattrs and sets S_NOSEC flag. Also should_remove_suid() tells something else than whether file_remove_suid() call is necessary which leads to bugs. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* fs: Fix S_NOSEC handlingJan Kara2015-06-231-2/+2
| | | | | | | | | | | | file_remove_suid() could mistakenly set S_NOSEC inode bit when root was modifying the file. As a result following writes to the file by ordinary user would avoid clearing suid or sgid bits. Fix the bug by checking actual mode bits before setting S_NOSEC. CC: stable@vger.kernel.org Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* fs/posix_acl.c: make posix_acl_create() safer and cleanerDan Carpenter2015-06-231-26/+20
| | | | | | | | | | | | | | | | | | | | | If posix_acl_create() returns an error code then "*acl" and "*default_acl" can be uninitialized or point to freed memory. This is a dangerous thing to do. For example, it causes a problem in ocfs2_reflink(): fs/ocfs2/refcounttree.c:4327 ocfs2_reflink() error: potentially using uninitialized 'default_acl'. I've re-written this so we set the pointers to NULL at the start. I've added a temporary "clone" variable to hold the value of "*acl" until end. Setting them to NULL means means we don't need the "no_acl" label. We may as well remove the "apply_umask" stuff forward and remove that label as well. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Joel Becker <jlbec@evilplan.org> Cc: Mark Fasheh <mfasheh@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
* nilfs2_direct_IO(): remove dead codeAl Viro2015-06-231-20/+2
| | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* vfs: add seq_file_path() helperMiklos Szeredi2015-06-234-4/+18
| | | | | | | | | | Turn seq_path(..., &file->f_path, ...); into seq_file_path(..., file, ...); Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* vfs: add file_path() helperMiklos Szeredi2015-06-234-4/+10
| | | | | | | | | | Turn d_path(&file->f_path, ...); into file_path(file, ...); Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* overlayfs: Make f_path always point to the overlay and f_inode to the underlayDavid Howells2015-06-196-32/+39
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Make file->f_path always point to the overlay dentry so that the path in /proc/pid/fd is correct and to ensure that label-based LSMs have access to the overlay as well as the underlay (path-based LSMs probably don't need it). Using my union testsuite to set things up, before the patch I see: [root@andromeda union-testsuite]# bash 5</mnt/a/foo107 [root@andromeda union-testsuite]# ls -l /proc/$$/fd/ ... lr-x------. 1 root root 64 Jun 5 14:38 5 -> /a/foo107 [root@andromeda union-testsuite]# stat /mnt/a/foo107 ... Device: 23h/35d Inode: 13381 Links: 1 ... [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5 ... Device: 23h/35d Inode: 13381 Links: 1 ... After the patch: [root@andromeda union-testsuite]# bash 5</mnt/a/foo107 [root@andromeda union-testsuite]# ls -l /proc/$$/fd/ ... lr-x------. 1 root root 64 Jun 5 14:22 5 -> /mnt/a/foo107 [root@andromeda union-testsuite]# stat /mnt/a/foo107 ... Device: 23h/35d Inode: 40346 Links: 1 ... [root@andromeda union-testsuite]# stat -L /proc/$$/fd/5 ... Device: 23h/35d Inode: 40346 Links: 1 ... Note the change in where /proc/$$/fd/5 points to in the ls command. It was pointing to /a/foo107 (which doesn't exist) and now points to /mnt/a/foo107 (which is correct). The inode accessed, however, is the lower layer. The union layer is on device 25h/37d and the upper layer on 24h/36d. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* overlay: Call ovl_drop_write() earlier in ovl_dentry_open()David Howells2015-06-191-10/+4
| | | | | | | | | Call ovl_drop_write() earlier in ovl_dentry_open() before we call vfs_open() as we've done the copy up for which we needed the freeze-write lock by that point. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* Merge branch 'for-linus' into for-nextAl Viro2015-06-179-79/+85
|\
| * fs/ufs: restore s_lock mutex_init()Fabian Frederick2015-06-171-0/+1
| | | | | | | | | | | | | | | | Add last missing line in commit "cdd9eefdf905" ("fs/ufs: restore s_lock mutex") Signed-off-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ufs: don't touch mtime/ctime of directory being movedAl Viro2015-06-163-5/+12
| | | | | | | | | | | | | | | | See "ext2: Do not update mtime of a moved directory" (and followup in "ext2: fix unbalanced kmap()/kunmap()") for background; this is UFS equivalent - the same problem exists here. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ufs: don't bother with lock_ufs()/unlock_ufs() for directory accessAl Viro2015-06-161-40/+14
| | | | | | | | | | | | | | | | We are already serialized by ->i_mutex and operations on different directories are independent. These calls are just rudiments of blind BKL conversion and they should've been removed back then. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ufs: Fix possible deadlock when looking up directoriesJan Kara2015-06-161-0/+1
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) made ufs create inodes with I_NEW flag set. However ufs_mkdir() never cleared this flag. Thus if someone ever tried to lookup the directory by inode number, he would deadlock waiting for I_NEW to be cleared. Luckily this mostly happens only if the filesystem is exported over NFS since otherwise we have the inode attached to dentry and don't look it up by inode number. In rare cases dentry can get freed without inode being freed and then we'd hit the deadlock even without NFS export. Fix the problem by clearing I_NEW before instantiating new directory inode. Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8 Reported-by: Fabian Frederick <fabf@skynet.be> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * ufs: Fix warning from unlock_new_inode()Jan Kara2015-06-161-1/+6
| | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit e4502c63f56aeca88 (ufs: deal with nfsd/iget races) introduced unlock_new_inode() call into ufs_add_nondir(). However that function gets called also from ufs_link() which hands it already initialized inode and thus unlock_new_inode() complains. The problem is harmless but annoying. Fix the problem by opencoding necessary stuff in ufs_link() Fixes: e4502c63f56aeca887ced37f24e0def1ef11cec8 Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * fs/ufs: restore s_lock mutexFabian Frederick2015-06-164-25/+36
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") generated deadlocks in read/write mode on mkdir. This patch partially reverts it keeping fixes by Andrew Morton and mutex_destroy() [AV: fixed a missing bit in ufs_remount()] Signed-off-by: Fabian Frederick <fabf@skynet.be> Reported-by: Ian Campbell <ian.campbell@citrix.com> Suggested-by: Jan Kara <jack@suse.cz> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Evgeniy Dushistov <dushistov@mail.ru> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Cc: Roger Pau Monne <roger.pau@citrix.com> Cc: Ian Jackson <Ian.Jackson@eu.citrix.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * fs/ufs: revert "ufs: fix deadlocks introduced by sb mutex merge"Fabian Frederick2015-06-142-7/+12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 9ef7db7f38d0 ("ufs: fix deadlocks introduced by sb mutex merge") That patch tried to solve commit 0244756edc4b98c ("ufs: sb mutex merge + mutex_destroy") which is itself partially reverted due to multiple deadlocks. Signed-off-by: Fabian Frederick <fabf@skynet.be> Suggested-by: Jan Kara <jack@suse.cz> Cc: Ian Campbell <ian.campbell@citrix.com> Cc: Evgeniy Dushistov <dushistov@mail.ru> Cc: Alexey Khoroshilov <khoroshilov@ispras.ru> Cc: Roger Pau Monne <roger.pau@citrix.com> Cc: Ian Jackson <Ian.Jackson@eu.citrix.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
| * ncpfs: successful rename() should invalidate caches for parentsAl Viro2015-06-141-0/+2
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
| * d_walk() might skip too muchAl Viro2015-05-281-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | when we find that a child has died while we'd been trying to ascend, we should go into the first live sibling itself, rather than its sibling. Off-by-one in question had been introduced in "deal with deadlock in d_walk()" and the fix needs to be backported to all branches this one has been backported to. Cc: stable@vger.kernel.org # 3.2 and later Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | turn user_{path_at,path,lpath,path_dir}() into static inlinesAl Viro2015-05-151-7/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: move saved_nd pointer into struct nameidataAl Viro2015-05-151-22/+24
| | | | | | | | | | | | | | | | these guys are always declared next to each other; might as well put the former (pointer to previous instance) into the latter and simplify the calling conventions for {set,restore}_nameidata() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | inline user_path_create()Al Viro2015-05-151-1/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | inline user_path_parent()Al Viro2015-05-151-1/+1
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: trim do_last() argumentsAl Viro2015-05-151-6/+6
| | | | | | | | | | | | | | now that struct filename is stashed in nameidata we have no need to pass it in Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: stash dfd and name into nameidataAl Viro2015-05-151-50/+46
| | | | | | | | | | | | fewer arguments to pass around... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: fold path_cleanup() into terminate_walk()Al Viro2015-05-151-12/+4
| | | | | | | | | | | | | | they are always called next to each other; moreover, terminate_walk() is more symmetrical that way. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: saner calling conventions for filename_parentat()Al Viro2015-05-151-38/+22
| | | | | | | | | | | | | | | | | | | | a) make it reject ERR_PTR() for name b) make it putname(name) on all other failure exits c) make it return name on success again, simplifies the callers Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: saner calling conventions for filename_create()Al Viro2015-05-151-16/+10
| | | | | | | | | | | | | | | | | | a) make it reject ERR_PTR() for name b) make it putname(name) upon return in all other cases. seriously simplifies the callers... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: shift nameidata down into filename_parentat()Al Viro2015-05-151-41/+43
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: make filename_lookup() reject ERR_PTR() passed as nameAl Viro2015-05-151-20/+10
| | | | | | | | | | | | makes for much easier life in callers Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: shift nameidata inside filename_lookup()Al Viro2015-05-151-16/+14
| | | | | | | | | | | | | | pass root instead; non-NULL => copy to nd.root and set LOOKUP_ROOT in flags Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: move putname() call into filename_lookup()Al Viro2015-05-151-23/+15
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: pass the struct path to store the result down into path_lookupat()Al Viro2015-05-151-38/+34
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: uninline set_root{,_rcu}()Al Viro2015-05-151-2/+2
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: be careful with mountpoint crossings in follow_dotdot_rcu()Al Viro2015-05-151-30/+21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Otherwise we are risking a hard error where nonlazy restart would be the right thing to do; it's a very narrow race with mount --move and most of the time it ends up being completely harmless, but it's possible to construct a case when we'll get a bogus hard error instead of falling back to non-lazy walk... For one thing, when crossing _into_ overmount of parent we need to check for mount_lock bumps when we get NULL from __lookup_mnt() as well. For another, and less exotically, we need to make sure that the data fetched in follow_up_rcu() had been consistent. ->mnt_mountpoint is pinned for as long as it is a mountpoint, but we need to check mount_lock after fetching to verify that. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | get rid of assorted nameidata-related debrisAl Viro2015-05-154-7/+4
| | | | | | | | | | | | pointless forward declarations, stale comments Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: unlazy_walk() doesn't need to mess with current->fs anymoreAl Viro2015-05-151-7/+4
| | | | | | | | | | | | | | now that we have ->root_seq, legitimize_path(&nd->root, nd->root_seq) will do just fine... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: handle absolute symlinks without dropping out of RCU modeAl Viro2015-05-151-11/+20
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | enable passing fast relative symlinks without dropping out of RCU modeAl Viro2015-05-151-5/+8
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | VFS/namei: make the use of touch_atime() in get_link() RCU-safe.NeilBrown2015-05-152-12/+30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | touch_atime is not RCU-safe, and so cannot be called on an RCU walk. However, in situations where RCU-walk makes a difference, the symlink will likely to accessed much more often than it is useful to update the atime. So split out the test of "Does the atime actually need to be updated" into atime_needs_update(), and have get_link() unlazy if it finds that it will need to do that update. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: don't unlazy until get_link()Al Viro2015-05-151-11/+26
| | | | | | | | Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: make unlazy_walk and terminate_walk handle nd->stack, add unlazy_linkAl Viro2015-05-151-38/+100
| | | | | | | | | | | | | | | | | | | | | | | | We are almost done - primitives for leaving RCU mode are aware of nd->stack now, a new primitive for going to non-RCU mode when we have a symlink on hands added. The thing we are heavily relying upon is that *any* unlazy failure will be shortly followed by terminate_walk(), with no access to nameidata in between. So it's enough to leave the things in a state terminate_walk() would cope with. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: store seq numbers in nd->stack[]Al Viro2015-05-111-0/+2
| | | | | | | | | | | | we'll need them for unlazy_walk() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | new helper: __legitimize_mnt()Al Viro2015-05-112-8/+20
| | | | | | | | | | | | | | | | | | | | same as legitimize_mnt(), except that it does *not* drop and regain rcu_read_lock; return values are 0 => grabbed a reference, we are fine 1 => failed, just go away -1 => failed, go away and mntput(bastard) when outside of rcu_read_lock Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: make may_follow_link() safe in RCU modeAl Viro2015-05-111-0/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | We *can't* call that audit garbage in RCU mode - it's doing a weird mix of allocations (GFP_NOFS, immediately followed by GFP_KERNEL) and I'm not touching that... thing again. So if this security sclero^Whardening feature gets triggered when we are in RCU mode, tough - we'll fail with -ECHILD and have everything restarted in non-RCU mode. Only to hit the same test and fail, this time with EACCES and with (oh, rapture) an audit spew produced. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: make put_link() RCU-safeAl Viro2015-05-111-1/+2
| | | | | | | | | | | | | | | | very simple - just make path_put() conditional on !RCU. Note that right now it doesn't get called in RCU mode - we leave it before getting anything into stack. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | new helper: free_page_put_link()Al Viro2015-05-114-18/+9
| | | | | | | | | | | | similar to kfree_put_link() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | switch ->put_link() from dentry to inodeAl Viro2015-05-1110-19/+20
| | | | | | | | | | | | | | only one instance looks at that argument at all; that sole exception wants inode rather than dentry. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | security: make inode_follow_link RCU-walk awareNeilBrown2015-05-111-2/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | inode_follow_link now takes an inode and rcu flag as well as the dentry. inode is used in preference to d_backing_inode(dentry), particularly in RCU-walk mode. selinux_inode_follow_link() gets dentry_has_perm() and inode_has_perm() open-coded into it so that it can call avc_has_perm_flags() in way that is safe if LOOKUP_RCU is set. Calling avc_has_perm_flags() with rcu_read_lock() held means that when avc_has_perm_noaudit calls avc_compute_av(), the attempt to rcu_read_unlock() before calling security_compute_av() will not actually drop the RCU read-lock. However as security_compute_av() is completely in a read_lock()ed region, it should be safe with the RCU read-lock held. Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* | namei: pick_link() callers already have inodeAl Viro2015-05-111-7/+11
| | | | | | | | | | | | no need to refetch (and once we move unlazy out of there, recheck ->d_seq). Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>