1. 09 Oct, 2014 39 commits
    • Al Viro's avatar
      saner perf_atoll() · 8ba7f6c2
      Al Viro authored
      That loop in there is both anti-idiomatic *and* completely pointless.
      strtoll() is there for purpose; use it and compare what's left with
      acceptable suffices.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8ba7f6c2
    • Al Viro's avatar
      switch /dev/kmsg to ->write_iter() · 849f3127
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      849f3127
    • Al Viro's avatar
      switch logger to ->write_iter() · cd678fce
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      cd678fce
    • Al Viro's avatar
      switch hci_vhci to ->write_iter() · 512b2268
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      512b2268
    • Al Viro's avatar
      switch /dev/zero and /dev/full to ->read_iter() · 13ba33e8
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      13ba33e8
    • Al Viro's avatar
      dma-buf: don't open-code atomic_long_read() · a1f6dbac
      Al Viro authored
      ... not to mention that even atomic_long_read() is too low-level here -
      there's file_count().
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      a1f6dbac
    • Al Viro's avatar
      rsxx debugfs inanity · 8e3fb059
      Al Viro authored
      check with the author of that horror...
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8e3fb059
    • Al Viro's avatar
      carma-fpga: switch to simple_read_from_buffer() · d88c2426
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      d88c2426
    • Al Viro's avatar
      carma-fpga: switch to fixed_size_llseek() · 1a37f5ec
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      1a37f5ec
    • Al Viro's avatar
      2ec3a12a
    • Al Viro's avatar
      vme: don't open-code fixed_size_llseek() · 59482291
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      59482291
    • Al Viro's avatar
      ashmem: use vfs_llseek() · 91360b02
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      91360b02
    • Al Viro's avatar
      9p: switch to %p[dD] · 4b8e9923
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      4b8e9923
    • Al Viro's avatar
      cifs: switch to use of %p[dD] · 35c265e0
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      35c265e0
    • Mikulas Patocka's avatar
      fs: make cont_expand_zero interruptible · c2ca0fcd
      Mikulas Patocka authored
      This patch makes it possible to kill a process looping in
      cont_expand_zero. A process may spend a lot of time in this function, so
      it is desirable to be able to kill it.
      
      It happened to me that I wanted to copy a piece data from the disk to a
      file. By mistake, I used the "seek" parameter to dd instead of "skip". Due
      to the "seek" parameter, dd attempted to extend the file and became stuck
      doing so - the only possibility was to reset the machine or wait many
      hours until the filesystem runs out of space and cont_expand_zero fails.
      We need this patch to be able to terminate the process.
      Signed-off-by: default avatarMikulas Patocka <mpatocka@redhat.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c2ca0fcd
    • Matthew Wilcox's avatar
      Add copy_to_iter(), copy_from_iter() and iov_iter_zero() · c35e0248
      Matthew Wilcox authored
      For DAX, we want to be able to copy between iovecs and kernel addresses
      that don't necessarily have a struct page.  This is a fairly simple
      rearrangement for bvec iters to kmap the pages outside and pass them in,
      but for user iovecs it gets more complicated because we might try various
      different ways to kmap the memory.  Duplicating the existing logic works
      out best in this case.
      
      We need to be able to write zeroes to an iovec for reads from unwritten
      ranges in a file.  This is performed by the new iov_iter_zero() function,
      again patterned after the existing code that handles iovec iterators.
      
      [AV: and export the buggers...]
      Signed-off-by: default avatarMatthew Wilcox <willy@linux.intel.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c35e0248
    • Tetsuo Handa's avatar
      fs: Fix theoretical division by 0 in super_cache_scan(). · 475d0db7
      Tetsuo Handa authored
      total_objects could be 0 and is used as a denom.
      
      While total_objects is a "long", total_objects == 0 unlikely happens for
      3.12 and later kernels because 32-bit architectures would not be able to
      hold (1 << 32) objects. However, total_objects == 0 may happen for kernels
      between 3.1 and 3.11 because total_objects in prune_super() was an "int"
      and (e.g.) x86_64 architecture might be able to hold (1 << 32) objects.
      Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Cc: stable <stable@kernel.org> # 3.1+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      475d0db7
    • Daeseok Youn's avatar
      dcache: Fix no spaces at the start of a line in dcache.c · b8314f93
      Daeseok Youn authored
      Fixed coding style in dcache.c
      Signed-off-by: default avatarDaeseok Youn <daeseok.youn@gmail.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b8314f93
    • Al Viro's avatar
      [jffs2] kill wbuf_queued/wbuf_dwork_lock · 99358a1c
      Al Viro authored
      schedule_delayed_work() happening when the work is already pending is
      a cheap no-op.  Don't bother with ->wbuf_queued logics - it's both
      broken (cancelling ->wbuf_dwork leaves it set, as spotted by Jeff Harris)
      and pointless.  It's cheaper to let schedule_delayed_work() handle that
      case.
      Reported-by: default avatarJeff Harris <jefftharris@gmail.com>
      Tested-by: default avatarJeff Harris <jefftharris@gmail.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      99358a1c
    • Kirill Smelkov's avatar
      vfs: fix typo in s_op->alloc_inode() documentation · 4e07ad64
      Kirill Smelkov authored
      The function which calls s_op->alloc_inode() is not inode_alloc(), but
      instead alloc_inode() which lives in fs/inode.c .
      
      The typo was there from the beginning from 5ea626aa (VFS: update
      documentation, 2005) - there was no standalone inode_alloc() for the
      whole kernel history.
      
      Cc: Pekka Enberg <penberg@kernel.org>
      Signed-off-by: Kirill Smelkov's avatarKirill Smelkov <kirr@nexedi.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      4e07ad64
    • Al Viro's avatar
      constify file_inode() · 1fa97e8b
      Al Viro authored
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      1fa97e8b
    • Al Viro's avatar
      handle suicide on late failure exits in execve() in search_binary_handler() · 19d860a1
      Al Viro authored
      ... rather than doing that in the guts of ->load_binary().
      [updated to fix the bug spotted by Shentino - for SIGSEGV we really need
      something stronger than send_sig_info(); again, better do that in one place]
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      19d860a1
    • Al Viro's avatar
      dcache.c: call ->d_prune() regardless of d_unhashed() · 29266201
      Al Viro authored
      the only in-tree instance checks d_unhashed() anyway,
      out-of-tree code can preserve the current behaviour by
      adding such check if they want it and we get an ability
      to use it in cases where we *want* to be notified of
      killing being inevitable before ->d_lock is dropped,
      whether it's unhashed or not.  In particular, autofs
      would benefit from that.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      29266201
    • Al Viro's avatar
      d_prune_alias(): just lock the parent and call __dentry_kill() · 29355c39
      Al Viro authored
      The only reason for games with ->d_prune() was __d_drop(), which
      was needed only to force dput() into killing the sucker off.
      
      Note that lock_parent() can be called under ->i_lock and won't
      drop it, so dentry is safe from somebody managing to kill it
      under us - it won't happen while we are holding ->i_lock.
      
      __dentry_kill() is called only with ->d_lockref.count being 0
      (here and when picked from shrink list) or 1 (dput() and dropping
      the ancestors in shrink_dentry_list()), so it will never be called
      twice - the first thing it's doing is making ->d_lockref.count
      negative and once that happens, nothing will increment it.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      29355c39
    • Eric W. Biederman's avatar
      proc: Update proc_flush_task_mnt to use d_invalidate · bbd51924
      Eric W. Biederman authored
      Now that d_invalidate always succeeds and flushes mount points use
      it in stead of a combination of shrink_dcache_parent and d_drop
      in proc_flush_task_mnt.  This removes the danger of a mount point
      under /proc/<pid>/... becoming unreachable after the d_drop.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      bbd51924
    • Eric W. Biederman's avatar
      vfs: Remove d_drop calls from d_revalidate implementations · c143c233
      Eric W. Biederman authored
      Now that d_invalidate always succeeds it is not longer necessary or
      desirable to hard code d_drop calls into filesystem specific
      d_revalidate implementations.
      
      Remove the unnecessary d_drop calls and rely on d_invalidate
      to drop the dentries.  Using d_invalidate ensures that paths
      to mount points will not be dropped.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      c143c233
    • Eric W. Biederman's avatar
      vfs: Make d_invalidate return void · 5542aa2f
      Eric W. Biederman authored
      Now that d_invalidate can no longer fail, stop returning a useless
      return code.  For the few callers that checked the return code update
      remove the handling of d_invalidate failure.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      5542aa2f
    • Eric W. Biederman's avatar
      vfs: Merge check_submounts_and_drop and d_invalidate · 1ffe46d1
      Eric W. Biederman authored
      Now that d_invalidate is the only caller of check_submounts_and_drop,
      expand check_submounts_and_drop inline in d_invalidate.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      1ffe46d1
    • Eric W. Biederman's avatar
      vfs: Remove unnecessary calls of check_submounts_and_drop · 9b053f32
      Eric W. Biederman authored
      Now that check_submounts_and_drop can not fail and is called from
      d_invalidate there is no longer a need to call check_submounts_and_drom
      from filesystem d_revalidate methods so remove it.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9b053f32
    • Eric W. Biederman's avatar
      vfs: Lazily remove mounts on unlinked files and directories. · 8ed936b5
      Eric W. Biederman authored
      With the introduction of mount namespaces and bind mounts it became
      possible to access files and directories that on some paths are mount
      points but are not mount points on other paths.  It is very confusing
      when rm -rf somedir returns -EBUSY simply because somedir is mounted
      somewhere else.  With the addition of user namespaces allowing
      unprivileged mounts this condition has gone from annoying to allowing
      a DOS attack on other users in the system.
      
      The possibility for mischief is removed by updating the vfs to support
      rename, unlink and rmdir on a dentry that is a mountpoint and by
      lazily unmounting mountpoints on deleted dentries.
      
      In particular this change allows rename, unlink and rmdir system calls
      on a dentry without a mountpoint in the current mount namespace to
      succeed, and it allows rename, unlink, and rmdir performed on a
      distributed filesystem to update the vfs cache even if when there is a
      mount in some namespace on the original dentry.
      
      There are two common patterns of maintaining mounts: Mounts on trusted
      paths with the parent directory of the mount point and all ancestory
      directories up to / owned by root and modifiable only by root
      (i.e. /media/xxx, /dev, /dev/pts, /proc, /sys, /sys/fs/cgroup/{cpu,
      cpuacct, ...}, /usr, /usr/local).  Mounts on unprivileged directories
      maintained by fusermount.
      
      In the case of mounts in trusted directories owned by root and
      modifiable only by root the current parent directory permissions are
      sufficient to ensure a mount point on a trusted path is not removed
      or renamed by anyone other than root, even if there is a context
      where the there are no mount points to prevent this.
      
      In the case of mounts in directories owned by less privileged users
      races with users modifying the path of a mount point are already a
      danger.  fusermount already uses a combination of chdir,
      /proc/<pid>/fd/NNN, and UMOUNT_NOFOLLOW to prevent these races.  The
      removable of global rename, unlink, and rmdir protection really adds
      nothing new to consider only a widening of the attack window, and
      fusermount is already safe against unprivileged users modifying the
      directory simultaneously.
      
      In principle for perfect userspace programs returning -EBUSY for
      unlink, rmdir, and rename of dentires that have mounts in the local
      namespace is actually unnecessary.  Unfortunately not all userspace
      programs are perfect so retaining -EBUSY for unlink, rmdir and rename
      of dentries that have mounts in the current mount namespace plays an
      important role of maintaining consistency with historical behavior and
      making imperfect userspace applications hard to exploit.
      
      v2: Remove spurious old_dentry.
      v3: Optimized shrink_submounts_and_drop
          Removed unsued afs label
      v4: Simplified the changes to check_submounts_and_drop
          Do not rename check_submounts_and_drop shrink_submounts_and_drop
          Document what why we need atomicity in check_submounts_and_drop
          Rely on the parent inode mutex to make d_revalidate and d_invalidate
          an atomic unit.
      v5: Refcount the mountpoint to detach in case of simultaneous
          renames.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8ed936b5
    • Eric W. Biederman's avatar
      vfs: Add a function to lazily unmount all mounts from any dentry. · 80b5dce8
      Eric W. Biederman authored
      The new function detach_mounts comes in two pieces.  The first piece
      is a static inline test of d_mounpoint that returns immediately
      without taking any locks if d_mounpoint is not set.  In the common
      case when mountpoints are absent this allows the vfs to continue
      running with it's same cacheline foot print.
      
      The second piece of detach_mounts __detach_mounts actually does the
      work and it assumes that a mountpoint is present so it is slow and
      takes namespace_sem for write, and then locks the mount hash (aka
      mount_lock) after a struct mountpoint has been found.
      
      With those two locks held each entry on the list of mounts on a
      mountpoint is selected and lazily unmounted until all of the mount
      have been lazily unmounted.
      
      v7: Wrote a proper change description and removed the changelog
          documenting deleted wrong turns.
      Signed-off-by: default avatarEric W. Biederman <ebiederman@twitter.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      80b5dce8
    • Eric W. Biederman's avatar
      vfs: factor out lookup_mountpoint from new_mountpoint · e2dfa935
      Eric W. Biederman authored
      I am shortly going to add a new user of struct mountpoint that
      needs to look up existing entries but does not want to create
      a struct mountpoint if one does not exist.  Therefore to keep
      the code simple and easy to read split out lookup_mountpoint
      from new_mountpoint.
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      e2dfa935
    • Eric W. Biederman's avatar
      vfs: Keep a list of mounts on a mount point · 0a5eb7c8
      Eric W. Biederman authored
      To spot any possible problems call BUG if a mountpoint
      is put when it's list of mounts is not empty.
      
      AV: use hlist instead of list_head
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatarEric W. Biederman <ebiederman@twitter.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      0a5eb7c8
    • Eric W. Biederman's avatar
      vfs: Don't allow overwriting mounts in the current mount namespace · 7af1364f
      Eric W. Biederman authored
      In preparation for allowing mountpoints to be renamed and unlinked
      in remote filesystems and in other mount namespaces test if on a dentry
      there is a mount in the local mount namespace before allowing it to
      be renamed or unlinked.
      
      The primary motivation here are old versions of fusermount unmount
      which is not safe if the a path can be renamed or unlinked while it is
      verifying the mount is safe to unmount.  More recent versions are simpler
      and safer by simply using UMOUNT_NOFOLLOW when unmounting a mount
      in a directory owned by an arbitrary user.
      
      Miklos Szeredi <miklos@szeredi.hu> reports this is approach is good
      enough to remove concerns about new kernels mixed with old versions
      of fusermount.
      
      A secondary motivation for restrictions here is that it removing empty
      directories that have non-empty mount points on them appears to
      violate the rule that rmdir can not remove empty directories.  As
      Linus Torvalds pointed out this is useful for programs (like git) that
      test if a directory is empty with rmdir.
      
      Therefore this patch arranges to enforce the existing mount point
      semantics for local mount namespace.
      
      v2: Rewrote the test to be a drop in replacement for d_mountpoint
      v3: Use bool instead of int as the return type of is_local_mountpoint
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      7af1364f
    • Eric W. Biederman's avatar
      vfs: More precise tests in d_invalidate · bafc9b75
      Eric W. Biederman authored
      The current comments in d_invalidate about what and why it is doing
      what it is doing are wildly off-base.  Which is not surprising as
      the comments date back to last minute bug fix of the 2.2 kernel.
      
      The big fat lie of a comment said: If it's a directory, we can't drop
      it for fear of somebody re-populating it with children (even though
      dropping it would make it unreachable from that root, we still might
      repopulate it if it was a working directory or similar).
      
      [AV] What we really need to avoid is multiple dentry aliases of the
      same directory inode; on all filesystems that have ->d_revalidate()
      we either declare all positive dentries always valid (and thus never
      fed to d_invalidate()) or use d_materialise_unique() and/or d_splice_alias(),
      which take care of alias prevention.
      
      The current rules are:
      - To prevent mount point leaks dentries that are mount points or that
        have childrent that are mount points may not be be unhashed.
      - All dentries may be unhashed.
      - Directories may be rehashed with d_materialise_unique
      
      check_submounts_and_drop implements this already for well maintained
      remote filesystems so implement the current rules in d_invalidate
      by just calling check_submounts_and_drop.
      
      The one difference between d_invalidate and check_submounts_and_drop
      is that d_invalidate must respect it when a d_revalidate method has
      earlier called d_drop so preserve the d_unhashed check in
      d_invalidate.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      bafc9b75
    • Eric W. Biederman's avatar
      vfs: Document the effect of d_revalidate on d_find_alias · 3ccb354d
      Eric W. Biederman authored
      d_drop or check_submounts_and_drop called from d_revalidate can result
      in renamed directories with child dentries being unhashed.  These
      renamed and drop directory dentries can be rehashed after
      d_materialise_unique uses d_find_alias to find them.
      Reviewed-by: default avatarMiklos Szeredi <miklos@szeredi.hu>
      Signed-off-by: default avatar"Eric W. Biederman" <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      3ccb354d
    • Al Viro's avatar
      delayed mntput · 9ea459e1
      Al Viro authored
      On final mntput() we want fs shutdown to happen before return to
      userland; however, the only case where we want it happen right
      there (i.e. where task_work_add won't do) is MNT_INTERNAL victim.
      Those have to be fully synchronous - failure halfway through module
      init might count on having vfsmount killed right there.  Fortunately,
      final mntput on MNT_INTERNAL vfsmounts happens on shallow stack.
      So we handle those synchronously and do an analog of delayed fput
      logics for everything else.
      
      As the result, we are guaranteed that fs shutdown will always happen
      on shallow stack.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      9ea459e1
    • Ian Kent's avatar
      autofs - remove obsolete d_invalidate() from expire · b3ca406f
      Ian Kent authored
      Biederman's umount-on-rmdir series changes d_invalidate() to sumarily remove
      mounts under the passed in dentry regardless of whether they are busy
      or not. So calling this in fs/autofs4/expire.c:autofs4_tree_busy() is
      definitely the wrong thing to do becuase it will silently umount entries
      instead of just cleaning stale dentrys.
      
      But this call shouldn't be needed and testing shows that automounting
      continues to function without it.
      
      As Al Viro correctly surmises the original intent of the call was to
      perform what shrink_dcache_parent() does.
      
      If at some time in the future I see stale dentries accumulating
      following failed mounts I'll revisit the issue and possibly add a
      shrink_dcache_parent() call if needed.
      Signed-off-by: default avatarIan Kent <raven@themaw.net>
      Cc: Al Viro <viro@ZenIV.linux.org.uk>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      b3ca406f
    • Al Viro's avatar
      Allow sharing external names after __d_move() · 8d85b484
      Al Viro authored
      * external dentry names get a small structure prepended to them
      (struct external_name).
      * it contains an atomic refcount, matching the number of struct dentry
      instances that have ->d_name.name pointing to that external name.  The
      first thing free_dentry() does is decrementing refcount of external name,
      so the instances that are between the call of free_dentry() and
      RCU-delayed actual freeing do not contribute.
      * __d_move(x, y, false) makes the name of x equal to the name of y,
      external or not.  If y has an external name, extra reference is grabbed
      and put into x->d_name.name.  If x used to have an external name, the
      reference to the old name is dropped and, should it reach zero, freeing
      is scheduled via kfree_rcu().
      * free_dentry() in dentry with external name decrements the refcount of
      that name and, should it reach zero, does RCU-delayed call that will
      free both the dentry and external name.  Otherwise it does what it
      used to do, except that __d_free() doesn't even look at ->d_name.name;
      it simply frees the dentry.
      
      All non-RCU accesses to dentry external name are safe wrt freeing since they
      all should happen before free_dentry() is called.  RCU accesses might run
      into a dentry seen by free_dentry() or into an old name that got already
      dropped by __d_move(); however, in both cases dentry must have been
      alive and refer to that name at some point after we'd done rcu_read_lock(),
      which means that any freeing must be still pending.
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      8d85b484
  2. 29 Sep, 2014 1 commit
    • Al Viro's avatar
      missing data dependency barrier in prepend_name() · 6d13f694
      Al Viro authored
      AFAICS, prepend_name() is broken on SMP alpha.  Disclaimer: I don't have
      SMP alpha boxen to reproduce it on.  However, it really looks like the race
      is real.
      
      CPU1: d_path() on /mnt/ramfs/<255-character>/foo
      CPU2: mv /mnt/ramfs/<255-character> /mnt/ramfs/<63-character>
      
      CPU2 does d_alloc(), which allocates an external name, stores the name there
      including terminating NUL, does smp_wmb() and stores its address in
      dentry->d_name.name.  It proceeds to d_add(dentry, NULL) and d_move()
      old dentry over to that.  ->d_name.name value ends up in that dentry.
      
      In the meanwhile, CPU1 gets to prepend_name() for that dentry.  It fetches
      ->d_name.name and ->d_name.len; the former ends up pointing to new name
      (64-byte kmalloc'ed array), the latter - 255 (length of the old name).
      Nothing to force the ordering there, and normally that would be OK, since we'd
      run into the terminating NUL and stop.  Except that it's alpha, and we'd need
      a data dependency barrier to guarantee that we see that store of NUL
      __d_alloc() has done.  In a similar situation dentry_cmp() would survive; it
      does explicit smp_read_barrier_depends() after fetching ->d_name.name.
      prepend_name() doesn't and it risks walking past the end of kmalloc'ed object
      and possibly oops due to taking a page fault in kernel mode.
      
      Cc: stable@vger.kernel.org # 3.12+
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      6d13f694