2006-01-16 16:50:04 +00:00
/*
* Copyright ( C ) Sistina Software , Inc . 1997 - 2003 All rights reserved .
2006-05-18 15:09:15 -04:00
* Copyright ( C ) 2004 - 2006 Red Hat , Inc . All rights reserved .
2006-01-16 16:50:04 +00:00
*
* This copyrighted material is made available to anyone wishing to use ,
* modify , copy , or redistribute it subject to the terms and conditions
2006-09-01 11:05:15 -04:00
* of the GNU General Public License version 2.
2006-01-16 16:50:04 +00:00
*/
# include <linux/spinlock.h>
# include <linux/completion.h>
# include <linux/buffer_head.h>
2007-07-17 04:04:28 -07:00
# include <linux/exportfs.h>
2006-02-27 17:23:27 -05:00
# include <linux/gfs2_ondisk.h>
2006-03-28 14:14:04 -05:00
# include <linux/crc32.h>
2006-01-16 16:50:04 +00:00
# include "gfs2.h"
2006-02-27 17:23:27 -05:00
# include "incore.h"
2006-01-16 16:50:04 +00:00
# include "dir.h"
# include "glock.h"
# include "glops.h"
# include "inode.h"
2008-10-14 16:05:55 +01:00
# include "super.h"
2006-01-16 16:50:04 +00:00
# include "rgrp.h"
2006-03-20 12:30:04 -05:00
# include "util.h"
2006-01-16 16:50:04 +00:00
2007-06-01 14:11:58 +01:00
# define GFS2_SMALL_FH_SIZE 4
2007-06-27 17:07:53 -04:00
# define GFS2_LARGE_FH_SIZE 8
2007-07-10 12:28:27 +01:00
# define GFS2_OLD_FH_SIZE 10
2007-06-01 14:11:58 +01:00
2012-04-02 14:34:06 -04:00
static int gfs2_encode_fh ( struct inode * inode , __u32 * p , int * len ,
struct inode * parent )
2006-01-16 16:50:04 +00:00
{
2006-10-14 10:46:30 -04:00
__be32 * fh = ( __force __be32 * ) p ;
2006-03-01 15:31:02 -05:00
struct super_block * sb = inode - > i_sb ;
2006-06-14 15:32:57 -04:00
struct gfs2_inode * ip = GFS2_I ( inode ) ;
2006-01-16 16:50:04 +00:00
2012-04-02 14:34:06 -04:00
if ( parent & & ( * len < GFS2_LARGE_FH_SIZE ) ) {
2011-01-29 18:43:25 +05:30
* len = GFS2_LARGE_FH_SIZE ;
2006-01-16 16:50:04 +00:00
return 255 ;
2011-01-29 18:43:25 +05:30
} else if ( * len < GFS2_SMALL_FH_SIZE ) {
* len = GFS2_SMALL_FH_SIZE ;
return 255 ;
}
2006-01-16 16:50:04 +00:00
2007-05-15 15:37:50 +01:00
fh [ 0 ] = cpu_to_be32 ( ip - > i_no_formal_ino > > 32 ) ;
fh [ 1 ] = cpu_to_be32 ( ip - > i_no_formal_ino & 0xFFFFFFFF ) ;
fh [ 2 ] = cpu_to_be32 ( ip - > i_no_addr > > 32 ) ;
fh [ 3 ] = cpu_to_be32 ( ip - > i_no_addr & 0xFFFFFFFF ) ;
2006-09-04 16:16:45 -04:00
* len = GFS2_SMALL_FH_SIZE ;
2006-01-16 16:50:04 +00:00
2012-04-02 14:34:06 -04:00
if ( ! parent | | inode = = sb - > s_root - > d_inode )
2006-01-16 16:50:04 +00:00
return * len ;
2012-04-02 14:34:06 -04:00
ip = GFS2_I ( parent ) ;
2006-01-16 16:50:04 +00:00
2007-05-15 15:37:50 +01:00
fh [ 4 ] = cpu_to_be32 ( ip - > i_no_formal_ino > > 32 ) ;
fh [ 5 ] = cpu_to_be32 ( ip - > i_no_formal_ino & 0xFFFFFFFF ) ;
fh [ 6 ] = cpu_to_be32 ( ip - > i_no_addr > > 32 ) ;
fh [ 7 ] = cpu_to_be32 ( ip - > i_no_addr & 0xFFFFFFFF ) ;
2006-09-04 16:16:45 -04:00
* len = GFS2_LARGE_FH_SIZE ;
2006-01-16 16:50:04 +00:00
return * len ;
}
struct get_name_filldir {
2006-10-13 22:51:24 -04:00
struct gfs2_inum_host inum ;
2006-01-16 16:50:04 +00:00
char * name ;
} ;
2007-01-17 15:09:20 +00:00
static int get_name_filldir ( void * opaque , const char * name , int length ,
loff_t offset , u64 inum , unsigned int type )
2006-01-16 16:50:04 +00:00
{
2007-01-17 15:09:20 +00:00
struct get_name_filldir * gnfd = opaque ;
2006-01-16 16:50:04 +00:00
2007-01-17 15:09:20 +00:00
if ( inum ! = gnfd - > inum . no_addr )
2006-01-16 16:50:04 +00:00
return 0 ;
memcpy ( gnfd - > name , name , length ) ;
gnfd - > name [ length ] = 0 ;
return 1 ;
}
static int gfs2_get_name ( struct dentry * parent , char * name ,
struct dentry * child )
{
struct inode * dir = parent - > d_inode ;
struct inode * inode = child - > d_inode ;
struct gfs2_inode * dip , * ip ;
struct get_name_filldir gnfd ;
struct gfs2_holder gh ;
2006-09-04 12:49:07 -04:00
u64 offset = 0 ;
2006-01-16 16:50:04 +00:00
int error ;
2011-10-27 12:16:06 -04:00
struct file_ra_state f_ra = { . start = 0 } ;
2006-01-16 16:50:04 +00:00
if ( ! dir )
return - EINVAL ;
if ( ! S_ISDIR ( dir - > i_mode ) | | ! inode )
return - EINVAL ;
2006-06-14 15:32:57 -04:00
dip = GFS2_I ( dir ) ;
ip = GFS2_I ( inode ) ;
2006-01-16 16:50:04 +00:00
* name = 0 ;
2007-05-15 15:37:50 +01:00
gnfd . inum . no_addr = ip - > i_no_addr ;
gnfd . inum . no_formal_ino = ip - > i_no_formal_ino ;
2006-01-16 16:50:04 +00:00
gnfd . name = name ;
error = gfs2_glock_nq_init ( dip - > i_gl , LM_ST_SHARED , 0 , & gh ) ;
if ( error )
return error ;
2011-10-27 12:16:06 -04:00
error = gfs2_dir_read ( dir , & offset , & gnfd , get_name_filldir , & f_ra ) ;
2006-01-16 16:50:04 +00:00
gfs2_glock_dq_uninit ( & gh ) ;
if ( ! error & & ! * name )
error = - ENOENT ;
return error ;
}
static struct dentry * gfs2_get_parent ( struct dentry * child )
{
2010-12-18 12:06:56 -05:00
return d_obtain_alias ( gfs2_lookupi ( child - > d_inode , & gfs2_qdotdot , 1 ) ) ;
2006-01-16 16:50:04 +00:00
}
2007-10-21 16:42:14 -07:00
static struct dentry * gfs2_get_dentry ( struct super_block * sb ,
2009-09-08 18:00:30 +01:00
struct gfs2_inum_host * inum )
2006-01-16 16:50:04 +00:00
{
2006-02-27 17:23:27 -05:00
struct gfs2_sbd * sdp = sb - > s_fs_info ;
2006-01-16 16:50:04 +00:00
struct inode * inode ;
2011-04-18 14:18:09 +01:00
inode = gfs2_ilookup ( sb , inum - > no_addr , 0 ) ;
2006-01-16 16:50:04 +00:00
if ( inode ) {
2007-05-15 15:37:50 +01:00
if ( GFS2_I ( inode ) - > i_no_formal_ino ! = inum - > no_formal_ino ) {
2006-01-16 16:50:04 +00:00
iput ( inode ) ;
return ERR_PTR ( - ESTALE ) ;
}
goto out_inode ;
}
2010-11-03 20:01:07 +00:00
inode = gfs2_lookup_by_inum ( sdp , inum - > no_addr , & inum - > no_formal_ino ,
GFS2_BLKST_DINODE ) ;
if ( IS_ERR ( inode ) )
return ERR_CAST ( inode ) ;
2006-01-16 16:50:04 +00:00
2006-06-14 15:32:57 -04:00
out_inode :
2010-12-18 12:06:56 -05:00
return d_obtain_alias ( inode ) ;
2006-01-16 16:50:04 +00:00
}
2007-10-21 16:42:14 -07:00
static struct dentry * gfs2_fh_to_dentry ( struct super_block * sb , struct fid * fid ,
int fh_len , int fh_type )
{
struct gfs2_inum_host this ;
__be32 * fh = ( __force __be32 * ) fid - > raw ;
switch ( fh_type ) {
case GFS2_SMALL_FH_SIZE :
case GFS2_LARGE_FH_SIZE :
case GFS2_OLD_FH_SIZE :
tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking
Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(),
u64 inum = fid->raw[2];
which is unhelpfully reported as at the end of shmem_alloc_inode():
BUG: unable to handle kernel paging request at ffff880061cd3000
IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Call Trace:
[<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0
[<ffffffff812d77c3>] do_handle_open+0x163/0x2c0
[<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10
[<ffffffff83a5f3f8>] tracesys+0xe1/0xe6
Right, tmpfs is being stupid to access fid->raw[2] before validating that
fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may
fall at the end of a page, and the next page not be present.
But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being
careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and
could oops in the same way: add the missing fh_len checks to those.
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sage Weil <sage@inktank.com>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-10-07 20:32:51 -07:00
if ( fh_len < GFS2_SMALL_FH_SIZE )
return NULL ;
2007-10-21 16:42:14 -07:00
this . no_formal_ino = ( ( u64 ) be32_to_cpu ( fh [ 0 ] ) ) < < 32 ;
this . no_formal_ino | = be32_to_cpu ( fh [ 1 ] ) ;
this . no_addr = ( ( u64 ) be32_to_cpu ( fh [ 2 ] ) ) < < 32 ;
this . no_addr | = be32_to_cpu ( fh [ 3 ] ) ;
return gfs2_get_dentry ( sb , & this ) ;
default :
return NULL ;
}
}
static struct dentry * gfs2_fh_to_parent ( struct super_block * sb , struct fid * fid ,
int fh_len , int fh_type )
{
struct gfs2_inum_host parent ;
__be32 * fh = ( __force __be32 * ) fid - > raw ;
switch ( fh_type ) {
case GFS2_LARGE_FH_SIZE :
case GFS2_OLD_FH_SIZE :
tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking
Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(),
u64 inum = fid->raw[2];
which is unhelpfully reported as at the end of shmem_alloc_inode():
BUG: unable to handle kernel paging request at ffff880061cd3000
IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Call Trace:
[<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0
[<ffffffff812d77c3>] do_handle_open+0x163/0x2c0
[<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10
[<ffffffff83a5f3f8>] tracesys+0xe1/0xe6
Right, tmpfs is being stupid to access fid->raw[2] before validating that
fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may
fall at the end of a page, and the next page not be present.
But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being
careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and
could oops in the same way: add the missing fh_len checks to those.
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sage Weil <sage@inktank.com>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-10-07 20:32:51 -07:00
if ( fh_len < GFS2_LARGE_FH_SIZE )
return NULL ;
2007-10-21 16:42:14 -07:00
parent . no_formal_ino = ( ( u64 ) be32_to_cpu ( fh [ 4 ] ) ) < < 32 ;
parent . no_formal_ino | = be32_to_cpu ( fh [ 5 ] ) ;
parent . no_addr = ( ( u64 ) be32_to_cpu ( fh [ 6 ] ) ) < < 32 ;
parent . no_addr | = be32_to_cpu ( fh [ 7 ] ) ;
return gfs2_get_dentry ( sb , & parent ) ;
default :
return NULL ;
}
}
2007-10-21 16:42:17 -07:00
const struct export_operations gfs2_export_ops = {
2006-01-16 16:50:04 +00:00
. encode_fh = gfs2_encode_fh ,
2007-10-21 16:42:14 -07:00
. fh_to_dentry = gfs2_fh_to_dentry ,
. fh_to_parent = gfs2_fh_to_parent ,
2006-01-16 16:50:04 +00:00
. get_name = gfs2_get_name ,
. get_parent = gfs2_get_parent ,
} ;