1266b4a7ec
Dan reported a new smatch warning [1]
"fs/erofs/inode.c:210 erofs_read_inode() error: double free of 'copied'"
Due to new chunk-based format handling logic, the error path can be
called after kfree(copied).
Set "copied = NULL" after kfree(copied) to fix this.
[1] https://lore.kernel.org/r/202108251030.bELQozR7-lkp@intel.com
Link: https://lore.kernel.org/r/20210825120757.11034-1-hsiangkao@linux.alibaba.com
Fixes: c5aa903a59 ("erofs: support reading chunk-based uncompressed files")
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (C) 2017-2018 HUAWEI, Inc.
 * https://www.huawei.com/
 * Copyright (C) 2021, Alibaba Cloud
 */
#include "xattr.h"
#include <trace/events/erofs.h>
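/*
 * Read the on-disk inode of @inode and fill in the in-memory inode fields.
 *
 * if inode is successfully read, return its inode page (or sometimes
 * the inode payload page if it's an extended inode) in order to fill
 * inline data if possible.
 *
 * @inode: VFS inode being set up; EROFS_I(inode)->nid must already be set.
 * @ofs:   out parameter; on success it holds the offset, inside the returned
 *         page, of the first byte following the on-disk inode.
 *
 * On success the returned page is still locked and referenced; the caller
 * has to unlock_page() and put_page() it.  On failure the page has been
 * released here and an ERR_PTR() is returned.
 *
 * Every field read below comes from the filesystem image, so it has to be
 * validated before it is trusted.
 */
static struct page *erofs_read_inode(struct inode *inode,
				     unsigned int *ofs)
{
	struct super_block *sb = inode->i_sb;
	struct erofs_sb_info *sbi = EROFS_SB(sb);
	struct erofs_inode *vi = EROFS_I(inode);
	const erofs_off_t inode_loc = iloc(sbi, vi->nid);

	erofs_blk_t blkaddr, nblks = 0;
	struct page *page;
	struct erofs_inode_compact *dic;
	struct erofs_inode_extended *die, *copied = NULL;
	unsigned int ifmt;
	int err;

	blkaddr = erofs_blknr(inode_loc);
	*ofs = erofs_blkoff(inode_loc);

	erofs_dbg("%s, reading inode nid %llu at %u of blkaddr %u",
		  __func__, vi->nid, *ofs, blkaddr);

	page = erofs_get_meta_page(sb, blkaddr);
	if (IS_ERR(page)) {
		erofs_err(sb, "failed to get inode (nid: %llu) page, err %ld",
			  vi->nid, PTR_ERR(page));
		return page;
	}

	dic = page_address(page) + *ofs;
	ifmt = le16_to_cpu(dic->i_format);

	/* refuse any i_format bit this implementation does not know about */
	if (ifmt & ~EROFS_I_ALL) {
		erofs_err(inode->i_sb, "unsupported i_format %u of nid %llu",
			  ifmt, vi->nid);
		err = -EOPNOTSUPP;
		goto err_out;
	}

	vi->datalayout = erofs_inode_datalayout(ifmt);
	if (vi->datalayout >= EROFS_INODE_DATALAYOUT_MAX) {
		erofs_err(inode->i_sb, "unsupported datalayout %u of nid %llu",
			  vi->datalayout, vi->nid);
		err = -EOPNOTSUPP;
		goto err_out;
	}

	switch (erofs_inode_version(ifmt)) {
	case EROFS_INODE_LAYOUT_EXTENDED:
		vi->inode_isize = sizeof(struct erofs_inode_extended);
		/* check if the inode crosses page boundary */
		if (*ofs + vi->inode_isize <= PAGE_SIZE) {
			*ofs += vi->inode_isize;
			die = (struct erofs_inode_extended *)dic;
		} else {
			/* bytes of the inode available in the first page */
			const unsigned int gotten = PAGE_SIZE - *ofs;

			/*
			 * The inode straddles two meta pages: stitch both
			 * halves together in a temporary heap buffer.
			 */
			copied = kmalloc(vi->inode_isize, GFP_NOFS);
			if (!copied) {
				err = -ENOMEM;
				goto err_out;
			}
			memcpy(copied, dic, gotten);
			unlock_page(page);
			put_page(page);

			page = erofs_get_meta_page(sb, blkaddr + 1);
			if (IS_ERR(page)) {
				erofs_err(sb, "failed to get inode payload page (nid: %llu), err %ld",
					  vi->nid, PTR_ERR(page));
				/* no page is held here, so err_out cannot be used */
				kfree(copied);
				return page;
			}
			*ofs = vi->inode_isize - gotten;
			memcpy((u8 *)copied + gotten, page_address(page), *ofs);
			die = copied;
		}
		vi->xattr_isize = erofs_xattr_ibody_size(die->i_xattr_icount);

		inode->i_mode = le16_to_cpu(die->i_mode);
		switch (inode->i_mode & S_IFMT) {
		case S_IFREG:
		case S_IFDIR:
		case S_IFLNK:
			vi->raw_blkaddr = le32_to_cpu(die->i_u.raw_blkaddr);
			break;
		case S_IFCHR:
		case S_IFBLK:
			inode->i_rdev =
				new_decode_dev(le32_to_cpu(die->i_u.rdev));
			break;
		case S_IFIFO:
		case S_IFSOCK:
			inode->i_rdev = 0;
			break;
		default:
			goto bogusimode;
		}
		i_uid_write(inode, le32_to_cpu(die->i_uid));
		i_gid_write(inode, le32_to_cpu(die->i_gid));
		set_nlink(inode, le32_to_cpu(die->i_nlink));

		/* extended inode has its own timestamp */
		inode->i_ctime.tv_sec = le64_to_cpu(die->i_ctime);
		inode->i_ctime.tv_nsec = le32_to_cpu(die->i_ctime_nsec);

		inode->i_size = le64_to_cpu(die->i_size);

		/* total blocks for compressed files */
		if (erofs_inode_is_data_compressed(vi->datalayout))
			nblks = le32_to_cpu(die->i_u.compressed_blocks);
		else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
			/* fill chunked inode summary info */
			vi->chunkformat = le16_to_cpu(die->i_u.c.format);
		kfree(copied);
		/*
		 * err_out below also calls kfree(copied) and is still
		 * reachable from the chunk-format check after the switch;
		 * clearing the pointer prevents a double free there.
		 */
		copied = NULL;
		break;
	case EROFS_INODE_LAYOUT_COMPACT:
		vi->inode_isize = sizeof(struct erofs_inode_compact);
		*ofs += vi->inode_isize;
		vi->xattr_isize = erofs_xattr_ibody_size(dic->i_xattr_icount);

		inode->i_mode = le16_to_cpu(dic->i_mode);
		switch (inode->i_mode & S_IFMT) {
		case S_IFREG:
		case S_IFDIR:
		case S_IFLNK:
			vi->raw_blkaddr = le32_to_cpu(dic->i_u.raw_blkaddr);
			break;
		case S_IFCHR:
		case S_IFBLK:
			inode->i_rdev =
				new_decode_dev(le32_to_cpu(dic->i_u.rdev));
			break;
		case S_IFIFO:
		case S_IFSOCK:
			inode->i_rdev = 0;
			break;
		default:
			goto bogusimode;
		}
		i_uid_write(inode, le16_to_cpu(dic->i_uid));
		i_gid_write(inode, le16_to_cpu(dic->i_gid));
		set_nlink(inode, le16_to_cpu(dic->i_nlink));

		/* use build time for compact inodes */
		inode->i_ctime.tv_sec = sbi->build_time;
		inode->i_ctime.tv_nsec = sbi->build_time_nsec;

		inode->i_size = le32_to_cpu(dic->i_size);
		if (erofs_inode_is_data_compressed(vi->datalayout))
			nblks = le32_to_cpu(dic->i_u.compressed_blocks);
		else if (vi->datalayout == EROFS_INODE_CHUNK_BASED)
			vi->chunkformat = le16_to_cpu(dic->i_u.c.format);
		break;
	default:
		erofs_err(inode->i_sb,
			  "unsupported on-disk inode version %u of nid %llu",
			  erofs_inode_version(ifmt), vi->nid);
		err = -EOPNOTSUPP;
		goto err_out;
	}

	if (vi->datalayout == EROFS_INODE_CHUNK_BASED) {
		/*
		 * Reject every bit outside the supported set, exactly like
		 * the i_format check against EROFS_I_ALL above.  Testing
		 * "!(format & ALL)" instead would accept an image that sets
		 * unknown bits next to a known one, and would refuse a
		 * format value that sets no optional bit at all.
		 */
		if (vi->chunkformat & ~EROFS_CHUNK_FORMAT_ALL) {
			erofs_err(inode->i_sb,
				  "unsupported chunk format %x of nid %llu",
				  vi->chunkformat, vi->nid);
			err = -EOPNOTSUPP;
			goto err_out;
		}
		vi->chunkbits = LOG_BLOCK_SIZE +
			(vi->chunkformat & EROFS_CHUNK_FORMAT_BLKBITS_MASK);
	}
	/* only one timestamp is kept; mtime and atime mirror ctime */
	inode->i_mtime.tv_sec = inode->i_ctime.tv_sec;
	inode->i_atime.tv_sec = inode->i_ctime.tv_sec;
	inode->i_mtime.tv_nsec = inode->i_ctime.tv_nsec;
	inode->i_atime.tv_nsec = inode->i_ctime.tv_nsec;

	inode->i_flags &= ~S_DAX;
	if (test_opt(&sbi->ctx, DAX_ALWAYS) && S_ISREG(inode->i_mode) &&
	    vi->datalayout == EROFS_INODE_FLAT_PLAIN)
		inode->i_flags |= S_DAX;
	if (!nblks)
		/* measure inode.i_blocks as generic filesystems */
		inode->i_blocks = roundup(inode->i_size, EROFS_BLKSIZ) >> 9;
	else
		inode->i_blocks = nblks << LOG_SECTORS_PER_BLOCK;
	return page;

bogusimode:
	erofs_err(inode->i_sb, "bogus i_mode (%o) @ nid %llu",
		  inode->i_mode, vi->nid);
	err = -EFSCORRUPTED;
err_out:
	DBG_BUGON(1);
	/* copied is NULL unless the stitched buffer is still owned here */
	kfree(copied);
	unlock_page(page);
	put_page(page);
	return ERR_PTR(err);
}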
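/*
 * Choose the symlink implementation for @inode.
 *
 * @inode:  symlink inode whose i_size and datalayout were already read
 * @data:   address of the meta page returned by erofs_read_inode()
 * @m_pofs: offset in @data just past the on-disk inode
 *
 * A short link stored inline is copied into a NUL-terminated heap buffer
 * that is published through inode->i_link (fast symlink); anything else is
 * left to erofs_symlink_iops.
 *
 * Return: 0 on success, -ENOMEM if the buffer cannot be allocated, or
 * -EFSCORRUPTED if the inline data would run past the end of the page.
 */
static int erofs_fill_symlink(struct inode *inode, void *data,
			      unsigned int m_pofs)
{
	struct erofs_inode *vi = EROFS_I(inode);
	char *lnk;

	/*
	 * if it cannot be handled with fast symlink scheme
	 *
	 * i_size is a signed value taken from the on-disk inode.  Where
	 * loff_t is wider than unsigned long the ">= PAGE_SIZE" comparison
	 * is a signed one and does not catch a negative size, so test for
	 * it explicitly before it can reach kmalloc() and memcpy() below.
	 */
	if (vi->datalayout != EROFS_INODE_FLAT_INLINE ||
	    inode->i_size >= PAGE_SIZE || inode->i_size < 0) {
		inode->i_op = &erofs_symlink_iops;
		return 0;
	}

	/* one extra byte for the terminating NUL */
	lnk = kmalloc(inode->i_size + 1, GFP_KERNEL);
	if (!lnk)
		return -ENOMEM;

	/* the link target follows the inline xattr area */
	m_pofs += vi->xattr_isize;
	/* inline symlink data shouldn't cross page boundary as well */
	if (m_pofs + inode->i_size > PAGE_SIZE) {
		kfree(lnk);
		erofs_err(inode->i_sb,
			  "inline data cross block boundary @ nid %llu",
			  vi->nid);
		DBG_BUGON(1);
		return -EFSCORRUPTED;
	}

	memcpy(lnk, data + m_pofs, inode->i_size);
	lnk[inode->i_size] = '\0';

	inode->i_link = lnk;
	inode->i_op = &erofs_fast_symlink_iops;
	return 0;
}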
/*
 * Populate a freshly allocated inode from disk and attach the operation
 * tables matching its file type.
 *
 * @inode: new inode; EROFS_I(inode)->nid identifies the on-disk inode
 * @isdir: only forwarded to the tracepoint in this function
 *
 * Return: 0 on success or a negative errno.  The meta page obtained from
 * erofs_read_inode() is unlocked and released on every path that got it.
 */
static int erofs_fill_inode(struct inode *inode, int isdir)
{
	struct erofs_inode *vi = EROFS_I(inode);
	struct page *ipage;
	unsigned int payload_ofs;
	int ret = 0;

	trace_erofs_fill_inode(inode, isdir);

	/* read inode base data from disk */
	ipage = erofs_read_inode(inode, &payload_ofs);
	if (IS_ERR(ipage))
		return PTR_ERR(ipage);

	/* setup the new inode */
	switch (inode->i_mode & S_IFMT) {
	case S_IFREG:
		inode->i_op = &erofs_generic_iops;
		inode->i_fop = erofs_inode_is_data_compressed(vi->datalayout) ?
				&generic_ro_fops : &erofs_file_fops;
		break;
	case S_IFDIR:
		inode->i_op = &erofs_dir_iops;
		inode->i_fop = &erofs_dir_fops;
		break;
	case S_IFLNK:
		ret = erofs_fill_symlink(inode, page_address(ipage),
					 payload_ofs);
		if (ret)
			goto out_unlock;
		inode_nohighmem(inode);
		break;
	case S_IFCHR:
	case S_IFBLK:
	case S_IFIFO:
	case S_IFSOCK:
		/* special files carry no data mapping, so stop here */
		inode->i_op = &erofs_generic_iops;
		init_special_inode(inode, inode->i_mode, inode->i_rdev);
		goto out_unlock;
	default:
		ret = -EFSCORRUPTED;
		goto out_unlock;
	}

	/* regular files, directories and symlinks need address-space ops */
	if (erofs_inode_is_data_compressed(vi->datalayout))
		ret = z_erofs_fill_inode(inode);
	else
		inode->i_mapping->a_ops = &erofs_raw_access_aops;

out_unlock:
	unlock_page(ipage);
	put_page(ipage);
	return ret;
}
/*
 * erofs nid is 64bits, but i_ino is 'unsigned long', therefore
 * we should do more for 32-bit platform to find the right inode.
 *
 * Test callback handed to iget5_locked(): @opaque points to the wanted
 * erofs_nid_t.  Returns nonzero when @inode carries that nid.
 */
static int erofs_ilookup_test_actor(struct inode *inode, void *opaque)
{
	const erofs_nid_t *wanted = opaque;

	return EROFS_I(inode)->nid == *wanted;
}
/*
 * Set callback handed to iget5_locked(): @opaque points to the erofs_nid_t
 * of the inode being created.  Stores the hashed nid in i_ino and always
 * returns 0.
 */
static int erofs_iget_set_actor(struct inode *inode, void *opaque)
{
	const erofs_nid_t *nidp = opaque;

	inode->i_ino = erofs_inode_hash(*nidp);
	return 0;
}
/*
 * Look up or allocate the inode for @nid on @sb through iget5_locked(),
 * keyed by the hashed nid and matched on the full nid by the test actor.
 * Returns whatever iget5_locked() returns.
 */
static inline struct inode *erofs_iget_locked(struct super_block *sb,
					      erofs_nid_t nid)
{
	return iget5_locked(sb, erofs_inode_hash(nid),
			    erofs_ilookup_test_actor,
			    erofs_iget_set_actor, &nid);
}
/*
 * Get the in-memory inode for @nid on @sb, reading it from disk the first
 * time it is seen.
 *
 * @isdir is handed through to erofs_fill_inode().
 *
 * Return: the inode, ERR_PTR(-ENOMEM) if none could be obtained, or the
 * ERR_PTR() of the error reported by erofs_fill_inode().
 */
struct inode *erofs_iget(struct super_block *sb,
			 erofs_nid_t nid,
			 bool isdir)
{
	struct inode *inode = erofs_iget_locked(sb, nid);
	int err;

	if (!inode)
		return ERR_PTR(-ENOMEM);

	/* an inode without I_NEW was initialised by an earlier lookup */
	if (!(inode->i_state & I_NEW))
		return inode;

	EROFS_I(inode)->nid = nid;

	err = erofs_fill_inode(inode, isdir);
	if (err) {
		/* drop the half-initialised inode and report the error */
		iget_failed(inode);
		return ERR_PTR(err);
	}

	unlock_new_inode(inode);
	return inode;
}
/*
 * ->getattr for erofs inodes: report the IMMUTABLE attribute on every
 * inode, COMPRESSED on inodes with a compressed data layout, then let
 * generic_fillattr() fill in the rest of @stat.  Always returns 0.
 *
 * NOTE(review): @mnt_userns, @request_mask and @query_flags are not
 * consulted here; generic_fillattr() is called with &init_user_ns.
 */
int erofs_getattr(struct user_namespace *mnt_userns, const struct path *path,
		  struct kstat *stat, u32 request_mask,
		  unsigned int query_flags)
{
	struct inode *const inode = d_inode(path->dentry);
	u64 attrs = STATX_ATTR_IMMUTABLE;

	if (erofs_inode_is_data_compressed(EROFS_I(inode)->datalayout))
		attrs |= STATX_ATTR_COMPRESSED;

	stat->attributes |= attrs;
	stat->attributes_mask |= STATX_ATTR_COMPRESSED | STATX_ATTR_IMMUTABLE;

	generic_fillattr(&init_user_ns, inode, stat);
	return 0;
}
/* inode operations installed on regular and special files */
const struct inode_operations erofs_generic_iops = {
	.getattr	= erofs_getattr,
	.listxattr	= erofs_listxattr,
	.get_acl	= erofs_get_acl,
	.fiemap		= erofs_fiemap,
};

/* symlinks that do not qualify for the fast (in-memory) scheme */
const struct inode_operations erofs_symlink_iops = {
	.get_link	= page_get_link,
	.getattr	= erofs_getattr,
	.listxattr	= erofs_listxattr,
	.get_acl	= erofs_get_acl,
};

/* symlinks whose target was copied into inode->i_link */
const struct inode_operations erofs_fast_symlink_iops = {
	.get_link	= simple_get_link,
	.getattr	= erofs_getattr,
	.listxattr	= erofs_listxattr,
	.get_acl	= erofs_get_acl,
};