From: Arnd Bergmann <arnd@arndb.de>
To: Alan Cox <alan@lxorguk.ukuu.org.uk>
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
Jens Axboe <jens.axboe@oracle.com>
Subject: Re: [RFC PATCH] fs code: Push the BKL down into the file system ioctl handlers
Date: Wed, 4 Jun 2008 18:43:20 +0200 [thread overview]
Message-ID: <200806041843.20965.arnd@arndb.de> (raw)
In-Reply-To: <20080522231524.52e21eb8@core>
On Friday 23 May 2008, Alan Cox wrote:
> --- a/drivers/char/raw.c
> +++ b/drivers/char/raw.c
> @@ -116,13 +116,15 @@ static int raw_release(struct inode *inode, struct file *filp)
> /*
> * Forward ioctls to the underlying block device.
> */
> -static int
> -raw_ioctl(struct inode *inode, struct file *filp,
> - unsigned int command, unsigned long arg)
> +static long raw_ioctl(struct file *filp, unsigned int command,
> + unsigned long arg)
> {
> + long ret;
> struct block_device *bdev = filp->private_data;
> -
> - return blkdev_ioctl(bdev->bd_inode, NULL, command, arg);
> + lock_kernel();
> + ret = blkdev_ioctl(bdev->bd_inode, NULL, command, arg);
> + unlock_kernel();
> + return ret;
> }
>
> static void bind_device(struct raw_config_request *rq)
blkdev_ioctl and compat_blkdev_ioctl are converted already (they take
the BKL in all places of doubt), so you can call these directly without
calling lock_kernel() again.
However, reading through that code again, I noticed two nastybits:
* there is no compat_raw_ioctl function, so any user space program
trying 32 bit block ioctl calls on a raw device has been broken ever
since my patch that moved the block compat_ioctl handlers into
the block/compat_ioctl.c file. The same problem seems to exist
on pktcdvd.c.
* If any block driver had implemented unlocked_ioctl, it would be
even worse: The raw driver passes filp->private_data->bd_inode as
the inode and NULL as the file. blkdev_ioctl drops the inode
argument when calling into a driver and only passes filp, so
if a driver then tries to access filp->f_mapping->host,
it gets a NULL pointer dereference.
Fortunately, no block driver to date implements unlocked_ioctl, and
compat_ioctl was protected from this bug by the missing
compat_raw_ioctl.
I suppose the right fix for this will be to make the blkdev
unlocked_ioctl and compat_ioctl take a bdev argument instead
of file and inode.
Arnd <><
next prev parent reply other threads:[~2008-06-04 16:44 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-05-22 22:15 [RFC PATCH] fs code: Push the BKL down into the file system ioctl handlers Alan Cox
2008-06-04 16:43 ` Arnd Bergmann [this message]
2008-06-05 8:59 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=200806041843.20965.arnd@arndb.de \
--to=arnd@arndb.de \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=jens.axboe@oracle.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.