From: Al Viro <viro@ZenIV.linux.org.uk>
To: Guenter Roeck <linux@roeck-us.net>
Cc: Sabrina Dubroca <sd@queasysnail.net>,
	Paul Moore <pmoore@redhat.com>,
	Stephen Rothwell <sfr@canb.auug.org.au>,
	linux-next@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-audit@redhat.com,
	Richard Guy Briggs <rgb@redhat.com>
Subject: Re: linux-next: Tree for Jan 20 -- Kernel panic - Unable to mount root fs
Date: Wed, 21 Jan 2015 21:28:33 +0000	[thread overview]
Message-ID: <20150121212833.GS29656@ZenIV.linux.org.uk> (raw)
In-Reply-To: <54C01418.5060204@roeck-us.net>

On Wed, Jan 21, 2015 at 01:03:20PM -0800, Guenter Roeck wrote:
> ok case (putname commented out):
> 
> user_path_at_empty lookup usr flags 0x0
> path_lookupat: calling path_init 'usr' flags=40
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=40[50] returned 0
> walk_component: lookup_fast() returned 1
> walk_component: lookup_slow() returned 0
> walk_component: inode=  (null), negative=1
> do_path_lookup(usr, 0x10)
> path_lookupat: calling path_init 'usr' flags=50
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=50[50] returned 0
> mkdir[c74012a0,/usr] => 0
> user_path_at_empty lookup usr flags 0x1
> path_lookupat: calling path_init 'usr' flags=41
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=41[51] returned 0
> walk_component: inode=c74004a0, negative=0
> user_path_at_empty lookup usr flags 0x1
> path_lookupat: calling path_init 'usr' flags=41
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=41[51] returned 0
> 
> failing case:
> 
> path_lookupat: calling path_init 'usr' flags=40
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=40[50] returned 0
> walk_component: lookup_fast() returned 1
> walk_component: lookup_slow() returned 0
> walk_component: inode=  (null), negative=1
> do_path_lookup(usr, 0x10)
> path_lookupat: calling path_init 'usr' flags=50
> path_init: link_path_walk() returned 0
> path_lookupat: path_init 'usr' flags=50[50] returned 0
> mkdir[c74012a0,/kkk] => 0						<==== SIC!

Cute. 'k' being 0x6b, aka POISON_FREE...  OK, the next question is what's
been freed under us - I don't believe that it's dentry itself...
Oh, fuck.  OK, I see what happens.  Look at kern_path_create(); it does
LOOKUP_PARENT walk, leaving nd->last pointing to the last component of
the *COPY* of the name it's just created, walked and freed.

OK...  Fortunately, struct nameidata is completely opaque outside of fs/namei.c,
so we only need to care about a couple of codepaths.

Folks, could you check if the following on top of linux-next fixes the problem?

diff --git a/fs/namei.c b/fs/namei.c
index 323957f..cda89c3 100644
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -2056,13 +2056,22 @@ static int do_path_lookup(int dfd, const char *name,
 /* does lookup, returns the object with parent locked */
 struct dentry *kern_path_locked(const char *name, struct path *path)
 {
+	struct filename *filename = getname_kernel(name);
 	struct nameidata nd;
 	struct dentry *d;
-	int err = do_path_lookup(AT_FDCWD, name, LOOKUP_PARENT, &nd);
-	if (err)
+	int err;
+
+	if (IS_ERR(filename))
+		return ERR_CAST(filename);
+
+	err = filename_lookup(AT_FDCWD, filename, LOOKUP_PARENT, &nd);
+	if (err) {
+		putname(filename);
 		return ERR_PTR(err);
+	}
 	if (nd.last_type != LAST_NORM) {
 		path_put(&nd.path);
+		putname(filename);
 		return ERR_PTR(-EINVAL);
 	}
 	mutex_lock_nested(&nd.path.dentry->d_inode->i_mutex, I_MUTEX_PARENT);
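Review bot: The `putname(filename)` release is now repeated on four separate exit paths of kern_path_locked(), two in this hunk and two in the next one, so an exit added later can either leak the name or release it while nd.last still points into it. A single cleanup label at the end, for example `out: putname(filename); return d;`, with the error paths assigning `d = ERR_PTR(err)` and jumping there, would keep the release in one place and after every use of nd. Part of the function body lies between this hunk and the next and is not visible here, so the exact shape has to be checked against the full function.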
@@ -2070,9 +2079,11 @@ struct dentry *kern_path_locked(const char *name, struct path *path)
 	if (IS_ERR(d)) {
 		mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
 		path_put(&nd.path);
+		putname(filename);
 		return d;
 	}
 	*path = nd.path;
+	putname(filename);
 	return d;
 }
 
@@ -3314,7 +3325,7 @@ struct file *do_file_open_root(struct dentry *dentry, struct vfsmount *mnt,
 	return file;
 }
 
-struct dentry *kern_path_create(int dfd, const char *pathname,
+static struct dentry *filename_create(int dfd, struct filename *name,
 				struct path *path, unsigned int lookup_flags)
 {
 	struct dentry *dentry = ERR_PTR(-EEXIST);
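Review bot: filename_create() now borrows a caller-owned `struct filename`, but nothing at the new signature records that the name has to outlive the call. According to the message above, the LOOKUP_PARENT walk leaves nd->last pointing into the name buffer, which is what was freed too early before this change and only showed up because slab poisoning turned the name into 'kkk'. A comment above the function, such as `/* @name is owned by the caller and must stay valid until we return: nd.last points into it */`, would state the rule for future callers. The function body continues outside this hunk.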
@@ -3329,7 +3340,7 @@ struct dentry *kern_path_create(int dfd, const char *pathname,
 	 */
 	lookup_flags &= LOOKUP_REVAL;
 
-	error = do_path_lookup(dfd, pathname, LOOKUP_PARENT|lookup_flags, &nd);
+	error = filename_lookup(dfd, name, LOOKUP_PARENT|lookup_flags, &nd);
 	if (error)
 		return ERR_PTR(error);
 
@@ -3383,6 +3394,19 @@ out:
 	path_put(&nd.path);
 	return dentry;
 }
+
+struct dentry *kern_path_create(int dfd, const char *pathname,
+				struct path *path, unsigned int lookup_flags)
+{
+	struct filename *filename = getname_kernel(pathname);
+	struct dentry *res = ERR_CAST(filename);
+
+	if (!IS_ERR(filename)) {
+		res = filename_create(dfd, filename, path, lookup_flags);
+		putname(filename);
+	}
+	return res;
+}
 EXPORT_SYMBOL(kern_path_create);
 
 void done_path_create(struct path *path, struct dentry *dentry)
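Review bot: In the new kern_path_create(), `res` is initialised with `ERR_CAST(filename)` before `filename` has been tested with IS_ERR(), which reads as if the error case were the expected one. user_path_create() in the last hunk uses the clearer guard form; matching it here with `if (IS_ERR(filename)) return ERR_CAST(filename);` followed by the unconditional filename_create() call and `putname(filename)` would keep the two wrappers parallel. Behaviour is the same either way.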
@@ -3401,7 +3425,7 @@ struct dentry *user_path_create(int dfd, const char __user *pathname,
 	struct dentry *res;
 	if (IS_ERR(tmp))
 		return ERR_CAST(tmp);
-	res = kern_path_create(dfd, tmp->name, path, lookup_flags);
+	res = filename_create(dfd, tmp, path, lookup_flags);
 	putname(tmp);
 	return res;
 }

