From mboxrd@z Thu Jan 1 00:00:00 1970 From: OGAWA Hirofumi Subject: Re: Intentionally corrupted vfat fs causing BUG Date: Fri, 24 Oct 2014 02:58:05 +0900 Message-ID: <87oat27jo2.fsf@devron.myhome.or.jp> References: <543B8BC7.1040501@nod.at> <87y4sk5pul.fsf@devron.myhome.or.jp> <543B8FA7.9000106@nod.at> <87r3yc5oqt.fsf@devron.myhome.or.jp> <5443E87A.2060207@nod.at> <87oat29551.fsf@devron.myhome.or.jp> <20141023160106.GB7996@ZenIV.linux.org.uk> <20141023161606.GC7996@ZenIV.linux.org.uk> <877fzq91ky.fsf@devron.myhome.or.jp> <20141023165533.GD7996@ZenIV.linux.org.uk> <20141023172158.GF7996@ZenIV.linux.org.uk> Mime-Version: 1.0 Content-Type: text/plain Cc: Richard Weinberger , Sami Liedes , linux-fsdevel To: Al Viro Return-path: Received: from mail.parknet.co.jp ([210.171.160.6]:45011 "EHLO mail.parknet.co.jp" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752539AbaJWR6I (ORCPT ); Thu, 23 Oct 2014 13:58:08 -0400 In-Reply-To: <20141023172158.GF7996@ZenIV.linux.org.uk> (Al Viro's message of "Thu, 23 Oct 2014 18:21:58 +0100") Sender: linux-fsdevel-owner@vger.kernel.org List-ID: Al Viro writes: > On Thu, Oct 23, 2014 at 05:55:33PM +0100, Al Viro wrote: >> On Fri, Oct 24, 2014 at 01:45:49AM +0900, OGAWA Hirofumi wrote: >> >> > d_splice_alias() calls __d_find_alias() with want_discon==1, so >> > __d_find_alias() doesn't return dentry, and d_splice_alias() doesn't use >> > d_move() path, right? >> >> Hmm... Not in the current mainline (and not because of want_discon - that's >> gone already). However, with the fixes I've got in the local tree it >> will both find and move it - same as d_materialise_unique() would in the >> current mainline. > > Untested interim fix follows; as soon as d_splice_alias()/d_materialise_unique() > merge happens, we'll be able to clean vfat_lookup() a bit more. > > a) don't bother with ->d_time for positives - we only check it for negatives > anyway. > b) make sure to set it at unlink and rmdir time - at *that* point soon-to-be > negative dentry matches then-current directory contents > c) don't go into renaming of old alias in vfat_lookup() unless it has > the same parent (which it will, unless we are seeing corrupted image) *and* > is a non-directory > d) use (for now) d_materialise_unique() instead of d_splice_alias() - that one > will do renames of old directory aliases just fine (and pretty soon so will > d_splice_alias(), but this bug is -stable fodder) Ah, this calls d_move() for directory? I recalled why it didn't change alias if directory. Changing result of getcwd() may become the surprise of apps... If doesn't surprise, looks good. > Signed-off-by: Al Viro > --- > diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c > index 6df8d3d..eed856f 100644 > --- a/fs/fat/namei_vfat.c > +++ b/fs/fat/namei_vfat.c > @@ -736,17 +736,17 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, > } > > alias = d_find_alias(inode); > - if (alias && !vfat_d_anon_disconn(alias)) { > + if (alias && alias->d_parent == dentry->d_parent && > + !S_ISDIR(inode->i_mode) && !vfat_d_anon_disconn(alias)) { > /* > - * This inode has non anonymous-DCACHE_DISCONNECTED > + * This file has non anonymous-DCACHE_DISCONNECTED > * dentry. This means, the user did ->lookup() by an > * another name (longname vs 8.3 alias of it) in past. > * > * Switch to new one for reason of locality if possible. > */ > BUG_ON(d_unhashed(alias)); > - if (!S_ISDIR(inode->i_mode)) > - d_move(alias, dentry); > + d_move(alias, dentry); > iput(inode); > mutex_unlock(&MSDOS_SB(sb)->s_lock); > return alias; > @@ -755,12 +755,9 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, > > out: > mutex_unlock(&MSDOS_SB(sb)->s_lock); > - dentry->d_time = dentry->d_parent->d_inode->i_version; > - dentry = d_splice_alias(inode, dentry); > - if (dentry) > - dentry->d_time = dentry->d_parent->d_inode->i_version; > - return dentry; > - > + if (!inode) > + dentry->d_time = dir->i_version; > + return d_materialise_unique(dentry, inode); > error: > mutex_unlock(&MSDOS_SB(sb)->s_lock); > return ERR_PTR(err); > @@ -793,7 +790,6 @@ static int vfat_create(struct inode *dir, struct dentry *dentry, umode_t mode, > inode->i_mtime = inode->i_atime = inode->i_ctime = ts; > /* timestamp is already written, so mark_inode_dirty() is unneeded. */ > > - dentry->d_time = dentry->d_parent->d_inode->i_version; > d_instantiate(dentry, inode); > out: > mutex_unlock(&MSDOS_SB(sb)->s_lock); > @@ -824,6 +820,7 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry) > clear_nlink(inode); > inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; > fat_detach(inode); > + dentry->d_time = dir->i_version; > out: > mutex_unlock(&MSDOS_SB(sb)->s_lock); > > @@ -849,6 +846,7 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) > clear_nlink(inode); > inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; > fat_detach(inode); > + dentry->d_time = dir->i_version; > out: > mutex_unlock(&MSDOS_SB(sb)->s_lock); > > @@ -889,7 +887,6 @@ static int vfat_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) > inode->i_mtime = inode->i_atime = inode->i_ctime = ts; > /* timestamp is already written, so mark_inode_dirty() is unneeded. */ > > - dentry->d_time = dentry->d_parent->d_inode->i_version; > d_instantiate(dentry, inode); > > mutex_unlock(&MSDOS_SB(sb)->s_lock); -- OGAWA Hirofumi