* [PATCH 1/6] hfsplus: fix BKL leak in hfsplus_ioctl
From: Christoph Hellwig @ 2010-09-26 21:19 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel, stable
Currently the HFSPLUS_IOC_EXT2_GETFLAGS case never unlocks the BKL, which
can lead to easily reproduced lockups when doing multiple GETFLAGS ioctls.
Fix this by only taking the BKL for the HFSPLUS_IOC_EXT2_SETFLAGS case
as neither HFSPLUS_IOC_EXT2_GETFLAGS nor the default error case needs it.
This behaviour was introduced by "hfsplus: Push down BKL into ioctl function"
during the 2.6.35-rc series.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/ioctl.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/ioctl.c 2010-09-26 01:47:23.992790058 +0900
+++ linux-2.6/fs/hfsplus/ioctl.c 2010-09-26 01:49:16.701790597 +0900
@@ -26,7 +26,6 @@ long hfsplus_ioctl(struct file *filp, un
struct inode *inode = filp->f_path.dentry->d_inode;
unsigned int flags;
- lock_kernel();
switch (cmd) {
case HFSPLUS_IOC_EXT2_GETFLAGS:
flags = 0;
@@ -39,6 +38,8 @@ long hfsplus_ioctl(struct file *filp, un
return put_user(flags, (int __user *)arg);
case HFSPLUS_IOC_EXT2_SETFLAGS: {
int err = 0;
+
+ lock_kernel();
err = mnt_want_write(filp->f_path.mnt);
if (err) {
unlock_kernel();
@@ -93,7 +94,6 @@ setflags_out:
return err;
}
default:
- unlock_kernel();
return -ENOTTY;
}
}
* [PATCH 2/6] hfsplus: split hfsplus_ioctl
From: Christoph Hellwig @ 2010-09-26 21:19 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel
Give each ioctl command a function of its own.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/ioctl.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/ioctl.c 2010-09-26 01:49:16.701790597 +0900
+++ linux-2.6/fs/hfsplus/ioctl.c 2010-09-26 02:01:29.927790059 +0900
@@ -21,78 +21,93 @@
#include <asm/uaccess.h>
#include "hfsplus_fs.h"
-long hfsplus_ioctl(struct file *filp, unsigned int cmd, unsigned long arg)
+static int hfsplus_ioctl_getflags(struct file *file, int __user *user_flags)
{
- struct inode *inode = filp->f_path.dentry->d_inode;
+ struct inode *inode = file->f_path.dentry->d_inode;
+ unsigned int flags = 0;
+
+ if (HFSPLUS_I(inode).rootflags & HFSPLUS_FLG_IMMUTABLE)
+ flags |= FS_IMMUTABLE_FL;
+ if (HFSPLUS_I(inode).rootflags & HFSPLUS_FLG_APPEND)
+ flags |= FS_APPEND_FL;
+ if (HFSPLUS_I(inode).userflags & HFSPLUS_FLG_NODUMP)
+ flags |= FS_NODUMP_FL;
+
+ return put_user(flags, user_flags);
+}
+
+static int hfsplus_ioctl_setflags(struct file *file, int __user *user_flags)
+{
+ struct inode *inode = file->f_path.dentry->d_inode;
unsigned int flags;
+ int err = 0;
- switch (cmd) {
- case HFSPLUS_IOC_EXT2_GETFLAGS:
- flags = 0;
- if (HFSPLUS_I(inode).rootflags & HFSPLUS_FLG_IMMUTABLE)
- flags |= FS_IMMUTABLE_FL; /* EXT2_IMMUTABLE_FL */
- if (HFSPLUS_I(inode).rootflags & HFSPLUS_FLG_APPEND)
- flags |= FS_APPEND_FL; /* EXT2_APPEND_FL */
- if (HFSPLUS_I(inode).userflags & HFSPLUS_FLG_NODUMP)
- flags |= FS_NODUMP_FL; /* EXT2_NODUMP_FL */
- return put_user(flags, (int __user *)arg);
- case HFSPLUS_IOC_EXT2_SETFLAGS: {
- int err = 0;
-
- lock_kernel();
- err = mnt_want_write(filp->f_path.mnt);
- if (err) {
- unlock_kernel();
- return err;
- }
+ lock_kernel();
+ err = mnt_want_write(file->f_path.mnt);
+ if (err)
+ goto out_unlock_kernel;
+
+ if (!is_owner_or_cap(inode)) {
+ err = -EACCES;
+ goto out_drop_write;
+ }
- if (!is_owner_or_cap(inode)) {
- err = -EACCES;
- goto setflags_out;
- }
- if (get_user(flags, (int __user *)arg)) {
- err = -EFAULT;
- goto setflags_out;
- }
- if (flags & (FS_IMMUTABLE_FL|FS_APPEND_FL) ||
- HFSPLUS_I(inode).rootflags & (HFSPLUS_FLG_IMMUTABLE|HFSPLUS_FLG_APPEND)) {
- if (!capable(CAP_LINUX_IMMUTABLE)) {
- err = -EPERM;
- goto setflags_out;
- }
- }
+ if (get_user(flags, user_flags)) {
+ err = -EFAULT;
+ goto out_drop_write;
+ }
- /* don't silently ignore unsupported ext2 flags */
- if (flags & ~(FS_IMMUTABLE_FL|FS_APPEND_FL|FS_NODUMP_FL)) {
- err = -EOPNOTSUPP;
- goto setflags_out;
+ if (flags & (FS_IMMUTABLE_FL|FS_APPEND_FL) ||
+ HFSPLUS_I(inode).rootflags & (HFSPLUS_FLG_IMMUTABLE|HFSPLUS_FLG_APPEND)) {
+ if (!capable(CAP_LINUX_IMMUTABLE)) {
+ err = -EPERM;
+ goto out_drop_write;
}
- if (flags & FS_IMMUTABLE_FL) { /* EXT2_IMMUTABLE_FL */
- inode->i_flags |= S_IMMUTABLE;
- HFSPLUS_I(inode).rootflags |= HFSPLUS_FLG_IMMUTABLE;
- } else {
- inode->i_flags &= ~S_IMMUTABLE;
- HFSPLUS_I(inode).rootflags &= ~HFSPLUS_FLG_IMMUTABLE;
- }
- if (flags & FS_APPEND_FL) { /* EXT2_APPEND_FL */
- inode->i_flags |= S_APPEND;
- HFSPLUS_I(inode).rootflags |= HFSPLUS_FLG_APPEND;
- } else {
- inode->i_flags &= ~S_APPEND;
- HFSPLUS_I(inode).rootflags &= ~HFSPLUS_FLG_APPEND;
- }
- if (flags & FS_NODUMP_FL) /* EXT2_NODUMP_FL */
- HFSPLUS_I(inode).userflags |= HFSPLUS_FLG_NODUMP;
- else
- HFSPLUS_I(inode).userflags &= ~HFSPLUS_FLG_NODUMP;
-
- inode->i_ctime = CURRENT_TIME_SEC;
- mark_inode_dirty(inode);
-setflags_out:
- mnt_drop_write(filp->f_path.mnt);
- unlock_kernel();
- return err;
}
+
+ /* don't silently ignore unsupported ext2 flags */
+ if (flags & ~(FS_IMMUTABLE_FL|FS_APPEND_FL|FS_NODUMP_FL)) {
+ err = -EOPNOTSUPP;
+ goto out_drop_write;
+ }
+ if (flags & FS_IMMUTABLE_FL) {
+ inode->i_flags |= S_IMMUTABLE;
+ HFSPLUS_I(inode).rootflags |= HFSPLUS_FLG_IMMUTABLE;
+ } else {
+ inode->i_flags &= ~S_IMMUTABLE;
+ HFSPLUS_I(inode).rootflags &= ~HFSPLUS_FLG_IMMUTABLE;
+ }
+ if (flags & FS_APPEND_FL) {
+ inode->i_flags |= S_APPEND;
+ HFSPLUS_I(inode).rootflags |= HFSPLUS_FLG_APPEND;
+ } else {
+ inode->i_flags &= ~S_APPEND;
+ HFSPLUS_I(inode).rootflags &= ~HFSPLUS_FLG_APPEND;
+ }
+ if (flags & FS_NODUMP_FL)
+ HFSPLUS_I(inode).userflags |= HFSPLUS_FLG_NODUMP;
+ else
+ HFSPLUS_I(inode).userflags &= ~HFSPLUS_FLG_NODUMP;
+
+ inode->i_ctime = CURRENT_TIME_SEC;
+ mark_inode_dirty(inode);
+
+out_drop_write:
+ mnt_drop_write(file->f_path.mnt);
+out_unlock_kernel:
+ unlock_kernel();
+ return err;
+}
+
+long hfsplus_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ void __user *argp = (void __user *)arg;
+
+ switch (cmd) {
+ case HFSPLUS_IOC_EXT2_GETFLAGS:
+ return hfsplus_ioctl_getflags(file, argp);
+ case HFSPLUS_IOC_EXT2_SETFLAGS:
+ return hfsplus_ioctl_setflags(file, argp);
default:
return -ENOTTY;
}
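Review bot: The CAP_LINUX_IMMUTABLE gate in the new hfsplus_ioctl_setflags() has no comment, and it is the one privilege check in the helper whose condition is not obvious. It fires when the request sets FS_IMMUTABLE_FL or FS_APPEND_FL, and also when the inode's rootflags already carry either bit, so clearing them needs the capability too. A one-line comment above the `if`, for example `/* setting or clearing immutable/append-only needs CAP_LINUX_IMMUTABLE */`, would keep a later refactor from narrowing the check to the set case only. Separately, `int err = 0;` is overwritten by `err = mnt_want_write(file->f_path.mnt);` before it is ever read, so the declaration can be just `int err;`.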
* [PATCH 3/6] hfsplus: protect setflags using i_mutex
From: Christoph Hellwig @ 2010-09-26 21:20 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel
Use i_mutex for protecting against concurrent setflags ioctls like in
other filesystems and get rid of the BKL in hfsplus_ioctl.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/ioctl.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/ioctl.c 2010-09-26 02:01:29.927790059 +0900
+++ linux-2.6/fs/hfsplus/ioctl.c 2010-09-26 02:03:03.013790060 +0900
@@ -17,7 +17,6 @@
#include <linux/mount.h>
#include <linux/sched.h>
#include <linux/xattr.h>
-#include <linux/smp_lock.h>
#include <asm/uaccess.h>
#include "hfsplus_fs.h"
@@ -42,10 +41,9 @@ static int hfsplus_ioctl_setflags(struct
unsigned int flags;
int err = 0;
- lock_kernel();
err = mnt_want_write(file->f_path.mnt);
if (err)
- goto out_unlock_kernel;
+ goto out;
if (!is_owner_or_cap(inode)) {
err = -EACCES;
@@ -57,18 +55,20 @@ static int hfsplus_ioctl_setflags(struct
goto out_drop_write;
}
+ mutex_lock(&inode->i_mutex);
+
if (flags & (FS_IMMUTABLE_FL|FS_APPEND_FL) ||
HFSPLUS_I(inode).rootflags & (HFSPLUS_FLG_IMMUTABLE|HFSPLUS_FLG_APPEND)) {
if (!capable(CAP_LINUX_IMMUTABLE)) {
err = -EPERM;
- goto out_drop_write;
+ goto out_unlock_inode;
}
}
/* don't silently ignore unsupported ext2 flags */
if (flags & ~(FS_IMMUTABLE_FL|FS_APPEND_FL|FS_NODUMP_FL)) {
err = -EOPNOTSUPP;
- goto out_drop_write;
+ goto out_unlock_inode;
}
if (flags & FS_IMMUTABLE_FL) {
inode->i_flags |= S_IMMUTABLE;
@@ -92,10 +92,11 @@ static int hfsplus_ioctl_setflags(struct
inode->i_ctime = CURRENT_TIME_SEC;
mark_inode_dirty(inode);
+out_unlock_inode:
+ mutex_lock(&inode->i_mutex);
out_drop_write:
mnt_drop_write(file->f_path.mnt);
-out_unlock_kernel:
- unlock_kernel();
+out:
return err;
}
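Review bot: The new `out_unlock_inode:` label calls `mutex_lock(&inode->i_mutex);` a second time instead of releasing the mutex taken earlier in hfsplus_ioctl_setflags(). Every path that reaches the label holds i_mutex already, including the success path that falls through after `mark_inode_dirty(inode);`, so the caller would block on its own lock and any later task needing that inode's i_mutex would hang behind it. Since the ioctl gets this far for any caller that passes `is_owner_or_cap(inode)`, this looks like a hang the file's owner can trigger on a writable mount. The line should be `mutex_unlock(&inode->i_mutex);`. The function body starts outside this hunk.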
* [PATCH 4/6] hfsplus: introduce alloc_mutex
From: Christoph Hellwig @ 2010-09-26 21:20 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel
Use a new per-sb alloc_mutex instead of abusing i_mutex of the alloc_file
to protect block allocations. This gets rid of lockdep nesting warnings
and prepares for extending the scope of alloc_mutex.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/bitmap.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/bitmap.c 2010-09-27 05:23:50.663327792 +0900
+++ linux-2.6/fs/hfsplus/bitmap.c 2010-09-27 05:24:10.656327794 +0900
@@ -29,7 +29,7 @@ int hfsplus_block_allocate(struct super_
return size;
dprint(DBG_BITMAP, "block_allocate: %u,%u,%u\n", size, offset, len);
- mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+ mutex_lock(&HFSPLUS_SB(sb).alloc_mutex);
mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
page = read_mapping_page(mapping, offset / PAGE_CACHE_BITS, NULL);
if (IS_ERR(page)) {
@@ -154,7 +154,7 @@ done:
sb->s_dirt = 1;
dprint(DBG_BITMAP, "-> %u,%u\n", start, *max);
out:
- mutex_unlock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+ mutex_unlock(&HFSPLUS_SB(sb).alloc_mutex);
return start;
}
@@ -175,7 +175,7 @@ int hfsplus_block_free(struct super_bloc
if ((offset + count) > HFSPLUS_SB(sb).total_blocks)
return -2;
- mutex_lock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+ mutex_lock(&HFSPLUS_SB(sb).alloc_mutex);
mapping = HFSPLUS_SB(sb).alloc_file->i_mapping;
pnr = offset / PAGE_CACHE_BITS;
page = read_mapping_page(mapping, pnr, NULL);
@@ -226,7 +226,7 @@ out:
kunmap(page);
HFSPLUS_SB(sb).free_blocks += len;
sb->s_dirt = 1;
- mutex_unlock(&HFSPLUS_SB(sb).alloc_file->i_mutex);
+ mutex_unlock(&HFSPLUS_SB(sb).alloc_mutex);
return 0;
}
Index: linux-2.6/fs/hfsplus/hfsplus_fs.h
===================================================================
--- linux-2.6.orig/fs/hfsplus/hfsplus_fs.h 2010-09-27 05:22:44.791327791 +0900
+++ linux-2.6/fs/hfsplus/hfsplus_fs.h 2010-09-27 05:23:22.752327920 +0900
@@ -116,6 +116,9 @@ struct hfsplus_sb_info {
struct inode *hidden_dir;
struct nls_table *nls;
+ /* synchronize block allocations */
+ struct mutex alloc_mutex;
+
/* Runtime variables */
u32 blockoffset;
u32 sect_count;
Index: linux-2.6/fs/hfsplus/super.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/super.c 2010-09-27 05:23:26.520327791 +0900
+++ linux-2.6/fs/hfsplus/super.c 2010-09-27 05:23:46.730327733 +0900
@@ -321,6 +321,7 @@ static int hfsplus_fill_super(struct sup
sb->s_fs_info = sbi;
INIT_HLIST_HEAD(&sbi->rsrc_inodes);
+ mutex_init(&sbi->alloc_mutex);
hfsplus_fill_defaults(sbi);
if (!hfsplus_parse_options(data, sbi)) {
printk(KERN_ERR "hfs: unable to parse mount options\n");
* [PATCH 5/6] hfsplus: use alloc_mutex in hfsplus_sync_fs
From: Christoph Hellwig @ 2010-09-26 21:20 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel
Use alloc_mutex to protect hfsplus_sync_fs against itself and concurrent
allocations, which allows us to get rid of lock_super in hfsplus.
Note that most fields in the superblock still aren't protected against
concurrent allocations; that will follow later.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/super.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/super.c 2010-09-27 05:25:07.450327791 +0900
+++ linux-2.6/fs/hfsplus/super.c 2010-09-27 05:26:11.439327789 +0900
@@ -162,7 +162,7 @@ int hfsplus_sync_fs(struct super_block *
dprint(DBG_SUPER, "hfsplus_write_super\n");
- lock_super(sb);
+ mutex_lock(&HFSPLUS_SB(sb).alloc_mutex);
sb->s_dirt = 0;
vhdr->free_blocks = cpu_to_be32(HFSPLUS_SB(sb).free_blocks);
@@ -195,7 +195,7 @@ int hfsplus_sync_fs(struct super_block *
}
HFSPLUS_SB(sb).flags &= ~HFSPLUS_SB_WRITEBACKUP;
}
- unlock_super(sb);
+ mutex_unlock(&HFSPLUS_SB(sb).alloc_mutex);
return 0;
}
* [PATCH 5/6] hfsplus: remove BKL from hfsplus_put_super
From: Christoph Hellwig @ 2010-09-26 21:20 UTC (permalink / raw)
To: viro, zippel; +Cc: linux-fsdevel
Except for ->put_super the BKL is now gone from HFS, which means it's
superfluous there too as ->put_super is serialized by the VFS.
Signed-off-by: Christoph Hellwig <hch@tuxera.com>
Index: linux-2.6/fs/hfsplus/super.c
===================================================================
--- linux-2.6.orig/fs/hfsplus/super.c 2010-09-27 05:46:07.172327791 +0900
+++ linux-2.6/fs/hfsplus/super.c 2010-09-27 05:46:21.909327799 +0900
@@ -12,7 +12,6 @@
#include <linux/pagemap.h>
#include <linux/fs.h>
#include <linux/slab.h>
-#include <linux/smp_lock.h>
#include <linux/vfs.h>
#include <linux/nls.h>
@@ -213,8 +212,6 @@ static void hfsplus_put_super(struct sup
if (!sb->s_fs_info)
return;
- lock_kernel();
-
if (sb->s_dirt)
hfsplus_write_super(sb);
if (!(sb->s_flags & MS_RDONLY) && HFSPLUS_SB(sb).s_vhdr) {
@@ -235,8 +232,6 @@ static void hfsplus_put_super(struct sup
unload_nls(HFSPLUS_SB(sb).nls);
kfree(sb->s_fs_info);
sb->s_fs_info = NULL;
-
- unlock_kernel();
}
static int hfsplus_statfs(struct dentry *dentry, struct kstatfs *buf)