From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Al Viro
Subject: Re: Intentionally corrupted vfat fs causing BUG
Date: Thu, 23 Oct 2014 18:21:58 +0100
Message-ID: <20141023172158.GF7996@ZenIV.linux.org.uk>
References: <543B8BC7.1040501@nod.at> <87y4sk5pul.fsf@devron.myhome.or.jp> <543B8FA7.9000106@nod.at> <87r3yc5oqt.fsf@devron.myhome.or.jp> <5443E87A.2060207@nod.at> <87oat29551.fsf@devron.myhome.or.jp> <20141023160106.GB7996@ZenIV.linux.org.uk> <20141023161606.GC7996@ZenIV.linux.org.uk> <877fzq91ky.fsf@devron.myhome.or.jp> <20141023165533.GD7996@ZenIV.linux.org.uk>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Cc: Richard Weinberger, Sami Liedes, linux-fsdevel
To: OGAWA Hirofumi
Return-path:
Received: from zeniv.linux.org.uk ([195.92.253.2]:37561 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752619AbaJWRWE (ORCPT ); Thu, 23 Oct 2014 13:22:04 -0400
Content-Disposition: inline
In-Reply-To: <20141023165533.GD7996@ZenIV.linux.org.uk>
Sender: linux-fsdevel-owner@vger.kernel.org
List-ID:

On Thu, Oct 23, 2014 at 05:55:33PM +0100, Al Viro wrote:
> On Fri, Oct 24, 2014 at 01:45:49AM +0900, OGAWA Hirofumi wrote:
>
> > d_splice_alias() calls __d_find_alias() with want_discon==1, so
> > __d_find_alias() doesn't return dentry, and d_splice_alias() doesn't use
> > d_move() path, right?
>
> Hmm... Not in the current mainline (and not because of want_discon - that's
> gone already). However, with the fixes I've got in the local tree it
> will both find and move it - same as d_materialise_unique() would in the
> current mainline.

Untested interim fix follows; as soon as d_splice_alias()/d_materialise_unique()
merge happens, we'll be able to clean vfat_lookup() a bit more.

a) don't bother with ->d_time for positives - we only check it for
negatives anyway.
b) make sure to set it at unlink and rmdir time - at *that* point
soon-to-be negative dentry matches then-current directory contents
c) don't go into renaming of old alias in vfat_lookup() unless it
has the same parent (which it will, unless we are seeing corrupted
image) *and* is a non-directory
d) use (for now) d_materialise_unique() instead of d_splice_alias() - that
one will do renames of old directory aliases just fine (and pretty soon
so will d_splice_alias(), but this bug is -stable fodder)

Signed-off-by: Al Viro
---
diff --git a/fs/fat/namei_vfat.c b/fs/fat/namei_vfat.c index 6df8d3d..eed856f 100644 --- a/fs/fat/namei_vfat.c +++ b/fs/fat/namei_vfat.c @@ -736,17 +736,17 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, } alias = d_find_alias(inode); - if (alias && !vfat_d_anon_disconn(alias)) { + if (alias && alias->d_parent == dentry->d_parent && + !S_ISDIR(inode->i_mode) && !vfat_d_anon_disconn(alias)) { /* - * This inode has non anonymous-DCACHE_DISCONNECTED + * This file has non anonymous-DCACHE_DISCONNECTED * dentry. This means, the user did ->lookup() by an * another name (longname vs 8.3 alias of it) in past. * * Switch to new one for reason of locality if possible. */ BUG_ON(d_unhashed(alias)); - if (!S_ISDIR(inode->i_mode)) - d_move(alias, dentry); + d_move(alias, dentry); iput(inode); mutex_unlock(&MSDOS_SB(sb)->s_lock); return alias; @@ -755,12 +755,9 @@ static struct dentry *vfat_lookup(struct inode *dir, struct dentry *dentry, out: mutex_unlock(&MSDOS_SB(sb)->s_lock); - dentry->d_time = dentry->d_parent->d_inode->i_version; - dentry = d_splice_alias(inode, dentry); - if (dentry) - dentry->d_time = dentry->d_parent->d_inode->i_version; - return dentry; - + if (!inode) + dentry->d_time = dir->i_version; + return d_materialise_unique(dentry, inode); error: mutex_unlock(&MSDOS_SB(sb)->s_lock); return ERR_PTR(err); 
@@ -793,7 +790,6 @@ static int vfat_create(struct inode *dir, struct dentry *dentry, umode_t mode, inode->i_mtime = inode->i_atime = inode->i_ctime = ts; /* timestamp is already written, so mark_inode_dirty() is unneeded. */ - dentry->d_time = dentry->d_parent->d_inode->i_version; d_instantiate(dentry, inode); out: mutex_unlock(&MSDOS_SB(sb)->s_lock); @@ -824,6 +820,7 @@ static int vfat_rmdir(struct inode *dir, struct dentry *dentry) clear_nlink(inode); inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; fat_detach(inode); + dentry->d_time = dir->i_version; out: mutex_unlock(&MSDOS_SB(sb)->s_lock); @@ -849,6 +846,7 @@ static int vfat_unlink(struct inode *dir, struct dentry *dentry) clear_nlink(inode); inode->i_mtime = inode->i_atime = CURRENT_TIME_SEC; fat_detach(inode); + dentry->d_time = dir->i_version; out: mutex_unlock(&MSDOS_SB(sb)->s_lock); @@ -889,7 +887,6 @@ static int vfat_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) inode->i_mtime = inode->i_atime = inode->i_ctime = ts; /* timestamp is already written, so mark_inode_dirty() is unneeded. */ - dentry->d_time = dentry->d_parent->d_inode->i_version; d_instantiate(dentry, inode); mutex_unlock(&MSDOS_SB(sb)->s_lock);
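Review bot: In the first vfat_lookup() hunk, BUG_ON(d_unhashed(alias)) is kept inside the block that now runs only for a same-parent, non-directory alias. Since this thread is about a corrupted image reaching a BUG, the changelog should say why that assertion can no longer be reached from on-disk data under the new conditions, or the check should become an error return. Separately, d_find_alias() returns a referenced dentry and more cases now skip this block (different parent, directory inode); the lines that handle the not-taken branch are outside the hunk, so please confirm the alias reference is dropped there for those cases too.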
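Review bot: In the hunk at the out: label of vfat_lookup(), the reason d_time is now set only when inode is NULL is recorded only in the changelog (point a), and nothing in the code marks d_materialise_unique() as the interim choice described in point d. A short comment above "if (!inode)" saying that d_time is consulted only for negative dentries, plus a note that this call is expected to change once d_splice_alias() and d_materialise_unique() are merged, would keep a later cleanup from undoing either. The hunk also drops the blank line before the error: label, which looks unintended.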
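Review bot: In the vfat_rmdir() and vfat_unlink() hunks, "dentry->d_time = dir->i_version;" is placed after fat_detach(inode) and depends on dir->i_version already reflecting the entry removal, which happens earlier in each function and is not visible in the hunk. A one-line comment stating that the soon-to-be negative dentry is being stamped with the post-removal directory version (changelog point b) would make that ordering dependency explicit, since moving the assignment ahead of the removal would leave a stale stamp.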