[PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[David Howells]

kAFS crashes when asked to read a symbolic link because page_getlink() passes a
NULL file pointer to read_mapping_page(), but afs_readpage() expects a file
pointer from which to extract a key.

Modify afs_readpage() to request the appropriate key from the calling process's
keyrings if a file struct is not supplied with one attached.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Anton Blanchard <anton@samba.org>
---

 fs/afs/file.c |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)


diff --git a/fs/afs/file.c b/fs/afs/file.c
index 0149dab..681c2a7 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -134,9 +134,16 @@ static int afs_readpage(struct file *file, struct page *page)
 
 	inode = page->mapping->host;
 
-	ASSERT(file != NULL);
-	key = file->private_data;
-	ASSERT(key != NULL);
+	if (file) {
+		key = file->private_data;
+		ASSERT(key != NULL);
+	} else {
+		key = afs_request_key(AFS_FS_S(inode->i_sb)->volume->cell);
+		if (IS_ERR(key)) {
+			ret = PTR_ERR(key);
+			goto error_nokey;
+		}
+	}
 
 	_enter("{%x},{%lu},{%lu}", key_serial(key), inode->i_ino, page->index);
 
@@ -207,12 +214,17 @@ static int afs_readpage(struct file *file, struct page *page)
 		unlock_page(page);
 	}
 
+	if (!file)
+		key_put(key);
 	_leave(" = 0");
 	return 0;
 
 error:
 	SetPageError(page);
 	unlock_page(page);
+	if (!file)
+		key_put(key);
+error_nokey:
 	_leave(" = %d", ret);
 	return ret;
 }

[PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[David Howells]

kAFS crashes when asked to read a symbolic link because page_getlink() passes a
NULL file pointer to read_mapping_page(), but afs_readpage() expects a file
pointer from which to extract a key.

Modify afs_readpage() to request the appropriate key from the calling process's
keyrings if a file struct is not supplied with one attached.

Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Anton Blanchard <anton@samba.org>
---

 fs/afs/file.c |   18 +++++++++++++++---
 1 files changed, 15 insertions(+), 3 deletions(-)


diff --git a/fs/afs/file.c b/fs/afs/file.c
index 0149dab..681c2a7 100644
--- a/fs/afs/file.c
+++ b/fs/afs/file.c
@@ -134,9 +134,16 @@ static int afs_readpage(struct file *file, struct page *page)
 
 	inode = page->mapping->host;
 
-	ASSERT(file != NULL);
-	key = file->private_data;
-	ASSERT(key != NULL);
+	if (file) {
+		key = file->private_data;
+		ASSERT(key != NULL);
+	} else {
+		key = afs_request_key(AFS_FS_S(inode->i_sb)->volume->cell);
+		if (IS_ERR(key)) {
+			ret = PTR_ERR(key);
+			goto error_nokey;
+		}
+	}
 
 	_enter("{%x},{%lu},{%lu}", key_serial(key), inode->i_ino, page->index);
 
@@ -207,12 +214,17 @@ static int afs_readpage(struct file *file, struct page *page)
 		unlock_page(page);
 	}
 
+	if (!file)
+		key_put(key);
 	_leave(" = 0");
 	return 0;
 
 error:
 	SetPageError(page);
 	unlock_page(page);
+	if (!file)
+		key_put(key);
+error_nokey:
 	_leave(" = %d", ret);
 	return ret;
 }

Re: [PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[David Howells]

[Oops - I got the list address wrong; I've sent it again with the right
 address].

Re: [PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[Andrew Morton]

On Thu, 27 Aug 2009 13:22:31 +0100
David Howells <dhowells@redhat.com> wrote:

> kAFS crashes when asked to read a symbolic link because page_getlink() passes a
> NULL file pointer to read_mapping_page(), but afs_readpage() expects a file
> pointer from which to extract a key.
> 
> Modify afs_readpage() to request the appropriate key from the calling process's
> keyrings if a file struct is not supplied with one attached.

That seems like a rather large bug.

To which kernel version(s) should we apply this?

Thanks.

Re: [PATCH] AFS: Stop readlink() on AFS crashing because file not passed to afs_readpage()

[David Howells]

Andrew Morton <akpm@linux-foundation.org> wrote:

> That seems like a rather large bug.

Indeed.

I've not seen this happen because when a symlink inode is filled in,
afs_mntpt_check_symlink() is called to see whether it's actually a mountpoint,
and *that* calls read_mapping_page() correctly to read the contents of the
symlink.

The contents of the symlink then hang around in the pagecache, preventing
further calls to afs_readpage() by page_getlink().

However, if you wait long enough, as presumably Anton has, the contents of the
symlink get ejected from the pagecache, but the inode is retained, and thus
the next readlink will oops.

> To which kernel version(s) should we apply this?

kAFS isn't that widely used yet, so only the latest, I think.

David