From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org, torvalds@osdl.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
akpm@osdl.org, alan@lxorguk.ukuu.org.uk, miklos@szeredi.hu
Subject: [patch 22/23] fuse: fix Oops in lookup
Date: Wed, 29 Nov 2006 14:00:33 -0800 [thread overview]
Message-ID: <20061129220655.352656000@sous-sol.org> (raw)
In-Reply-To: 20061129220111.137430000@sous-sol.org
[-- Attachment #1: fuse-fix-oops-in-lookup.patch --]
[-- Type: text/plain, Size: 4799 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Miklos Szeredi <miklos@szeredi.hu>
Fix bug in certain error paths of lookup routines. The request object was
reused for sending FORGET, which is illegal. This bug could cause an Oops
in 2.6.18. In earlier versions it might silently corrupt memory, but this
is very unlikely.
These error paths are never triggered by libfuse, so this wasn't noticed
even with the 2.6.18 kernel, only with a filesystem using the raw kernel
interface.
Thanks to Russ Cox for the bug report and test filesystem.
Signed-off-by: Miklos Szeredi <miklos@szeredi.hu>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
[chrisw: backport to 2.6.18 -stable]
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
fs/fuse/dir.c | 52 ++++++++++++++++++++++++++++++++++++++--------------
1 file changed, 38 insertions(+), 14 deletions(-)
--- linux-2.6.18.4.orig/fs/fuse/dir.c
+++ linux-2.6.18.4/fs/fuse/dir.c
@@ -138,6 +138,7 @@ static int fuse_dentry_revalidate(struct
struct fuse_entry_out outarg;
struct fuse_conn *fc;
struct fuse_req *req;
+ struct fuse_req *forget_req;
/* Doesn't hurt to "reset" the validity timeout */
fuse_invalidate_entry_cache(entry);
@@ -151,21 +152,29 @@ static int fuse_dentry_revalidate(struct
if (IS_ERR(req))
return 0;
+ forget_req = fuse_get_req(fc);
+ if (IS_ERR(forget_req)) {
+ fuse_put_request(fc, req);
+ return 0;
+ }
+
fuse_lookup_init(req, entry->d_parent->d_inode, entry, &outarg);
request_send(fc, req);
err = req->out.h.error;
+ fuse_put_request(fc, req);
/* Zero nodeid is same as -ENOENT */
if (!err && !outarg.nodeid)
err = -ENOENT;
if (!err) {
struct fuse_inode *fi = get_fuse_inode(inode);
if (outarg.nodeid != get_node_id(inode)) {
- fuse_send_forget(fc, req, outarg.nodeid, 1);
+ fuse_send_forget(fc, forget_req,
+ outarg.nodeid, 1);
return 0;
}
fi->nlookup ++;
}
- fuse_put_request(fc, req);
+ fuse_put_request(fc, forget_req);
if (err || (outarg.attr.mode ^ inode->i_mode) & S_IFMT)
return 0;
@@ -214,6 +223,7 @@ static struct dentry *fuse_lookup(struct
struct inode *inode = NULL;
struct fuse_conn *fc = get_fuse_conn(dir);
struct fuse_req *req;
+ struct fuse_req *forget_req;
if (entry->d_name.len > FUSE_NAME_MAX)
return ERR_PTR(-ENAMETOOLONG);
@@ -222,9 +232,16 @@ static struct dentry *fuse_lookup(struct
if (IS_ERR(req))
return ERR_PTR(PTR_ERR(req));
+ forget_req = fuse_get_req(fc);
+ if (IS_ERR(forget_req)) {
+ fuse_put_request(fc, req);
+ return ERR_PTR(PTR_ERR(forget_req));
+ }
+
fuse_lookup_init(req, dir, entry, &outarg);
request_send(fc, req);
err = req->out.h.error;
+ fuse_put_request(fc, req);
/* Zero nodeid is same as -ENOENT, but with valid timeout */
if (!err && outarg.nodeid &&
(invalid_nodeid(outarg.nodeid) || !valid_mode(outarg.attr.mode)))
@@ -233,11 +250,11 @@ static struct dentry *fuse_lookup(struct
inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
&outarg.attr);
if (!inode) {
- fuse_send_forget(fc, req, outarg.nodeid, 1);
+ fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
return ERR_PTR(-ENOMEM);
}
}
- fuse_put_request(fc, req);
+ fuse_put_request(fc, forget_req);
if (err && err != -ENOENT)
return ERR_PTR(err);
@@ -375,6 +392,13 @@ static int create_new_entry(struct fuse_
struct fuse_entry_out outarg;
struct inode *inode;
int err;
+ struct fuse_req *forget_req;
+
+ forget_req = fuse_get_req(fc);
+ if (IS_ERR(forget_req)) {
+ fuse_put_request(fc, req);
+ return PTR_ERR(forget_req);
+ }
req->in.h.nodeid = get_node_id(dir);
req->out.numargs = 1;
@@ -382,24 +406,24 @@ static int create_new_entry(struct fuse_
req->out.args[0].value = &outarg;
request_send(fc, req);
err = req->out.h.error;
- if (err) {
- fuse_put_request(fc, req);
- return err;
- }
+ fuse_put_request(fc, req);
+ if (err)
+ goto out_put_forget_req;
+
err = -EIO;
if (invalid_nodeid(outarg.nodeid))
- goto out_put_request;
+ goto out_put_forget_req;
if ((outarg.attr.mode ^ mode) & S_IFMT)
- goto out_put_request;
+ goto out_put_forget_req;
inode = fuse_iget(dir->i_sb, outarg.nodeid, outarg.generation,
&outarg.attr);
if (!inode) {
- fuse_send_forget(fc, req, outarg.nodeid, 1);
+ fuse_send_forget(fc, forget_req, outarg.nodeid, 1);
return -ENOMEM;
}
- fuse_put_request(fc, req);
+ fuse_put_request(fc, forget_req);
if (dir_alias(inode)) {
iput(inode);
@@ -411,8 +435,8 @@ static int create_new_entry(struct fuse_
fuse_invalidate_attr(dir);
return 0;
- out_put_request:
- fuse_put_request(fc, req);
+ out_put_forget_req:
+ fuse_put_request(fc, forget_req);
return err;
}
--
next prev parent reply other threads:[~2006-11-29 22:06 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-29 22:00 [patch 00/23] -stable review Chris Wright
2006-11-29 22:00 ` [patch 01/23] scsi: clear garbage after CDBs on SG_IO Chris Wright
2006-11-29 22:00 ` [patch 02/23] NETFILTER: Missing check for CAP_NET_ADMIN in iptables compat layer Chris Wright
2006-11-29 22:00 ` [patch 03/23] NETFILTER: ip_tables: compat error way cleanup Chris Wright
2006-11-29 22:00 ` [patch 04/23] NETFILTER: ip_tables: fix module refcount leaks in compat error paths Chris Wright
2006-11-29 22:00 ` [patch 05/23] NETFILTER: Missed and reordered checks in {arp,ip,ip6}_tables Chris Wright
2006-11-29 22:00 ` [patch 06/23] NETFILTER: arp_tables: missing unregistration on module unload Chris Wright
2006-11-29 22:00 ` [patch 07/23] NETFILTER: Honour source routing for LVS-NAT Chris Wright
2006-11-29 22:00 ` [patch 08/23] NETFILTER: Kconfig: fix xt_physdev dependencies Chris Wright
2006-11-29 22:00 ` [patch 09/23] NETFILTER: xt_CONNSECMARK: fix Kconfig dependencies Chris Wright
2006-11-29 22:00 ` [patch 10/23] bcm43xx: Drain TX status before starting IRQs Chris Wright
2006-11-29 22:00 ` [patch 11/23] NETFILTER: H.323 conntrack: fix crash with CONFIG_IP_NF_CT_ACCT Chris Wright
2006-11-29 22:00 ` [patch 12/23] pcmcia: fix rmmod pcmcia with unbound devices Chris Wright
2006-11-29 22:00 ` [patch 13/23] V4L: Do not enable VIDEO_V4L2 unconditionally Chris Wright
2006-11-29 22:00 ` [patch 14/23] x86 microcode: dont check the size Chris Wright
2006-12-02 6:44 ` Willy Tarreau
2006-12-03 1:28 ` Bill Davidsen
2006-12-04 1:04 ` Shaohua Li
2006-12-04 1:31 ` Willy Tarreau
2006-11-29 22:00 ` [patch 15/23] alpha: Fix ALPHA_EV56 dependencies typo Chris Wright
2006-11-29 22:00 ` [patch 16/23] softmac: fix a slab corruption in WEP restricted key association Chris Wright
2006-11-29 22:00 ` [patch 17/23] TG3: Add missing unlock in tg3_open() error path Chris Wright
2006-11-29 22:00 ` [patch 18/23] IPV6: Fix address/interface handling in UDP and DCCP, according to the scoping architecture Chris Wright
2006-11-29 22:00 ` [patch 19/23] IA64: bte_unaligned_copy() transfers one extra cache line Chris Wright
2006-11-29 22:00 ` [patch 20/23] BLUETOOTH: Fix unaligned access in hci_send_to_sock Chris Wright
2006-11-29 22:00 ` [patch 21/23] AGP: Allocate AGP pages with GFP_DMA32 by default Chris Wright
2006-11-29 22:00 ` Chris Wright [this message]
2006-11-29 22:00 ` [patch 23/23] UDP: Make udp_encap_rcv use pskb_may_pull Chris Wright
2006-11-29 22:40 ` [patch 00/23] -stable review Dave Jones
2006-11-29 23:24 ` [stable] " Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061129220655.352656000@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@osdl.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@osdl.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox