[PATCH] dcache: error out if the name buffer is too short

[PATCH] dcache: error out if the name buffer is too short

[Denys Vlasenko]

This change makes __dentry_path() and d_path()
immediately return ENAMETOOLONG if buflen < 2.

Cc: Jan Kratochvil <jan.kratochvil@redhat.com>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com>
---
 fs/dcache.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/dcache.c b/fs/dcache.c
index cb4a106..2fba276 100644
--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3055,6 +3055,9 @@ char *d_path(const struct path *path, char *buf, int buflen)
 	struct path root;
 	int error;
 
+	if (buflen < 2)
+		return ERR_PTR(-ENAMETOOLONG);
+
 	/*
 	 * We have various synthetic filesystems that never get mounted.  On
 	 * these filesystems dentries are never used for lookup purposes, and
@@ -3122,13 +3125,14 @@ static char *__dentry_path(struct dentry *dentry, char *buf, int buflen)
 	int len, seq = 0;
 	int error = 0;
 
+	if (buflen < 2)
+		goto Elong;
+
 	rcu_read_lock();
 restart:
 	end = buf + buflen;
 	len = buflen;
 	prepend(&end, &len, "\0", 1);
-	if (buflen < 1)
-		goto Elong;
 	/* Get '/' right */
 	retval = end-1;
 	*retval = '/';
-- 
1.8.1.4

Re: [PATCH] dcache: error out if the name buffer is too short

[Oleg Nesterov]

On 01/24, Denys Vlasenko wrote:
>
> This change makes __dentry_path() and d_path()
> immediately return ENAMETOOLONG if buflen < 2.

I am not sure about d_path, but as for __dentry_path:

> @@ -3122,13 +3125,14 @@ static char *__dentry_path(struct dentry *dentry, char *buf, int buflen)
>  	int len, seq = 0;
>  	int error = 0;
>  
> +	if (buflen < 2)
> +		goto Elong;
> +
>  	rcu_read_lock();
>  restart:
>  	end = buf + buflen;
>  	len = buflen;
>  	prepend(&end, &len, "\0", 1);
> -	if (buflen < 1)
> -		goto Elong;

you forgot to mention that this change fixes a bug, this "goto Elong"
leaks rcu_read_lock().

And probably you are right, the fix should be as simple as possible.
But can't we also simplify __dentry_path? Unless I missed something
we can move prepend() up, before rcu_read_lock(), "move Get '/' right"
into that prepend, and even kill retval... OK, most probably I missed
something, but at first glance we can do something like

	static char *__dentry_path(struct dentry *dentry, char *buf, int buflen)
	{
		int len, seq = 0;
		int error = 0;
		char *end;

		buf += buflen;
		/* Get '/' right, write "/\0" at the end */
		if (prepend(&buf, &buflen, "/", 2))
			goto Elong;

		rcu_read_lock();
	restart:
		end = buf;
		len = buflen;
		read_seqbegin_or_lock(&rename_lock, &seq);
		while (!IS_ROOT(dentry)) {
			struct dentry *parent = dentry->d_parent;
			int error;

			prefetch(parent);
			error = prepend_name(&end, &len, &dentry->d_name);
			if (error)
				break;

			dentry = parent;
		}
		if (!(seq & 1))
			rcu_read_unlock();
		if (need_seqretry(&rename_lock, seq)) {
			seq = 1;
			goto restart;
		}
		done_seqretry(&rename_lock, seq);
		if (!error)
			return end;
	Elong:
		return ERR_PTR(-ENAMETOOLONG);
	}

Oleg.

Re: [PATCH] dcache: error out if the name buffer is too short

[Oleg Nesterov]

On 01/24, Oleg Nesterov wrote:
>
> And probably you are right, the fix should be as simple as possible.
> But can't we also simplify __dentry_path? Unless I missed something
> we can move prepend() up, before rcu_read_lock(), "move Get '/' right"
> into that prepend, and even kill retval... OK, most probably I missed
> something,

Of course I missed something ;)

> but at first glance we can do something like
>
> 	static char *__dentry_path(struct dentry *dentry, char *buf, int buflen)
> 	{
> 		int len, seq = 0;
> 		int error = 0;
> 		char *end;
>
> 		buf += buflen;
> 		/* Get '/' right, write "/\0" at the end */
> 		if (prepend(&buf, &buflen, "/", 2))
> 			goto Elong;

Heh. Not sure what I was thinking about, but this looks obviously wrong
when I re-read my email. This will add the extra "/" at the end, unless
IS_ROOT().

Sorry for noise.

Oleg.

Re: [PATCH] dcache: error out if the name buffer is too short

[Oleg Nesterov]

On 01/26, Oleg Nesterov wrote:
>
> Heh. Not sure what I was thinking about, but this looks obviously wrong
> when I re-read my email. This will add the extra "/" at the end, unless
> IS_ROOT().

And this motivated me to try to actually read __dentry_path().

Al, Denys, unless I am totally confused the "restart" logic is very broken.
We can't simply restart because the main loop changes dentry?

Oleg.

Re: [PATCH] dcache: error out if the name buffer is too short

[Oleg Nesterov]

On 01/26, Oleg Nesterov wrote:
>
> Al, Denys, unless I am totally confused the "restart" logic is very broken.
> We can't simply restart because the main loop changes dentry?

Plus prepend_name() can't actually return -ENAMETOOLONG,
"int error" inside the loop is wrong.

I believe the minimal fix is something like below. I'll try to test
this change (currently I can't) later and resend. And I still think
it can be cleanuped a bit, but this is minor.

Oleg.


--- a/fs/dcache.c
+++ b/fs/dcache.c
@@ -3103,7 +3103,7 @@ char *simple_dname(struct dentry *dentry, char *buffer, int buflen)
 	/* these dentries are never renamed, so d_lock is not needed */
 	if (prepend(&end, &buflen, " (deleted)", 11) ||
 	    prepend(&end, &buflen, dentry->d_name.name, dentry->d_name.len) ||
-	    prepend(&end, &buflen, "/", 1))  
+	    prepend(&end, &buflen, "/", 1))
 		end = ERR_PTR(-ENAMETOOLONG);
 	return end;
 }
@@ -3113,32 +3113,34 @@ char *simple_dname(struct dentry *dentry, char *buffer, int buflen)
  */
 static char *__dentry_path(struct dentry *dentry, char *buf, int buflen)
 {
+	struct dentry *de;
 	char *end, *retval;
 	int len, seq = 0;
 	int error = 0;
 
+	if (buflen < 2)
+		goto Elong;
+
 	rcu_read_lock();
 restart:
 	end = buf + buflen;
 	len = buflen;
 	prepend(&end, &len, "\0", 1);
-	if (buflen < 1)
-		goto Elong;
 	/* Get '/' right */
 	retval = end-1;
 	*retval = '/';
+	de = dentry;
 	read_seqbegin_or_lock(&rename_lock, &seq);
-	while (!IS_ROOT(dentry)) {
-		struct dentry *parent = dentry->d_parent;
-		int error;
+	while (!IS_ROOT(de)) {
+		struct dentry *parent = de->d_parent;
 
 		prefetch(parent);
-		error = prepend_name(&end, &len, &dentry->d_name);
+		error = prepend_name(&end, &len, &de->d_name);
 		if (error)
 			break;
 
 		retval = end;
-		dentry = parent;
+		de = parent;
 	}
 	if (!(seq & 1))
 		rcu_read_unlock();

Re: [PATCH] dcache: error out if the name buffer is too short

[Al Viro]

On Sun, Jan 26, 2014 at 05:35:36PM +0100, Oleg Nesterov wrote:
> On 01/26, Oleg Nesterov wrote:
> >
> > Al, Denys, unless I am totally confused the "restart" logic is very broken.
> > We can't simply restart because the main loop changes dentry?
> 
> Plus prepend_name() can't actually return -ENAMETOOLONG,
> "int error" inside the loop is wrong.

... and already fixed.  Said that, the point about restarts is definitely
true.  See vfs.git#for-linus - it should propagate in a few

Re: [PATCH] dcache: error out if the name buffer is too short

[Oleg Nesterov]

On 01/26, Al Viro wrote:
>
> ... and already fixed.  Said that, the point about restarts is definitely
> true.  See vfs.git#for-linus - it should propagate in a few

Yes, http://git.kernel.org/cgit/linux/kernel/git/viro/vfs.git/commit/?h=for-linus&id=f6500801522c61782d4990fa1ad96154cb397cd4
should obviously fix both problems.

Thanks,

Oleg.