Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5f21c96d authored by Sage Weil's avatar Sage Weil
Browse files

ceph: protect access to d_parent 



d_parent is protected by d_lock: use it when looking up a dentry's parent
directory inode.  Also take a reference and drop it in the caller to avoid
a use-after-free.

Reported-by: default avatarAl Viro <viro@ZenIV.linux.org.uk>
Reviewed-by: default avatarYehuda Sadeh <yehuda@hq.newdream.net>
Signed-off-by: default avatarSage Weil <sage@newdream.net>
parent 48d0cbd1

fs/ceph/dir.c

+15 −0
Original line number Diff line number Diff line
@@ -71,6 +71,21 @@ int ceph_init_dentry(struct dentry *dentry) 
	return 0;

}



struct inode *ceph_get_dentry_parent_inode(struct dentry *dentry)

{

	struct inode *inode = NULL;



	if (!dentry)

		return NULL;



	spin_lock(&dentry->d_lock);

	if (dentry->d_parent) {

		inode = dentry->d_parent->d_inode;

		ihold(inode);

	}

	spin_unlock(&dentry->d_lock);

	return inode;

}





/*

fs/ceph/file.c

+5 −3
Original line number Diff line number Diff line
@@ -122,7 +122,7 @@ int ceph_open(struct inode *inode, struct file *file) 
	struct ceph_mds_client *mdsc = fsc->mdsc;

	struct ceph_mds_request *req;

	struct ceph_file_info *cf = file->private_data;

	struct inode *parent_inode = file->f_dentry->d_parent->d_inode;

	struct inode *parent_inode = NULL;

	int err;

	int flags, fmode, wanted;
@@ -194,8 +194,10 @@ int ceph_open(struct inode *inode, struct file *file) 
	req->r_inode = inode;

	ihold(inode);

	req->r_num_caps = 1;

	err = ceph_mdsc_do_request(mdsc, (flags & (O_CREAT|O_TRUNC)) ?

				   parent_inode : NULL, req);

	if (flags & (O_CREAT|O_TRUNC))

		parent_inode = ceph_get_dentry_parent_inode(file->f_dentry);

	err = ceph_mdsc_do_request(mdsc, parent_inode, req);

	iput(parent_inode);

	if (!err)

		err = ceph_init_file(inode, file, req->r_fmode);

	ceph_mdsc_put_request(req);

fs/ceph/inode.c

+3 −1
Original line number Diff line number Diff line
@@ -1562,7 +1562,7 @@ int ceph_setattr(struct dentry *dentry, struct iattr *attr) 
{

	struct inode *inode = dentry->d_inode;

	struct ceph_inode_info *ci = ceph_inode(inode);

	struct inode *parent_inode = dentry->d_parent->d_inode;

	struct inode *parent_inode;

	const unsigned int ia_valid = attr->ia_valid;

	struct ceph_mds_request *req;

	struct ceph_mds_client *mdsc = ceph_sb_to_client(dentry->d_sb)->mdsc;
@@ -1745,7 +1745,9 @@ int ceph_setattr(struct dentry *dentry, struct iattr *attr) 
		req->r_inode_drop = release;

		req->r_args.setattr.mask = cpu_to_le32(mask);

		req->r_num_caps = 1;

		parent_inode = ceph_get_dentry_parent_inode(dentry);

		err = ceph_mdsc_do_request(mdsc, parent_inode, req);

		iput(parent_inode);

	}

	dout("setattr %p result=%d (%s locally, %d remote)\n", inode, err,

	     ceph_cap_string(dirtied), mask);

fs/ceph/ioctl.c

+3 −1
Original line number Diff line number Diff line
@@ -38,7 +38,7 @@ static long ceph_ioctl_get_layout(struct file *file, void __user *arg) 
static long ceph_ioctl_set_layout(struct file *file, void __user *arg)

{

	struct inode *inode = file->f_dentry->d_inode;

	struct inode *parent_inode = file->f_dentry->d_parent->d_inode;

	struct inode *parent_inode;

	struct ceph_mds_client *mdsc = ceph_sb_to_client(inode->i_sb)->mdsc;

	struct ceph_mds_request *req;

	struct ceph_ioctl_layout l;
@@ -87,7 +87,9 @@ static long ceph_ioctl_set_layout(struct file *file, void __user *arg) 
	req->r_args.setlayout.layout.fl_pg_preferred =

		cpu_to_le32(l.preferred_osd);



	parent_inode = ceph_get_dentry_parent_inode(file->f_dentry);

	err = ceph_mdsc_do_request(mdsc, parent_inode, req);

	iput(parent_inode);

	ceph_mdsc_put_request(req);

	return err;

}

fs/ceph/super.h

+1 −8
Original line number Diff line number Diff line
@@ -801,6 +801,7 @@ extern void ceph_dentry_lru_touch(struct dentry *dn); 
extern void ceph_dentry_lru_del(struct dentry *dn);

extern void ceph_invalidate_dentry_lease(struct dentry *dentry);

extern unsigned ceph_dentry_hash(struct dentry *dn);

extern struct inode *ceph_get_dentry_parent_inode(struct dentry *dentry);



/*

 * our d_ops vary depending on whether the inode is live,
@@ -823,14 +824,6 @@ extern int ceph_encode_locks(struct inode *i, struct ceph_pagelist *p, 
			     int p_locks, int f_locks);

extern int lock_to_ceph_filelock(struct file_lock *fl, struct ceph_filelock *c);



static inline struct inode *get_dentry_parent_inode(struct dentry *dentry)

{

	if (dentry && dentry->d_parent)

		return dentry->d_parent->d_inode;



	return NULL;

}



/* debugfs.c */

extern int ceph_fs_debugfs_init(struct ceph_fs_client *client);

extern void ceph_fs_debugfs_cleanup(struct ceph_fs_client *client);