X-Git-Url: http://ftp.safe.ca/?a=blobdiff_plain;f=fs%2Fnamei.c;h=b55440baf7ab832e9d05ae8fdddc2337da57b5ed;hb=2c761270d5520dd84ab0b4e47c24d99ff8503c38;hp=b2b22f244180ee6420e8acd9a30f60befae99edc;hpb=2dd6d1f41852bbb1f66d66b3634ddfdaeddcf9bc;p=safe%2Fjmp%2Flinux-2.6 diff --git a/fs/namei.c b/fs/namei.c index b2b22f2..b55440b 100644 --- a/fs/namei.c +++ b/fs/namei.c @@ -35,7 +35,7 @@ #include #include -#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE]) +#include "internal.h" /* [Feb-1997 T. Schoebel-Theuer] * Fundamental changes in the pathname lookup mechanisms (namei) @@ -232,6 +232,7 @@ int generic_permission(struct inode *inode, int mask, /* * Searching includes executable on directories, else just read. */ + mask &= MAY_READ | MAY_WRITE | MAY_EXEC; if (mask == MAY_READ || (S_ISDIR(inode->i_mode) && !(mask & MAY_WRITE))) if (capable(CAP_DAC_READ_SEARCH)) return 0; @@ -412,36 +413,55 @@ do_revalidate(struct dentry *dentry, struct nameidata *nd) } /* - * Internal lookup() using the new generic dcache. - * SMP-safe + * force_reval_path - force revalidation of a dentry + * + * In some situations the path walking code will trust dentries without + * revalidating them. This causes problems for filesystems that depend on + * d_revalidate to handle file opens (e.g. NFSv4). When FS_REVAL_DOT is set + * (which indicates that it's possible for the dentry to go stale), force + * a d_revalidate call before proceeding. + * + * Returns 0 if the revalidation was successful. If the revalidation fails, + * either return the error returned by d_revalidate or -ESTALE if the + * revalidation it just returned 0. If d_revalidate returns 0, we attempt to + * invalidate the dentry. It's up to the caller to handle putting references + * to the path if necessary. */ -static struct dentry * cached_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd) +static int +force_reval_path(struct path *path, struct nameidata *nd) { - struct dentry * dentry = __d_lookup(parent, name); + int status; + struct dentry *dentry = path->dentry; - /* lockess __d_lookup may fail due to concurrent d_move() - * in some unrelated directory, so try with d_lookup + /* + * only check on filesystems where it's possible for the dentry to + * become stale. It's assumed that if this flag is set then the + * d_revalidate op will also be defined. */ - if (!dentry) - dentry = d_lookup(parent, name); + if (!(dentry->d_sb->s_type->fs_flags & FS_REVAL_DOT)) + return 0; - if (dentry && dentry->d_op && dentry->d_op->d_revalidate) - dentry = do_revalidate(dentry, nd); + status = dentry->d_op->d_revalidate(dentry, nd); + if (status > 0) + return 0; - return dentry; + if (!status) { + d_invalidate(dentry); + status = -ESTALE; + } + return status; } /* - * Short-cut version of permission(), for calling by - * path_walk(), when dcache lock is held. Combines parts - * of permission() and generic_permission(), and tests ONLY for - * MAY_EXEC permission. + * Short-cut version of permission(), for calling on directories + * during pathname resolution. Combines parts of permission() + * and generic_permission(), and tests ONLY for MAY_EXEC permission. * * If appropriate, check DAC only. If not appropriate, or - * short-cut DAC fails, then call permission() to do more + * short-cut DAC fails, then call ->permission() to do more * complete permission check. */ -static int exec_permission_lite(struct inode *inode) +static int exec_permission(struct inode *inode) { int ret; @@ -463,70 +483,6 @@ ok: return security_inode_permission(inode, MAY_EXEC); } -/* - * This is called when everything else fails, and we actually have - * to go to the low-level filesystem to find out what we should do.. - * - * We get the directory semaphore, and after getting that we also - * make sure that nobody added the entry to the dcache in the meantime.. - * SMP-safe - */ -static struct dentry * real_lookup(struct dentry * parent, struct qstr * name, struct nameidata *nd) -{ - struct dentry * result; - struct inode *dir = parent->d_inode; - - mutex_lock(&dir->i_mutex); - /* - * First re-do the cached lookup just in case it was created - * while we waited for the directory semaphore.. - * - * FIXME! This could use version numbering or similar to - * avoid unnecessary cache lookups. - * - * The "dcache_lock" is purely to protect the RCU list walker - * from concurrent renames at this point (we mustn't get false - * negatives from the RCU list walk here, unlike the optimistic - * fast walk). - * - * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup - */ - result = d_lookup(parent, name); - if (!result) { - struct dentry *dentry; - - /* Don't create child dentry for a dead directory. */ - result = ERR_PTR(-ENOENT); - if (IS_DEADDIR(dir)) - goto out_unlock; - - dentry = d_alloc(parent, name); - result = ERR_PTR(-ENOMEM); - if (dentry) { - result = dir->i_op->lookup(dir, dentry, nd); - if (result) - dput(dentry); - else - result = dentry; - } -out_unlock: - mutex_unlock(&dir->i_mutex); - return result; - } - - /* - * Uhhuh! Nasty case: the cache was re-populated while - * we waited on the semaphore. Need to revalidate. - */ - mutex_unlock(&dir->i_mutex); - if (result->d_op && result->d_op->d_revalidate) { - result = do_revalidate(result, nd); - if (!result) - result = ERR_PTR(-ENOENT); - } - return result; -} - static __always_inline void set_root(struct nameidata *nd) { if (!nd->root.mnt) { @@ -612,6 +568,11 @@ static __always_inline int __do_follow_link(struct path *path, struct nameidata error = 0; if (s) error = __vfs_follow_link(nd, s); + else if (nd->last_type == LAST_BIND) { + error = force_reval_path(&nd->path, nd); + if (error) + path_put(&nd->path); + } if (dentry->d_inode->i_op->put_link) dentry->d_inode->i_op->put_link(dentry, nd, cookie); } @@ -767,7 +728,8 @@ static int do_lookup(struct nameidata *nd, struct qstr *name, struct path *path) { struct vfsmount *mnt = nd->path.mnt; - struct dentry *dentry; + struct dentry *dentry, *parent; + struct inode *dir; /* * See if the low-level filesystem might want * to use its own hash.. @@ -790,7 +752,59 @@ done: return 0; need_lookup: - dentry = real_lookup(nd->path.dentry, name, nd); + parent = nd->path.dentry; + dir = parent->d_inode; + + mutex_lock(&dir->i_mutex); + /* + * First re-do the cached lookup just in case it was created + * while we waited for the directory semaphore.. + * + * FIXME! This could use version numbering or similar to + * avoid unnecessary cache lookups. + * + * The "dcache_lock" is purely to protect the RCU list walker + * from concurrent renames at this point (we mustn't get false + * negatives from the RCU list walk here, unlike the optimistic + * fast walk). + * + * so doing d_lookup() (with seqlock), instead of lockfree __d_lookup + */ + dentry = d_lookup(parent, name); + if (!dentry) { + struct dentry *new; + + /* Don't create child dentry for a dead directory. */ + dentry = ERR_PTR(-ENOENT); + if (IS_DEADDIR(dir)) + goto out_unlock; + + new = d_alloc(parent, name); + dentry = ERR_PTR(-ENOMEM); + if (new) { + dentry = dir->i_op->lookup(dir, new, nd); + if (dentry) + dput(new); + else + dentry = new; + } +out_unlock: + mutex_unlock(&dir->i_mutex); + if (IS_ERR(dentry)) + goto fail; + goto done; + } + + /* + * Uhhuh! Nasty case: the cache was re-populated while + * we waited on the semaphore. Need to revalidate. + */ + mutex_unlock(&dir->i_mutex); + if (dentry->d_op && dentry->d_op->d_revalidate) { + dentry = do_revalidate(dentry, nd); + if (!dentry) + dentry = ERR_PTR(-ENOENT); + } if (IS_ERR(dentry)) goto fail; goto done; @@ -838,7 +852,7 @@ static int link_path_walk(const char *name, struct nameidata *nd) unsigned int c; nd->flags |= LOOKUP_CONTINUE; - err = exec_permission_lite(inode); + err = exec_permission(inode); if (err) break; @@ -1144,7 +1158,17 @@ static struct dentry *__lookup_hash(struct qstr *name, goto out; } - dentry = cached_lookup(base, name, nd); + dentry = __d_lookup(base, name); + + /* lockess __d_lookup may fail due to concurrent d_move() + * in some unrelated directory, so try with d_lookup + */ + if (!dentry) + dentry = d_lookup(base, name); + + if (dentry && dentry->d_op && dentry->d_op->d_revalidate) + dentry = do_revalidate(dentry, nd); + if (!dentry) { struct dentry *new; @@ -1176,7 +1200,7 @@ static struct dentry *lookup_hash(struct nameidata *nd) { int err; - err = inode_permission(nd->path.dentry->d_inode, MAY_EXEC); + err = exec_permission(nd->path.dentry->d_inode); if (err) return ERR_PTR(err); return __lookup_hash(&nd->last, nd->path.dentry, nd); @@ -1226,7 +1250,7 @@ struct dentry *lookup_one_len(const char *name, struct dentry *base, int len) if (err) return ERR_PTR(err); - err = inode_permission(base->d_inode, MAY_EXEC); + err = exec_permission(base->d_inode); if (err) return ERR_PTR(err); return __lookup_hash(&this, base, NULL); @@ -1464,69 +1488,45 @@ int may_open(struct path *path, int acc_mode, int flag) if (error) return error; - error = ima_path_check(path, acc_mode ? - acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC) : - ACC_MODE(flag) & (MAY_READ | MAY_WRITE), - IMA_COUNT_UPDATE); - - if (error) - return error; /* * An append-only file must be opened in append mode for writing. */ if (IS_APPEND(inode)) { - error = -EPERM; if ((flag & FMODE_WRITE) && !(flag & O_APPEND)) - goto err_out; + return -EPERM; if (flag & O_TRUNC) - goto err_out; + return -EPERM; } /* O_NOATIME can only be set by the owner or superuser */ - if (flag & O_NOATIME) - if (!is_owner_or_cap(inode)) { - error = -EPERM; - goto err_out; - } + if (flag & O_NOATIME && !is_owner_or_cap(inode)) + return -EPERM; /* * Ensure there are no outstanding leases on the file. */ - error = break_lease(inode, flag); - if (error) - goto err_out; - - if (flag & O_TRUNC) { - error = get_write_access(inode); - if (error) - goto err_out; - - /* - * Refuse to truncate files with mandatory locks held on them. - */ - error = locks_verify_locked(inode); - if (!error) - error = security_path_truncate(path, 0, - ATTR_MTIME|ATTR_CTIME|ATTR_OPEN); - if (!error) { - vfs_dq_init(inode); - - error = do_truncate(dentry, 0, - ATTR_MTIME|ATTR_CTIME|ATTR_OPEN, - NULL); - } - put_write_access(inode); - if (error) - goto err_out; - } else - if (flag & FMODE_WRITE) - vfs_dq_init(inode); + return break_lease(inode, flag); +} - return 0; -err_out: - ima_counts_put(path, acc_mode ? - acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC) : - ACC_MODE(flag) & (MAY_READ | MAY_WRITE)); +static int handle_truncate(struct path *path) +{ + struct inode *inode = path->dentry->d_inode; + int error = get_write_access(inode); + if (error) + return error; + /* + * Refuse to truncate files with mandatory locks held on them. + */ + error = locks_verify_locked(inode); + if (!error) + error = security_path_truncate(path, 0, + ATTR_MTIME|ATTR_CTIME|ATTR_OPEN); + if (!error) { + error = do_truncate(path->dentry, 0, + ATTR_MTIME|ATTR_CTIME|ATTR_OPEN, + NULL); + } + put_write_access(inode); return error; } @@ -1581,7 +1581,7 @@ static inline int open_to_namei_flags(int flag) return flag; } -static int open_will_write_to_fs(int flag, struct inode *inode) +static int open_will_truncate(int flag, struct inode *inode) { /* * We'll never write to the fs underlying @@ -1606,7 +1606,7 @@ struct file *do_filp_open(int dfd, const char *pathname, struct path path, save; struct dentry *dir; int count = 0; - int will_write; + int will_truncate; int flag = open_to_namei_flags(open_flag); /* @@ -1639,6 +1639,7 @@ struct file *do_filp_open(int dfd, const char *pathname, if (filp == NULL) return ERR_PTR(-ENFILE); nd.intent.open.file = filp; + filp->f_flags = open_flag; nd.intent.open.flags = flag; nd.intent.open.create_mode = 0; error = do_path_lookup(dfd, pathname, @@ -1684,6 +1685,7 @@ struct file *do_filp_open(int dfd, const char *pathname, if (filp == NULL) goto exit_parent; nd.intent.open.file = filp; + filp->f_flags = open_flag; nd.intent.open.flags = flag; nd.intent.open.create_mode = mode; dir = nd.path.dentry; @@ -1724,14 +1726,18 @@ do_last: mnt_drop_write(nd.path.mnt); goto exit; } - filp = nameidata_to_filp(&nd, open_flag); - if (IS_ERR(filp)) - ima_counts_put(&nd.path, - acc_mode & (MAY_READ | MAY_WRITE | - MAY_EXEC)); + filp = nameidata_to_filp(&nd); mnt_drop_write(nd.path.mnt); if (nd.root.mnt) path_put(&nd.root); + if (!IS_ERR(filp)) { + error = ima_path_check(&filp->f_path, filp->f_mode & + (MAY_READ | MAY_WRITE | MAY_EXEC)); + if (error) { + fput(filp); + filp = ERR_PTR(error); + } + } return filp; } @@ -1759,7 +1765,7 @@ do_last: path_to_nameidata(&path, &nd); error = -EISDIR; - if (path.dentry->d_inode && S_ISDIR(path.dentry->d_inode->i_mode)) + if (S_ISDIR(path.dentry->d_inode->i_mode)) goto exit; ok: /* @@ -1772,28 +1778,45 @@ ok: * be avoided. Taking this mnt write here * ensures that (2) can not occur. */ - will_write = open_will_write_to_fs(flag, nd.path.dentry->d_inode); - if (will_write) { + will_truncate = open_will_truncate(flag, nd.path.dentry->d_inode); + if (will_truncate) { error = mnt_want_write(nd.path.mnt); if (error) goto exit; } error = may_open(&nd.path, acc_mode, flag); if (error) { - if (will_write) + if (will_truncate) mnt_drop_write(nd.path.mnt); goto exit; } - filp = nameidata_to_filp(&nd, open_flag); - if (IS_ERR(filp)) - ima_counts_put(&nd.path, - acc_mode & (MAY_READ | MAY_WRITE | MAY_EXEC)); + filp = nameidata_to_filp(&nd); + if (!IS_ERR(filp)) { + error = ima_path_check(&filp->f_path, filp->f_mode & + (MAY_READ | MAY_WRITE | MAY_EXEC)); + if (error) { + fput(filp); + filp = ERR_PTR(error); + } + } + if (!IS_ERR(filp)) { + if (acc_mode & MAY_WRITE) + vfs_dq_init(nd.path.dentry->d_inode); + + if (will_truncate) { + error = handle_truncate(&nd.path); + if (error) { + fput(filp); + filp = ERR_PTR(error); + } + } + } /* * It is now safe to drop the mnt write * because the filp has had a write taken * on its behalf. */ - if (will_write) + if (will_truncate) mnt_drop_write(nd.path.mnt); if (nd.root.mnt) path_put(&nd.root);