1. 29 Apr, 2015 2 commits
  2. 07 Jul, 2014 1 commit
    • reiserfs: call truncate_setsize under tailpack mutex · 4660efb8
      Jeff Mahoney authored
      commit 22e7478ddbcb670e33fab72d0bbe7c394c3a2c84 upstream.
      
      Prior to commit 0e4f6a79 (Fix reiserfs_file_release()), reiserfs
      truncates serialized on i_mutex. They mostly still do, with the exception
      of reiserfs_file_release. That blocks out other writers via the tailpack
      mutex and the inode openers counter adjusted in reiserfs_file_open.
      
      However, NFS will call reiserfs_setattr without having called ->open, so
      we end up with a race when nfs is calling ->setattr while another
      process is releasing the file. Ultimately, it triggers the
      BUG_ON(inode->i_size != new_file_size) check in maybe_indirect_to_direct.
      
      The solution is to pull the lock into reiserfs_setattr to encompass the
      truncate_setsize call as well.
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  3. 06 May, 2014 1 commit
  4. 15 Aug, 2013 1 commit
    • reiserfs: fix deadlock in umount · 71986ee0
      Al Viro authored
      commit 672fe15d091ce76d6fb98e489962e9add7c1ba4c upstream.
      
      Since remove_proc_entry() started to wait for IO in progress (i.e.
      since 2007 or so), the locking in fs/reiserfs/proc.c became wrong;
      if procfs read happens between the moment when umount() locks the
      victim superblock and removal of /proc/fs/reiserfs/<device>/*,
      we'll get a deadlock - read will wait for s_umount (in sget(),
      called by r_start()), while umount will wait in remove_proc_entry()
      for that read to finish, holding s_umount all along.
      
      Fortunately, the same change allows a much simpler race avoidance -
      all we need to do is remove the procfs entries in the very beginning
      of reiserfs ->kill_sb(); that'll guarantee that pointer to superblock
      will remain valid for the duration for procfs IO, so we don't need
      sget() to keep the sucker alive.  As a matter of fact, we can
      get rid of the home-grown iterator completely, and use single_open()
      instead.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  5. 31 May, 2013 3 commits
    • reiserfs: fix deadlock with nfs racing on create/lookup · a1457c0c
      Jeff Mahoney authored
      Reiserfs is currently able to be deadlocked by having two NFS clients
      where one has removed and recreated a file and another is accessing the
      file with an open file handle.
      
      If one client deletes and recreates a file with timing such that the
      recreated file obtains the same [dirid, objectid] pair as the original
      file while another client accesses the file via file handle, the create
      and lookup can race and deadlock if the lookup manages to create the
      in-memory inode first.
      
      The create thread, in insert_inode_locked4, will hold the write lock
      while waiting on the other inode to be unlocked. The lookup thread,
      anywhere in the iget path, will release and reacquire the write lock while
      it schedules. If it needs to reacquire the lock while the create thread
      has it, it will never be able to make forward progress because it needs
      to reacquire the lock before ultimately unlocking the inode.
      
      This patch drops the write lock across the insert_inode_locked4 call so
      that the ordering of inode_wait -> write lock is retained. Since this
      would have been the case before the BKL push-down, this is safe.
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
    • reiserfs: fix problems with chowning setuid file w/ xattrs · 4a857011
      Jeff Mahoney authored
      reiserfs_chown_xattrs() takes the iattr struct passed into ->setattr
      and uses it to iterate over all the attrs associated with a file to change
      ownership of xattrs (and transfer quota associated with the xattr files).
      
      When the setuid bit is cleared during chown, ATTR_MODE and iattr->ia_mode
      are passed to all the xattrs as well. This means that the xattr directory
      will have S_IFREG added to its mode bits.
      
      This has been prevented in practice by a missing IS_PRIVATE check
      in reiserfs_acl_chmod, which caused a double-lock to occur while holding
      the write lock. Since the file system was completely locked up, the
      writeout of the corrupted mode never happened.
      
      This patch temporarily clears everything but ATTR_UID|ATTR_GID for the
      calls to reiserfs_setattr and adds the missing IS_PRIVATE check.
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
    • reiserfs: fix spurious multiple-fill in reiserfs_readdir_dentry · 0bdc7acb
      Jeff Mahoney authored
      After sleeping for filldir(), we check to see if the file system has
      changed and research. The next_pos pointer is updated but its value
      isn't pushed into the key used for the search itself. As a result,
      the search returns the same item that the last cycle of the loop did
      and filldir() is called multiple times with the same data.
      
      The end result is that the buffer can contain the same name multiple
      times. This can be returned to userspace or used internally in the
      xattr code where it can manifest with the following warning:
      
      jdm-20004 reiserfs_delete_xattrs: Couldn't delete all xattrs (-2)
      
      reiserfs_for_each_xattr uses reiserfs_readdir_dentry to iterate over
      the xattr names and ends up trying to unlink the same name twice. The
      second attempt fails with -ENOENT and the error is returned. At some
      point I'll need to add support into reiserfsck to remove the orphaned
      directories left behind when this occurs.
      
      The fix is to push the value into the key before researching.
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
  6. 08 May, 2013 1 commit
  7. 07 May, 2013 1 commit
  8. 01 May, 2013 2 commits
  9. 09 Apr, 2013 2 commits
  10. 29 Mar, 2013 1 commit
    • reiserfs: Fix warning and inode leak when deleting inode with xattrs · 35e5cbc0
      Jan Kara authored
      After commit 21d8a15a (lookup_one_len: don't accept . and ..) reiserfs
      started failing to delete xattrs from inode. This was due to a buggy
      test for '.' and '..' in fill_with_dentries() which resulted in passing
      '.' and '..' entries to lookup_one_len() in some cases. That returned
      an error and so we failed to iterate over all xattrs of an inode.
      
      Fix the test in fill_with_dentries() along the lines of the one in
      lookup_one_len().
      Reported-by: Pawel Zawora <pzawora@gmail.com>
      CC: stable@vger.kernel.org
      Signed-off-by: Jan Kara <jack@suse.cz>
  11. 11 Mar, 2013 1 commit
  12. 04 Mar, 2013 1 commit
    • fs: Limit sys_mount to only request filesystem modules. · 7f78e035
      Eric W. Biederman authored
      Modify the request_module to prefix the file system type with "fs-"
      and add aliases to all of the filesystems that can be built as modules
      to match.
      
      A common practice is to build all of the kernel code and leave code
      that is not commonly needed as modules, with the result that many
      users are exposed to any bug anywhere in the kernel.
      
      Looking for filesystems with a fs- prefix limits the pool of possible
      modules that can be loaded by mount to just filesystems trivially
      making things safer with no real cost.
      
      Using aliases means user space can control the policy of which
      filesystem modules are auto-loaded by editing /etc/modprobe.d/*.conf
      with blacklist and alias directives, allowing simple, safe,
      well-understood work-arounds to known problematic software.
      
      This also addresses a rare but unfortunate problem where the filesystem
      name is not the same as its module name and module auto-loading
      would not work.  While writing this patch I saw a handful of such
      cases.  The most significant being autofs that lives in the module
      autofs4.
      
      This is relevant to user namespaces because we can reach the request
      module in get_fs_type() without having any special permissions, and
      people get uncomfortable when a user specified string (in this case
      the filesystem type) goes all of the way to request_module.
      
      After having looked at this issue I don't think there is any
      particular reason to perform any filtering or permission checks beyond
      making it clear in the module request that we want a filesystem
      module.  The common pattern in the kernel is to call request_module()
      without regards to the users permissions.  In general all a filesystem
      module does once loaded is call register_filesystem() and go to sleep.
      Which means there is not much attack surface exposed by loading a
      filesystem module unless the filesystem is mounted.  In a user
      namespace filesystems are not mounted unless .fs_flags = FS_USERNS_MOUNT,
      which most filesystems do not set today.
      Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
      Acked-by: Kees Cook <keescook@chromium.org>
      Reported-by: Kees Cook <keescook@google.com>
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  13. 26 Feb, 2013 1 commit
  14. 23 Feb, 2013 1 commit
  15. 20 Dec, 2012 1 commit
  16. 19 Nov, 2012 4 commits
  17. 10 Oct, 2012 1 commit
    • tmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking · 35c2a7f4
      Hugh Dickins authored
      Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(),
      	u64 inum = fid->raw[2];
      which is unhelpfully reported as at the end of shmem_alloc_inode():
      
      BUG: unable to handle kernel paging request at ffff880061cd3000
      IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40
      Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      Call Trace:
       [<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0
       [<ffffffff812d77c3>] do_handle_open+0x163/0x2c0
       [<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10
       [<ffffffff83a5f3f8>] tracesys+0xe1/0xe6
      
      Right, tmpfs is being stupid to access fid->raw[2] before validating that
      fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may
      fall at the end of a page, and the next page not be present.
      
      But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being
      careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and
      could oops in the same way: add the missing fh_len checks to those.
      Reported-by: Sasha Levin <levinsasha928@gmail.com>
      Signed-off-by: Hugh Dickins <hughd@google.com>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Cc: Sage Weil <sage@inktank.com>
      Cc: Steven Whitehouse <swhiteho@redhat.com>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  18. 03 Oct, 2012 1 commit
  19. 21 Sep, 2012 1 commit
  20. 18 Sep, 2012 1 commit
    • userns: Pass a userns parameter into posix_acl_to_xattr and posix_acl_from_xattr · 5f3a4a28
      Eric W. Biederman authored
       - Pass the user namespace the uid and gid values in the xattr are stored
         in into posix_acl_from_xattr.
      
       - Pass the user namespace kuid and kgid values should be converted into
         when storing uid and gid values in an xattr in posix_acl_to_xattr.
      
      - Modify all callers of posix_acl_from_xattr and posix_acl_to_xattr to
        pass in &init_user_ns.
      
      In the short term this change is not strictly needed but it makes the
      code clearer.  In the longer term this change is necessary to be able to
      mount filesystems outside of the initial user namespace that natively
      store posix acls in the linux xattr format.
      
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andreas Dilger <adilger.kernel@dilger.ca>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
  21. 03 Sep, 2012 1 commit
  22. 14 Aug, 2012 1 commit
    • reiserfs: fix deadlocks with quotas · 48d17884
      Jeff Mahoney authored
      The BKL push-down for reiserfs made lock recursion a special case that needs
      to be handled explicitly. One of the cases that was unhandled is dropping
      the quota during inode eviction. Both reiserfs_evict_inode and
      reiserfs_write_dquot take the write lock, but when the journal lock is
      taken it only drops one of the references. The locking rules are that the journal
      lock be acquired before the write lock so leaving the reference open leads
      to an ABBA deadlock.
      
      This patch pushes the unlock up before clear_inode and avoids the recursive
      locking.
      
      Another ABBA situation can occur when the write lock is dropped while reading
      the bitmap buffer while in the quota code. When the lock is reacquired, it
      will deadlock against dquot->dq_lock and dqopt->dqio_mutex in the dquot_acquire
      path. It's safe to retain the lock across the read and should be cached under
      write load.
      Signed-off-by: Jeff Mahoney <jeffm@suse.com>
      Signed-off-by: Jan Kara <jack@suse.cz>
  23. 22 Jul, 2012 2 commits
    • don't expose I_NEW inodes via dentry->d_inode · 8fc37ec5
      Al Viro authored
      	d_instantiate(dentry, inode);
      	unlock_new_inode(inode);
      
      is a bad idea; do it the other way round...
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
    • quota: Move quota syncing to ->sync_fs method · a1177825
      Jan Kara authored
      Since the moment writes to quota files are using block device page cache and
      space for quota structures is reserved at the moment they are first accessed we
      have no reason to sync quota before inode writeback. In fact this order is now
      only harmful since quota information can easily change during inode writeback
      (either because conversion of delayed-allocated extents or simply because of
      allocation of new blocks for simple filesystems not using page_mkwrite).
      
      So move syncing of quota information after writeback of inodes into ->sync_fs
      method. This way we do not have to use ->quota_sync callback which is primarily
      intended for use by quotactl syscall anyway and we get rid of calling
      ->sync_fs() twice unnecessarily. We skip quota syncing for OCFS2 since it does
      proper quota journalling in all cases (unlike ext3, ext4, and reiserfs which
      also support legacy non-journalled quotas) and thus there are no dirty quota
      structures.
      
      CC: "Theodore Ts'o" <tytso@mit.edu>
      CC: Joel Becker <jlbec@evilplan.org>
      CC: reiserfs-devel@vger.kernel.org
      Acked-by: Steven Whitehouse <swhiteho@redhat.com>
      Acked-by: Dave Kleikamp <shaggy@kernel.org>
      Reviewed-by: Christoph Hellwig <hch@lst.de>
      Signed-off-by: Jan Kara <jack@suse.cz>
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  24. 14 Jul, 2012 4 commits
  25. 01 Jun, 2012 4 commits