From 695c60f21c69e525a89279a5f35bae4ff237afbc Mon Sep 17 00:00:00 2001 From: Thomas Meyer Date: Mon, 19 Dec 2011 17:11:55 -0800 Subject: nilfs2: unbreak compat ioctl commit 828b1c50ae ("nilfs2: add compat ioctl") incidentally broke all other NILFS compat ioctls. Make them work again. Signed-off-by: Thomas Meyer Signed-off-by: Ryusuke Konishi Tested-by: Ryusuke Konishi Cc: [3.0+] Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/nilfs2/ioctl.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'fs/nilfs2/ioctl.c') diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 41d6743d303c..3e654273cfc2 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -842,6 +842,19 @@ long nilfs_compat_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) case FS_IOC32_GETVERSION: cmd = FS_IOC_GETVERSION; break; + case NILFS_IOCTL_CHANGE_CPMODE: + case NILFS_IOCTL_DELETE_CHECKPOINT: + case NILFS_IOCTL_GET_CPINFO: + case NILFS_IOCTL_GET_CPSTAT: + case NILFS_IOCTL_GET_SUINFO: + case NILFS_IOCTL_GET_SUSTAT: + case NILFS_IOCTL_GET_VINFO: + case NILFS_IOCTL_GET_BDESCS: + case NILFS_IOCTL_CLEAN_SEGMENTS: + case NILFS_IOCTL_SYNC: + case NILFS_IOCTL_RESIZE: + case NILFS_IOCTL_SET_ALLOC_RANGE: + break; default: return -ENOIOCTLCMD; } -- cgit From 481fe17e973fb97aa3edf17c69557afe88d8334f Mon Sep 17 00:00:00 2001 From: Haogang Chen Date: Mon, 19 Dec 2011 17:11:56 -0800 Subject: nilfs2: potential integer overflow in nilfs_ioctl_clean_segments() There is a potential integer overflow in nilfs_ioctl_clean_segments(). When a large argv[n].v_nmembs is passed from the userspace, the subsequent call to vmalloc() will allocate a buffer smaller than expected, which leads to out-of-bound access in nilfs_ioctl_move_blocks() and lfs_clean_segments(). The following check does not prevent the overflow because nsegs is also controlled by the userspace and could be very large. if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; This patch clamps argv[n].v_nmembs to UINT_MAX / argv[n].v_size, and returns -EINVAL when overflow. Signed-off-by: Haogang Chen Signed-off-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/nilfs2/ioctl.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'fs/nilfs2/ioctl.c') diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 3e654273cfc2..ac258beeda3c 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -625,6 +625,9 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, if (argv[n].v_nmembs > nsegs * nilfs->ns_blocks_per_segment) goto out_free; + if (argv[n].v_nmembs >= UINT_MAX / argv[n].v_size) + goto out_free; + len = argv[n].v_size * argv[n].v_nmembs; base = (void __user *)(unsigned long)argv[n].v_base; if (len == 0) { -- cgit From a561be7100cd610bd2e082f3211c1dfb45835817 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Wed, 23 Nov 2011 11:57:51 -0500 Subject: switch a bunch of places to mnt_want_write_file() it's both faster (in case when file has been opened for write) and cleaner. Signed-off-by: Al Viro --- fs/btrfs/ioctl.c | 10 +++++----- fs/ext2/ioctl.c | 6 +++--- fs/ext3/ioctl.c | 10 +++++----- fs/ext4/ioctl.c | 14 +++++++------- fs/fat/file.c | 2 +- fs/gfs2/file.c | 2 +- fs/hfsplus/ioctl.c | 2 +- fs/jfs/ioctl.c | 2 +- fs/nfsd/nfs4recover.c | 6 +++--- fs/nilfs2/ioctl.c | 12 ++++++------ fs/ocfs2/ioctl.c | 2 +- fs/ocfs2/move_extents.c | 2 +- fs/reiserfs/ioctl.c | 4 ++-- fs/ubifs/ioctl.c | 2 +- fs/xfs/xfs_ioctl.c | 4 ++-- fs/xfs/xfs_ioctl32.c | 4 ++-- 16 files changed, 42 insertions(+), 42 deletions(-) (limited to 'fs/nilfs2/ioctl.c') diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index c04f02c7d5bb..20dd8f3b6c72 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -201,7 +201,7 @@ static int btrfs_ioctl_setflags(struct file *file, void __user *arg) } } - ret = mnt_want_write(file->f_path.mnt); + ret = mnt_want_write_file(file); if (ret) goto out_unlock; @@ -1855,7 +1855,7 @@ static noinline int btrfs_ioctl_snap_destroy(struct file *file, goto out; } - err = mnt_want_write(file->f_path.mnt); + err = mnt_want_write_file(file); if (err) goto out; @@ -1987,7 +1987,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp) if (btrfs_root_readonly(root)) return -EROFS; - ret = mnt_want_write(file->f_path.mnt); + ret = mnt_want_write_file(file); if (ret) return ret; @@ -2195,7 +2195,7 @@ static noinline long btrfs_ioctl_clone(struct file *file, unsigned long srcfd, if (btrfs_root_readonly(root)) return -EROFS; - ret = mnt_want_write(file->f_path.mnt); + ret = mnt_want_write_file(file); if (ret) return ret; @@ -2549,7 +2549,7 @@ static long btrfs_ioctl_trans_start(struct file *file) if (btrfs_root_readonly(root)) goto out; - ret = mnt_want_write(file->f_path.mnt); + ret = mnt_want_write_file(file); if (ret) goto out; diff --git a/fs/ext2/ioctl.c b/fs/ext2/ioctl.c index f81e250ac5c4..61a3f9661728 100644 --- a/fs/ext2/ioctl.c +++ b/fs/ext2/ioctl.c @@ -35,7 +35,7 @@ long ext2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) case EXT2_IOC_SETFLAGS: { unsigned int oldflags; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; @@ -91,7 +91,7 @@ setflags_out: case EXT2_IOC_SETVERSION: if (!inode_owner_or_capable(inode)) return -EPERM; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; if (get_user(inode->i_generation, (int __user *) arg)) { @@ -121,7 +121,7 @@ setflags_out: if (get_user(rsv_window_size, (int __user *)arg)) return -EFAULT; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; diff --git a/fs/ext3/ioctl.c b/fs/ext3/ioctl.c index ba1b54e23cae..a02863a080d3 100644 --- a/fs/ext3/ioctl.c +++ b/fs/ext3/ioctl.c @@ -44,7 +44,7 @@ long ext3_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (get_user(flags, (int __user *) arg)) return -EFAULT; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -126,7 +126,7 @@ flags_out: if (!inode_owner_or_capable(inode)) return -EPERM; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; if (get_user(generation, (int __user *) arg)) { @@ -164,7 +164,7 @@ setversion_out: if (!test_opt(inode->i_sb, RESERVATION) ||!S_ISREG(inode->i_mode)) return -ENOTTY; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -206,7 +206,7 @@ setrsvsz_out: if (!capable(CAP_SYS_RESOURCE)) return -EPERM; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -232,7 +232,7 @@ group_extend_out: if (!capable(CAP_SYS_RESOURCE)) return -EPERM; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index a56796814d6a..9a49760b554d 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -45,7 +45,7 @@ long ext4_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (get_user(flags, (int __user *) arg)) return -EFAULT; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -150,7 +150,7 @@ flags_out: if (!inode_owner_or_capable(inode)) return -EPERM; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; if (get_user(generation, (int __user *) arg)) { @@ -192,7 +192,7 @@ setversion_out: return -EOPNOTSUPP; } - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -240,7 +240,7 @@ setversion_out: return -EOPNOTSUPP; } - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) goto mext_out; @@ -277,7 +277,7 @@ mext_out: return -EOPNOTSUPP; } - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; @@ -301,7 +301,7 @@ mext_out: if (!inode_owner_or_capable(inode)) return -EACCES; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; /* @@ -323,7 +323,7 @@ mext_out: if (!inode_owner_or_capable(inode)) return -EACCES; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; err = ext4_alloc_da_blocks(inode); diff --git a/fs/fat/file.c b/fs/fat/file.c index c118acf16e43..50746a1a0789 100644 --- a/fs/fat/file.c +++ b/fs/fat/file.c @@ -44,7 +44,7 @@ static int fat_ioctl_set_attributes(struct file *file, u32 __user *user_attr) goto out; mutex_lock(&inode->i_mutex); - err = mnt_want_write(file->f_path.mnt); + err = mnt_want_write_file(file); if (err) goto out_unlock_inode; diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c index ce36a56dfeac..28fc6e3855f3 100644 --- a/fs/gfs2/file.c +++ b/fs/gfs2/file.c @@ -223,7 +223,7 @@ static int do_gfs2_set_flags(struct file *filp, u32 reqflags, u32 mask) int error; u32 new_flags, flags; - error = mnt_want_write(filp->f_path.mnt); + error = mnt_want_write_file(filp); if (error) return error; diff --git a/fs/hfsplus/ioctl.c b/fs/hfsplus/ioctl.c index fbaa6690c8e0..31d3fe576429 100644 --- a/fs/hfsplus/ioctl.c +++ b/fs/hfsplus/ioctl.c @@ -43,7 +43,7 @@ static int hfsplus_ioctl_setflags(struct file *file, int __user *user_flags) unsigned int flags; int err = 0; - err = mnt_want_write(file->f_path.mnt); + err = mnt_want_write_file(file); if (err) goto out; diff --git a/fs/jfs/ioctl.c b/fs/jfs/ioctl.c index 6f98a1866776..73d9eaa91c05 100644 --- a/fs/jfs/ioctl.c +++ b/fs/jfs/ioctl.c @@ -68,7 +68,7 @@ long jfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) unsigned int oldflags; int err; - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) return err; diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c index ed083b9a731b..a9aa2f161262 100644 --- a/fs/nfsd/nfs4recover.c +++ b/fs/nfsd/nfs4recover.c @@ -147,7 +147,7 @@ nfsd4_create_clid_dir(struct nfs4_client *clp) status = -EEXIST; if (dentry->d_inode) goto out_put; - status = mnt_want_write(rec_file->f_path.mnt); + status = mnt_want_write_file(rec_file); if (status) goto out_put; status = vfs_mkdir(dir->d_inode, dentry, S_IRWXU); @@ -268,7 +268,7 @@ nfsd4_remove_clid_dir(struct nfs4_client *clp) if (!rec_file || !clp->cl_firststate) return; - status = mnt_want_write(rec_file->f_path.mnt); + status = mnt_want_write_file(rec_file); if (status) goto out; clp->cl_firststate = 0; @@ -311,7 +311,7 @@ nfsd4_recdir_purge_old(void) { if (!rec_file) return; - status = mnt_want_write(rec_file->f_path.mnt); + status = mnt_want_write_file(rec_file); if (status) goto out; status = nfsd4_list_rec_dir(purge_old); diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index ac258beeda3c..b7697d1ccd61 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -27,7 +27,7 @@ #include /* copy_from_user(), copy_to_user() */ #include #include /* compat_ptr() */ -#include /* mnt_want_write(), mnt_drop_write() */ +#include /* mnt_want_write_file(), mnt_drop_write() */ #include #include #include "nilfs.h" @@ -119,7 +119,7 @@ static int nilfs_ioctl_setflags(struct inode *inode, struct file *filp, if (get_user(flags, (int __user *)argp)) return -EFAULT; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; @@ -174,7 +174,7 @@ static int nilfs_ioctl_change_cpmode(struct inode *inode, struct file *filp, if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; @@ -210,7 +210,7 @@ nilfs_ioctl_delete_checkpoint(struct inode *inode, struct file *filp, if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; @@ -591,7 +591,7 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, if (!capable(CAP_SYS_ADMIN)) return -EPERM; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) return ret; @@ -710,7 +710,7 @@ static int nilfs_ioctl_resize(struct inode *inode, struct file *filp, if (!capable(CAP_SYS_ADMIN)) goto out; - ret = mnt_want_write(filp->f_path.mnt); + ret = mnt_want_write_file(filp); if (ret) goto out; diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c index 726ff265b296..892ace253f97 100644 --- a/fs/ocfs2/ioctl.c +++ b/fs/ocfs2/ioctl.c @@ -906,7 +906,7 @@ long ocfs2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) if (get_user(flags, (int __user *) arg)) return -EFAULT; - status = mnt_want_write(filp->f_path.mnt); + status = mnt_want_write_file(filp); if (status) return status; status = ocfs2_set_inode_attr(inode, flags, diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c index 184c76b8c293..1d3bf83f8b85 100644 --- a/fs/ocfs2/move_extents.c +++ b/fs/ocfs2/move_extents.c @@ -1059,7 +1059,7 @@ int ocfs2_ioctl_move_extents(struct file *filp, void __user *argp) struct ocfs2_move_extents range; struct ocfs2_move_extents_context *context = NULL; - status = mnt_want_write(filp->f_path.mnt); + status = mnt_want_write_file(filp); if (status) return status; diff --git a/fs/reiserfs/ioctl.c b/fs/reiserfs/ioctl.c index 4e153051bc75..0b94d7b2b11f 100644 --- a/fs/reiserfs/ioctl.c +++ b/fs/reiserfs/ioctl.c @@ -55,7 +55,7 @@ long reiserfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) break; } - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) break; @@ -107,7 +107,7 @@ setflags_out: err = -EPERM; break; } - err = mnt_want_write(filp->f_path.mnt); + err = mnt_want_write_file(filp); if (err) break; if (get_user(inode->i_generation, (int __user *)arg)) { diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c index 548acf494afd..e52c84598feb 100644 --- a/fs/ubifs/ioctl.c +++ b/fs/ubifs/ioctl.c @@ -173,7 +173,7 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg) * Make sure the file-system is read-write and make sure it * will not become read-only while we are changing the flags. */ - err = mnt_want_write(file->f_path.mnt); + err = mnt_want_write_file(file); if (err) return err; dbg_gen("set flags: %#x, i_flags %#x", flags, inode->i_flags); diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index d99a90518909..b436e17c753e 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -559,7 +559,7 @@ xfs_attrmulti_by_handle( ops[i].am_flags); break; case ATTR_OP_SET: - ops[i].am_error = mnt_want_write(parfilp->f_path.mnt); + ops[i].am_error = mnt_want_write_file(parfilp); if (ops[i].am_error) break; ops[i].am_error = xfs_attrmulti_attr_set( @@ -569,7 +569,7 @@ xfs_attrmulti_by_handle( mnt_drop_write(parfilp->f_path.mnt); break; case ATTR_OP_REMOVE: - ops[i].am_error = mnt_want_write(parfilp->f_path.mnt); + ops[i].am_error = mnt_want_write_file(parfilp); if (ops[i].am_error) break; ops[i].am_error = xfs_attrmulti_attr_remove( diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c index 54e623bfbb85..dd4ba1d4c582 100644 --- a/fs/xfs/xfs_ioctl32.c +++ b/fs/xfs/xfs_ioctl32.c @@ -454,7 +454,7 @@ xfs_compat_attrmulti_by_handle( &ops[i].am_length, ops[i].am_flags); break; case ATTR_OP_SET: - ops[i].am_error = mnt_want_write(parfilp->f_path.mnt); + ops[i].am_error = mnt_want_write_file(parfilp); if (ops[i].am_error) break; ops[i].am_error = xfs_attrmulti_attr_set( @@ -464,7 +464,7 @@ xfs_compat_attrmulti_by_handle( mnt_drop_write(parfilp->f_path.mnt); break; case ATTR_OP_REMOVE: - ops[i].am_error = mnt_want_write(parfilp->f_path.mnt); + ops[i].am_error = mnt_want_write_file(parfilp); if (ops[i].am_error) break; ops[i].am_error = xfs_attrmulti_attr_remove( -- cgit From 2a79f17e4a641a2f463cb512cb0ec349844a147b Mon Sep 17 00:00:00 2001 From: Al Viro Date: Fri, 9 Dec 2011 08:06:57 -0500 Subject: vfs: mnt_drop_write_file() new helper (wrapper around mnt_drop_write()) to be used in pair with mnt_want_write_file(). Signed-off-by: Al Viro --- fs/btrfs/ioctl.c | 12 ++++++------ fs/ext2/ioctl.c | 6 +++--- fs/ext3/ioctl.c | 10 +++++----- fs/ext4/ioctl.c | 14 +++++++------- fs/fat/file.c | 2 +- fs/gfs2/file.c | 2 +- fs/hfsplus/ioctl.c | 2 +- fs/inode.c | 2 +- fs/jfs/ioctl.c | 2 +- fs/namespace.c | 6 ++++++ fs/ncpfs/ioctl.c | 2 +- fs/nfsd/nfs4recover.c | 6 +++--- fs/nilfs2/ioctl.c | 12 ++++++------ fs/ocfs2/ioctl.c | 2 +- fs/ocfs2/move_extents.c | 2 +- fs/open.c | 2 +- fs/reiserfs/ioctl.c | 4 ++-- fs/ubifs/ioctl.c | 2 +- fs/xattr.c | 4 ++-- fs/xfs/xfs_ioctl.c | 4 ++-- fs/xfs/xfs_ioctl32.c | 4 ++-- include/linux/mount.h | 1 + 22 files changed, 55 insertions(+), 48 deletions(-) (limited to 'fs/nilfs2/ioctl.c') diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 20dd8f3b6c72..5441ff1480fd 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -259,7 +259,7 @@ static int btrfs_ioctl_setflags(struct file *file, void __user *arg) btrfs_end_transaction(trans, root); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); ret = 0; out_unlock: @@ -1971,7 +1971,7 @@ out_dput: dput(dentry); out_unlock_dir: mutex_unlock(&dir->i_mutex); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); out: kfree(vol_args); return err; @@ -2040,7 +2040,7 @@ static int btrfs_ioctl_defrag(struct file *file, void __user *argp) ret = -EINVAL; } out: - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); return ret; } @@ -2510,7 +2510,7 @@ out_unlock: out_fput: fput(src_file); out_drop_write: - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); return ret; } @@ -2565,7 +2565,7 @@ static long btrfs_ioctl_trans_start(struct file *file) out_drop: atomic_dec(&root->fs_info->open_ioctl_trans); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); out: return ret; } @@ -2800,7 +2800,7 @@ long btrfs_ioctl_trans_end(struct file *file) atomic_dec(&root->fs_info->open_ioctl_trans); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); return 0; } diff --git a/fs/ext2/ioctl.c b/fs/ext2/ioctl.c index 61a3f9661728..1089f760c847 100644 --- a/fs/ext2/ioctl.c +++ b/fs/ext2/ioctl.c @@ -83,7 +83,7 @@ long ext2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) inode->i_ctime = CURRENT_TIME_SEC; mark_inode_dirty(inode); setflags_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; } case EXT2_IOC_GETVERSION: @@ -100,7 +100,7 @@ setflags_out: inode->i_ctime = CURRENT_TIME_SEC; mark_inode_dirty(inode); } - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; case EXT2_IOC_GETRSVSZ: if (test_opt(inode->i_sb, RESERVATION) @@ -145,7 +145,7 @@ setflags_out: rsv->rsv_goal_size = rsv_window_size; } mutex_unlock(&ei->truncate_mutex); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return 0; } default: diff --git a/fs/ext3/ioctl.c b/fs/ext3/ioctl.c index a02863a080d3..8e37c41a071b 100644 --- a/fs/ext3/ioctl.c +++ b/fs/ext3/ioctl.c @@ -110,7 +110,7 @@ flags_err: err = ext3_change_inode_journal_flag(inode, jflag); flags_out: mutex_unlock(&inode->i_mutex); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT3_IOC_GETVERSION: @@ -147,7 +147,7 @@ flags_out: } ext3_journal_stop(handle); setversion_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT3_IOC_GETRSVSZ: @@ -195,7 +195,7 @@ setversion_out: } mutex_unlock(&ei->truncate_mutex); setrsvsz_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT3_IOC_GROUP_EXTEND: { @@ -221,7 +221,7 @@ setrsvsz_out: if (err == 0) err = err2; group_extend_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT3_IOC_GROUP_ADD: { @@ -249,7 +249,7 @@ group_extend_out: if (err == 0) err = err2; group_add_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case FITRIM: { diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 9a49760b554d..d37b3bb2a3b8 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c @@ -134,7 +134,7 @@ flags_err: err = ext4_ext_migrate(inode); flags_out: mutex_unlock(&inode->i_mutex); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT4_IOC_GETVERSION: @@ -171,7 +171,7 @@ flags_out: } ext4_journal_stop(handle); setversion_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } case EXT4_IOC_GROUP_EXTEND: { @@ -204,7 +204,7 @@ setversion_out: } if (err == 0) err = err2; - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); ext4_resize_end(sb); return err; @@ -246,7 +246,7 @@ setversion_out: err = ext4_move_extents(filp, donor_filp, me.orig_start, me.donor_start, me.len, &me.moved_len); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); if (me.moved_len > 0) file_remove_suid(donor_filp); @@ -289,7 +289,7 @@ mext_out: } if (err == 0) err = err2; - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); ext4_resize_end(sb); return err; @@ -313,7 +313,7 @@ mext_out: mutex_lock(&(inode->i_mutex)); err = ext4_ext_migrate(inode); mutex_unlock(&(inode->i_mutex)); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } @@ -327,7 +327,7 @@ mext_out: if (err) return err; err = ext4_alloc_da_blocks(inode); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } diff --git a/fs/fat/file.c b/fs/fat/file.c index 50746a1a0789..d81d01a99b2c 100644 --- a/fs/fat/file.c +++ b/fs/fat/file.c @@ -108,7 +108,7 @@ static int fat_ioctl_set_attributes(struct file *file, u32 __user *user_attr) fat_save_attrs(inode, attr); mark_inode_dirty(inode); out_drop_write: - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); out_unlock_inode: mutex_unlock(&inode->i_mutex); out: diff --git a/fs/gfs2/file.c b/fs/gfs2/file.c index 28fc6e3855f3..b8927d4f3bf2 100644 --- a/fs/gfs2/file.c +++ b/fs/gfs2/file.c @@ -285,7 +285,7 @@ out_trans_end: out: gfs2_glock_dq_uninit(&gh); out_drop_write: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return error; } diff --git a/fs/hfsplus/ioctl.c b/fs/hfsplus/ioctl.c index 31d3fe576429..f66c7655b3f7 100644 --- a/fs/hfsplus/ioctl.c +++ b/fs/hfsplus/ioctl.c @@ -94,7 +94,7 @@ static int hfsplus_ioctl_setflags(struct file *file, int __user *user_flags) out_unlock_inode: mutex_unlock(&inode->i_mutex); out_drop_write: - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); out: return err; } diff --git a/fs/inode.c b/fs/inode.c index ee4e66b998f4..4fda5ee85518 100644 --- a/fs/inode.c +++ b/fs/inode.c @@ -1508,7 +1508,7 @@ void file_update_time(struct file *file) if (sync_it & S_MTIME) inode->i_mtime = now; mark_inode_dirty_sync(inode); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); } EXPORT_SYMBOL(file_update_time); diff --git a/fs/jfs/ioctl.c b/fs/jfs/ioctl.c index 73d9eaa91c05..f19d1e04a374 100644 --- a/fs/jfs/ioctl.c +++ b/fs/jfs/ioctl.c @@ -120,7 +120,7 @@ long jfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) inode->i_ctime = CURRENT_TIME_SEC; mark_inode_dirty(inode); setflags_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return err; } default: diff --git a/fs/namespace.c b/fs/namespace.c index 7a8f949cec1b..86b4f6406470 100644 --- a/fs/namespace.c +++ b/fs/namespace.c @@ -392,6 +392,12 @@ void mnt_drop_write(struct vfsmount *mnt) } EXPORT_SYMBOL_GPL(mnt_drop_write); +void mnt_drop_write_file(struct file *file) +{ + mnt_drop_write(file->f_path.mnt); +} +EXPORT_SYMBOL(mnt_drop_write_file); + static int mnt_make_readonly(struct vfsmount *mnt) { int ret = 0; diff --git a/fs/ncpfs/ioctl.c b/fs/ncpfs/ioctl.c index 790e92a9ec63..6958adfaff08 100644 --- a/fs/ncpfs/ioctl.c +++ b/fs/ncpfs/ioctl.c @@ -901,7 +901,7 @@ long ncp_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) ret = __ncp_ioctl(inode, cmd, arg); outDropWrite: if (need_drop_write) - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); out: return ret; } diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c index a9aa2f161262..80a0be9ed008 100644 --- a/fs/nfsd/nfs4recover.c +++ b/fs/nfsd/nfs4recover.c @@ -151,7 +151,7 @@ nfsd4_create_clid_dir(struct nfs4_client *clp) if (status) goto out_put; status = vfs_mkdir(dir->d_inode, dentry, S_IRWXU); - mnt_drop_write(rec_file->f_path.mnt); + mnt_drop_write_file(rec_file); out_put: dput(dentry); out_unlock: @@ -281,7 +281,7 @@ nfsd4_remove_clid_dir(struct nfs4_client *clp) nfs4_reset_creds(original_cred); if (status == 0) vfs_fsync(rec_file, 0); - mnt_drop_write(rec_file->f_path.mnt); + mnt_drop_write_file(rec_file); out: if (status) printk("NFSD: Failed to remove expired client state directory" @@ -317,7 +317,7 @@ nfsd4_recdir_purge_old(void) { status = nfsd4_list_rec_dir(purge_old); if (status == 0) vfs_fsync(rec_file, 0); - mnt_drop_write(rec_file->f_path.mnt); + mnt_drop_write_file(rec_file); out: if (status) printk("nfsd4: failed to purge old clients from recovery" diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index b7697d1ccd61..886649627c3d 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -27,7 +27,7 @@ #include /* copy_from_user(), copy_to_user() */ #include #include /* compat_ptr() */ -#include /* mnt_want_write_file(), mnt_drop_write() */ +#include /* mnt_want_write_file(), mnt_drop_write_file() */ #include #include #include "nilfs.h" @@ -154,7 +154,7 @@ static int nilfs_ioctl_setflags(struct inode *inode, struct file *filp, ret = nilfs_transaction_commit(inode->i_sb); out: mutex_unlock(&inode->i_mutex); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; } @@ -194,7 +194,7 @@ static int nilfs_ioctl_change_cpmode(struct inode *inode, struct file *filp, up_read(&inode->i_sb->s_umount); out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; } @@ -225,7 +225,7 @@ nilfs_ioctl_delete_checkpoint(struct inode *inode, struct file *filp, else nilfs_transaction_commit(inode->i_sb); /* never fails */ out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; } @@ -675,7 +675,7 @@ out_free: vfree(kbufs[n]); kfree(kbufs[4]); out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return ret; } @@ -721,7 +721,7 @@ static int nilfs_ioctl_resize(struct inode *inode, struct file *filp, ret = nilfs_resize_fs(inode->i_sb, newsize); out_drop_write: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); out: return ret; } diff --git a/fs/ocfs2/ioctl.c b/fs/ocfs2/ioctl.c index 892ace253f97..a6fda3c188aa 100644 --- a/fs/ocfs2/ioctl.c +++ b/fs/ocfs2/ioctl.c @@ -911,7 +911,7 @@ long ocfs2_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) return status; status = ocfs2_set_inode_attr(inode, flags, OCFS2_FL_MODIFIABLE); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return status; case OCFS2_IOC_RESVSP: case OCFS2_IOC_RESVSP64: diff --git a/fs/ocfs2/move_extents.c b/fs/ocfs2/move_extents.c index 1d3bf83f8b85..b1e3fce72ea4 100644 --- a/fs/ocfs2/move_extents.c +++ b/fs/ocfs2/move_extents.c @@ -1145,7 +1145,7 @@ out: kfree(context); - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); return status; } diff --git a/fs/open.c b/fs/open.c index 22c41b543f2d..4ef8d868a448 100644 --- a/fs/open.c +++ b/fs/open.c @@ -608,7 +608,7 @@ SYSCALL_DEFINE3(fchown, unsigned int, fd, uid_t, user, gid_t, group) dentry = file->f_path.dentry; audit_inode(NULL, dentry); error = chown_common(&file->f_path, user, group); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); out_fput: fput(file); out: diff --git a/fs/reiserfs/ioctl.c b/fs/reiserfs/ioctl.c index 0b94d7b2b11f..950e3d1b5c9e 100644 --- a/fs/reiserfs/ioctl.c +++ b/fs/reiserfs/ioctl.c @@ -96,7 +96,7 @@ long reiserfs_ioctl(struct file *filp, unsigned int cmd, unsigned long arg) inode->i_ctime = CURRENT_TIME_SEC; mark_inode_dirty(inode); setflags_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); break; } case REISERFS_IOC_GETVERSION: @@ -117,7 +117,7 @@ setflags_out: inode->i_ctime = CURRENT_TIME_SEC; mark_inode_dirty(inode); setversion_out: - mnt_drop_write(filp->f_path.mnt); + mnt_drop_write_file(filp); break; default: err = -ENOTTY; diff --git a/fs/ubifs/ioctl.c b/fs/ubifs/ioctl.c index e52c84598feb..1a7e2d8bdbe9 100644 --- a/fs/ubifs/ioctl.c +++ b/fs/ubifs/ioctl.c @@ -178,7 +178,7 @@ long ubifs_ioctl(struct file *file, unsigned int cmd, unsigned long arg) return err; dbg_gen("set flags: %#x, i_flags %#x", flags, inode->i_flags); err = setflags(inode, flags); - mnt_drop_write(file->f_path.mnt); + mnt_drop_write_file(file); return err; } diff --git a/fs/xattr.c b/fs/xattr.c index 67583de8218c..82f43376c7cd 100644 --- a/fs/xattr.c +++ b/fs/xattr.c @@ -397,7 +397,7 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, const char __user *, name, error = mnt_want_write_file(f); if (!error) { error = setxattr(dentry, name, value, size, flags); - mnt_drop_write(f->f_path.mnt); + mnt_drop_write_file(f); } fput(f); return error; @@ -624,7 +624,7 @@ SYSCALL_DEFINE2(fremovexattr, int, fd, const char __user *, name) error = mnt_want_write_file(f); if (!error) { error = removexattr(dentry, name); - mnt_drop_write(f->f_path.mnt); + mnt_drop_write_file(f); } fput(f); return error; diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c index b436e17c753e..76f3ca5cfc36 100644 --- a/fs/xfs/xfs_ioctl.c +++ b/fs/xfs/xfs_ioctl.c @@ -566,7 +566,7 @@ xfs_attrmulti_by_handle( dentry->d_inode, attr_name, ops[i].am_attrvalue, ops[i].am_length, ops[i].am_flags); - mnt_drop_write(parfilp->f_path.mnt); + mnt_drop_write_file(parfilp); break; case ATTR_OP_REMOVE: ops[i].am_error = mnt_want_write_file(parfilp); @@ -575,7 +575,7 @@ xfs_attrmulti_by_handle( ops[i].am_error = xfs_attrmulti_attr_remove( dentry->d_inode, attr_name, ops[i].am_flags); - mnt_drop_write(parfilp->f_path.mnt); + mnt_drop_write_file(parfilp); break; default: ops[i].am_error = EINVAL; diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c index dd4ba1d4c582..f9ccb7b7c043 100644 --- a/fs/xfs/xfs_ioctl32.c +++ b/fs/xfs/xfs_ioctl32.c @@ -461,7 +461,7 @@ xfs_compat_attrmulti_by_handle( dentry->d_inode, attr_name, compat_ptr(ops[i].am_attrvalue), ops[i].am_length, ops[i].am_flags); - mnt_drop_write(parfilp->f_path.mnt); + mnt_drop_write_file(parfilp); break; case ATTR_OP_REMOVE: ops[i].am_error = mnt_want_write_file(parfilp); @@ -470,7 +470,7 @@ xfs_compat_attrmulti_by_handle( ops[i].am_error = xfs_attrmulti_attr_remove( dentry->d_inode, attr_name, ops[i].am_flags); - mnt_drop_write(parfilp->f_path.mnt); + mnt_drop_write_file(parfilp); break; default: ops[i].am_error = EINVAL; diff --git a/include/linux/mount.h b/include/linux/mount.h index 65c1bb013836..00f5c4f2160b 100644 --- a/include/linux/mount.h +++ b/include/linux/mount.h @@ -94,6 +94,7 @@ extern int mnt_want_write(struct vfsmount *mnt); extern int mnt_want_write_file(struct file *file); extern int mnt_clone_write(struct vfsmount *mnt); extern void mnt_drop_write(struct vfsmount *mnt); +extern void mnt_drop_write_file(struct file *file); extern void mntput(struct vfsmount *mnt); extern struct vfsmount *mntget(struct vfsmount *mnt); extern void mnt_pin(struct vfsmount *mnt); -- cgit From 1ecd3c7ea76488c63b4b0a2561fd7eaf96cc8028 Mon Sep 17 00:00:00 2001 From: Xi Wang Date: Wed, 8 Feb 2012 17:13:37 -0800 Subject: nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() nsegs is read from userspace. Limit its value and avoid overflowing nsegs * sizeof(__u64) in the subsequent call to memdup_user(). This patch complements 481fe17e973fb9 ("nilfs2: potential integer overflow in nilfs_ioctl_clean_segments()"). Signed-off-by: Xi Wang Cc: Haogang Chen Acked-by: Ryusuke Konishi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds --- fs/nilfs2/ioctl.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'fs/nilfs2/ioctl.c') diff --git a/fs/nilfs2/ioctl.c b/fs/nilfs2/ioctl.c index 886649627c3d..2a70fce70c65 100644 --- a/fs/nilfs2/ioctl.c +++ b/fs/nilfs2/ioctl.c @@ -603,6 +603,8 @@ static int nilfs_ioctl_clean_segments(struct inode *inode, struct file *filp, nsegs = argv[4].v_nmembs; if (argv[4].v_size != argsz[4]) goto out; + if (nsegs > UINT_MAX / sizeof(__u64)) + goto out; /* * argv[4] points to segment numbers this ioctl cleans. We -- cgit