linux/fs/ceph/export.c, branch v3.4.19Linux kernel source treehttps://git.amat.us/linux/atom/fs/ceph/export.c?h=v3.4.192012-10-21T16:27:57Ztmpfs,ceph,gfs2,isofs,reiserfs,xfs: fix fh_len checking2012-10-21T16:27:57ZHugh Dickinshughd@google.com2012-10-08T03:32:51Zurn:sha1:530258fceacd8c17075906c648c1ba20928c940b
commit 35c2a7f4908d404c9124c2efc6ada4640ca4d5d5 upstream.
Fuzzing with trinity oopsed on the 1st instruction of shmem_fh_to_dentry(),
u64 inum = fid->raw[2];
which is unhelpfully reported as at the end of shmem_alloc_inode():
BUG: unable to handle kernel paging request at ffff880061cd3000
IP: [<ffffffff812190d0>] shmem_alloc_inode+0x40/0x40
Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Call Trace:
[<ffffffff81488649>] ? exportfs_decode_fh+0x79/0x2d0
[<ffffffff812d77c3>] do_handle_open+0x163/0x2c0
[<ffffffff812d792c>] sys_open_by_handle_at+0xc/0x10
[<ffffffff83a5f3f8>] tracesys+0xe1/0xe6
Right, tmpfs is being stupid to access fid->raw[2] before validating that
fh_len includes it: the buffer kmalloc'ed by do_sys_name_to_handle() may
fall at the end of a page, and the next page not be present.
But some other filesystems (ceph, gfs2, isofs, reiserfs, xfs) are being
careless about fh_len too, in fh_to_dentry() and/or fh_to_parent(), and
could oops in the same way: add the missing fh_len checks to those.
Reported-by: Sasha Levin <levinsasha928@gmail.com>
Signed-off-by: Hugh Dickins <hughd@google.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Sage Weil <sage@inktank.com>
Cc: Steven Whitehouse <swhiteho@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ceph: avoid useless dget/dput in encode_fh2012-01-10T16:57:00ZSage Weilsage@newdream.net2012-01-03T16:20:40Zurn:sha1:ee6b1baf67591b6d7ce1a6a07544343433d5ec9e
Nothing we do here sleeps, so just do it under d_lock and avoid the dget/
dput entirely.
Reported-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: avoid d_parent in ceph_dentry_hash; fix ceph_encode_fh() hashing bug2011-07-26T18:30:55ZSage Weilsage@newdream.net2011-07-26T18:30:55Zurn:sha1:e5f86dc377e7ff2b4195831153a85a3e76fefff2
Have caller pass in a safely-obtained reference to the parent directory
for calculating a dentry's hash valud.
While we're here, simpify the flow through ceph_encode_fh() so that there
is a single exit point and cleanup.
Also fix a bug with the dentry hash calculation: calculate the hash for the
dentry we were given, not its parent.
Reviewed-by: Yehuda Sadeh <yehuda@hq.newdream.net>
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: use ihold when we already have an inode ref2011-06-08T04:34:11ZSage Weilsage@newdream.net2011-05-27T16:24:26Zurn:sha1:70b666c3b4cb2b96098d80e6f515e4bc6d37db5a
We should use ihold whenever we already have a stable inode ref, even
when we aren't holding i_lock. This avoids adding new and unnecessary
locking dependencies.
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: avoid inode lookup on nfs fh reconnect2011-05-24T18:52:06ZSage Weilsage@newdream.net2011-04-06T16:35:00Zurn:sha1:45e3d3eeb6578e523e100622266945ecd71723bb
If we get the inode from the MDS, we have a reference in req; don't do a
fresh lookup.
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: use LOOKUPINO to make unconnected nfs fh more reliable2011-05-24T18:52:05ZSage Weilsage@newdream.net2011-04-06T16:31:40Zurn:sha1:3c454cf21645bc96668e286f6352ac2c4c895fa2
If we are unable to locate an inode by ino, ask the MDS using the new
LOOKUPINO command.
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: add dir_layout to inode2011-01-12T23:15:12ZSage Weilsage@newdream.net2010-11-16T19:14:34Zurn:sha1:6c0f3af72cb1622a66962a1180c36ef8c41be8e2
Add a ceph_dir_layout to the inode, and calculate dentry hash values based
on the parent directory's specified dir_hash function. This is needed
because the old default Linux dcache hash function is extremely week and
leads to a poor distribution of files among dir fragments.
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: factor out libceph from Ceph file system2010-10-20T22:37:28ZYehuda Sadehyehuda@hq.newdream.net2010-04-06T22:14:15Zurn:sha1:3d14c5d2b6e15c21d8e5467dc62d33127c23a644
This factors out protocol and low-level storage parts of ceph into a
separate libceph module living in net/ceph and include/linux/ceph. This
is mostly a matter of moving files around. However, a few key pieces
of the interface change as well:
- ceph_client becomes ceph_fs_client and ceph_client, where the latter
captures the mon and osd clients, and the fs_client gets the mds client
and file system specific pieces.
- Mount option parsing and debugfs setup is correspondingly broken into
two pieces.
- The mon client gets a generic handler callback for otherwise unknown
messages (mds map, in this case).
- The basic supported/required feature bits can be expanded (and are by
ceph_fs_client).
No functional change, aside from some subtle error handling cases that got
cleaned up in the refactoring process.
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: Update max_len with minimum required size2010-10-07T15:00:24ZAneesh Kumar K.Vaneesh.kumar@linux.vnet.ibm.com2010-10-05T10:33:42Zurn:sha1:bba0cd0e3d97472855840af817b766e3f632a501
encode_fh on error should update max_len with minimum required
size, so that caller can redo the call with the reallocated buffer.
This is required with open by handle patch series
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Sage Weil <sage@newdream.net>
ceph: Fix return value of encode_fh function2010-10-07T15:00:23ZAneesh Kumar K.Vaneesh.kumar@linux.vnet.ibm.com2010-10-05T10:33:41Zurn:sha1:92923dcbfcad107b0e0469f579a2455729ccf10e
encode_fh function should return 255 on error as done by other file
system to indicate EOVERFLOW. Also max_len is in sizeof(u32) units
and not in bytes.
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: Sage Weil <sage@newdream.net>