[PATCH] sanitize anon_inode_getfd()

a) none of the callers even looks at inode or file returned by anon_inode_getfd()
b) any caller that would try to look at those would be racy, since by the time
it returns we might have raced with close() from another thread and that
file would be pining for fjords.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
Al Viro 2008-02-23 06:46:49 -05:00
parent 9f3acc3140
commit 2030a42cec
7 changed files with 29 additions and 74 deletions

View file

@ -57,9 +57,6 @@ static struct dentry_operations anon_inodefs_dentry_operations = {
* anonymous inode, and a dentry that describe the "class" * anonymous inode, and a dentry that describe the "class"
* of the file * of the file
* *
* @pfd: [out] pointer to the file descriptor
* @dpinode: [out] pointer to the inode
* @pfile: [out] pointer to the file struct
* @name: [in] name of the "class" of the new file * @name: [in] name of the "class" of the new file
* @fops [in] file operations for the new file * @fops [in] file operations for the new file
* @priv [in] private data for the new file (will be file's private_data) * @priv [in] private data for the new file (will be file's private_data)
@ -68,10 +65,9 @@ static struct dentry_operations anon_inodefs_dentry_operations = {
* that do not need to have a full-fledged inode in order to operate correctly. * that do not need to have a full-fledged inode in order to operate correctly.
* All the files created with anon_inode_getfd() will share a single inode, * All the files created with anon_inode_getfd() will share a single inode,
* hence saving memory and avoiding code duplication for the file/inode/dentry * hence saving memory and avoiding code duplication for the file/inode/dentry
* setup. * setup. Returns new descriptor or -error.
*/ */
int anon_inode_getfd(int *pfd, struct inode **pinode, struct file **pfile, int anon_inode_getfd(const char *name, const struct file_operations *fops,
const char *name, const struct file_operations *fops,
void *priv) void *priv)
{ {
struct qstr this; struct qstr this;
@ -125,10 +121,7 @@ int anon_inode_getfd(int *pfd, struct inode **pinode, struct file **pfile,
fd_install(fd, file); fd_install(fd, file);
*pfd = fd; return fd;
*pinode = anon_inode_inode;
*pfile = file;
return 0;
err_dput: err_dput:
dput(dentry); dput(dentry);

View file

@ -200,10 +200,8 @@ struct file *eventfd_fget(int fd)
asmlinkage long sys_eventfd(unsigned int count) asmlinkage long sys_eventfd(unsigned int count)
{ {
int error, fd; int fd;
struct eventfd_ctx *ctx; struct eventfd_ctx *ctx;
struct file *file;
struct inode *inode;
ctx = kmalloc(sizeof(*ctx), GFP_KERNEL); ctx = kmalloc(sizeof(*ctx), GFP_KERNEL);
if (!ctx) if (!ctx)
@ -216,12 +214,9 @@ asmlinkage long sys_eventfd(unsigned int count)
* When we call this, the initialization must be complete, since * When we call this, the initialization must be complete, since
* anon_inode_getfd() will install the fd. * anon_inode_getfd() will install the fd.
*/ */
error = anon_inode_getfd(&fd, &inode, &file, "[eventfd]", fd = anon_inode_getfd("[eventfd]", &eventfd_fops, ctx);
&eventfd_fops, ctx); if (fd < 0)
if (!error) kfree(ctx);
return fd; return fd;
kfree(ctx);
return error;
} }

View file

@ -1050,8 +1050,6 @@ asmlinkage long sys_epoll_create(int size)
{ {
int error, fd = -1; int error, fd = -1;
struct eventpoll *ep; struct eventpoll *ep;
struct inode *inode;
struct file *file;
DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d)\n", DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d)\n",
current, size)); current, size));
@ -1061,29 +1059,24 @@ asmlinkage long sys_epoll_create(int size)
* structure ( "struct eventpoll" ). * structure ( "struct eventpoll" ).
*/ */
error = -EINVAL; error = -EINVAL;
if (size <= 0 || (error = ep_alloc(&ep)) != 0) if (size <= 0 || (error = ep_alloc(&ep)) < 0) {
fd = error;
goto error_return; goto error_return;
}
/* /*
* Creates all the items needed to setup an eventpoll file. That is, * Creates all the items needed to setup an eventpoll file. That is,
* a file structure, and inode and a free file descriptor. * a file structure and a free file descriptor.
*/ */
error = anon_inode_getfd(&fd, &inode, &file, "[eventpoll]", fd = anon_inode_getfd("[eventpoll]", &eventpoll_fops, ep);
&eventpoll_fops, ep); if (fd < 0)
if (error) ep_free(ep);
goto error_free;
error_return:
DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n", DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n",
current, size, fd)); current, size, fd));
return fd; return fd;
error_free:
ep_free(ep);
error_return:
DNPRINTK(3, (KERN_INFO "[%p] eventpoll: sys_epoll_create(%d) = %d\n",
current, size, error));
return error;
} }
/* /*

View file

@ -207,11 +207,8 @@ static const struct file_operations signalfd_fops = {
asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask) asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemask)
{ {
int error;
sigset_t sigmask; sigset_t sigmask;
struct signalfd_ctx *ctx; struct signalfd_ctx *ctx;
struct file *file;
struct inode *inode;
if (sizemask != sizeof(sigset_t) || if (sizemask != sizeof(sigset_t) ||
copy_from_user(&sigmask, user_mask, sizeof(sigmask))) copy_from_user(&sigmask, user_mask, sizeof(sigmask)))
@ -230,12 +227,11 @@ asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemas
* When we call this, the initialization must be complete, since * When we call this, the initialization must be complete, since
* anon_inode_getfd() will install the fd. * anon_inode_getfd() will install the fd.
*/ */
error = anon_inode_getfd(&ufd, &inode, &file, "[signalfd]", ufd = anon_inode_getfd("[signalfd]", &signalfd_fops, ctx);
&signalfd_fops, ctx); if (ufd < 0)
if (error) kfree(ctx);
goto err_fdalloc;
} else { } else {
file = fget(ufd); struct file *file = fget(ufd);
if (!file) if (!file)
return -EBADF; return -EBADF;
ctx = file->private_data; ctx = file->private_data;
@ -252,9 +248,4 @@ asmlinkage long sys_signalfd(int ufd, sigset_t __user *user_mask, size_t sizemas
} }
return ufd; return ufd;
err_fdalloc:
kfree(ctx);
return error;
} }

View file

@ -181,10 +181,8 @@ static struct file *timerfd_fget(int fd)
asmlinkage long sys_timerfd_create(int clockid, int flags) asmlinkage long sys_timerfd_create(int clockid, int flags)
{ {
int error, ufd; int ufd;
struct timerfd_ctx *ctx; struct timerfd_ctx *ctx;
struct file *file;
struct inode *inode;
if (flags) if (flags)
return -EINVAL; return -EINVAL;
@ -200,12 +198,9 @@ asmlinkage long sys_timerfd_create(int clockid, int flags)
ctx->clockid = clockid; ctx->clockid = clockid;
hrtimer_init(&ctx->tmr, clockid, HRTIMER_MODE_ABS); hrtimer_init(&ctx->tmr, clockid, HRTIMER_MODE_ABS);
error = anon_inode_getfd(&ufd, &inode, &file, "[timerfd]", ufd = anon_inode_getfd("[timerfd]", &timerfd_fops, ctx);
&timerfd_fops, ctx); if (ufd < 0)
if (error) {
kfree(ctx); kfree(ctx);
return error;
}
return ufd; return ufd;
} }

View file

@ -8,8 +8,7 @@
#ifndef _LINUX_ANON_INODES_H #ifndef _LINUX_ANON_INODES_H
#define _LINUX_ANON_INODES_H #define _LINUX_ANON_INODES_H
int anon_inode_getfd(int *pfd, struct inode **pinode, struct file **pfile, int anon_inode_getfd(const char *name, const struct file_operations *fops,
const char *name, const struct file_operations *fops,
void *priv); void *priv);
#endif /* _LINUX_ANON_INODES_H */ #endif /* _LINUX_ANON_INODES_H */

View file

@ -834,16 +834,9 @@ static const struct file_operations kvm_vcpu_fops = {
*/ */
static int create_vcpu_fd(struct kvm_vcpu *vcpu) static int create_vcpu_fd(struct kvm_vcpu *vcpu)
{ {
int fd, r; int fd = anon_inode_getfd("kvm-vcpu", &kvm_vcpu_fops, vcpu);
struct inode *inode; if (fd < 0)
struct file *file;
r = anon_inode_getfd(&fd, &inode, &file,
"kvm-vcpu", &kvm_vcpu_fops, vcpu);
if (r) {
kvm_put_kvm(vcpu->kvm); kvm_put_kvm(vcpu->kvm);
return r;
}
return fd; return fd;
} }
@ -1168,19 +1161,15 @@ static const struct file_operations kvm_vm_fops = {
static int kvm_dev_ioctl_create_vm(void) static int kvm_dev_ioctl_create_vm(void)
{ {
int fd, r; int fd;
struct inode *inode;
struct file *file;
struct kvm *kvm; struct kvm *kvm;
kvm = kvm_create_vm(); kvm = kvm_create_vm();
if (IS_ERR(kvm)) if (IS_ERR(kvm))
return PTR_ERR(kvm); return PTR_ERR(kvm);
r = anon_inode_getfd(&fd, &inode, &file, "kvm-vm", &kvm_vm_fops, kvm); fd = anon_inode_getfd("kvm-vm", &kvm_vm_fops, kvm);
if (r) { if (fd < 0)
kvm_put_kvm(kvm); kvm_put_kvm(kvm);
return r;
}
return fd; return fd;
} }