From 2c48b9c45579a9b5e3e74694eebf3d2451f3dbd3 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 9 Aug 2009 00:52:35 +0400 Subject: [PATCH] switch alloc_file() to passing struct path ... and have the caller grab both mnt and dentry; kill leak in infiniband, while we are at it. Signed-off-by: Al Viro --- arch/ia64/kernel/perfmon.c | 15 ++++++++------- drivers/infiniband/core/uverbs_main.c | 9 +++++++-- fs/anon_inodes.c | 18 +++++++++--------- fs/file_table.c | 13 ++++++------- fs/hugetlbfs/inode.c | 15 ++++++++------- fs/notify/inotify/inotify_user.c | 8 ++++++-- fs/pipe.c | 17 +++++++++-------- include/linux/file.h | 5 +++-- ipc/shm.c | 10 +++++----- mm/shmem.c | 14 ++++++++------ net/socket.c | 17 +++++++++-------- 11 files changed, 78 insertions(+), 63 deletions(-) diff --git a/arch/ia64/kernel/perfmon.c b/arch/ia64/kernel/perfmon.c index 599b233bef7..5246285a95f 100644 --- a/arch/ia64/kernel/perfmon.c +++ b/arch/ia64/kernel/perfmon.c @@ -2200,7 +2200,7 @@ pfm_alloc_file(pfm_context_t *ctx) { struct file *file; struct inode *inode; - struct dentry *dentry; + struct path path; char name[32]; struct qstr this; @@ -2225,18 +2225,19 @@ pfm_alloc_file(pfm_context_t *ctx) /* * allocate a new dcache entry */ - dentry = d_alloc(pfmfs_mnt->mnt_sb->s_root, &this); - if (!dentry) { + path.dentry = d_alloc(pfmfs_mnt->mnt_sb->s_root, &this); + if (!path.dentry) { iput(inode); return ERR_PTR(-ENOMEM); } + path.mnt = mntget(pfmfs_mnt); - dentry->d_op = &pfmfs_dentry_operations; - d_add(dentry, inode); + path.dentry->d_op = &pfmfs_dentry_operations; + d_add(path.dentry, inode); - file = alloc_file(pfmfs_mnt, dentry, FMODE_READ, &pfm_file_ops); + file = alloc_file(&path, FMODE_READ, &pfm_file_ops); if (!file) { - dput(dentry); + path_put(&path); return ERR_PTR(-ENFILE); } diff --git a/drivers/infiniband/core/uverbs_main.c b/drivers/infiniband/core/uverbs_main.c index aec0fbdfe7f..5f284ffd430 100644 --- a/drivers/infiniband/core/uverbs_main.c +++ b/drivers/infiniband/core/uverbs_main.c @@ -492,6 +492,7 @@ struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file, int is_async, int *fd) { struct ib_uverbs_event_file *ev_file; + struct path path; struct file *filp; int ret; @@ -519,8 +520,10 @@ struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file, * system call on a uverbs file, which will already have a * module reference. */ - filp = alloc_file(uverbs_event_mnt, dget(uverbs_event_mnt->mnt_root), - FMODE_READ, fops_get(&uverbs_event_fops)); + path.mnt = uverbs_event_mnt; + path.dentry = uverbs_event_mnt->mnt_root; + path_get(&path); + filp = alloc_file(&path, FMODE_READ, fops_get(&uverbs_event_fops)); if (!filp) { ret = -ENFILE; goto err_fd; @@ -531,6 +534,8 @@ struct file *ib_uverbs_alloc_event_file(struct ib_uverbs_file *uverbs_file, return filp; err_fd: + fops_put(&uverbs_event_fops); + path_put(&path); put_unused_fd(*fd); err: diff --git a/fs/anon_inodes.c b/fs/anon_inodes.c index 2ca7a7cafdb..94f5110c465 100644 --- a/fs/anon_inodes.c +++ b/fs/anon_inodes.c @@ -88,7 +88,7 @@ struct file *anon_inode_getfile(const char *name, void *priv, int flags) { struct qstr this; - struct dentry *dentry; + struct path path; struct file *file; int error; @@ -106,10 +106,11 @@ struct file *anon_inode_getfile(const char *name, this.name = name; this.len = strlen(name); this.hash = 0; - dentry = d_alloc(anon_inode_mnt->mnt_sb->s_root, &this); - if (!dentry) + path.dentry = d_alloc(anon_inode_mnt->mnt_sb->s_root, &this); + if (!path.dentry) goto err_module; + path.mnt = mntget(anon_inode_mnt); /* * We know the anon_inode inode count is always greater than zero, * so we can avoid doing an igrab() and we can use an open-coded @@ -117,14 +118,13 @@ struct file *anon_inode_getfile(const char *name, */ atomic_inc(&anon_inode_inode->i_count); - dentry->d_op = &anon_inodefs_dentry_operations; + path.dentry->d_op = &anon_inodefs_dentry_operations; /* Do not publish this dentry inside the global dentry hash table */ - dentry->d_flags &= ~DCACHE_UNHASHED; - d_instantiate(dentry, anon_inode_inode); + path.dentry->d_flags &= ~DCACHE_UNHASHED; + d_instantiate(path.dentry, anon_inode_inode); error = -ENFILE; - file = alloc_file(anon_inode_mnt, dentry, - FMODE_READ | FMODE_WRITE, fops); + file = alloc_file(&path, FMODE_READ | FMODE_WRITE, fops); if (!file) goto err_dput; file->f_mapping = anon_inode_inode->i_mapping; @@ -137,7 +137,7 @@ struct file *anon_inode_getfile(const char *name, return file; err_dput: - dput(dentry); + path_put(&path); err_module: module_put(fops->owner); return ERR_PTR(error); diff --git a/fs/file_table.c b/fs/file_table.c index 602a9ee3023..163cd28314e 100644 --- a/fs/file_table.c +++ b/fs/file_table.c @@ -162,8 +162,8 @@ fail: * If all the callers of init_file() are eliminated, its * code should be moved into this function. */ -struct file *alloc_file(struct vfsmount *mnt, struct dentry *dentry, - fmode_t mode, const struct file_operations *fop) +struct file *alloc_file(struct path *path, fmode_t mode, + const struct file_operations *fop) { struct file *file; @@ -171,9 +171,8 @@ struct file *alloc_file(struct vfsmount *mnt, struct dentry *dentry, if (!file) return NULL; - file->f_path.dentry = dentry; - file->f_path.mnt = mntget(mnt); - file->f_mapping = dentry->d_inode->i_mapping; + file->f_path = *path; + file->f_mapping = path->dentry->d_inode->i_mapping; file->f_mode = mode; file->f_op = fop; @@ -183,10 +182,10 @@ struct file *alloc_file(struct vfsmount *mnt, struct dentry *dentry, * visible. We do this for consistency, and so * that we can do debugging checks at __fput() */ - if ((mode & FMODE_WRITE) && !special_file(dentry->d_inode->i_mode)) { + if ((mode & FMODE_WRITE) && !special_file(path->dentry->d_inode->i_mode)) { int error = 0; file_take_write(file); - error = mnt_clone_write(mnt); + error = mnt_clone_write(path->mnt); WARN_ON(error); } return file; diff --git a/fs/hugetlbfs/inode.c b/fs/hugetlbfs/inode.c index 87a1258953b..6bd41525cd7 100644 --- a/fs/hugetlbfs/inode.c +++ b/fs/hugetlbfs/inode.c @@ -922,7 +922,8 @@ struct file *hugetlb_file_setup(const char *name, size_t size, int acctflag, int error = -ENOMEM; struct file *file; struct inode *inode; - struct dentry *dentry, *root; + struct path path; + struct dentry *root; struct qstr quick_string; *user = NULL; @@ -944,10 +945,11 @@ struct file *hugetlb_file_setup(const char *name, size_t size, int acctflag, quick_string.name = name; quick_string.len = strlen(quick_string.name); quick_string.hash = 0; - dentry = d_alloc(root, &quick_string); - if (!dentry) + path.dentry = d_alloc(root, &quick_string); + if (!path.dentry) goto out_shm_unlock; + path.mnt = mntget(hugetlbfs_vfsmount); error = -ENOSPC; inode = hugetlbfs_get_inode(root->d_sb, current_fsuid(), current_fsgid(), S_IFREG | S_IRWXUGO, 0); @@ -960,13 +962,12 @@ struct file *hugetlb_file_setup(const char *name, size_t size, int acctflag, acctflag)) goto out_inode; - d_instantiate(dentry, inode); + d_instantiate(path.dentry, inode); inode->i_size = size; inode->i_nlink = 0; error = -ENFILE; - file = alloc_file(hugetlbfs_vfsmount, dentry, - FMODE_WRITE | FMODE_READ, + file = alloc_file(&path, FMODE_WRITE | FMODE_READ, &hugetlbfs_file_operations); if (!file) goto out_dentry; /* inode is already attached */ @@ -977,7 +978,7 @@ struct file *hugetlb_file_setup(const char *name, size_t size, int acctflag, out_inode: iput(inode); out_dentry: - dput(dentry); + path_put(&path); out_shm_unlock: if (*user) { user_shm_unlock(size, *user); diff --git a/fs/notify/inotify/inotify_user.c b/fs/notify/inotify/inotify_user.c index 9e4f90042ea..8271cf05c95 100644 --- a/fs/notify/inotify/inotify_user.c +++ b/fs/notify/inotify/inotify_user.c @@ -646,6 +646,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) struct fsnotify_group *group; struct user_struct *user; struct file *filp; + struct path path; int fd, ret; /* Check the IN_* constants for consistency. */ @@ -675,8 +676,10 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) atomic_inc(&user->inotify_devs); - filp = alloc_file(inotify_mnt, dget(inotify_mnt->mnt_root), - FMODE_READ, &inotify_fops); + path.mnt = inotify_mnt; + path.dentry = inotify_mnt->mnt_root; + path_get(&path); + filp = alloc_file(&path, FMODE_READ, &inotify_fops); if (!filp) goto Enfile; @@ -689,6 +692,7 @@ SYSCALL_DEFINE1(inotify_init1, int, flags) Enfile: ret = -ENFILE; + path_put(&path); atomic_dec(&user->inotify_devs); out_free_uid: free_uid(user); diff --git a/fs/pipe.c b/fs/pipe.c index ae17d026aaa..81288bc2bcb 100644 --- a/fs/pipe.c +++ b/fs/pipe.c @@ -974,7 +974,7 @@ struct file *create_write_pipe(int flags) int err; struct inode *inode; struct file *f; - struct dentry *dentry; + struct path path; struct qstr name = { .name = "" }; err = -ENFILE; @@ -983,21 +983,22 @@ struct file *create_write_pipe(int flags) goto err; err = -ENOMEM; - dentry = d_alloc(pipe_mnt->mnt_sb->s_root, &name); - if (!dentry) + path.dentry = d_alloc(pipe_mnt->mnt_sb->s_root, &name); + if (!path.dentry) goto err_inode; + path.mnt = mntget(pipe_mnt); - dentry->d_op = &pipefs_dentry_operations; + path.dentry->d_op = &pipefs_dentry_operations; /* * We dont want to publish this dentry into global dentry hash table. * We pretend dentry is already hashed, by unsetting DCACHE_UNHASHED * This permits a working /proc/$pid/fd/XXX on pipes */ - dentry->d_flags &= ~DCACHE_UNHASHED; - d_instantiate(dentry, inode); + path.dentry->d_flags &= ~DCACHE_UNHASHED; + d_instantiate(path.dentry, inode); err = -ENFILE; - f = alloc_file(pipe_mnt, dentry, FMODE_WRITE, &write_pipefifo_fops); + f = alloc_file(&path, FMODE_WRITE, &write_pipefifo_fops); if (!f) goto err_dentry; f->f_mapping = inode->i_mapping; @@ -1009,7 +1010,7 @@ struct file *create_write_pipe(int flags) err_dentry: free_pipe_info(inode); - dput(dentry); + path_put(&path); return ERR_PTR(err); err_inode: diff --git a/include/linux/file.h b/include/linux/file.h index 6a8d3612eb2..5555508fd51 100644 --- a/include/linux/file.h +++ b/include/linux/file.h @@ -18,8 +18,9 @@ extern void drop_file_write_access(struct file *file); struct file_operations; struct vfsmount; struct dentry; -extern struct file *alloc_file(struct vfsmount *, struct dentry *dentry, - fmode_t mode, const struct file_operations *fop); +struct path; +extern struct file *alloc_file(struct path *, fmode_t mode, + const struct file_operations *fop); static inline void fput_light(struct file *file, int fput_needed) { diff --git a/ipc/shm.c b/ipc/shm.c index 11bec626c22..16e39230aa0 100644 --- a/ipc/shm.c +++ b/ipc/shm.c @@ -878,8 +878,8 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) if (err) goto out_unlock; - path.dentry = dget(shp->shm_file->f_path.dentry); - path.mnt = shp->shm_file->f_path.mnt; + path = shp->shm_file->f_path; + path_get(&path); shp->shm_nattch++; size = i_size_read(path.dentry->d_inode); shm_unlock(shp); @@ -889,8 +889,8 @@ long do_shmat(int shmid, char __user *shmaddr, int shmflg, ulong *raddr) if (!sfd) goto out_put_dentry; - file = alloc_file(path.mnt, path.dentry, f_mode, - is_file_hugepages(shp->shm_file) ? + file = alloc_file(&path, f_mode, + is_file_hugepages(shp->shm_file) ? &shm_file_operations_huge : &shm_file_operations); if (!file) @@ -950,7 +950,7 @@ out_unlock: out_free: kfree(sfd); out_put_dentry: - dput(path.dentry); + path_put(&path); goto out_nattch; } diff --git a/mm/shmem.c b/mm/shmem.c index ef8f47473c5..d2ec7f029ff 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2626,7 +2626,8 @@ struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags int error; struct file *file; struct inode *inode; - struct dentry *dentry, *root; + struct path path; + struct dentry *root; struct qstr this; if (IS_ERR(shm_mnt)) @@ -2643,16 +2644,17 @@ struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags this.len = strlen(name); this.hash = 0; /* will go */ root = shm_mnt->mnt_root; - dentry = d_alloc(root, &this); - if (!dentry) + path.dentry = d_alloc(root, &this); + if (!path.dentry) goto put_memory; + path.mnt = mntget(shm_mnt); error = -ENOSPC; inode = shmem_get_inode(root->d_sb, S_IFREG | S_IRWXUGO, 0, flags); if (!inode) goto put_dentry; - d_instantiate(dentry, inode); + d_instantiate(path.dentry, inode); inode->i_size = size; inode->i_nlink = 0; /* It is unlinked */ #ifndef CONFIG_MMU @@ -2662,7 +2664,7 @@ struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags #endif error = -ENFILE; - file = alloc_file(shm_mnt, dentry, FMODE_WRITE | FMODE_READ, + file = alloc_file(&path, FMODE_WRITE | FMODE_READ, &shmem_file_operations); if (!file) goto put_dentry; @@ -2671,7 +2673,7 @@ struct file *shmem_file_setup(const char *name, loff_t size, unsigned long flags return file; put_dentry: - dput(dentry); + path_put(&path); put_memory: shmem_unacct_size(flags, size); return ERR_PTR(error); diff --git a/net/socket.c b/net/socket.c index eaaba3510e8..dbfdfa96d29 100644 --- a/net/socket.c +++ b/net/socket.c @@ -358,7 +358,7 @@ static const struct dentry_operations sockfs_dentry_operations = { static int sock_alloc_file(struct socket *sock, struct file **f, int flags) { struct qstr name = { .name = "" }; - struct dentry *dentry; + struct path path; struct file *file; int fd; @@ -366,28 +366,29 @@ static int sock_alloc_file(struct socket *sock, struct file **f, int flags) if (unlikely(fd < 0)) return fd; - dentry = d_alloc(sock_mnt->mnt_sb->s_root, &name); - if (unlikely(!dentry)) { + path.dentry = d_alloc(sock_mnt->mnt_sb->s_root, &name); + if (unlikely(!path.dentry)) { put_unused_fd(fd); return -ENOMEM; } + path.mnt = mntget(sock_mnt); - dentry->d_op = &sockfs_dentry_operations; + path.dentry->d_op = &sockfs_dentry_operations; /* * We dont want to push this dentry into global dentry hash table. * We pretend dentry is already hashed, by unsetting DCACHE_UNHASHED * This permits a working /proc/$pid/fd/XXX on sockets */ - dentry->d_flags &= ~DCACHE_UNHASHED; - d_instantiate(dentry, SOCK_INODE(sock)); + path.dentry->d_flags &= ~DCACHE_UNHASHED; + d_instantiate(path.dentry, SOCK_INODE(sock)); SOCK_INODE(sock)->i_fop = &socket_file_ops; - file = alloc_file(sock_mnt, dentry, FMODE_READ | FMODE_WRITE, + file = alloc_file(&path, FMODE_READ | FMODE_WRITE, &socket_file_ops); if (unlikely(!file)) { /* drop dentry, keep inode */ atomic_inc(&path.dentry->d_inode->i_count); - dput(dentry); + path_put(&path); put_unused_fd(fd); return -ENFILE; }