1. 22 5月, 2014 2 次提交
    • J
      cifs: fix potential races in cifs_revalidate_mapping · 4f73c7d3
      Jeff Layton 提交于
      The handling of the CIFS_INO_INVALID_MAPPING flag is racy. It's possible
      for two tasks to attempt to revalidate the mapping at the same time. The
      first sees that CIFS_INO_INVALID_MAPPING is set. It clears the flag and
      then calls invalidate_inode_pages2 to start shooting down the pagecache.
      
      While that's going on, another task checks the flag and sees that it's
      clear. It then ends up trusting the pagecache to satisfy a read when it
      shouldn't.
      
      Fix this by adding a bitlock to ensure that the clearing of the flag is
      atomic with respect to the actual cache invalidation. Also, move the
      other existing users of cifs_invalidate_mapping to use a new
      cifs_zap_mapping() function that just sets the INVALID_MAPPING bit and
      then uses the standard codepath to handle the invalidation.
      Signed-off-by: NJeff Layton <jlayton@poochiereds.net>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      4f73c7d3
    • J
      cifs: convert booleans in cifsInodeInfo to a flags field · aff8d5ca
      Jeff Layton 提交于
      In later patches, we'll need to have a bitlock, so go ahead and convert
      these bools to use atomic bitops instead.
      
      Also, clean up the initialization of the flags field. There's no need
      to unset each bit individually just after it was zeroed on allocation.
      Signed-off-by: NJeff Layton <jlayton@poochiereds.net>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      aff8d5ca
  2. 17 4月, 2014 3 次提交
    • M
      cif: fix dead code · 1f80c0cc
      Michael Opdenacker 提交于
      This issue was found by Coverity (CID 1202536)
      
      This proposes a fix for a statement that creates dead code.
      The "rc < 0" statement is within code that is run
      with "rc > 0".
      
      It seems like "err < 0" was meant to be used here.
      This way, the error code is returned by the function.
      Signed-off-by: NMichael Opdenacker <michael.opdenacker@free-electrons.com>
      Acked-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      1f80c0cc
    • J
      cifs: fix error handling cifs_user_readv · bae9f746
      Jeff Layton 提交于
      Coverity says:
      
      *** CID 1202537:  Dereference after null check  (FORWARD_NULL)
      /fs/cifs/file.c: 2873 in cifs_user_readv()
      2867     		cur_len = min_t(const size_t, len - total_read, cifs_sb->rsize);
      2868     		npages = DIV_ROUND_UP(cur_len, PAGE_SIZE);
      2869
      2870     		/* allocate a readdata struct */
      2871     		rdata = cifs_readdata_alloc(npages,
      2872     					    cifs_uncached_readv_complete);
      >>>     CID 1202537:  Dereference after null check  (FORWARD_NULL)
      >>>     Comparing "rdata" to null implies that "rdata" might be null.
      2873     		if (!rdata) {
      2874     			rc = -ENOMEM;
      2875     			goto error;
      2876     		}
      2877
      2878     		rc = cifs_read_allocate_pages(rdata, npages);
      
      ...when we "goto error", rc will be non-zero, and then we end up trying
      to do a kref_put on the rdata (which is NULL). Fix this by replacing
      the "goto error" with a "break".
      
      Reported-by: <scan-admin@coverity.com>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      bae9f746
    • S
      cifs: Wait for writebacks to complete before attempting write. · c11f1df5
      Sachin Prabhu 提交于
      Problem reported in Red Hat bz 1040329 for strict writes where we cache
      only when we hold oplock and write direct to the server when we don't.
      
      When we receive an oplock break, we first change the oplock value for
      the inode in cifsInodeInfo->oplock to indicate that we no longer hold
      the oplock before we enqueue a task to flush changes to the backing
      device. Once we have completed flushing the changes, we return the
      oplock to the server.
      
      There are 2 ways here where we can have data corruption
      1) While we flush changes to the backing device as part of the oplock
      break, we can have processes write to the file. These writes check for
      the oplock, find none and attempt to write directly to the server.
      These direct writes made while we are flushing from cache could be
      overwritten by data being flushed from the cache causing data
      corruption.
      2) While a thread runs in cifs_strict_writev, the machine could receive
      and process an oplock break after the thread has checked the oplock and
      found that it allows us to cache and before we have made changes to the
      cache. In that case, we end up with a dirty page in cache when we
      shouldn't have any. This will be flushed later and will overwrite all
      subsequent writes to the part of the file represented by this page.
      
      Before making any writes to the server, we need to confirm that we are
      not in the process of flushing data to the server and if we are, we
      should wait until the process is complete before we attempt the write.
      We should also wait for existing writes to complete before we process
      an oplock break request which changes oplock values.
      
      We add a version specific  downgrade_oplock() operation to allow for
      differences in the oplock values set for the different smb versions.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NSachin Prabhu <sprabhu@redhat.com>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Reviewed-by: NPavel Shilovsky <piastry@etersoft.ru>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      c11f1df5
  3. 14 4月, 2014 1 次提交
  4. 12 4月, 2014 1 次提交
    • A
      cifs: fix the race in cifs_writev() · 19dfc1f5
      Al Viro 提交于
      O_APPEND handling there hadn't been completely fixed by Pavel's
      patch; it checks the right value, but it's racy - we can't really
      do that until i_mutex has been taken.
      
      Fix by switching to __generic_file_aio_write() (open-coding
      generic_file_aio_write(), actually) and pulling mutex_lock() above
      inode_size_read().
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      19dfc1f5
  5. 08 4月, 2014 1 次提交
  6. 02 4月, 2014 3 次提交
  7. 24 2月, 2014 1 次提交
  8. 15 2月, 2014 1 次提交
    • J
      cifs: ensure that uncached writes handle unmapped areas correctly · 5d81de8e
      Jeff Layton 提交于
      It's possible for userland to pass down an iovec via writev() that has a
      bogus user pointer in it. If that happens and we're doing an uncached
      write, then we can end up getting less bytes than we expect from the
      call to iov_iter_copy_from_user. This is CVE-2014-0069
      
      cifs_iovec_write isn't set up to handle that situation however. It'll
      blindly keep chugging through the page array and not filling those pages
      with anything useful. Worse yet, we'll later end up with a negative
      number in wdata->tailsz, which will confuse the sending routines and
      cause an oops at the very least.
      
      Fix this by having the copy phase of cifs_iovec_write stop copying data
      in this situation and send the last write as a short one. At the same
      time, we want to avoid sending a zero-length write to the server, so
      break out of the loop and set rc to -EFAULT if that happens. This also
      allows us to handle the case where no address in the iovec is valid.
      
      [Note: Marking this for stable on v3.4+ kernels, but kernels as old as
             v2.6.38 may have a similar problem and may need similar fix]
      
      Cc: <stable@vger.kernel.org> # v3.4+
      Reviewed-by: NPavel Shilovsky <piastry@etersoft.ru>
      Reported-by: NAl Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      5d81de8e
  9. 11 2月, 2014 1 次提交
    • S
      [CIFS] Fix cifsacl mounts over smb2 to not call cifs · 42eacf9e
      Steve French 提交于
      When mounting with smb2/smb3 (e.g. vers=2.1) and cifsacl mount option,
      it was trying to get the mode by querying the acl over the cifs
      rather than smb2 protocol.  This patch makes that protocol
      independent and makes cifsacl smb2 mounts return a more intuitive
      operation not supported error (until we add a worker function
      for smb2_get_acl).
      
      Note that a previous patch fixed getxattr/setxattr for the CIFSACL xattr
      which would unconditionally call cifs_get_acl and cifs_set_acl (even when
      mounted smb2). I made those protocol independent last week (new protocol
      version operations "get_acl" and "set_acl" but did not add an
      smb2_get_acl and smb2_set_acl yet so those now simply return EOPNOTSUPP
      which at least is better than sending cifs requests on smb2 mount)
      
      The previous patches did not fix the one remaining case though ie
      mounting with "cifsacl" when getting mode from acl would unconditionally
      end up calling "cifs_get_acl_from_fid" even for smb2 - so made that protocol
      independent but to make that protocol independent had to make sure that the callers
      were passing the protocol independent handle structure (cifs_fid) instead
      of cifs specific _u16 network file handle (ie cifs_fid instead of cifs_fid->fid)
      
      Now mount with smb2 and cifsacl mount options will return EOPNOTSUP (instead
      of timing out) and a future patch will add smb2 operations (e.g. get_smb2_acl)
      to enable this.
      Signed-off-by: NSteve French <smfrench@gmail.com>
      42eacf9e
  10. 10 2月, 2014 1 次提交
    • A
      fix O_SYNC|O_APPEND syncing the wrong range on write() · d311d79d
      Al Viro 提交于
      It actually goes back to 2004 ([PATCH] Concurrent O_SYNC write support)
      when sync_page_range() had been introduced; generic_file_write{,v}() correctly
      synced
      	pos_after_write - written .. pos_after_write - 1
      but generic_file_aio_write() synced
      	pos_before_write .. pos_before_write + written - 1
      instead.  Which is not the same thing with O_APPEND, obviously.
      A couple of years later correct variant had been killed off when
      everything switched to use of generic_file_aio_write().
      
      All users of generic_file_aio_write() are affected, and the same bug
      has been copied into other instances of ->aio_write().
      
      The fix is trivial; the only subtle point is that generic_write_sync()
      ought to be inlined to avoid calculations useless for the majority of
      calls.
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      d311d79d
  11. 08 2月, 2014 1 次提交
  12. 20 1月, 2014 1 次提交
  13. 12 11月, 2013 1 次提交
    • S
      [CIFS] O_DIRECT opens should work on directio mounts · dca69288
      Steve French 提交于
      Opens on current cifs/smb2/smb3 mounts with O_DIRECT flag fail
      even when caching is disabled on the mount.  This was
      reported by those running SMB2 benchmarks who need to
      be able to pass O_DIRECT on many of their open calls to
      reduce caching effects, but would also be needed by other
      applications.
      
      When mounting with forcedirectio ("cache=none") cifs and smb2/smb3
      do not go through the page cache and thus opens with O_DIRECT flag
      should work (when posix extensions are negotiated we even are
      able to send the flag to the server). This patch fixes that
      in a simple way.
      
      The 9P client has a similar situation (caching is often disabled)
      and takes the same approach to O_DIRECT support ie works if caching
      disabled, but if client caching enabled it fails with EINVAL.
      
      A followon idea for a future patch as Pavel noted, could
      be that files opened with O_DIRECT could cause us to change
      inode->i_fop on the fly from
      
      cifs_file_strict_ops
      
      to
      
      cifs_file_direct_ops
      
      which would allow us to support this on non-forcedirectio mounts
      (cache=strict and cache=loose) as well.
      Reviewed-by: NPavel Shilovsky <piastry@etersoft.ru>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      dca69288
  14. 18 9月, 2013 1 次提交
  15. 14 9月, 2013 2 次提交
  16. 10 9月, 2013 2 次提交
  17. 09 9月, 2013 1 次提交
  18. 04 9月, 2013 1 次提交
  19. 31 7月, 2013 1 次提交
  20. 12 7月, 2013 2 次提交
  21. 11 7月, 2013 2 次提交
  22. 29 6月, 2013 2 次提交
    • J
      locks: protect most of the file_lock handling with i_lock · 1c8c601a
      Jeff Layton 提交于
      Having a global lock that protects all of this code is a clear
      scalability problem. Instead of doing that, move most of the code to be
      protected by the i_lock instead. The exceptions are the global lists
      that the ->fl_link sits on, and the ->fl_block list.
      
      ->fl_link is what connects these structures to the
      global lists, so we must ensure that we hold those locks when iterating
      over or updating these lists.
      
      Furthermore, sound deadlock detection requires that we hold the
      blocked_list state steady while checking for loops. We also must ensure
      that the search and update to the list are atomic.
      
      For the checking and insertion side of the blocked_list, push the
      acquisition of the global lock into __posix_lock_file and ensure that
      checking and update of the  blocked_list is done without dropping the
      lock in between.
      
      On the removal side, when waking up blocked lock waiters, take the
      global lock before walking the blocked list and dequeue the waiters from
      the global list prior to removal from the fl_block list.
      
      With this, deadlock detection should be race free while we minimize
      excessive file_lock_lock thrashing.
      
      Finally, in order to avoid a lock inversion problem when handling
      /proc/locks output we must ensure that manipulations of the fl_block
      list are also protected by the file_lock_lock.
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      1c8c601a
    • J
      cifs: use posix_unblock_lock instead of locks_delete_block · 1a9e64a7
      Jeff Layton 提交于
      commit 66189be7 (CIFS: Fix VFS lock usage for oplocked files) exported
      the locks_delete_block symbol. There's already an exported helper
      function that provides this capability however, so make cifs use that
      instead and turn locks_delete_block back into a static function.
      
      Note that if fl->fl_next == NULL then this lock has already been through
      locks_delete_block(), so we should be OK to ignore an ENOENT error here
      and simply not retry the lock.
      
      Cc: Pavel Shilovsky <piastryyy@gmail.com>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Acked-by: NJ. Bruce Fields <bfields@fieldses.org>
      Signed-off-by: NAl Viro <viro@zeniv.linux.org.uk>
      1a9e64a7
  23. 22 5月, 2013 1 次提交
    • L
      mm: change invalidatepage prototype to accept length · d47992f8
      Lukas Czerner 提交于
      Currently there is no way to truncate partial page where the end
      truncate point is not at the end of the page. This is because it was not
      needed and the functionality was enough for file system truncate
      operation to work properly. However more file systems now support punch
      hole feature and it can benefit from mm supporting truncating page just
      up to the certain point.
      
      Specifically, with this functionality truncate_inode_pages_range() can
      be changed so it supports truncating partial page at the end of the
      range (currently it will BUG_ON() if 'end' is not at the end of the
      page).
      
      This commit changes the invalidatepage() address space operation
      prototype to accept range to be invalidated and update all the instances
      for it.
      
      We also change the block_invalidatepage() in the same way and actually
      make a use of the new length argument implementing range invalidation.
      
      Actual file system implementations will follow except the file systems
      where the changes are really simple and should not change the behaviour
      in any way .Implementation for truncate_page_range() which will be able
      to accept page unaligned ranges will follow as well.
      Signed-off-by: NLukas Czerner <lczerner@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Hugh Dickins <hughd@google.com>
      d47992f8
  24. 05 5月, 2013 1 次提交
    • J
      [CIFS] cifs: Rename cERROR and cFYI to cifs_dbg · f96637be
      Joe Perches 提交于
      It's not obvious from reading the macro names that these macros
      are for debugging.  Convert the names to a single more typical
      kernel style cifs_dbg macro.
      
      	cERROR(1, ...)   -> cifs_dbg(VFS, ...)
      	cFYI(1, ...)     -> cifs_dbg(FYI, ...)
      	cFYI(DBG2, ...)  -> cifs_dbg(NOISY, ...)
      
      Move the terminating format newline from the macro to the call site.
      
      Add CONFIG_CIFS_DEBUG function cifs_vfs_err to emit the
      "CIFS VFS: " prefix for VFS messages.
      
      Size is reduced ~ 1% when CONFIG_CIFS_DEBUG is set (default y)
      
      $ size fs/cifs/cifs.ko*
         text    data     bss     dec     hex filename
       265245	   2525	    132	 267902	  4167e	fs/cifs/cifs.ko.new
       268359    2525     132  271016   422a8 fs/cifs/cifs.ko.old
      
      Other miscellaneous changes around these conversions:
      
      o Miscellaneous typo fixes
      o Add terminating \n's to almost all formats and remove them
        from the macros to be more kernel style like.  A few formats
        previously had defective \n's
      o Remove unnecessary OOM messages as kmalloc() calls dump_stack
      o Coalesce formats to make grep easier,
        added missing spaces when coalescing formats
      o Use %s, __func__ instead of embedded function name
      o Removed unnecessary "cifs: " prefixes
      o Convert kzalloc with multiply to kcalloc
      o Remove unused cifswarn macro
      Signed-off-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NJeff Layton <jlayton@redhat.com>
      Signed-off-by: NSteve French <smfrench@gmail.com>
      f96637be
  25. 10 4月, 2013 1 次提交
  26. 14 3月, 2013 1 次提交
    • M
      cifs: delay super block destruction until all cifsFileInfo objects are gone · 24261fc2
      Mateusz Guzik 提交于
      cifsFileInfo objects hold references to dentries and it is possible that
      these will still be around in workqueues when VFS decides to kill super
      block during unmount.
      
      This results in panics like this one:
      BUG: Dentry ffff88001f5e76c0{i=66b4a,n=1M-2} still in use (1) [unmount of cifs cifs]
      ------------[ cut here ]------------
      kernel BUG at fs/dcache.c:943!
      [..]
      Process umount (pid: 1781, threadinfo ffff88003d6e8000, task ffff880035eeaec0)
      [..]
      Call Trace:
       [<ffffffff811b44f3>] shrink_dcache_for_umount+0x33/0x60
       [<ffffffff8119f7fc>] generic_shutdown_super+0x2c/0xe0
       [<ffffffff8119f946>] kill_anon_super+0x16/0x30
       [<ffffffffa036623a>] cifs_kill_sb+0x1a/0x30 [cifs]
       [<ffffffff8119fcc7>] deactivate_locked_super+0x57/0x80
       [<ffffffff811a085e>] deactivate_super+0x4e/0x70
       [<ffffffff811bb417>] mntput_no_expire+0xd7/0x130
       [<ffffffff811bc30c>] sys_umount+0x9c/0x3c0
       [<ffffffff81657c19>] system_call_fastpath+0x16/0x1b
      
      Fix this by making each cifsFileInfo object hold a reference to cifs
      super block, which implicitly keeps VFS super block around as well.
      Signed-off-by: NMateusz Guzik <mguzik@redhat.com>
      Reviewed-by: NJeff Layton <jlayton@redhat.com>
      Cc: <stable@vger.kernel.org>
      Reported-and-Tested-by: NBen Greear <greearb@candelatech.com>
      Signed-off-by: NSteve French <sfrench@us.ibm.com>
      24261fc2
  27. 28 2月, 2013 1 次提交
  28. 23 2月, 2013 1 次提交
  29. 13 2月, 2013 2 次提交