+ nfs-replace-null-dentries-that-appear-in-readdirs-list-2.patch added to -mm tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



The patch titled

     NFS: Replace null dentries that appear in readdir's list

has been added to the -mm tree.  Its filename is

     nfs-replace-null-dentries-that-appear-in-readdirs-list-2.patch

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: NFS: Replace null dentries that appear in readdir's list
From: David Howells <dhowells@xxxxxxxxxx>

Have nfs_readdir_lookup() drop and replace any null dentry when it
that gets listed by a READDIR RPC call.

This can be caused by an optimisation in nfs_lookup() that causes a dentry to
be incorrectly left as negative when mkdir() or similar is aborted by SELinux
mid-procedure.

This can be triggered by mounting through autofs4 a server:/ NFS share for
which there are other exports available on that server.  SELinux also has to
be turned on in enforcing mode to abort mid-flow the mkdir operation performed
by autofs4.

The problematic sequence of events is this:

 (1) nfs_lookup() is called by sys_mkdirat() -> lookup_create() ->
     __lookup_hash() with intent to create exclusively set in the nameidata:

	nd->flags == LOOKUP_CREATE
	nd->intent.open.flags == O_EXCL

 (2) nfs_lookup() has an optimisation to avoid going to the server in this
     case, presumably since the nfs_mkdir() op or whatever will deal with the
     conflict.

 (3) nfs_lookup() returns successfully, leaving the dentry in a negative state,
     but attached to the parent directory.

 (4) sys_mkdirat() calls vfs_mkdir() which calls may_create().  may_create()
     checks that the directory has MAY_WRITE and MAY_EXEC permissions.

 (5) may_create() calls nfs_permission(), which grants permission.

 (6) may_create() calls security_inode_permission(), which calls SELinux, which
     then _DENIES_ permission.

 (7) may_create() fails, and vfs_mkdir() then fails and sys_mkdirat() then
     fails (as does sys_mkdir).

     _However_, the new dentry is left in the negative state, with no
     consultation of the server.

 (8) The parent directory is listed, and the name of the new dentry is
     returned.

 (9) stat on the new dentry fails (because it's negative), and "ls -l" returns
     "?---------" as the file type and mode.

This fix makes step (8) replace the dentry looked up in steps (1) - (3).

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

 fs/nfs/dir.c |   27 ++++++++++++++++++++-------
 1 files changed, 20 insertions(+), 7 deletions(-)

diff -puN fs/nfs/dir.c~nfs-replace-null-dentries-that-appear-in-readdirs-list-2 fs/nfs/dir.c
--- a/fs/nfs/dir.c~nfs-replace-null-dentries-that-appear-in-readdirs-list-2
+++ a/fs/nfs/dir.c
@@ -1105,14 +1105,27 @@ static struct dentry *nfs_readdir_lookup
 	}
 	name.hash = full_name_hash(name.name, name.len);
 	dentry = d_lookup(parent, &name);
-	if (dentry != NULL)
-		return dentry;
-	if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR))
-		return NULL;
-	/* Note: caller is already holding the dir->i_mutex! */
-	dentry = d_alloc(parent, &name);
-	if (dentry == NULL)
+	if (dentry != NULL) {
+		if (IS_ERR(dentry) || dentry->d_inode)
+			return dentry;
+
+		/* this negative dentry matched a dirent obtained from readdir
+		 * and so needs reconsideration */
+		d_drop(dentry);
+
+		if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR)) {
+			dput(dentry);
+			return NULL;
+		}
+	} else if (!desc->plus || !(entry->fattr->valid & NFS_ATTR_FATTR)) {
 		return NULL;
+	} else {
+		/* Note: caller is already holding the dir->i_mutex! */
+		dentry = d_alloc(parent, &name);
+		if (dentry == NULL)
+			return NULL;
+	}
+
 	dentry->d_op = NFS_PROTO(dir)->dentry_ops;
 	inode = nfs_fhget(dentry->d_sb, entry->fh, entry->fattr);
 	if (IS_ERR(inode)) {
_

Patches currently in -mm which might be from dhowells@xxxxxxxxxx are

git-gfs2.patch
git-nfs.patch
nfs-replace-null-dentries-that-appear-in-readdirs-list-2.patch
binfmt_elf-consistently-use-loff_t.patch
afs-add-lock-annotations-to-afs_proc_cell_servers_startstop.patch
elf_fdpic_core_dump-dont-take-tasklist_lock.patch
reiserfs-make-sure-all-dentries-refs-are-released-before-calling-kill_block_super-try-2.patch
fs-cache-provide-a-filesystem-specific-syncable-page-bit.patch
fs-cache-generic-filesystem-caching-facility.patch
fs-cache-release-page-private-in-failed-readahead.patch
fs-cache-make-kafs-use-fs-cache.patch
fs-cache-make-kafs-use-fs-cache-fix.patch
fs-cache-make-kafs-use-fs-cache-vs-streamline-generic_file_-interfaces-and-filemap.patch
nfs-use-local-caching.patch
fs-cache-cachefiles-ia64-missing-copy_page-export.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem.patch
fs-cache-cachefiles-a-cache-that-backs-onto-a-mounted-filesystem-cachefiles-printk-format-warning.patch
autofs-make-sure-all-dentries-refs-are-released-before-calling-kill_anon_super.patch
vfs-destroy-the-dentries-contributed-by-a-superblock-on-unmounting.patch
vfs-make-filldir_t-and-struct-kstat-deal-in-64-bit-inode-numbers.patch
nfs-represent-64-bit-fileids-as-64-bit-inode-numbers-on-32-bit-systems.patch
ecryptfs-get_sb_dev-fix.patch
reiser4-get_sb_dev-fix.patch
mutex-subsystem-synchro-test-module.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Kernel Newbies FAQ]     [Kernel Archive]     [IETF Annouce]     [DCCP]     [Netdev]     [Networking]     [Security]     [Bugtraq]     [Photo]     [Yosemite]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux SCSI]

  Powered by Linux