1. 04 Jan, 2020 1 commit
  2. 21 May, 2019 1 commit
  3. 03 Jan, 2018 1 commit
    • Elena Reshetova's avatar
      posix_acl: convert posix_acl.a_refcount from atomic_t to refcount_t · 66717260
      Elena Reshetova authored
      atomic_t variables are currently used to implement reference
      counters with the following properties:
       - counter is initialized to 1 using atomic_set()
       - a resource is freed upon counter reaching zero
       - once counter reaches zero, its further
         increments aren't allowed
       - counter schema uses basic atomic operations
         (set, inc, inc_not_zero, dec_and_test, etc.)
      Such atomic variables should be converted to a newly provided
      refcount_t type and API that prevents accidental counter overflows
      and underflows. This is important since overflows and underflows
      can lead to use-after-free situation and be exploitable.
      The variable posix_acl.a_refcount is used as pure reference counter.
      Convert it to refcount_t and fix up the operations.
      **Important note for maintainers:
      Some functions from refcount_t API defined in lib/refcount.c
      have different memory ordering guarantees than their atomic
      The full comparison can be seen in
      https://lkml.org/lkml/2017/11/15/57 and it is hopefully soon
      in state to be merged to the documentation tree.
      Normally the differences should not matter since refcount_t provides
      enough guarantees to satisfy the refcounting use cases, but in
      some rare cases it might matter.
      Please double check that you don't have some undocumented
      memory guarantees for this variable usage.
      For the posix_acl.a_refcount it might make a difference
      in following places:
       - get_cached_acl(): increment in refcount_inc_not_zero() only
         guarantees control dependency on success vs. fully ordered
         atomic counterpart. However this operation is performed under
         rcu_read_lock(), so this should be fine.
       - posix_acl_release(): decrement in refcount_dec_and_test() only
         provides RELEASE ordering and control dependency on success
         vs. fully ordered atomic counterpart
      Suggested-by: default avatarKees Cook <keescook@chromium.org>
      Reviewed-by: default avatarDavid Windsor <dwindsor@gmail.com>
      Reviewed-by: default avatarHans Liljestrand <ishkamiel@gmail.com>
      Signed-off-by: default avatarElena Reshetova <elena.reshetova@intel.com>
      Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
  4. 02 Mar, 2017 1 commit
  5. 10 Jan, 2017 1 commit
  6. 28 Sep, 2016 2 commits
  7. 22 Sep, 2016 1 commit
  8. 16 Sep, 2016 1 commit
  9. 30 Jun, 2016 1 commit
  10. 24 Jun, 2016 1 commit
  11. 27 May, 2016 1 commit
  12. 11 Apr, 2016 1 commit
  13. 31 Mar, 2016 2 commits
    • Andreas Gruenbacher's avatar
      posix_acl: Unexport acl_by_type and make it static · 04c57f45
      Andreas Gruenbacher authored
      acl_by_type(inode, type) returns a pointer to either inode->i_acl or
      inode->i_default_acl depending on type.  This is useful in
      fs/posix_acl.c, but should never have been visible outside that file.
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
    • Andreas Gruenbacher's avatar
      posix_acl: Inode acl caching fixes · b8a7a3a6
      Andreas Gruenbacher authored
      When get_acl() is called for an inode whose ACL is not cached yet, the
      get_acl inode operation is called to fetch the ACL from the filesystem.
      The inode operation is responsible for updating the cached acl with
      set_cached_acl().  This is done without locking at the VFS level, so
      another task can call set_cached_acl() or forget_cached_acl() before the
      get_acl inode operation gets to calling set_cached_acl(), and then
      get_acl's call to set_cached_acl() results in caching an outdate ACL.
      Prevent this from happening by setting the cached ACL pointer to a
      task-specific sentinel value before calling the get_acl inode operation.
      Move the responsibility for updating the cached ACL from the get_acl
      inode operations to get_acl().  There, only set the cached ACL if the
      sentinel value hasn't changed.
      The sentinel values are chosen to have odd values.  Likewise, the value
      of ACL_NOT_CACHED is odd.  In contrast, ACL object pointers always have
      an even value (ACLs are aligned in memory).  This allows to distinguish
      uncached ACLs values from ACL objects.
      In addition, switch from guarding inode->i_acl and inode->i_default_acl
      upates by the inode->i_lock spinlock to using xchg() and cmpxchg().
      Filesystems that do not want ACLs returned from their get_acl inode
      operations to be cached must call forget_cached_acl() to prevent the VFS
      from doing so.
      (Patch written by Al Viro and Andreas Gruenbacher.)
      Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  14. 14 Dec, 2015 1 commit
  15. 07 Dec, 2015 2 commits
  16. 14 Nov, 2015 3 commits
  17. 23 Jun, 2015 1 commit
    • Dan Carpenter's avatar
      fs/posix_acl.c: make posix_acl_create() safer and cleaner · c0c3a718
      Dan Carpenter authored
      If posix_acl_create() returns an error code then "*acl" and "*default_acl"
      can be uninitialized or point to freed memory.  This is a dangerous thing
      to do.  For example, it causes a problem in ocfs2_reflink():
      	fs/ocfs2/refcounttree.c:4327 ocfs2_reflink()
      	error: potentially using uninitialized 'default_acl'.
      I've re-written this so we set the pointers to NULL at the start.  I've
      added a temporary "clone" variable to hold the value of "*acl" until end.
      Setting them to NULL means means we don't need the "no_acl" label.  We may
      as well remove the "apply_umask" stuff forward and remove that label as
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Mark Fasheh <mfasheh@suse.com>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
  18. 15 Apr, 2015 1 commit
  19. 22 Feb, 2015 1 commit
    • David Howells's avatar
      VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry) · e36cb0b8
      David Howells authored
      Convert the following where appropriate:
       (1) S_ISLNK(dentry->d_inode) to d_is_symlink(dentry).
       (2) S_ISREG(dentry->d_inode) to d_is_reg(dentry).
       (3) S_ISDIR(dentry->d_inode) to d_is_dir(dentry).  This is actually more
           complicated than it appears as some calls should be converted to
           d_can_lookup() instead.  The difference is whether the directory in
           question is a real dir with a ->lookup op or whether it's a fake dir with
           a ->d_automount op.
      In some circumstances, we can subsume checks for dentry->d_inode not being
      NULL into this, provided we the code isn't in a filesystem that expects
      d_inode to be NULL if the dirent really *is* negative (ie. if we're going to
      use d_inode() rather than d_backing_inode() to get the inode pointer).
      Note that the dentry type field may be set to something other than
      DCACHE_MISS_TYPE when d_inode is NULL in the case of unionmount, where the VFS
      manages the fall-through from a negative dentry to a lower layer.  In such a
      case, the dentry type of the negative union dentry is set to the same as the
      type of the lower dentry.
      However, if you know d_inode is not NULL at the call site, then you can use
      the d_is_xxx() functions even in a filesystem.
      There is one further complication: a 0,0 chardev dentry may be labelled
      DCACHE_WHITEOUT_TYPE rather than DCACHE_SPECIAL_TYPE.  Strictly, this was
      intended for special directory entry types that don't have attached inodes.
      The following perl+coccinelle script was used:
      use strict;
      my @callers;
      open($fd, 'git grep -l \'S_IS[A-Z].*->d_inode\' |') ||
          die "Can't grep for S_ISDIR and co. callers";
      @callers = <$fd>;
      unless (@callers) {
          print "No matches\n";
      my @cocci = (
          'expression E;',
          '- S_ISLNK(E->d_inode->i_mode)',
          '+ d_is_symlink(E)',
          'expression E;',
          '- S_ISDIR(E->d_inode->i_mode)',
          '+ d_is_dir(E)',
          'expression E;',
          '- S_ISREG(E->d_inode->i_mode)',
          '+ d_is_reg(E)' );
      my $coccifile = "tmp.sp.cocci";
      open($fd, ">$coccifile") || die $coccifile;
      print($fd "$_\n") || die $coccifile foreach (@cocci);
      foreach my $file (@callers) {
          chomp $file;
          print "Processing ", $file, "\n";
          system("spatch", "--sp-file", $coccifile, $file, "--in-place", "--no-show-diff") == 0 ||
      	die "spatch failed";
      [AV: overlayfs parts skipped]
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  20. 20 Feb, 2015 1 commit
  21. 06 May, 2014 1 commit
    • Christoph Hellwig's avatar
      posix_acl: handle NULL ACL in posix_acl_equiv_mode · 50c6e282
      Christoph Hellwig authored
      Various filesystems don't bother checking for a NULL ACL in
      posix_acl_equiv_mode, and thus can dereference a NULL pointer when it
      gets passed one. This usually happens from the NFS server, as the ACL tools
      never pass a NULL ACL, but instead of one representing the mode bits.
      Instead of adding boilerplat to all filesystems put this check into one place,
      which will allow us to remove the check from other filesystems as well later
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarBen Greear <greearb@candelatech.com>
      Reported-by: Marco Munderloh <munderl@tnt.uni-hannover.de>,
      Cc: Chuck Lever <chuck.lever@oracle.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
  22. 25 Feb, 2014 1 commit
  23. 03 Feb, 2014 1 commit
  24. 26 Jan, 2014 6 commits
  25. 24 Jan, 2014 1 commit
    • Andreas Gruenbacher's avatar
      userns: relax the posix_acl_valid() checks · 949b9c3d
      Andreas Gruenbacher authored
      So far, POSIX ACLs are using a canonical representation that keeps all ACL
      entries in a strict order; the ACL_USER and ACL_GROUP entries for specific
      users and groups are ordered by user and group identifier, respectively.
      The user-space code provides ACL entries in this order; the kernel
      verifies that the ACL entry order is correct in posix_acl_valid().
      User namespaces allow to arbitrary map user and group identifiers which
      can cause the ACL_USER and ACL_GROUP entry order to differ between user
      space and the kernel; posix_acl_valid() would then fail.
      Work around this by allowing ACL_USER and ACL_GROUP entries to be in any
      order in the kernel.  The effect is only minor: file permission checks
      will pick the first matching ACL_USER entry, and check all matching
      ACL_GROUP entries.
      (The libacl user-space library and getfacl / setfacl tools will not create
      ACLs with duplicate user or group idenfifiers; they will handle ACLs with
      entries in an arbitrary order correctly.)
      Signed-off-by: default avatarAndreas Gruenbacher <agruen@linbit.com>
      Cc: Eric W. Biederman <ebiederm@xmission.com>
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Christoph Hellwig <hch@infradead.org>
      Cc: Andreas Dilger <adilger.kernel@dilger.ca>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
  26. 22 Jan, 2014 1 commit
  27. 18 Sep, 2012 1 commit
    • Eric W. Biederman's avatar
      userns: Convert vfs posix_acl support to use kuids and kgids · 2f6f0654
      Eric W. Biederman authored
      - In setxattr if we are setting a posix acl convert uids and gids from
        the current user namespace into the initial user namespace, before
        the xattrs are passed to the underlying filesystem.
        Untranslatable uids and gids are represented as -1 which
        posix_acl_from_xattr will represent as INVALID_UID or INVALID_GID.
        posix_acl_valid will fail if an acl from userspace has any
        INVALID_UID or INVALID_GID values.  In net this guarantees that
        untranslatable posix acls will not be stored by filesystems.
      - In getxattr if we are reading a posix acl convert uids and gids from
        the initial user namespace into the current user namespace.
        Uids and gids that can not be tranlsated into the current user namespace
        will be represented as -1.
      - Replace e_id in struct posix_acl_entry with an anymouns union of
        e_uid and e_gid.  For the short term retain the e_id field
        until all of the users are converted.
      - Don't set struct posix_acl.e_id in the cases where the acl type
        does not use e_id.  Greatly reducing the use of ACL_UNDEFINED_ID.
      - Rework the ordering checks in posix_acl_valid so that I use kuid_t
        and kgid_t types throughout the code, and so that I don't need
        arithmetic on uid and gid types.
      Cc: Theodore Tso <tytso@mit.edu>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Andreas Dilger <adilger.kernel@dilger.ca>
      Cc: Jan Kara <jack@suse.cz>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarEric W. Biederman <ebiederm@xmission.com>
  28. 29 Feb, 2012 1 commit
  29. 28 Oct, 2011 1 commit
  30. 01 Aug, 2011 1 commit