[PATCH] r/o bind mounts: elevate write count for ioctls()

Some ioctl()s can cause writes to the filesystem. Take these, and make them use mnt_want/drop_write() instead. [AV: updated] Acked-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Dave Hansen <haveblue@us.ibm.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
author: Dave Hansen <haveblue@us.ibm.com> 2008-02-15 17:37:46 -0500
committer: Al Viro <viro@zeniv.linux.org.uk> 2008-04-19 00:29:24 -0400
commit: 42a74f206b914db13ee1f5ae932dcd91a77c8579 (patch)
tree: 24e3dbe55edaacc750067ab9e01778255a6bff08 /fs/ext4/ioctl.c
parent: 20ddee2c75339cc095f6191c3115f81da8955e96 (diff)
1 files changed, 49 insertions, 37 deletions
diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c
index 2ed7c37f897..25b13ede808 100644
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -15,6 +15,7 @@
 #include <linux/time.h>
 #include <linux/compat.h>
 #include <linux/smp_lock.h>
+#include <linux/mount.h>
 #include <asm/uaccess.h>
 int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
@@ -38,24 +39,25 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                unsigned int oldflags;
                unsigned int jflag;
-                if (IS_RDONLY(inode))
-                        return -EROFS;
                if (!is_owner_or_cap(inode))
                        return -EACCES;
                if (get_user(flags, (int __user *) arg))
                        return -EFAULT;
+                err = mnt_want_write(filp->f_path.mnt);
+                if (err)
+                        return err;
                if (!S_ISDIR(inode->i_mode))
                        flags &= ~EXT4_DIRSYNC_FL;
+                err = -EPERM;
                mutex_lock(&inode->i_mutex);
                /* Is it quota file? Do not allow user to mess with it */
-                if (IS_NOQUOTA(inode)) {
+                if (IS_NOQUOTA(inode))
-                        mutex_unlock(&inode->i_mutex);
+                        goto flags_out;
-                        return -EPERM;
-                }
                oldflags = ei->i_flags;
                /* The JOURNAL_DATA flag is modifiable only by root */
@@ -68,10 +70,8 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                 * This test looks nicer. Thanks to Pauline Middelink
                 */
                if ((flags ^ oldflags) & (EXT4_APPEND_FL | EXT4_IMMUTABLE_FL)) {
-                        if (!capable(CAP_LINUX_IMMUTABLE)) {
+                        if (!capable(CAP_LINUX_IMMUTABLE))
-                                mutex_unlock(&inode->i_mutex);
+                                goto flags_out;
-                                return -EPERM;
-                        }
                }
                /*
@@ -79,17 +79,14 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                 * the relevant capability.
                 */
                if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
-                        if (!capable(CAP_SYS_RESOURCE)) {
+                        if (!capable(CAP_SYS_RESOURCE))
-                                mutex_unlock(&inode->i_mutex);
+                                goto flags_out;
-                                return -EPERM;
-                        }
                }
                handle = ext4_journal_start(inode, 1);
                if (IS_ERR(handle)) {
-                        mutex_unlock(&inode->i_mutex);
+                        err = PTR_ERR(handle);
-                        return PTR_ERR(handle);
+                        goto flags_out;
                }
                if (IS_SYNC(inode))
                        handle->h_sync = 1;
@@ -107,14 +104,14 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
                err = ext4_mark_iloc_dirty(handle, inode, &iloc);
 flags_err:
                ext4_journal_stop(handle);
-                if (err) {
+                if (err)
-                        mutex_unlock(&inode->i_mutex);
+                        goto flags_out;
-                        return err;
-                }
                if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL))
                        err = ext4_change_inode_journal_flag(inode, jflag);
+flags_out:
                mutex_unlock(&inode->i_mutex);
+                mnt_drop_write(filp->f_path.mnt);
                return err;
        }
        case EXT4_IOC_GETVERSION:
@@ -129,14 +126,20 @@ flags_err:
                if (!is_owner_or_cap(inode))
                        return -EPERM;
-                if (IS_RDONLY(inode))
-                        return -EROFS;
+                err = mnt_want_write(filp->f_path.mnt);
-                if (get_user(generation, (int __user *) arg))
+                if (err)
-                        return -EFAULT;
+                        return err;
+                if (get_user(generation, (int __user *) arg)) {
+                        err = -EFAULT;
+                        goto setversion_out;
+                }
                handle = ext4_journal_start(inode, 1);
-                if (IS_ERR(handle))
+                if (IS_ERR(handle)) {
-                        return PTR_ERR(handle);
+                        err = PTR_ERR(handle);
+                        goto setversion_out;
+                }
                err = ext4_reserve_inode_write(handle, inode, &iloc);
                if (err == 0) {
                        inode->i_ctime = ext4_current_time(inode);
@@ -144,6 +147,8 @@ flags_err:
                        err = ext4_mark_iloc_dirty(handle, inode, &iloc);
                }
                ext4_journal_stop(handle);
+setversion_out:
+                mnt_drop_write(filp->f_path.mnt);
                return err;
        }
 #ifdef CONFIG_JBD2_DEBUG
@@ -179,19 +184,21 @@ flags_err:
                }
                return -ENOTTY;
        case EXT4_IOC_SETRSVSZ: {
+                int err;
                if (!test_opt(inode->i_sb, RESERVATION) ||!S_ISREG(inode->i_mode))
                        return -ENOTTY;
-                if (IS_RDONLY(inode))
-                        return -EROFS;
                if (!is_owner_or_cap(inode))
                        return -EACCES;
                if (get_user(rsv_window_size, (int __user *)arg))
                        return -EFAULT;
+                err = mnt_want_write(filp->f_path.mnt);
+                if (err)
+                        return err;
                if (rsv_window_size > EXT4_MAX_RESERVE_BLOCKS)
                        rsv_window_size = EXT4_MAX_RESERVE_BLOCKS;
@@ -208,6 +215,7 @@ flags_err:
                        rsv->rsv_goal_size = rsv_window_size;
                }
                up_write(&ei->i_data_sem);
+                mnt_drop_write(filp->f_path.mnt);
                return 0;
        }
        case EXT4_IOC_GROUP_EXTEND: {
@@ -218,16 +226,18 @@ flags_err:
                if (!capable(CAP_SYS_RESOURCE))
                        return -EPERM;
-                if (IS_RDONLY(inode))
-                        return -EROFS;
                if (get_user(n_blocks_count, (__u32 __user *)arg))
                        return -EFAULT;
+                err = mnt_want_write(filp->f_path.mnt);
+                if (err)
+                        return err;
                err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
                jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
                jbd2_journal_flush(EXT4_SB(sb)->s_journal);
                jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
+                mnt_drop_write(filp->f_path.mnt);
                return err;
        }
@@ -239,17 +249,19 @@ flags_err:
                if (!capable(CAP_SYS_RESOURCE))
                        return -EPERM;
-                if (IS_RDONLY(inode))
-                        return -EROFS;
                if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
                                sizeof(input)))
                        return -EFAULT;
+                err = mnt_want_write(filp->f_path.mnt);
+                if (err)
+                        return err;
                err = ext4_group_add(sb, &input);
                jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
                jbd2_journal_flush(EXT4_SB(sb)->s_journal);
                jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
+                mnt_drop_write(filp->f_path.mnt);
                return err;
        }
author	Dave Hansen <haveblue@us.ibm.com>	2008-02-15 17:37:46 -0500
committer	Al Viro <viro@zeniv.linux.org.uk>	2008-04-19 00:29:24 -0400
commit	42a74f206b914db13ee1f5ae932dcd91a77c8579 (patch)
tree	24e3dbe55edaacc750067ab9e01778255a6bff08 /fs/ext4/ioctl.c
parent	20ddee2c75339cc095f6191c3115f81da8955e96 (diff)

diff --git a/fs/ext4/ioctl.c b/fs/ext4/ioctl.c index 2ed7c37f897..25b13ede808 100644 --- a/fs/ext4/ioctl.c +++ b/fs/ext4/ioctl.c
@@ -15,6 +15,7 @@
15	#include <linux/time.h>	15	#include <linux/time.h>
16	#include <linux/compat.h>	16	#include <linux/compat.h>
17	#include <linux/smp_lock.h>	17	#include <linux/smp_lock.h>
		18	#include <linux/mount.h>
18	#include <asm/uaccess.h>	19	#include <asm/uaccess.h>
19		20
20	int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,	21	int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
@@ -38,24 +39,25 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
38	unsigned int oldflags;	39	unsigned int oldflags;
39	unsigned int jflag;	40	unsigned int jflag;
40		41
41	if (IS_RDONLY(inode))
42	return -EROFS;
43
44	if (!is_owner_or_cap(inode))	42	if (!is_owner_or_cap(inode))
45	return -EACCES;	43	return -EACCES;
46		44
47	if (get_user(flags, (int __user *) arg))	45	if (get_user(flags, (int __user *) arg))
48	return -EFAULT;	46	return -EFAULT;
49		47
		48	err = mnt_want_write(filp->f_path.mnt);
		49	if (err)
		50	return err;
		51
50	if (!S_ISDIR(inode->i_mode))	52	if (!S_ISDIR(inode->i_mode))
51	flags &= ~EXT4_DIRSYNC_FL;	53	flags &= ~EXT4_DIRSYNC_FL;
52		54
		55	err = -EPERM;
53	mutex_lock(&inode->i_mutex);	56	mutex_lock(&inode->i_mutex);
54	/* Is it quota file? Do not allow user to mess with it */	57	/* Is it quota file? Do not allow user to mess with it */
55	if (IS_NOQUOTA(inode)) {	58	if (IS_NOQUOTA(inode))
56	mutex_unlock(&inode->i_mutex);	59	goto flags_out;
57	return -EPERM;	60
58	}
59	oldflags = ei->i_flags;	61	oldflags = ei->i_flags;
60		62
61	/* The JOURNAL_DATA flag is modifiable only by root */	63	/* The JOURNAL_DATA flag is modifiable only by root */
@@ -68,10 +70,8 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
68	* This test looks nicer. Thanks to Pauline Middelink	70	* This test looks nicer. Thanks to Pauline Middelink
69	*/	71	*/
70	if ((flags ^ oldflags) & (EXT4_APPEND_FL \| EXT4_IMMUTABLE_FL)) {	72	if ((flags ^ oldflags) & (EXT4_APPEND_FL \| EXT4_IMMUTABLE_FL)) {
71	if (!capable(CAP_LINUX_IMMUTABLE)) {	73	if (!capable(CAP_LINUX_IMMUTABLE))
72	mutex_unlock(&inode->i_mutex);	74	goto flags_out;
73	return -EPERM;
74	}
75	}	75	}
76		76
77	/*	77	/*
@@ -79,17 +79,14 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
79	* the relevant capability.	79	* the relevant capability.
80	*/	80	*/
81	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {	81	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL)) {
82	if (!capable(CAP_SYS_RESOURCE)) {	82	if (!capable(CAP_SYS_RESOURCE))
83	mutex_unlock(&inode->i_mutex);	83	goto flags_out;
84	return -EPERM;
85	}
86	}	84	}
87		85
88
89	handle = ext4_journal_start(inode, 1);	86	handle = ext4_journal_start(inode, 1);
90	if (IS_ERR(handle)) {	87	if (IS_ERR(handle)) {
91	mutex_unlock(&inode->i_mutex);	88	err = PTR_ERR(handle);
92	return PTR_ERR(handle);	89	goto flags_out;
93	}	90	}
94	if (IS_SYNC(inode))	91	if (IS_SYNC(inode))
95	handle->h_sync = 1;	92	handle->h_sync = 1;
@@ -107,14 +104,14 @@ int ext4_ioctl (struct inode * inode, struct file * filp, unsigned int cmd,
107	err = ext4_mark_iloc_dirty(handle, inode, &iloc);	104	err = ext4_mark_iloc_dirty(handle, inode, &iloc);
108	flags_err:	105	flags_err:
109	ext4_journal_stop(handle);	106	ext4_journal_stop(handle);
110	if (err) {	107	if (err)
111	mutex_unlock(&inode->i_mutex);	108	goto flags_out;
112	return err;
113	}
114		109
115	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL))	110	if ((jflag ^ oldflags) & (EXT4_JOURNAL_DATA_FL))
116	err = ext4_change_inode_journal_flag(inode, jflag);	111	err = ext4_change_inode_journal_flag(inode, jflag);
		112	flags_out:
117	mutex_unlock(&inode->i_mutex);	113	mutex_unlock(&inode->i_mutex);
		114	mnt_drop_write(filp->f_path.mnt);
118	return err;	115	return err;
119	}	116	}
120	case EXT4_IOC_GETVERSION:	117	case EXT4_IOC_GETVERSION:
@@ -129,14 +126,20 @@ flags_err:
129		126
130	if (!is_owner_or_cap(inode))	127	if (!is_owner_or_cap(inode))
131	return -EPERM;	128	return -EPERM;
132	if (IS_RDONLY(inode))	129
133	return -EROFS;	130	err = mnt_want_write(filp->f_path.mnt);
134	if (get_user(generation, (int __user *) arg))	131	if (err)
135	return -EFAULT;	132	return err;
		133	if (get_user(generation, (int __user *) arg)) {
		134	err = -EFAULT;
		135	goto setversion_out;
		136	}
136		137
137	handle = ext4_journal_start(inode, 1);	138	handle = ext4_journal_start(inode, 1);
138	if (IS_ERR(handle))	139	if (IS_ERR(handle)) {
139	return PTR_ERR(handle);	140	err = PTR_ERR(handle);
		141	goto setversion_out;
		142	}
140	err = ext4_reserve_inode_write(handle, inode, &iloc);	143	err = ext4_reserve_inode_write(handle, inode, &iloc);
141	if (err == 0) {	144	if (err == 0) {
142	inode->i_ctime = ext4_current_time(inode);	145	inode->i_ctime = ext4_current_time(inode);
@@ -144,6 +147,8 @@ flags_err:
144	err = ext4_mark_iloc_dirty(handle, inode, &iloc);	147	err = ext4_mark_iloc_dirty(handle, inode, &iloc);
145	}	148	}
146	ext4_journal_stop(handle);	149	ext4_journal_stop(handle);
		150	setversion_out:
		151	mnt_drop_write(filp->f_path.mnt);
147	return err;	152	return err;
148	}	153	}
149	#ifdef CONFIG_JBD2_DEBUG	154	#ifdef CONFIG_JBD2_DEBUG
@@ -179,19 +184,21 @@ flags_err:
179	}	184	}
180	return -ENOTTY;	185	return -ENOTTY;
181	case EXT4_IOC_SETRSVSZ: {	186	case EXT4_IOC_SETRSVSZ: {
		187	int err;
182		188
183	if (!test_opt(inode->i_sb, RESERVATION) \|\|!S_ISREG(inode->i_mode))	189	if (!test_opt(inode->i_sb, RESERVATION) \|\|!S_ISREG(inode->i_mode))
184	return -ENOTTY;	190	return -ENOTTY;
185		191
186	if (IS_RDONLY(inode))
187	return -EROFS;
188
189	if (!is_owner_or_cap(inode))	192	if (!is_owner_or_cap(inode))
190	return -EACCES;	193	return -EACCES;
191		194
192	if (get_user(rsv_window_size, (int __user *)arg))	195	if (get_user(rsv_window_size, (int __user *)arg))
193	return -EFAULT;	196	return -EFAULT;
194		197
		198	err = mnt_want_write(filp->f_path.mnt);
		199	if (err)
		200	return err;
		201
195	if (rsv_window_size > EXT4_MAX_RESERVE_BLOCKS)	202	if (rsv_window_size > EXT4_MAX_RESERVE_BLOCKS)
196	rsv_window_size = EXT4_MAX_RESERVE_BLOCKS;	203	rsv_window_size = EXT4_MAX_RESERVE_BLOCKS;
197		204
@@ -208,6 +215,7 @@ flags_err:
208	rsv->rsv_goal_size = rsv_window_size;	215	rsv->rsv_goal_size = rsv_window_size;
209	}	216	}
210	up_write(&ei->i_data_sem);	217	up_write(&ei->i_data_sem);
		218	mnt_drop_write(filp->f_path.mnt);
211	return 0;	219	return 0;
212	}	220	}
213	case EXT4_IOC_GROUP_EXTEND: {	221	case EXT4_IOC_GROUP_EXTEND: {
@@ -218,16 +226,18 @@ flags_err:
218	if (!capable(CAP_SYS_RESOURCE))	226	if (!capable(CAP_SYS_RESOURCE))
219	return -EPERM;	227	return -EPERM;
220		228
221	if (IS_RDONLY(inode))
222	return -EROFS;
223
224	if (get_user(n_blocks_count, (__u32 __user *)arg))	229	if (get_user(n_blocks_count, (__u32 __user *)arg))
225	return -EFAULT;	230	return -EFAULT;
226		231
		232	err = mnt_want_write(filp->f_path.mnt);
		233	if (err)
		234	return err;
		235
227	err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);	236	err = ext4_group_extend(sb, EXT4_SB(sb)->s_es, n_blocks_count);
228	jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);	237	jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
229	jbd2_journal_flush(EXT4_SB(sb)->s_journal);	238	jbd2_journal_flush(EXT4_SB(sb)->s_journal);
230	jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);	239	jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
		240	mnt_drop_write(filp->f_path.mnt);
231		241
232	return err;	242	return err;
233	}	243	}
@@ -239,17 +249,19 @@ flags_err:
239	if (!capable(CAP_SYS_RESOURCE))	249	if (!capable(CAP_SYS_RESOURCE))
240	return -EPERM;	250	return -EPERM;
241		251
242	if (IS_RDONLY(inode))
243	return -EROFS;
244
245	if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,	252	if (copy_from_user(&input, (struct ext4_new_group_input __user *)arg,
246	sizeof(input)))	253	sizeof(input)))
247	return -EFAULT;	254	return -EFAULT;
248		255
		256	err = mnt_want_write(filp->f_path.mnt);
		257	if (err)
		258	return err;
		259
249	err = ext4_group_add(sb, &input);	260	err = ext4_group_add(sb, &input);
250	jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);	261	jbd2_journal_lock_updates(EXT4_SB(sb)->s_journal);
251	jbd2_journal_flush(EXT4_SB(sb)->s_journal);	262	jbd2_journal_flush(EXT4_SB(sb)->s_journal);
252	jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);	263	jbd2_journal_unlock_updates(EXT4_SB(sb)->s_journal);
		264	mnt_drop_write(filp->f_path.mnt);
253		265
254	return err;	266	return err;
255	}	267	}