diff options
author | Neil Brown <neilb@suse.de> | 2006-07-30 06:03:01 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@g5.osdl.org> | 2006-07-31 16:28:36 -0400 |
commit | 2ccb48ebb4de139eef4fcefd5f2bb823cb0d81b9 (patch) | |
tree | e06a83c7306e143175a87df2328b45e1ef34da5b | |
parent | f712c0c7e1796f92e45e4de144e247816d974b8f (diff) |
[PATCH] ext3: avoid triggering ext3_error on bad NFS file handle
The inode number out of an NFS file handle gets passed eventually to
ext3_get_inode_block() without any checking. If ext3_get_inode_block()
allows it to trigger an error, then bad filehandles can have unpleasant
effect - ext3_error() will usually cause a forced read-only remount, or a
panic if `errors=panic' was used.
So remove the call to ext3_error there and put a matching check in
ext3/namei.c where inode numbers are read off storage.
[akpm@osdl.org: fix off-by-one error]
Signed-off-by: Neil Brown <neilb@suse.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: <stable@kernel.org>
Cc: "Stephen C. Tweedie" <sct@redhat.com>
Cc: Eric Sandeen <esandeen@redhat.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
-rw-r--r-- | fs/ext3/inode.c | 13 | ||||
-rw-r--r-- | fs/ext3/namei.c | 15 | ||||
-rw-r--r-- | include/linux/ext3_fs.h | 9 |
3 files changed, 29 insertions, 8 deletions
diff --git a/fs/ext3/inode.c b/fs/ext3/inode.c index f804d5e9d60c..ab034d3053ea 100644 --- a/fs/ext3/inode.c +++ b/fs/ext3/inode.c | |||
@@ -2402,14 +2402,15 @@ static ext3_fsblk_t ext3_get_inode_block(struct super_block *sb, | |||
2402 | struct buffer_head *bh; | 2402 | struct buffer_head *bh; |
2403 | struct ext3_group_desc * gdp; | 2403 | struct ext3_group_desc * gdp; |
2404 | 2404 | ||
2405 | 2405 | if (!ext3_valid_inum(sb, ino)) { | |
2406 | if ((ino != EXT3_ROOT_INO && ino != EXT3_JOURNAL_INO && | 2406 | /* |
2407 | ino != EXT3_RESIZE_INO && ino < EXT3_FIRST_INO(sb)) || | 2407 | * This error is already checked for in namei.c unless we are |
2408 | ino > le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)) { | 2408 | * looking at an NFS filehandle, in which case no error |
2409 | ext3_error(sb, "ext3_get_inode_block", | 2409 | * report is needed |
2410 | "bad inode number: %lu", ino); | 2410 | */ |
2411 | return 0; | 2411 | return 0; |
2412 | } | 2412 | } |
2413 | |||
2413 | block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb); | 2414 | block_group = (ino - 1) / EXT3_INODES_PER_GROUP(sb); |
2414 | if (block_group >= EXT3_SB(sb)->s_groups_count) { | 2415 | if (block_group >= EXT3_SB(sb)->s_groups_count) { |
2415 | ext3_error(sb,"ext3_get_inode_block","group >= groups count"); | 2416 | ext3_error(sb,"ext3_get_inode_block","group >= groups count"); |
diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c index d9176dba3698..2aa7101b27cd 100644 --- a/fs/ext3/namei.c +++ b/fs/ext3/namei.c | |||
@@ -1000,7 +1000,12 @@ static struct dentry *ext3_lookup(struct inode * dir, struct dentry *dentry, str | |||
1000 | if (bh) { | 1000 | if (bh) { |
1001 | unsigned long ino = le32_to_cpu(de->inode); | 1001 | unsigned long ino = le32_to_cpu(de->inode); |
1002 | brelse (bh); | 1002 | brelse (bh); |
1003 | inode = iget(dir->i_sb, ino); | 1003 | if (!ext3_valid_inum(dir->i_sb, ino)) { |
1004 | ext3_error(dir->i_sb, "ext3_lookup", | ||
1005 | "bad inode number: %lu", ino); | ||
1006 | inode = NULL; | ||
1007 | } else | ||
1008 | inode = iget(dir->i_sb, ino); | ||
1004 | 1009 | ||
1005 | if (!inode) | 1010 | if (!inode) |
1006 | return ERR_PTR(-EACCES); | 1011 | return ERR_PTR(-EACCES); |
@@ -1028,7 +1033,13 @@ struct dentry *ext3_get_parent(struct dentry *child) | |||
1028 | return ERR_PTR(-ENOENT); | 1033 | return ERR_PTR(-ENOENT); |
1029 | ino = le32_to_cpu(de->inode); | 1034 | ino = le32_to_cpu(de->inode); |
1030 | brelse(bh); | 1035 | brelse(bh); |
1031 | inode = iget(child->d_inode->i_sb, ino); | 1036 | |
1037 | if (!ext3_valid_inum(child->d_inode->i_sb, ino)) { | ||
1038 | ext3_error(child->d_inode->i_sb, "ext3_get_parent", | ||
1039 | "bad inode number: %lu", ino); | ||
1040 | inode = NULL; | ||
1041 | } else | ||
1042 | inode = iget(child->d_inode->i_sb, ino); | ||
1032 | 1043 | ||
1033 | if (!inode) | 1044 | if (!inode) |
1034 | return ERR_PTR(-EACCES); | 1045 | return ERR_PTR(-EACCES); |
diff --git a/include/linux/ext3_fs.h b/include/linux/ext3_fs.h index 5607e6457a65..9f9cce7bd86d 100644 --- a/include/linux/ext3_fs.h +++ b/include/linux/ext3_fs.h | |||
@@ -492,6 +492,15 @@ static inline struct ext3_inode_info *EXT3_I(struct inode *inode) | |||
492 | { | 492 | { |
493 | return container_of(inode, struct ext3_inode_info, vfs_inode); | 493 | return container_of(inode, struct ext3_inode_info, vfs_inode); |
494 | } | 494 | } |
495 | |||
496 | static inline int ext3_valid_inum(struct super_block *sb, unsigned long ino) | ||
497 | { | ||
498 | return ino == EXT3_ROOT_INO || | ||
499 | ino == EXT3_JOURNAL_INO || | ||
500 | ino == EXT3_RESIZE_INO || | ||
501 | (ino >= EXT3_FIRST_INO(sb) && | ||
502 | ino <= le32_to_cpu(EXT3_SB(sb)->s_es->s_inodes_count)); | ||
503 | } | ||
495 | #else | 504 | #else |
496 | /* Assume that user mode programs are passing in an ext3fs superblock, not | 505 | /* Assume that user mode programs are passing in an ext3fs superblock, not |
497 | * a kernel struct super_block. This will allow us to call the feature-test | 506 | * a kernel struct super_block. This will allow us to call the feature-test |