diff options
| author | Al Viro <viro@zeniv.linux.org.uk> | 2008-08-01 04:29:18 -0400 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-08-01 11:25:25 -0400 |
| commit | 77e69dac3cefacee939cb107ae9cd520a62338e0 (patch) | |
| tree | 02ddee5ac85ceb632eab2aff994ffbd3233e51eb /fs/dquot.c | |
| parent | 1b7e190b4764ea3ca1080404dd593eae5230d2b3 (diff) | |
[PATCH] fix races and leaks in vfs_quota_on() users
* new helper: vfs_quota_on_path(); equivalent of vfs_quota_on() sans the
pathname resolution.
* callers of vfs_quota_on() that do their own pathname resolution and
checks based on it are switched to vfs_quota_on_path(); that way we
avoid the races.
* reiserfs leaked dentry/vfsmount references on several failure exits.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/dquot.c')
| -rw-r--r-- | fs/dquot.c | 33 |
1 files changed, 20 insertions, 13 deletions
diff --git a/fs/dquot.c b/fs/dquot.c index 1346eebe74ce..8ec4d6cc7633 100644 --- a/fs/dquot.c +++ b/fs/dquot.c | |||
| @@ -1793,6 +1793,21 @@ static int vfs_quota_on_remount(struct super_block *sb, int type) | |||
| 1793 | return ret; | 1793 | return ret; |
| 1794 | } | 1794 | } |
| 1795 | 1795 | ||
| 1796 | int vfs_quota_on_path(struct super_block *sb, int type, int format_id, | ||
| 1797 | struct path *path) | ||
| 1798 | { | ||
| 1799 | int error = security_quota_on(path->dentry); | ||
| 1800 | if (error) | ||
| 1801 | return error; | ||
| 1802 | /* Quota file not on the same filesystem? */ | ||
| 1803 | if (path->mnt->mnt_sb != sb) | ||
| 1804 | error = -EXDEV; | ||
| 1805 | else | ||
| 1806 | error = vfs_quota_on_inode(path->dentry->d_inode, type, | ||
| 1807 | format_id); | ||
| 1808 | return error; | ||
| 1809 | } | ||
| 1810 | |||
| 1796 | /* Actual function called from quotactl() */ | 1811 | /* Actual function called from quotactl() */ |
| 1797 | int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path, | 1812 | int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path, |
| 1798 | int remount) | 1813 | int remount) |
| @@ -1804,19 +1819,10 @@ int vfs_quota_on(struct super_block *sb, int type, int format_id, char *path, | |||
| 1804 | return vfs_quota_on_remount(sb, type); | 1819 | return vfs_quota_on_remount(sb, type); |
| 1805 | 1820 | ||
| 1806 | error = path_lookup(path, LOOKUP_FOLLOW, &nd); | 1821 | error = path_lookup(path, LOOKUP_FOLLOW, &nd); |
| 1807 | if (error < 0) | 1822 | if (!error) { |
| 1808 | return error; | 1823 | error = vfs_quota_on_path(sb, type, format_id, &nd.path); |
| 1809 | error = security_quota_on(nd.path.dentry); | 1824 | path_put(&nd.path); |
| 1810 | if (error) | 1825 | } |
| 1811 | goto out_path; | ||
| 1812 | /* Quota file not on the same filesystem? */ | ||
| 1813 | if (nd.path.mnt->mnt_sb != sb) | ||
| 1814 | error = -EXDEV; | ||
| 1815 | else | ||
| 1816 | error = vfs_quota_on_inode(nd.path.dentry->d_inode, type, | ||
| 1817 | format_id); | ||
| 1818 | out_path: | ||
| 1819 | path_put(&nd.path); | ||
| 1820 | return error; | 1826 | return error; |
| 1821 | } | 1827 | } |
| 1822 | 1828 | ||
| @@ -2185,6 +2191,7 @@ EXPORT_SYMBOL(unregister_quota_format); | |||
| 2185 | EXPORT_SYMBOL(dqstats); | 2191 | EXPORT_SYMBOL(dqstats); |
| 2186 | EXPORT_SYMBOL(dq_data_lock); | 2192 | EXPORT_SYMBOL(dq_data_lock); |
| 2187 | EXPORT_SYMBOL(vfs_quota_on); | 2193 | EXPORT_SYMBOL(vfs_quota_on); |
| 2194 | EXPORT_SYMBOL(vfs_quota_on_path); | ||
| 2188 | EXPORT_SYMBOL(vfs_quota_on_mount); | 2195 | EXPORT_SYMBOL(vfs_quota_on_mount); |
| 2189 | EXPORT_SYMBOL(vfs_quota_off); | 2196 | EXPORT_SYMBOL(vfs_quota_off); |
| 2190 | EXPORT_SYMBOL(vfs_quota_sync); | 2197 | EXPORT_SYMBOL(vfs_quota_sync); |