diff options
author | Carlos Maiolino <cmaiolino@redhat.com> | 2012-10-02 22:59:23 -0400 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2012-10-09 17:21:42 -0400 |
commit | c3d59ad6ab0b3d01c10f326bbc9b089424a3a5c4 (patch) | |
tree | d2f67c0b1b7a3fd7b601fd85ca7f21f607fdb55b /fs | |
parent | aa9660196b250b850c9d06046c9f3b1eb965a708 (diff) |
ext3: ext3_bread usage audit
This is the ext3 version of the same patch applied to Ext4, where such goal is
to audit the usage of ext3_bread() due a possible misinterpretion of its return
value.
Focused on directory blocks, a NULL value returned from ext3_bread() means a
hole, which cannot exist into a directory inode. It can pass undetected after a
fix in an uninitialized error variable.
The (now) initialized variable into ext3_getblk() may lead to a zero'ed return
value of ext3_bread() to its callers, which can make the caller do not detect
the hole in the directory inode.
This patch creates a new wrapper function ext3_dir_bread() which checks for
holes properly, reports error, and returns EIO in that case.
Signed-off-by: Carlos Maiolino <cmaiolino@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/ext3/namei.c | 38 | ||||
-rw-r--r-- | fs/ext3/namei.h | 19 |
2 files changed, 39 insertions, 18 deletions
diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c index 7f6c9384ee72..890b8947c546 100644 --- a/fs/ext3/namei.c +++ b/fs/ext3/namei.c | |||
@@ -46,8 +46,7 @@ static struct buffer_head *ext3_append(handle_t *handle, | |||
46 | 46 | ||
47 | *block = inode->i_size >> inode->i_sb->s_blocksize_bits; | 47 | *block = inode->i_size >> inode->i_sb->s_blocksize_bits; |
48 | 48 | ||
49 | bh = ext3_bread(handle, inode, *block, 1, err); | 49 | if ((bh = ext3_dir_bread(handle, inode, *block, 1, err))) { |
50 | if (bh) { | ||
51 | inode->i_size += inode->i_sb->s_blocksize; | 50 | inode->i_size += inode->i_sb->s_blocksize; |
52 | EXT3_I(inode)->i_disksize = inode->i_size; | 51 | EXT3_I(inode)->i_disksize = inode->i_size; |
53 | *err = ext3_journal_get_write_access(handle, bh); | 52 | *err = ext3_journal_get_write_access(handle, bh); |
@@ -339,8 +338,10 @@ dx_probe(struct qstr *entry, struct inode *dir, | |||
339 | u32 hash; | 338 | u32 hash; |
340 | 339 | ||
341 | frame->bh = NULL; | 340 | frame->bh = NULL; |
342 | if (!(bh = ext3_bread (NULL,dir, 0, 0, err))) | 341 | if (!(bh = ext3_dir_bread(NULL, dir, 0, 0, err))) { |
342 | *err = ERR_BAD_DX_DIR; | ||
343 | goto fail; | 343 | goto fail; |
344 | } | ||
344 | root = (struct dx_root *) bh->b_data; | 345 | root = (struct dx_root *) bh->b_data; |
345 | if (root->info.hash_version != DX_HASH_TEA && | 346 | if (root->info.hash_version != DX_HASH_TEA && |
346 | root->info.hash_version != DX_HASH_HALF_MD4 && | 347 | root->info.hash_version != DX_HASH_HALF_MD4 && |
@@ -436,8 +437,10 @@ dx_probe(struct qstr *entry, struct inode *dir, | |||
436 | frame->entries = entries; | 437 | frame->entries = entries; |
437 | frame->at = at; | 438 | frame->at = at; |
438 | if (!indirect--) return frame; | 439 | if (!indirect--) return frame; |
439 | if (!(bh = ext3_bread (NULL,dir, dx_get_block(at), 0, err))) | 440 | if (!(bh = ext3_dir_bread(NULL, dir, dx_get_block(at), 0, err))) { |
441 | *err = ERR_BAD_DX_DIR; | ||
440 | goto fail2; | 442 | goto fail2; |
443 | } | ||
441 | at = entries = ((struct dx_node *) bh->b_data)->entries; | 444 | at = entries = ((struct dx_node *) bh->b_data)->entries; |
442 | if (dx_get_limit(entries) != dx_node_limit (dir)) { | 445 | if (dx_get_limit(entries) != dx_node_limit (dir)) { |
443 | ext3_warning(dir->i_sb, __func__, | 446 | ext3_warning(dir->i_sb, __func__, |
@@ -535,8 +538,8 @@ static int ext3_htree_next_block(struct inode *dir, __u32 hash, | |||
535 | * block so no check is necessary | 538 | * block so no check is necessary |
536 | */ | 539 | */ |
537 | while (num_frames--) { | 540 | while (num_frames--) { |
538 | if (!(bh = ext3_bread(NULL, dir, dx_get_block(p->at), | 541 | if (!(bh = ext3_dir_bread(NULL, dir, dx_get_block(p->at), |
539 | 0, &err))) | 542 | 0, &err))) |
540 | return err; /* Failure */ | 543 | return err; /* Failure */ |
541 | p++; | 544 | p++; |
542 | brelse (p->bh); | 545 | brelse (p->bh); |
@@ -562,7 +565,8 @@ static int htree_dirblock_to_tree(struct file *dir_file, | |||
562 | int err = 0, count = 0; | 565 | int err = 0, count = 0; |
563 | 566 | ||
564 | dxtrace(printk("In htree dirblock_to_tree: block %d\n", block)); | 567 | dxtrace(printk("In htree dirblock_to_tree: block %d\n", block)); |
565 | if (!(bh = ext3_bread (NULL, dir, block, 0, &err))) | 568 | |
569 | if (!(bh = ext3_dir_bread(NULL, dir, block, 0, &err))) | ||
566 | return err; | 570 | return err; |
567 | 571 | ||
568 | de = (struct ext3_dir_entry_2 *) bh->b_data; | 572 | de = (struct ext3_dir_entry_2 *) bh->b_data; |
@@ -976,7 +980,7 @@ static struct buffer_head * ext3_dx_find_entry(struct inode *dir, | |||
976 | return NULL; | 980 | return NULL; |
977 | do { | 981 | do { |
978 | block = dx_get_block(frame->at); | 982 | block = dx_get_block(frame->at); |
979 | if (!(bh = ext3_bread (NULL,dir, block, 0, err))) | 983 | if (!(bh = ext3_dir_bread (NULL, dir, block, 0, err))) |
980 | goto errout; | 984 | goto errout; |
981 | 985 | ||
982 | retval = search_dirblock(bh, dir, entry, | 986 | retval = search_dirblock(bh, dir, entry, |
@@ -1458,9 +1462,9 @@ static int ext3_add_entry (handle_t *handle, struct dentry *dentry, | |||
1458 | } | 1462 | } |
1459 | blocks = dir->i_size >> sb->s_blocksize_bits; | 1463 | blocks = dir->i_size >> sb->s_blocksize_bits; |
1460 | for (block = 0; block < blocks; block++) { | 1464 | for (block = 0; block < blocks; block++) { |
1461 | bh = ext3_bread(handle, dir, block, 0, &retval); | 1465 | if (!(bh = ext3_dir_bread(handle, dir, block, 0, &retval))) |
1462 | if(!bh) | ||
1463 | return retval; | 1466 | return retval; |
1467 | |||
1464 | retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh); | 1468 | retval = add_dirent_to_buf(handle, dentry, inode, NULL, bh); |
1465 | if (retval != -ENOSPC) | 1469 | if (retval != -ENOSPC) |
1466 | return retval; | 1470 | return retval; |
@@ -1500,7 +1504,7 @@ static int ext3_dx_add_entry(handle_t *handle, struct dentry *dentry, | |||
1500 | entries = frame->entries; | 1504 | entries = frame->entries; |
1501 | at = frame->at; | 1505 | at = frame->at; |
1502 | 1506 | ||
1503 | if (!(bh = ext3_bread(handle,dir, dx_get_block(frame->at), 0, &err))) | 1507 | if (!(bh = ext3_dir_bread(handle, dir, dx_get_block(frame->at), 0, &err))) |
1504 | goto cleanup; | 1508 | goto cleanup; |
1505 | 1509 | ||
1506 | BUFFER_TRACE(bh, "get_write_access"); | 1510 | BUFFER_TRACE(bh, "get_write_access"); |
@@ -1790,8 +1794,7 @@ retry: | |||
1790 | inode->i_op = &ext3_dir_inode_operations; | 1794 | inode->i_op = &ext3_dir_inode_operations; |
1791 | inode->i_fop = &ext3_dir_operations; | 1795 | inode->i_fop = &ext3_dir_operations; |
1792 | inode->i_size = EXT3_I(inode)->i_disksize = inode->i_sb->s_blocksize; | 1796 | inode->i_size = EXT3_I(inode)->i_disksize = inode->i_sb->s_blocksize; |
1793 | dir_block = ext3_bread (handle, inode, 0, 1, &err); | 1797 | if (!(dir_block = ext3_dir_bread(handle, inode, 0, 1, &err))) |
1794 | if (!dir_block) | ||
1795 | goto out_clear_inode; | 1798 | goto out_clear_inode; |
1796 | 1799 | ||
1797 | BUFFER_TRACE(dir_block, "get_write_access"); | 1800 | BUFFER_TRACE(dir_block, "get_write_access"); |
@@ -1859,7 +1862,7 @@ static int empty_dir (struct inode * inode) | |||
1859 | 1862 | ||
1860 | sb = inode->i_sb; | 1863 | sb = inode->i_sb; |
1861 | if (inode->i_size < EXT3_DIR_REC_LEN(1) + EXT3_DIR_REC_LEN(2) || | 1864 | if (inode->i_size < EXT3_DIR_REC_LEN(1) + EXT3_DIR_REC_LEN(2) || |
1862 | !(bh = ext3_bread (NULL, inode, 0, 0, &err))) { | 1865 | !(bh = ext3_dir_bread(NULL, inode, 0, 0, &err))) { |
1863 | if (err) | 1866 | if (err) |
1864 | ext3_error(inode->i_sb, __func__, | 1867 | ext3_error(inode->i_sb, __func__, |
1865 | "error %d reading directory #%lu offset 0", | 1868 | "error %d reading directory #%lu offset 0", |
@@ -1890,9 +1893,8 @@ static int empty_dir (struct inode * inode) | |||
1890 | (void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { | 1893 | (void *) de >= (void *) (bh->b_data+sb->s_blocksize)) { |
1891 | err = 0; | 1894 | err = 0; |
1892 | brelse (bh); | 1895 | brelse (bh); |
1893 | bh = ext3_bread (NULL, inode, | 1896 | if (!(bh = ext3_dir_bread (NULL, inode, |
1894 | offset >> EXT3_BLOCK_SIZE_BITS(sb), 0, &err); | 1897 | offset >> EXT3_BLOCK_SIZE_BITS(sb), 0, &err))) { |
1895 | if (!bh) { | ||
1896 | if (err) | 1898 | if (err) |
1897 | ext3_error(sb, __func__, | 1899 | ext3_error(sb, __func__, |
1898 | "error %d reading directory" | 1900 | "error %d reading directory" |
@@ -2388,7 +2390,7 @@ static int ext3_rename (struct inode * old_dir, struct dentry *old_dentry, | |||
2388 | goto end_rename; | 2390 | goto end_rename; |
2389 | } | 2391 | } |
2390 | retval = -EIO; | 2392 | retval = -EIO; |
2391 | dir_bh = ext3_bread (handle, old_inode, 0, 0, &retval); | 2393 | dir_bh = ext3_dir_bread(handle, old_inode, 0, 0, &retval); |
2392 | if (!dir_bh) | 2394 | if (!dir_bh) |
2393 | goto end_rename; | 2395 | goto end_rename; |
2394 | if (le32_to_cpu(PARENT_INO(dir_bh->b_data)) != old_dir->i_ino) | 2396 | if (le32_to_cpu(PARENT_INO(dir_bh->b_data)) != old_dir->i_ino) |
diff --git a/fs/ext3/namei.h b/fs/ext3/namei.h index f2ce2b0065c9..46304d8c9f0a 100644 --- a/fs/ext3/namei.h +++ b/fs/ext3/namei.h | |||
@@ -6,3 +6,22 @@ | |||
6 | */ | 6 | */ |
7 | 7 | ||
8 | extern struct dentry *ext3_get_parent(struct dentry *child); | 8 | extern struct dentry *ext3_get_parent(struct dentry *child); |
9 | |||
10 | static inline struct buffer_head *ext3_dir_bread(handle_t *handle, | ||
11 | struct inode *inode, | ||
12 | int block, int create, | ||
13 | int *err) | ||
14 | { | ||
15 | struct buffer_head *bh; | ||
16 | |||
17 | bh = ext3_bread(handle, inode, block, create, err); | ||
18 | |||
19 | if (!bh && !(*err)) { | ||
20 | *err = -EIO; | ||
21 | ext3_error(inode->i_sb, __func__, | ||
22 | "Directory hole detected on inode %lu\n", | ||
23 | inode->i_ino); | ||
24 | return NULL; | ||
25 | } | ||
26 | return bh; | ||
27 | } | ||