diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2011-03-08 01:25:28 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2011-03-08 02:22:27 -0500 |
commit | dfef6dcd35cb4a251f6322ca9b2c06f0bb1aa1f4 (patch) | |
tree | 65e8a25d4ed913658db35c4b97ab0a021c2124eb /fs | |
parent | 1858efd471624ecb37e6b5462cab8076f47d1cee (diff) |
unfuck proc_sysctl ->d_compare()
a) struct inode is not going to be freed under ->d_compare();
however, the thing PROC_I(inode)->sysctl points to just might.
Fortunately, it's enough to make freeing that sucker delayed,
provided that we don't step on its ->unregistering, clear
the pointer to it in PROC_I(inode) before dropping the reference
and check if it's NULL in ->d_compare().
b) I'm not sure that we *can* walk into NULL inode here (we recheck
dentry->seq between verifying that it's still hashed / fetching
dentry->d_inode and passing it to ->d_compare() and there's no
negative hashed dentries in /proc/sys/*), but if we can walk into
that, we really should not have ->d_compare() return 0 on it!
Said that, I really suspect that this check can be simply killed.
Nick?
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/proc/inode.c | 8 | ||||
-rw-r--r-- | fs/proc/proc_sysctl.c | 7 |
2 files changed, 11 insertions, 4 deletions
diff --git a/fs/proc/inode.c b/fs/proc/inode.c index 176ce4cda68a..d6a7ca1fdac5 100644 --- a/fs/proc/inode.c +++ b/fs/proc/inode.c | |||
@@ -27,6 +27,7 @@ | |||
27 | static void proc_evict_inode(struct inode *inode) | 27 | static void proc_evict_inode(struct inode *inode) |
28 | { | 28 | { |
29 | struct proc_dir_entry *de; | 29 | struct proc_dir_entry *de; |
30 | struct ctl_table_header *head; | ||
30 | 31 | ||
31 | truncate_inode_pages(&inode->i_data, 0); | 32 | truncate_inode_pages(&inode->i_data, 0); |
32 | end_writeback(inode); | 33 | end_writeback(inode); |
@@ -38,8 +39,11 @@ static void proc_evict_inode(struct inode *inode) | |||
38 | de = PROC_I(inode)->pde; | 39 | de = PROC_I(inode)->pde; |
39 | if (de) | 40 | if (de) |
40 | pde_put(de); | 41 | pde_put(de); |
41 | if (PROC_I(inode)->sysctl) | 42 | head = PROC_I(inode)->sysctl; |
42 | sysctl_head_put(PROC_I(inode)->sysctl); | 43 | if (head) { |
44 | rcu_assign_pointer(PROC_I(inode)->sysctl, NULL); | ||
45 | sysctl_head_put(head); | ||
46 | } | ||
43 | } | 47 | } |
44 | 48 | ||
45 | struct vfsmount *proc_mnt; | 49 | struct vfsmount *proc_mnt; |
diff --git a/fs/proc/proc_sysctl.c b/fs/proc/proc_sysctl.c index 09a1f92a34ef..8eb2522111c5 100644 --- a/fs/proc/proc_sysctl.c +++ b/fs/proc/proc_sysctl.c | |||
@@ -408,15 +408,18 @@ static int proc_sys_compare(const struct dentry *parent, | |||
408 | const struct dentry *dentry, const struct inode *inode, | 408 | const struct dentry *dentry, const struct inode *inode, |
409 | unsigned int len, const char *str, const struct qstr *name) | 409 | unsigned int len, const char *str, const struct qstr *name) |
410 | { | 410 | { |
411 | struct ctl_table_header *head; | ||
411 | /* Although proc doesn't have negative dentries, rcu-walk means | 412 | /* Although proc doesn't have negative dentries, rcu-walk means |
412 | * that inode here can be NULL */ | 413 | * that inode here can be NULL */ |
414 | /* AV: can it, indeed? */ | ||
413 | if (!inode) | 415 | if (!inode) |
414 | return 0; | 416 | return 1; |
415 | if (name->len != len) | 417 | if (name->len != len) |
416 | return 1; | 418 | return 1; |
417 | if (memcmp(name->name, str, len)) | 419 | if (memcmp(name->name, str, len)) |
418 | return 1; | 420 | return 1; |
419 | return !sysctl_is_seen(PROC_I(inode)->sysctl); | 421 | head = rcu_dereference(PROC_I(inode)->sysctl); |
422 | return !head || !sysctl_is_seen(head); | ||
420 | } | 423 | } |
421 | 424 | ||
422 | static const struct dentry_operations proc_sys_dentry_operations = { | 425 | static const struct dentry_operations proc_sys_dentry_operations = { |