aboutsummaryrefslogtreecommitdiff
path: root/fs/hostfs
AgeCommit message (Collapse)Author
2015-09-04fs: create and use seq_show_option for escapingKees Cook
Many file systems that implement the show_options hook fail to correctly escape their output which could lead to unescaped characters (e.g. new lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This could lead to confusion, spoofed entries (resulting in things like systemd issuing false d-bus "mount" notifications), and who knows what else. This looks like it would only be the root user stepping on themselves, but it's possible weird things could happen in containers or in other situations with delegated mount privileges. Here's an example using overlay with setuid fusermount trusting the contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use of "sudo" is something more sneaky: $ BASE="ovl" $ MNT="$BASE/mnt" $ LOW="$BASE/lower" $ UP="$BASE/upper" $ WORK="$BASE/work/ 0 0 none /proc fuse.pwn user_id=1000" $ mkdir -p "$LOW" "$UP" "$WORK" $ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt $ cat /proc/mounts none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0 none /proc fuse.pwn user_id=1000 0 0 $ fusermount -u /proc $ cat /proc/mounts cat: /proc/mounts: No such file or directory This fixes the problem by adding new seq_show_option and seq_show_option_n helpers, and updating the vulnerable show_option handlers to use them as needed. Some, like SELinux, need to be open coded due to unusual existing escape mechanisms. [akpm@linux-foundation.org: add lost chunk, per Kees] [keescook@chromium.org: seq_show_option should be using const parameters] Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Acked-by: Jan Kara <jack@suse.com> Acked-by: Paul Moore <paul@paul-moore.com> Cc: J. R. Okajima <hooanon05g@gmail.com> Signed-off-by: Kees Cook <keescook@chromium.org> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-06-22Merge branch 'for-linus-1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull vfs updates from Al Viro: "In this pile: pathname resolution rewrite. - recursion in link_path_walk() is gone. - nesting limits on symlinks are gone (the only limit remaining is that the total amount of symlinks is no more than 40, no matter how nested). - "fast" (inline) symlinks are handled without leaving rcuwalk mode. - stack footprint (independent of the nesting) is below kilobyte now, about on par with what it used to be with one level of nested symlinks and ~2.8 times lower than it used to be in the worst case. - struct nameidata is entirely private to fs/namei.c now (not even opaque pointers are being passed around). - ->follow_link() and ->put_link() calling conventions had been changed; all in-tree filesystems converted, out-of-tree should be able to follow reasonably easily. For out-of-tree conversions, see Documentation/filesystems/porting for details (and in-tree filesystems for examples of conversion). That has sat in -next since mid-May, seems to survive all testing without regressions and merges clean with v4.1" * 'for-linus-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (131 commits) turn user_{path_at,path,lpath,path_dir}() into static inlines namei: move saved_nd pointer into struct nameidata inline user_path_create() inline user_path_parent() namei: trim do_last() arguments namei: stash dfd and name into nameidata namei: fold path_cleanup() into terminate_walk() namei: saner calling conventions for filename_parentat() namei: saner calling conventions for filename_create() namei: shift nameidata down into filename_parentat() namei: make filename_lookup() reject ERR_PTR() passed as name namei: shift nameidata inside filename_lookup() namei: move putname() call into filename_lookup() namei: pass the struct path to store the result down into path_lookupat() namei: uninline set_root{,_rcu}() namei: be careful with mountpoint crossings in follow_dotdot_rcu() Documentation: remove outdated information from automount-support.txt get rid of assorted nameidata-related debris lustre: kill unused helper lustre: kill unused macro (LOOKUP_CONTINUE) ...
2015-05-11switch ->put_link() from dentry to inodeAl Viro
only one instance looks at that argument at all; that sole exception wants inode rather than dentry. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-05-10don't pass nameidata to ->follow_link()Al Viro
its only use is getting passed to nd_jump_link(), which can obtain it from current->nameidata Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-05-10new ->follow_link() and ->put_link() calling conventionsAl Viro
a) instead of storing the symlink body (via nd_set_link()) and returning an opaque pointer later passed to ->put_link(), ->follow_link() _stores_ that opaque pointer (into void * passed by address by caller) and returns the symlink body. Returning ERR_PTR() on error, NULL on jump (procfs magic symlinks) and pointer to symlink body for normal symlinks. Stored pointer is ignored in all cases except the last one. Storing NULL for opaque pointer (or not storing it at all) means no call of ->put_link(). b) the body used to be passed to ->put_link() implicitly (via nameidata). Now only the opaque pointer is. In the cases when we used the symlink body to free stuff, ->follow_link() now should store it as opaque pointer in addition to returning it. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-05-04hostfs: Use correct mask for file modeRichard Weinberger
S_IFMT is obviously wrong and needs to be 0777. We're interested in the file mode, not the type. Fixes: b98b91029c (hostfs: No need to box and later unbox the file mode) Reported-by: Markus Stenberg <markus.stenberg@iki.fi> Signed-off-by: Richard Weinberger <richard@nod.at>
2015-04-26Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs Pull fourth vfs update from Al Viro: "d_inode() annotations from David Howells (sat in for-next since before the beginning of merge window) + four assorted fixes" * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: RCU pathwalk breakage when running into a symlink overmounting something fix I_DIO_WAKEUP definition direct-io: only inc/dec inode->i_dio_count for file systems fs/9p: fix readdir() VFS: assorted d_backing_inode() annotations VFS: fs/inode.c helpers: d_inode() annotations VFS: fs/cachefiles: d_backing_inode() annotations VFS: fs library helpers: d_inode() annotations VFS: assorted weird filesystems: d_inode() annotations VFS: normal filesystems (and lustre): d_inode() annotations VFS: security/: d_inode() annotations VFS: security/: d_backing_inode() annotations VFS: net/: d_inode() annotations VFS: net/unix: d_backing_inode() annotations VFS: kernel/: d_inode() annotations VFS: audit: d_backing_inode() annotations VFS: Fix up some ->d_inode accesses in the chelsio driver VFS: Cachefiles should perform fs modifications on the top layer only VFS: AF_UNIX sockets should call mknod on the top layer only
2015-04-15Merge tag 'for-linus-4.1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml Pull UML updates from Richard Weinberger: - hostfs saw a face lifting - old/broken stuff was removed (SMP, HIGHMEM, SKAS3/4) - random cleanups and bug fixes * tag 'for-linus-4.1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: (26 commits) um: Print minimum physical memory requirement um: Move uml_postsetup in the init_thread stack um: add a kmsg_dumper x86, UML: fix integer overflow in ELF_ET_DYN_BASE um: hostfs: Reduce number of syscalls in readdir um: Remove broken highmem support um: Remove broken SMP support um: Remove SKAS3/4 support um: Remove ppc cruft um: Remove ia64 cruft um: Remove dead code from stacktrace hostfs: No need to box and later unbox the file mode hostfs: Use page_offset() hostfs: Set page flags in hostfs_readpage() correctly hostfs: Remove superfluous initializations in hostfs_open() hostfs: hostfs_open: Reset open flags upon each retry hostfs: Remove superfluous test in hostfs_open() hostfs: Report append flag in ->show_options() hostfs: Use __getname() in follow_link hostfs: Remove open coded strcpy() ...
2015-04-15VFS: normal filesystems (and lustre): d_inode() annotationsDavid Howells
that's the bulk of filesystem drivers dealing with inodes of their own Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-04-13um: hostfs: Reduce number of syscalls in readdirRichard Weinberger
Currently hostfs issues every time a seekdir(), in fact it has to do this only upon the first call. Also telldir() can be omitted as we can obtain the directory offset from readdir(). Signed-off-by: Richard Weinberger <richard@nod.at>
2015-04-11make new_sync_{read,write}() staticAl Viro
All places outside of core VFS that checked ->read and ->write for being NULL or called the methods directly are gone now, so NULL {read,write} with non-NULL {read,write}_iter will do the right thing in all cases. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2015-03-26hostfs: No need to box and later unbox the file modeRichard Weinberger
There is really no point in having a function with 10 arguments. Reported-by: Daniel Walter <d.walter@0x90.at> Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Use page_offset()Richard Weinberger
The kernel offers a helper function for that, use it. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Set page flags in hostfs_readpage() correctlyRichard Weinberger
In case of an error set the page error flag and clear the up-to-date flag. If the read was successful clear the error flag unconditionally. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Remove superfluous initializations in hostfs_open()Richard Weinberger
Only initialize what we really need. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: hostfs_open: Reset open flags upon each retryRichard Weinberger
...otherwise we might end up with an incorrect mode mode. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Remove superfluous test in hostfs_open()Richard Weinberger
Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Report append flag in ->show_options()Richard Weinberger
hostfs has an "append" mount option. Report it. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Use __getname() in follow_linkRichard Weinberger
Be consistent with all other functions in hostfs and just use __getname(). Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Remove open coded strcpy()Richard Weinberger
Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Add a BUG_ON to detect behavior changes of dentry_path_raw()Richard Weinberger
hostfs' __dentry_name() relies on the fact that dentry_path_raw() will place the path name at the end of the provided buffer. While this is okay, add a BUG_ON() to detect behavior changes as soon as possible. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Make hostfs_readpage more readableRichard Weinberger
...to make life easier for future readers of that code. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Handle bogus st.modeRichard Weinberger
Make sure that we return EIO if one passes an invalid st.mode into hostfs. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: Allow fsync on directoriesRichard Weinberger
Historically hostfs did not open directories on the host filesystem for performance and memory reasons. But it turned out that this optimization has a drawback. Calling fsync() on a hostfs directory returns immediately with -EINVAL as fsync is not implemented. While this is behavior is strictly speaking correct common userspace like dpkg(1) stumbles over that and makes it impossible to use hostfs as root filesystem. The fix is easy, wire up the existing host open/fsync functions to the directory file operations. Reported-by: Daniel Gröber <dxld@darkboxed.org> Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: hostfs_file_open: Fix a fd leak in hostfs_file_openRichard Weinberger
In case of a race between to callers of hostfs_file_open() it can happen that a file describtor is leaked. Signed-off-by: Richard Weinberger <richard@nod.at>
2015-03-26hostfs: hostfs_file_open: Switch to data locking modelRichard Weinberger
Instead of serializing hostfs_file_open() we can use a per inode mutex to protect ->mode. Signed-off-by: Richard Weinberger <richard@nod.at>
2014-08-07hostfs: support rename flagsMiklos Szeredi
Support RENAME_NOREPLACE and RENAME_EXCHANGE flags on hostfs if the underlying filesystem supports it. Since renameat2(2) is not yet in any libc, use syscall(2) to invoke the renameat2 syscall. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Cc: Richard Weinberger <richard@nod.at> Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-05-06write_iter variants of {__,}generic_file_aio_write()Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-05-06switch simple generic_file_aio_read() users to ->read_iter()Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2014-04-03mm + fs: store shadow entries in page cacheJohannes Weiner
Reclaim will be leaving shadow entries in the page cache radix tree upon evicting the real page. As those pages are found from the LRU, an iput() can lead to the inode being freed concurrently. At this point, reclaim must no longer install shadow pages because the inode freeing code needs to ensure the page tree is really empty. Add an address_space flag, AS_EXITING, that the inode freeing code sets under the tree lock before doing the final truncate. Reclaim will check for this flag before installing shadow pages. Signed-off-by: Johannes Weiner <hannes@cmpxchg.org> Reviewed-by: Rik van Riel <riel@redhat.com> Reviewed-by: Minchan Kim <minchan@kernel.org> Cc: Andrea Arcangeli <aarcange@redhat.com> Cc: Bob Liu <bob.liu@oracle.com> Cc: Christoph Hellwig <hch@infradead.org> Cc: Dave Chinner <david@fromorbit.com> Cc: Greg Thelen <gthelen@google.com> Cc: Hugh Dickins <hughd@google.com> Cc: Jan Kara <jack@suse.cz> Cc: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com> Cc: Luigi Semenzato <semenzato@google.com> Cc: Mel Gorman <mgorman@suse.de> Cc: Metin Doslu <metin@citusdata.com> Cc: Michel Lespinasse <walken@google.com> Cc: Ozgun Erdogan <ozgun@citusdata.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Roman Gushchin <klamm@yandex-team.ru> Cc: Ryan Mallon <rmallon@gmail.com> Cc: Tejun Heo <tj@kernel.org> Cc: Vlastimil Babka <vbabka@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2014-01-26um: hostfs: make functions staticJames Hogan
The hostfs_*() callback functions are all only used within hostfs_kern.c, so make them static. Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Cc: user-mode-linux-devel@lists.sourceforge.net Signed-off-by: Richard Weinberger <richard@nod.at>
2013-11-15consolidate simple ->d_delete() instancesAl Viro
Rename simple_delete_dentry() to always_delete_dentry() and export it. Export simple_dentry_operations, while we are at it, and get rid of their duplicates Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-09-07um: hostfs: Fix writebackRichard Weinberger
We have to implement ->release() and trigger writeback from it. Otherwise we might lose dirty pages at munmap(). Signed-off-by: Richard Weinberger <richard@nod.at>
2013-06-29[readdir] convert hostfsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-05-04hostfs: use kmalloc instead of kzallocJames Hogan
The inode info structure is zeroed at allocation with kzalloc, and then all but one of the fields (including the largest, vfs_inode) are initialised explicitly. Switch to using kmalloc and initialise the remaining field too. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-05-04hostfs: move HOSTFS_SUPER_MAGIC to <linux/magic.h>James Hogan
Move HOSTFS_SUPER_MAGIC to <linux/magic.h> to be with it's magical friends from other file systems. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-05-04hostfs: remove "will unlock" commentJames Hogan
A "will unlock" comment was added to hostfs in the following commit, along with a spinlock: Commit e9193059b1b3733695d5b80e667778311695aa73 ("hostfs: fix races in dentry_name() and inode_name()"). But the spinlock was subsequently removed in the following commit: Commit ec2447c278ee973d35f38e53ca16ba7f965ae33d ("hostfs: simplify locking"). Since the comment is no longer applicable, remove it. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: James Hogan <james.hogan@imgtec.com> Cc: Nick Piggin <npiggin@kernel.dk> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-03-13Merge branch 'for-linus' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace Pull namespace bugfixes from Eric Biederman: "This tree includes a partial revert for "fs: Limit sys_mount to only request filesystem modules." When I added the new style module aliases to the filesystems I deleted the old ones. A bad move. It turns out that distributions like Arch linux use module aliases when constructing ramdisks. Which meant ultimately that an ext3 filesystem mounted with ext4 would not result in the ext4 module being put into the ramdisk. The other change in this tree adds a handful of filesystem module alias I simply failed to add the first time. Which inconvinienced a few folks using cifs. I don't want to inconvinience folks any longer than I have to so here are these trivial fixes." * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace: fs: Readd the fs module aliases. fs: Limit sys_mount to only request filesystem modules. (Part 3)
2013-03-11fs: Limit sys_mount to only request filesystem modules. (Part 3)Eric W. Biederman
Somehow I failed to add the MODULE_ALIAS_FS for cifs, hostfs, hpfs, squashfs, and udf despite what I thought were my careful checks :( Add them now. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
2013-03-11hostfs: fix a not needed double checkMarco Stornelli
With the commit 3be2be0a32c18b0fd6d623cda63174a332ca0de1 we removed vmtruncate, but actaully there is no need to call inode_newsize_ok() because the checks are already done in inode_change_ok() at the begin of the function. Signed-off-by: Marco Stornelli <marco.stornelli@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at>
2013-02-22hostfs: directory methods have no business in non-directory inode_operationsAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2013-02-22new helper: file_inode(file)Al Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-10-10Merge branch 'for-linus-37rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml Pull UML changes from Richard Weinberger: "UML receives this time only cleanups. The most outstanding change is the 'include "foo.h"' do 'include <foo.h>' conversion done by Al Viro. It touches many files, that's why the diffstat is rather big." * 'for-linus-37rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: typo in UserModeLinux-HOWTO hppfs: fix the return value of get_inode() hostfs: drop vmtruncate um: get rid of pointless include "..." where include <...> will do um: move sysrq.h out of include/shared um/x86: merge 32 and 64 bit variants of ptrace.h um/x86: merge 32 and 64bit variants of checksum.h
2012-10-09hostfs: drop vmtruncateMarco Stornelli
Removed vmtruncate. Signed-off-by: Marco Stornelli <marco.stornelli@gmail.com> Signed-off-by: Richard Weinberger <richard@nod.at>
2012-10-09um: get rid of pointless include "..." where include <...> will doAl Viro
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Richard Weinberger <richard@nod.at>
2012-09-21userns: Convert hostfs to use kuid and kgid where appropriateEric W. Biederman
Cc: Jeff Dike <jdike@addtoit.com> Cc: Richard Weinberger <richard@nod.at> Acked-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
2012-07-14don't pass nameidata to ->create()Al Viro
boolean "does it have to be exclusive?" flag is passed instead; Local filesystem should just ignore it - the object is guaranteed not to be there yet. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-07-14stop passing nameidata to ->lookup()Al Viro
Just the flags; only NFS cares even about that, but there are legitimate uses for such argument. And getting rid of that completely would require splitting ->lookup() into a couple of methods (at least), so let's leave that alone for now... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2012-05-06vfs: Rename end_writeback() to clear_inode()Jan Kara
After we moved inode_sync_wait() from end_writeback() it doesn't make sense to call the function end_writeback() anymore. Rename it to clear_inode() which well says what the function really does - set I_CLEAR flag. Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
2012-03-27Merge branch 'for-linus-3.4-rc1' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml Pull UML changes from Richard Weinberger: "Mostly bug fixes and cleanups" * 'for-linus-3.4-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/rw/uml: (35 commits) um: Update defconfig um: Switch to large mcmodel on x86_64 MTD: Relax dependencies um: Wire CONFIG_GENERIC_IO up um: Serve io_remap_pfn_range() Introduce CONFIG_GENERIC_IO um: allow SUBARCH=x86 um: most of the SUBARCH uses can be killed um: deadlock in line_write_interrupt() um: don't bother trying to rebuild CHECKFLAGS for USER_OBJS um: use the right ifdef around exports in user_syms.c um: a bunch of headers can be killed by using generic-y um: ptrace-generic.h doesn't need user.h um: kill HOST_TASK_PID um: remove pointless include of asm/fixmap.h from asm/pgtable.h um: asm-offsets.h might as well come from underlying arch... um: merge processor_{32,64}.h a bit... um: switch close_chan() to struct line um: race fix: initialize delayed_work *before* registering IRQ um: line->have_irq is never checked... ...