Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v6.12.80 2024-08-13T02:00:43+00:00 2024-08-13T02:00:43+00:00 Al Viro viro@zeniv.linux.org.uk 2024-05-31T18:12:01+00:00 urn:sha1:1da91ea87aefe2c25b68c9f96947a9271ba6325d For any changes of struct fd representation we need to turn existing accesses to fields into calls of wrappers. Accesses to struct fd::flags are very few (3 in linux/file.h, 1 in net/socket.c, 3 in fs/overlayfs/file.c and 3 more in explicit initializers). Those can be dealt with in the commit converting to new layout; accesses to struct fd::file are too many for that. This commit converts (almost) all of f.file to fd_file(f). It's not entirely mechanical ('file' is used as a member name more than just in struct fd) and it does not even attempt to distinguish the uses in pointer context from those in boolean context; the latter will be eventually turned into a separate helper (fd_empty()). NOTE: mass conversion to fd_empty(), tempting as it might be, is a bad idea; better do that piecewise in commit that convert from fdget...() to CLASS(...). [conflicts in fs/fhandle.c, kernel/bpf/syscall.c, mm/memcontrol.c caught by git; fs/stat.c one got caught by git grep] [fs/xattr.c conflict] Reviewed-by: Christian Brauner <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2024-06-03T13:49:26+00:00 Thorsten Blum thorsten.blum@toblux.com 2024-06-02T00:47:30+00:00 urn:sha1:992f03ff8661bb0427f1db59c283f3fa63182b09 Add a missing double quote in the unsafe_copy_dirent_name() macro comment. Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com> Link: https://lore.kernel.org/r/20240602004729.229634-2-thorsten.blum@toblux.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2024-06-03T13:48:39+00:00 Thorsten Blum thorsten.blum@toblux.com 2024-06-02T10:15:35+00:00 urn:sha1:c12c0bb031cbaccf4f7d375db466b6457453bfa8 Since commit c512c6918719 ("uaccess: implement a proper unsafe_copy_to_user() and switch filldir over to it") the header file is no longer needed. Signed-off-by: Thorsten Blum <thorsten.blum@toblux.com> Link: https://lore.kernel.org/r/20240602101534.348159-2-thorsten.blum@toblux.com Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Christian Brauner <brauner@kernel.org> 2023-12-12T15:20:02+00:00 Amir Goldstein amir73il@gmail.com 2023-12-12T09:44:40+00:00 urn:sha1:d9e5d31084b024734e64307521414ef0ae1d5333 In preparation for pre-content permission events with file access range, move fsnotify_file_perm() hook out of security_file_permission() and into the callers. Callers that have the access range information call the new hook fsnotify_file_area_perm() with the access range. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Amir Goldstein <amir73il@gmail.com> Link: https://lore.kernel.org/r/20231212094440.250945-6-amir73il@gmail.com Signed-off-by: Christian Brauner <brauner@kernel.org> 2023-08-06T13:08:35+00:00 Linus Torvalds torvalds@linux-foundation.org 2023-08-05T19:25:01+00:00 urn:sha1:3e3271549670783be20e233a2b78a87a0b04c715 All users now just use '->iterate_shared()', which only takes the directory inode lock for reading. Filesystems that never got convered to shared mode now instead use a wrapper that drops the lock, re-takes it in write mode, calls the old function, and then downgrades the lock back to read mode. This way the VFS layer and other callers no longer need to care about filesystems that never got converted to the modern era. The filesystems that use the new wrapper are ceph, coda, exfat, jfs, ntfs, ocfs2, overlayfs, and vboxsf. Honestly, several of them look like they really could just iterate their directories in shared mode and skip the wrapper entirely, but the point of this change is to not change semantics or fix filesystems that haven't been fixed in the last 7+ years, but to finally get rid of the dual iterators. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Christian Brauner <brauner@kernel.org> 2023-06-21T07:06:59+00:00 Gustavo A. R. Silva gustavoars@kernel.org 2023-06-20T17:30:36+00:00 urn:sha1:2507135e4ff231a368eae38000a501da0b96c662 One-element arrays are deprecated, and we are replacing them with flexible array members instead. So, replace one-element arrays with flexible-array members in multiple structures. Address the following -Wstringop-overflow warnings seen when built m68k architecture with m5307c3_defconfig configuration: In function '__put_user_fn', inlined from 'fillonedir' at fs/readdir.c:170:2: include/asm-generic/uaccess.h:49:35: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 49 | *(u8 __force *)to = *(u8 *)from; | ~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ fs/readdir.c: In function 'fillonedir': fs/readdir.c:134:25: note: at offset 1 into destination object 'd_name' of size 1 134 | char d_name[1]; | ^~~~~~ In function '__put_user_fn', inlined from 'filldir' at fs/readdir.c:257:2: include/asm-generic/uaccess.h:49:35: warning: writing 1 byte into a region of size 0 [-Wstringop-overflow=] 49 | *(u8 __force *)to = *(u8 *)from; | ~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~ fs/readdir.c: In function 'filldir': fs/readdir.c:211:25: note: at offset 1 into destination object 'd_name' of size 1 211 | char d_name[1]; | ^~~~~~ This helps with the ongoing efforts to globally enable -Wstringop-overflow. This results in no differences in binary output. Link: https://github.com/KSPP/linux/issues/79 Link: https://github.com/KSPP/linux/issues/312 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Reviewed-by: Kees Cook <keescook@chromium.org> Message-Id: <ZJHiPJkNKwxkKz1c@work> Signed-off-by: Christian Brauner <brauner@kernel.org> 2022-08-17T21:25:04+00:00 Al Viro viro@zeniv.linux.org.uk 2022-08-16T15:57:56+00:00 urn:sha1:25885a35a72007cf28ec5f9ba7169c5c798f7167 filldir_t instances (directory iterators callbacks) used to return 0 for "OK, keep going" or -E... for "stop". Note that it's *NOT* how the error values are reported - the rules for those are callback-dependent and ->iterate{,_shared}() instances only care about zero vs. non-zero (look at emit_dir() and friends). So let's just return bool ("should we keep going?") - it's less confusing that way. The choice between "true means keep going" and "true means stop" is bikesheddable; we have two groups of callbacks - do something for everything in directory, until we run into problem and find an entry in directory and do something to it. The former tended to use 0/-E... conventions - -E<something> on failure. The latter tended to use 0/1, 1 being "stop, we are done". The callers treated anything non-zero as "stop", ignoring which non-zero value did they get. "true means stop" would be more natural for the second group; "true means keep going" - for the first one. I tried both variants and the things like if allocation failed something = -ENOMEM; return true; just looked unnatural and asking for trouble. [folded suggestion from Matthew Wilcox <willy@infradead.org>] Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> 2021-04-17T18:39:49+00:00 Linus Torvalds torvalds@linux-foundation.org 2021-04-17T16:27:04+00:00 urn:sha1:0c93ac69407d63a85be0129aa55ffaec27ffebd3 This does the directory entry name verification for the legacy "fillonedir" (and compat) interface that goes all the way back to the dark ages before we had a proper dirent, and the readdir() system call returned just a single entry at a time. Nobody should use this interface unless you still have binaries from 1991, but let's do it right. This came up during discussions about unsafe_copy_to_user() and proper checking of all the inputs to it, as the networking layer is looking to use it in a few new places. So let's make sure the _old_ users do it all right and proper, before we add new ones. See also commit 8a23eb804ca4 ("Make filldir[64]() verify the directory entry filename is valid") which did the proper modern interfaces that people actually use. It had a note: Note that I didn't bother adding the checks to any legacy interfaces that nobody uses. which this now corrects. Note that we really don't care about POSIX and the presense of '/' in a directory entry, but verify_dirent_name() also ends up doing the proper name length verification which is what the input checking discussion was about. [ Another option would be to remove the support for this particular very old interface: any binaries that use it are likely a.out binaries, and they will no longer run anyway since we removed a.out binftm support in commit eac616557050 ("x86: Deprecate a.out support"). But I'm not sure which came first: getdents() or ELF support, so let's pretend somebody might still have a working binary that uses the legacy readdir() case.. ] Link: https://lore.kernel.org/lkml/CAHk-=wjbvzCAhAtvG0d81W5o0-KT5PPTHhfJ5ieDFq+bGtgOYg@mail.gmail.com/ Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-07-31T06:16:00+00:00 Christoph Hellwig hch@lst.de 2020-07-14T07:02:07+00:00 urn:sha1:fb2da16cd70a5140acdd7a102e5cd3b697c3404f Just open code it in the only caller. Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Linus Torvalds <torvalds@linux-foundation.org> 2020-05-02T00:29:54+00:00 Al Viro viro@zeniv.linux.org.uk 2020-02-19T03:34:07+00:00 urn:sha1:5fb1514164de20ddb21886ffceda4cb54d6538f6 Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>