Message ID | 1470081437-5008-1-git-send-email-johannes@sipsolutions.net (mailing list archive) |
---|---|
State | Superseded, archived |
On Mon, Aug 01, 2016 at 09:57:17PM +0200, Johannes Berg wrote:
> The introduction of v9fs_parent_fid() broke v9fs_vfs_rename()
> since that doesn't just do v9fs_fid_lookup() but rather uses
> v9fs_fid_clone() on the ->d_parent.
>
> I suppose it'd be possible to introduce v9fs_clone_parent_fid()
> but I decided that just reverting the broken change was better
> for now.

Sorry for the braino; FWIW, I'd rather add

static inline struct p9_fid *fid_clone(struct p9_fid *fid)
{
	if (IS_ERR(fid))
		return fid;
	return p9_client_walk(fid, 0, NULL, 1);
}

and turn those into fid_clone(v9fs_parent_fid(old_dentry)), etc.

Has an extra benefit of simplifying several other places. I'll fix
and post (with credits to you for spotting the bug in question, of
course).

------------------------------------------------------------------------------
On Tue, 2016-08-02 at 01:30 +0100, Al Viro wrote:
> On Mon, Aug 01, 2016 at 09:57:17PM +0200, Johannes Berg wrote:
> > The introduction of v9fs_parent_fid() broke v9fs_vfs_rename()
> > since that doesn't just do v9fs_fid_lookup() but rather uses
> > v9fs_fid_clone() on the ->d_parent.
> >
> > I suppose it'd be possible to introduce v9fs_clone_parent_fid()
> > but I decided that just reverting the broken change was better
> > for now.
>
> Sorry for the braino; FWIW, I'd rather add
>
> static inline struct p9_fid *fid_clone(struct p9_fid *fid)
> {
> 	if (IS_ERR(fid))
> 		return fid;
> 	return p9_client_walk(fid, 0, NULL, 1);
> }
>
> and turn those into fid_clone(v9fs_parent_fid(old_dentry)), etc.

That would have required much more looking into what happens than I was
about to do :)

> Has an extra benefit of simplifying several other places. I'll fix
> and post (with credits to you for spotting the bug in question, of
> course).

No objection, I just did the minimum necessary to make my setup not
crash on use-after-free all the time (thanks to slab debug) :)

Thanks,
johannes

------------------------------------------------------------------------------
diff --git a/fs/9p/vfs_inode.c b/fs/9p/vfs_inode.c index 7da9a8354fad..d6488fb95dbf 100644 --- a/fs/9p/vfs_inode.c +++ b/fs/9p/vfs_inode.c @@ -975,13 +975,13 @@ v9fs_vfs_rename(struct inode *old_dir, struct dentry *old_dentry, if (IS_ERR(oldfid)) return PTR_ERR(oldfid); - olddirfid = v9fs_parent_fid(old_dentry); + olddirfid = v9fs_fid_clone(old_dentry->d_parent); if (IS_ERR(olddirfid)) { retval = PTR_ERR(olddirfid); goto done; } - newdirfid = v9fs_parent_fid(new_dentry); + newdirfid = v9fs_fid_clone(new_dentry->d_parent); if (IS_ERR(newdirfid)) { retval = PTR_ERR(newdirfid); goto clunk_olddir;
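Review bot: at the two restored assignments, "olddirfid = v9fs_fid_clone(old_dentry->d_parent);" and the matching newdirfid line, nothing in the code records why a cloned fid is required here instead of the fid returned by v9fs_parent_fid(). The error path for newdirfid jumps to clunk_olddir, which indicates that v9fs_vfs_rename() clunks these fids on exit, so they must be private clones; a one-line comment above the first assignment saying so would keep a later helper conversion from reintroducing the use-after-free reported in this thread. The commit message would also be easier to find later if it named that symptom (use-after-free caught by slab debug) alongside the Fixes: tag.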
The introduction of v9fs_parent_fid() broke v9fs_vfs_rename()
since that doesn't just do v9fs_fid_lookup() but rather uses
v9fs_fid_clone() on the ->d_parent.

I suppose it'd be possible to introduce v9fs_clone_parent_fid()
but I decided that just reverting the broken change was better
for now.

Fixes: 77d5a6b7d992 ("9p: new helper - v9fs_parent_fid()")
Signed-off-by: Johannes Berg <johannes@sipsolutions.net>
---
 fs/9p/vfs_inode.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)