search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
iget-stop-freevxfs-from-using-iget-and-read_inode-fix
[linux-2.6/linux-trees-mm.git] / fs / revoke.c
blob4c23ecd70ce6727dbf49de53f9d21c82c6c4697f
1 /*
2 * fs/revoke.c - Invalidate all current open file descriptors of an inode.
3 *
4 * Copyright (C) 2006-2007 Pekka Enberg
5 *
6 * This file is released under the GPLv2.
7 */
8
9 #include <linux/file.h>
10 #include <linux/fs.h>
11 #include <linux/namei.h>
12 #include <linux/magic.h>
13 #include <linux/mm.h>
14 #include <linux/mman.h>
15 #include <linux/module.h>
16 #include <linux/mount.h>
17 #include <linux/sched.h>
18 #include <linux/revoked_fs_i.h>
19 #include <linux/syscalls.h>
20
21 /**
22 * fileset - an array of file pointers.
23 * @files: the array of file pointers
24 * @nr: number of elements in the array
25 * @end: index to next unused file pointer
26 */
27 struct fileset {
28 struct file **files;
29 unsigned long nr;
30 unsigned long end;
31 };
32
33 /**
34 * revoke_details - details of the revoke operation
35 * @inode: invalidate open file descriptors of this inode
36 * @fset: set of files that point to a revoked inode
37 * @restore_start: index to the first file pointer that is currently in
38 * use by a file descriptor but the real file has not
39 * been revoked
40 */
41 struct revoke_details {
42 struct fileset *fset;
43 unsigned long restore_start;
44 };
45
46 static struct kmem_cache *revokefs_inode_cache;
47
48 static inline bool fset_is_full(struct fileset *set)
49 {
50 return set->nr == set->end;
51 }
52
53 static inline struct file *fset_get_filp(struct fileset *set)
54 {
55 return set->files[set->end++];
56 }
57
58 static struct fileset *alloc_fset(unsigned long size)
59 {
60 struct fileset *fset;
61
62 fset = kzalloc(sizeof *fset, GFP_KERNEL);
63 if (!fset)
64 return NULL;
65
66 fset->files = kcalloc(size, sizeof(struct file *), GFP_KERNEL);
67 if (!fset->files) {
68 kfree(fset);
69 return NULL;
70 }
71 fset->nr = size;
72 return fset;
73 }
74
75 static void free_fset(struct fileset *fset)
76 {
77 int i;
78
79 for (i = fset->end; i < fset->nr; i++)
80 fput(fset->files[i]);
81
82 kfree(fset->files);
83 kfree(fset);
84 }
85
86 /*
87 * Revoked file descriptors point to inodes in the revokefs filesystem.
88 */
89 static struct vfsmount *revokefs_mnt;
90
91 static struct file *get_revoked_file(void)
92 {
93 struct dentry *dentry;
94 struct inode *inode;
95 struct file *filp;
96 struct qstr name;
97
98 filp = get_empty_filp();
99 if (!filp)
100 goto err;
101
102 inode = new_inode(revokefs_mnt->mnt_sb);
103 if (!inode)
104 goto err_inode;
105
106 name.name = "revoked_file";
107 name.len = strlen(name.name);
108 dentry = d_alloc(revokefs_mnt->mnt_sb->s_root, &name);
109 if (!dentry)
110 goto err_dentry;
111
112 d_instantiate(dentry, inode);
113
114 filp->f_mapping = inode->i_mapping;
115 filp->f_dentry = dget(dentry);
116 filp->f_vfsmnt = mntget(revokefs_mnt);
117 filp->f_op = fops_get(inode->i_fop);
118 filp->f_pos = 0;
119
120 return filp;
121
122 err_dentry:
123 iput(inode);
124 err_inode:
125 fput(filp);
126 err:
127 return NULL;
128 }
129
130 static inline bool can_revoke_file(struct file *file, struct inode *inode,
131 struct file *to_exclude)
132 {
133 if (!file || file == to_exclude)
134 return false;
135
136 return file->f_dentry->d_inode == inode;
137 }
138
139 /*
140 * LOCKING: task_lock(owner)
141 */
142 static int revoke_fds(struct task_struct *owner,
143 struct inode *inode,
144 struct file *to_exclude, struct fileset *fset)
145 {
146 struct files_struct *files;
147 struct fdtable *fdt;
148 unsigned int fd;
149 int err = 0;
150
151 files = get_files_struct(owner);
152 if (!files)
153 goto out;
154
155 spin_lock(&files->file_lock);
156 fdt = files_fdtable(files);
157
158 for (fd = 0; fd < fdt->max_fds; fd++) {
159 struct revokefs_inode_info *info;
160 struct file *filp, *new_filp;
161 struct inode *new_inode;
162
163 filp = fcheck_files(files, fd);
164 if (!can_revoke_file(filp, inode, to_exclude))
165 continue;
166
167 if (!filp->f_op->revoke) {
168 err = -EOPNOTSUPP;
169 goto failed;
170 }
171
172 if (fset_is_full(fset)) {
173 err = -ENOMEM;
174 goto failed;
175 }
176
177 new_filp = fset_get_filp(fset);
178
179 /*
180 * Replace original struct file pointer with a pointer to
181 * a 'revoked file.' After this point, we don't need to worry
182 * about racing with sys_close or sys_dup.
183 */
184 rcu_assign_pointer(fdt->fd[fd], new_filp);
185
186 /*
187 * Hold on to task until we can take down the file and its
188 * mmap.
189 */
190 get_task_struct(owner);
191
192 new_inode = new_filp->f_dentry->d_inode;
193 make_revoked_inode(new_inode, inode->i_mode & S_IFMT);
194
195 info = revokefs_i(new_inode);
196 info->fd = fd;
197 info->file = filp;
198 info->owner = owner;
199 }
200 failed:
201 spin_unlock(&files->file_lock);
202 put_files_struct(files);
203 out:
204 return err;
205 }
206
207 static inline bool can_revoke_vma(struct vm_area_struct *vma,
208 struct inode *inode, struct file *to_exclude)
209 {
210 struct file *file = vma->vm_file;
211
212 if (vma->vm_flags & VM_REVOKED)
213 return false;
214
215 if (!file || file == to_exclude)
216 return false;
217
218 return file->f_path.dentry->d_inode == inode;
219 }
220
221 static int __revoke_break_cow(struct task_struct *tsk, struct inode *inode,
222 struct file *to_exclude)
223 {
224 struct mm_struct *mm = tsk->mm;
225 struct vm_area_struct *vma;
226 int err = 0;
227
228 down_read(&mm->mmap_sem);
229 for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) {
230 int ret;
231
232 if (vma->vm_flags & VM_SHARED)
233 continue;
234
235 if (!can_revoke_vma(vma, inode, to_exclude))
236 continue;
237
238 ret = get_user_pages(tsk, tsk->mm, vma->vm_start,
239 vma_pages(vma), 1, 1, NULL, NULL);
240 if (ret < 0) {
241 err = ret;
242 break;
243 }
244
245 unlink_file_vma(vma);
246 fput(vma->vm_file);
247 vma->vm_file = NULL;
248 }
249 up_read(&mm->mmap_sem);
250 return err;
251 }
252
253 static int revoke_break_cow(struct fileset *fset, struct inode *inode,
254 struct file *to_exclude)
255 {
256 unsigned long i;
257 int err = 0;
258
259 for (i = 0; i < fset->end; i++) {
260 struct revokefs_inode_info *info;
261 struct file *this;
262
263 this = fset->files[i];
264 info = revokefs_i(this->f_dentry->d_inode);
265
266 err = __revoke_break_cow(info->owner, inode, to_exclude);
267 if (err)
268 break;
269 }
270 return err;
271 }
272
273 /*
274 * LOCKING: down_write(&mm->mmap_sem)
275 * -> spin_lock(&mapping->i_mmap_lock)
276 */
277 static int revoke_vma(struct vm_area_struct *vma, struct zap_details *details)
278 {
279 unsigned long restart_addr, start_addr, end_addr;
280 int need_break;
281
282 start_addr = vma->vm_start;
283 end_addr = vma->vm_end;
284
285 again:
286 restart_addr = zap_page_range(vma, start_addr, end_addr - start_addr,
287 details);
288
289 need_break = need_resched() || need_lockbreak(details->i_mmap_lock);
290 if (need_break)
291 goto out_need_break;
292
293 if (restart_addr < end_addr) {
294 start_addr = restart_addr;
295 goto again;
296 }
297 vma->vm_flags |= VM_REVOKED;
298 return 0;
299
300 out_need_break:
301 spin_unlock(details->i_mmap_lock);
302 cond_resched();
303 spin_lock(details->i_mmap_lock);
304 return -EINTR;
305 }
306
307 /*
308 * LOCKING: spin_lock(&mapping->i_mmap_lock)
309 */
310 static int revoke_mm(struct mm_struct *mm, struct address_space *mapping,
311 struct file *to_exclude)
312 {
313 struct vm_area_struct *vma;
314 struct zap_details details;
315 int err = 0;
316
317 details.i_mmap_lock = &mapping->i_mmap_lock;
318
319 /*
320 * If ->mmap_sem is under contention, we continue scanning other
321 * mms and try again later.
322 */
323 if (!down_write_trylock(&mm->mmap_sem)) {
324 err = -EAGAIN;
325 goto out;
326 }
327 for (vma = mm->mmap; vma != NULL; vma = vma->vm_next) {
328 if (!(vma->vm_flags & VM_SHARED))
329 continue;
330
331 if (!can_revoke_vma(vma, mapping->host, to_exclude))
332 continue;
333
334 err = revoke_vma(vma, &details);
335 if (err)
336 break;
337
338 __unlink_file_vma(vma);
339 fput(vma->vm_file);
340 vma->vm_file = NULL;
341 }
342 up_write(&mm->mmap_sem);
343 out:
344 return err;
345 }
346
347 /*
348 * LOCKING: spin_lock(&mapping->i_mmap_lock)
349 */
350 static void revoke_mapping_tree(struct address_space *mapping,
351 struct file *to_exclude)
352 {
353 struct vm_area_struct *vma;
354 struct prio_tree_iter iter;
355 int try_again = 0;
356
357 restart:
358 vma_prio_tree_foreach(vma, &iter, &mapping->i_mmap, 0, ULONG_MAX) {
359 int err;
360
361 if (!(vma->vm_flags & VM_SHARED))
362 continue;
363
364 if (likely(!can_revoke_vma(vma, mapping->host, to_exclude)))
365 continue;
366
367 err = revoke_mm(vma->vm_mm, mapping, to_exclude);
368 if (err == -EAGAIN)
369 try_again = 1;
370
371 goto restart;
372 }
373 if (try_again) {
374 cond_resched();
375 goto restart;
376 }
377 }
378
379 /*
380 * LOCKING: spin_lock(&mapping->i_mmap_lock)
381 */
382 static void revoke_mapping_list(struct address_space *mapping,
383 struct file *to_exclude)
384 {
385 struct vm_area_struct *vma;
386 int try_again = 0;
387
388 restart:
389 list_for_each_entry(vma, &mapping->i_mmap_nonlinear, shared.vm_set.list) {
390 int err;
391
392 if (likely(!can_revoke_vma(vma, mapping->host, to_exclude)))
393 continue;
394
395 err = revoke_mm(vma->vm_mm, mapping, to_exclude);
396 if (err == -EAGAIN) {
397 try_again = 1;
398 continue;
399 }
400 if (err == -EINTR)
401 goto restart;
402 }
403 if (try_again) {
404 cond_resched();
405 goto restart;
406 }
407 }
408
409 static void revoke_mapping(struct address_space *mapping, struct file *to_exclude)
410 {
411 spin_lock(&mapping->i_mmap_lock);
412 if (unlikely(!prio_tree_empty(&mapping->i_mmap)))
413 revoke_mapping_tree(mapping, to_exclude);
414 if (unlikely(!list_empty(&mapping->i_mmap_nonlinear)))
415 revoke_mapping_list(mapping, to_exclude);
416 spin_unlock(&mapping->i_mmap_lock);
417 }
418
419 static void restore_file(struct revokefs_inode_info *info)
420 {
421 struct files_struct *files;
422
423 files = get_files_struct(info->owner);
424 if (files) {
425 struct fdtable *fdt;
426 struct file *filp;
427
428 spin_lock(&files->file_lock);
429 fdt = files_fdtable(files);
430
431 filp = fdt->fd[info->fd];
432 if (filp)
433 fput(filp);
434
435 rcu_assign_pointer(fdt->fd[info->fd], info->file);
436 FD_SET(info->fd, fdt->close_on_exec);
437 spin_unlock(&files->file_lock);
438 put_files_struct(files);
439 }
440 put_task_struct(info->owner);
441 info->owner = NULL; /* To avoid double-restore. */
442 }
443
444 static void restore_files(struct revoke_details *details)
445 {
446 unsigned long i;
447
448 for (i = details->restore_start; i < details->fset->end; i++) {
449 struct revokefs_inode_info *info;
450 struct file *filp;
451
452 filp = details->fset->files[i];
453 info = revokefs_i(filp->f_dentry->d_inode);
454
455 restore_file(info);
456 }
457 }
458
459 static int revoke_files(struct revoke_details *details)
460 {
461 unsigned long i;
462 int err = 0;
463
464 for (i = 0; i < details->fset->end; i++) {
465 struct revokefs_inode_info *info;
466 struct file *this, *filp;
467 struct inode *inode;
468
469 this = details->fset->files[i];
470 inode = this->f_dentry->d_inode;
471 info = revokefs_i(inode);
472
473 /*
474 * Increase count before attempting to close file as
475 * an partially closed file can no longer be restored.
476 */
477 details->restore_start++;
478 filp = info->file;
479 err = filp->f_op->revoke(filp, inode->i_mapping);
480 put_task_struct(info->owner);
481 info->owner = NULL; /* To avoid restoring closed file. */
482 if (err)
483 goto out;
484 }
485 out:
486 return err;
487 }
488
489 /*
490 * Returns the maximum number of file descriptors pointing to an inode.
491 *
492 * LOCKING: read_lock(&tasklist_lock)
493 */
494 static unsigned long inode_fds(struct inode *inode, struct file *to_exclude)
495 {
496 struct task_struct *g, *p;
497 unsigned long nr_fds = 0;
498
499 do_each_thread(g, p) {
500 struct files_struct *files;
501 struct fdtable *fdt;
502 unsigned int fd;
503
504 files = get_files_struct(p);
505 if (!files)
506 continue;
507
508 spin_lock(&files->file_lock);
509 fdt = files_fdtable(files);
510 for (fd = 0; fd < fdt->max_fds; fd++) {
511 struct file *file;
512
513 file = fcheck_files(files, fd);
514 if (can_revoke_file(file, inode, to_exclude)) {
515 nr_fds += fdt->max_fds;
516 break;
517 }
518 }
519 spin_unlock(&files->file_lock);
520 put_files_struct(files);
521 }
522 while_each_thread(g, p);
523 return nr_fds;
524 }
525
526 static struct fileset *__alloc_revoke_fset(unsigned long size)
527 {
528 struct fileset *fset;
529 int i;
530
531 fset = alloc_fset(size);
532 if (!fset)
533 return NULL;
534
535 for (i = 0; i < fset->nr; i++) {
536 struct file *filp;
537
538 filp = get_revoked_file();
539 if (!filp)
540 goto err;
541
542 fset->files[i] = filp;
543 }
544 return fset;
545 err:
546 free_fset(fset);
547 return NULL;
548 }
549
550 static int do_revoke(struct inode *inode, struct file *to_exclude)
551 {
552 struct revoke_details details;
553 struct fileset *fset = NULL;
554 struct task_struct *g, *p;
555 unsigned long nr_fds;
556 int err = 0;
557
558 if (current->fsuid != inode->i_uid && !capable(CAP_FOWNER)) {
559 err = -EPERM;
560 goto out;
561 }
562
563 retry:
564 if (signal_pending(current)) {
565 err = -ERESTARTSYS;
566 goto out;
567 }
568
569 read_lock(&tasklist_lock);
570 nr_fds = inode_fds(inode, to_exclude);
571 read_unlock(&tasklist_lock);
572
573 if (!nr_fds)
574 goto out;
575
576 /*
577 * Pre-allocate memory because the first pass is done under
578 * tasklist_lock.
579 */
580 fset = __alloc_revoke_fset(nr_fds);
581 if (!fset) {
582 err = -ENOMEM;
583 goto out;
584 }
585
586 read_lock(&tasklist_lock);
587
588 /*
589 * If someone forked while we were allocating memory, try again.
590 */
591 if (inode_fds(inode, to_exclude) > fset->nr) {
592 read_unlock(&tasklist_lock);
593 free_fset(fset);
594 goto retry;
595 }
596
597 details.fset = fset;
598 details.restore_start = 0;
599
600 /*
601 * First revoke the descriptors. After we are done, no one can start
602 * new operations on them.
603 */
604 do_each_thread(g, p) {
605 err = revoke_fds(p, inode, to_exclude, fset);
606 if (err)
607 goto exit_loop;
608 }
609 while_each_thread(g, p);
610 exit_loop:
611 read_unlock(&tasklist_lock);
612
613 if (err)
614 goto out_restore;
615
616 /*
617 * Take down shared memory mappings.
618 */
619 revoke_mapping(inode->i_mapping, to_exclude);
620
621 /*
622 * Break COW for private mappings.
623 */
624 err = revoke_break_cow(fset, inode, to_exclude);
625 if (err)
626 goto out_restore;
627
628 /*
629 * Now, revoke the files for good.
630 */
631 err = revoke_files(&details);
632 if (err)
633 goto out_restore;
634
635 out_free_table:
636 free_fset(fset);
637 out:
638 return err;
639
640 out_restore:
641 restore_files(&details);
642 goto out_free_table;
643 }
644
645 asmlinkage long sys_revokeat(int dfd, const char __user * filename)
646 {
647 struct nameidata nd;
648 int err;
649
650 err = __user_walk_fd(dfd, filename, 0, &nd);
651 if (!err) {
652 err = do_revoke(nd.dentry->d_inode, NULL);
653 path_release(&nd);
654 }
655 return err;
656 }
657
658 asmlinkage long sys_frevoke(unsigned int fd)
659 {
660 struct file *file = fget(fd);
661 int err = -EBADF;
662
663 if (file) {
664 err = do_revoke(file->f_dentry->d_inode, file);
665 fput(file);
666 }
667 return err;
668 }
669
670 int generic_file_revoke(struct file *file, struct address_space *new_mapping)
671 {
672 struct address_space *mapping = file->f_mapping;
673 int err;
674
675 /*
676 * Flush pending writes.
677 */
678 err = do_fsync(file, 1);
679 if (err)
680 goto out;
681
682 file->f_mapping = new_mapping;
683
684 /*
685 * Make pending reads fail.
686 */
687 err = invalidate_inode_pages2(mapping);
688
689 out:
690 return err;
691 }
692 EXPORT_SYMBOL(generic_file_revoke);
693
694 /*
695 * Filesystem for revoked files.
696 */
697
698 static struct inode *revokefs_alloc_inode(struct super_block *sb)
699 {
700 struct revokefs_inode_info *info;
701
702 info = kmem_cache_alloc(revokefs_inode_cache, GFP_KERNEL);
703 if (!info)
704 return NULL;
705
706 return &info->vfs_inode;
707 }
708
709 static void revokefs_destroy_inode(struct inode *inode)
710 {
711 kmem_cache_free(revokefs_inode_cache, revokefs_i(inode));
712 }
713
714 static struct super_operations revokefs_super_ops = {
715 .alloc_inode = revokefs_alloc_inode,
716 .destroy_inode = revokefs_destroy_inode,
717 .drop_inode = generic_delete_inode,
718 };
719
720 static int revokefs_get_sb(struct file_system_type *fs_type,
721 int flags, const char *dev_name, void *data,
722 struct vfsmount *mnt)
723 {
724 return get_sb_pseudo(fs_type, "revoke:", &revokefs_super_ops,
725 REVOKEFS_MAGIC, mnt);
726 }
727
728 static struct file_system_type revokefs_fs_type = {
729 .name = "revokefs",
730 .get_sb = revokefs_get_sb,
731 .kill_sb = kill_anon_super
732 };
733
734 static void revokefs_init_inode(struct kmem_cache *cache, void *obj)
735 {
736 struct revokefs_inode_info *info = obj;
737
738 info->owner = NULL;
739 inode_init_once(&info->vfs_inode);
740 }
741
742 static int __init revokefs_init(void)
743 {
744 int err = -ENOMEM;
745
746 revokefs_inode_cache =
747 kmem_cache_create("revokefs_inode_cache",
748 sizeof(struct revokefs_inode_info),
749 0,
750 (SLAB_HWCACHE_ALIGN | SLAB_RECLAIM_ACCOUNT |
751 SLAB_MEM_SPREAD), revokefs_init_inode);
752 if (!revokefs_inode_cache)
753 goto out;
754
755 err = register_filesystem(&revokefs_fs_type);
756 if (err)
757 goto err_register;
758
759 revokefs_mnt = kern_mount(&revokefs_fs_type);
760 if (IS_ERR(revokefs_mnt)) {
761 err = PTR_ERR(revokefs_mnt);
762 goto err_mnt;
763 }
764 out:
765 return err;
766 err_mnt:
767 unregister_filesystem(&revokefs_fs_type);
768 err_register:
769 kmem_cache_destroy(revokefs_inode_cache);
770 return err;
771 }
772
773 late_initcall(revokefs_init);
Linux -mm trees (mirror)