[linux/fpc-iii.git] / fs / xfs / xfs_itable.c
/*
 * Copyright (c) 2000-2002,2005 Silicon Graphics, Inc.
 * All Rights Reserved.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation.
 *
 * This program is distributed in the hope that it would be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, write the Free Software Foundation,
 * Inc.,  51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 */
18 #include "xfs.h"
19 #include "xfs_fs.h"
20 #include "xfs_shared.h"
21 #include "xfs_format.h"
22 #include "xfs_log_format.h"
23 #include "xfs_trans_resv.h"
24 #include "xfs_mount.h"
25 #include "xfs_inode.h"
26 #include "xfs_btree.h"
27 #include "xfs_ialloc.h"
28 #include "xfs_ialloc_btree.h"
29 #include "xfs_itable.h"
30 #include "xfs_error.h"
31 #include "xfs_trace.h"
32 #include "xfs_icache.h"
/*
 * Tell whether @ino names one of the inodes recorded in the superblock as
 * filesystem-internal: the sb_rbmino / sb_rsumino inodes, or a quota inode
 * when the superblock has the quota feature.
 *
 * Returns 1 for an internal inode and 0 otherwise.  xfs_bulkstat_one_int()
 * uses this to refuse such inode numbers with -EINVAL before looking the
 * inode up.
 */
STATIC int
xfs_internal_inum(
	xfs_mount_t	*mp,
	xfs_ino_t	ino)
{
	if (ino == mp->m_sb.sb_rbmino)
		return 1;
	if (ino == mp->m_sb.sb_rsumino)
		return 1;

	/* Quota inodes only exist when the superblock has the feature. */
	if (!xfs_sb_version_hasquota(&mp->m_sb))
		return 0;

	return xfs_is_quota_inode(&mp->m_sb, ino) ? 1 : 0;
}
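/*
 * Return stat information for one inode.
 *
 * Looks up @ino, fills a kernel-side struct xfs_bstat from the in-core inode
 * and hands it to @formatter, which is expected to copy it to @buffer.
 *
 * *stat is set to BULKSTAT_RV_NOTHING on entry and to BULKSTAT_RV_DIDONE only
 * after @formatter has succeeded.
 *
 * Return 0 if ok, else a negative errno: -EINVAL for a NULL @buffer or an
 * internal inode number, -ENOMEM if the staging buffer cannot be allocated,
 * otherwise whatever xfs_iget() or @formatter returned.
 */
int
xfs_bulkstat_one_int(
	struct xfs_mount	*mp,		/* mount point for filesystem */
	xfs_ino_t		ino,		/* inode to get data for */
	void __user		*buffer,	/* buffer to place output in */
	int			ubsize,		/* size of buffer */
	bulkstat_one_fmt_pf	formatter,	/* formatter, copy to user */
	int			*ubused,	/* bytes used by me */
	int			*stat)		/* BULKSTAT_RV_... */
{
	struct xfs_icdinode	*dic;		/* dinode core info pointer */
	struct xfs_inode	*ip;		/* incore inode pointer */
	struct xfs_bstat	*buf;		/* return buffer */
	int			error = 0;	/* error value */

	*stat = BULKSTAT_RV_NOTHING;

	if (!buffer || xfs_internal_inum(mp, ino))
		return -EINVAL;

	buf = kmem_alloc(sizeof(*buf), KM_SLEEP | KM_MAYFAIL);
	if (!buf)
		return -ENOMEM;

	/*
	 * The whole structure is passed to the formatter, which copies it out
	 * to userspace.  Zero it first so that any byte the assignments below
	 * do not cover -- compiler padding inside struct xfs_bstat, or
	 * bs_rdev/bs_blksize/bs_blocks for a di_format the switch does not
	 * list -- cannot carry stale heap contents across the user boundary.
	 * This also covers bs_pad, which used to be cleared separately.
	 */
	memset(buf, 0, sizeof(*buf));

	/*
	 * The inode number is looked up with XFS_IGET_UNTRUSTED; DONTCACHE
	 * is passed as well.
	 */
	error = xfs_iget(mp, NULL, ino,
			 (XFS_IGET_DONTCACHE | XFS_IGET_UNTRUSTED),
			 XFS_ILOCK_SHARED, &ip);
	if (error)
		goto out_free;

	ASSERT(ip != NULL);
	ASSERT(ip->i_imap.im_blkno != 0);

	dic = &ip->i_d;

	/* xfs_iget returns the following without needing
	 * further change.
	 */
	buf->bs_nlink = dic->di_nlink;
	buf->bs_projid_lo = dic->di_projid_lo;
	buf->bs_projid_hi = dic->di_projid_hi;
	buf->bs_ino = ino;
	buf->bs_mode = dic->di_mode;
	buf->bs_uid = dic->di_uid;
	buf->bs_gid = dic->di_gid;
	buf->bs_size = dic->di_size;
	buf->bs_atime.tv_sec = dic->di_atime.t_sec;
	buf->bs_atime.tv_nsec = dic->di_atime.t_nsec;
	buf->bs_mtime.tv_sec = dic->di_mtime.t_sec;
	buf->bs_mtime.tv_nsec = dic->di_mtime.t_nsec;
	buf->bs_ctime.tv_sec = dic->di_ctime.t_sec;
	buf->bs_ctime.tv_nsec = dic->di_ctime.t_nsec;
	buf->bs_xflags = xfs_ip2xflags(ip);
	buf->bs_extsize = dic->di_extsize << mp->m_sb.sb_blocklog;
	buf->bs_extents = dic->di_nextents;
	buf->bs_gen = dic->di_gen;
	buf->bs_dmevmask = dic->di_dmevmask;
	buf->bs_dmstate = dic->di_dmstate;
	buf->bs_aextents = dic->di_anextents;
	buf->bs_forkoff = XFS_IFORK_BOFF(ip);

	switch (dic->di_format) {
	case XFS_DINODE_FMT_DEV:
		buf->bs_rdev = ip->i_df.if_u2.if_rdev;
		buf->bs_blksize = BLKDEV_IOSIZE;
		buf->bs_blocks = 0;
		break;
	case XFS_DINODE_FMT_LOCAL:
	case XFS_DINODE_FMT_UUID:
		buf->bs_rdev = 0;
		buf->bs_blksize = mp->m_sb.sb_blocksize;
		buf->bs_blocks = 0;
		break;
	case XFS_DINODE_FMT_EXTENTS:
	case XFS_DINODE_FMT_BTREE:
		buf->bs_rdev = 0;
		buf->bs_blksize = mp->m_sb.sb_blocksize;
		buf->bs_blocks = dic->di_nblocks + ip->i_delayed_blks;
		break;
	default:
		/* Unlisted format: the three fields keep their zero fill. */
		break;
	}

	/* Drop the inode before the user copy done by the formatter. */
	xfs_iunlock(ip, XFS_ILOCK_SHARED);
	IRELE(ip);

	error = formatter(buffer, ubsize, ubused, buf);
	if (!error)
		*stat = BULKSTAT_RV_DIDONE;

 out_free:
	kmem_free(buf);
	return error;
}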
/*
 * Copy one xfs_bstat_t from the kernel buffer @buffer to user memory at
 * @ubuffer and, when @ubused is non-NULL, report the number of bytes written.
 *
 * Returns 0 on success or a negative errno: -ENOMEM when @ubsize is smaller
 * than the structure, -EFAULT when the user copy fails.
 *
 * NOTE(review): @ubsize is an int compared against a size_t, so the int is
 * converted to unsigned for the comparison and a negative @ubsize would not
 * be rejected here.  Callers are relied on to pass a non-negative size --
 * confirm against the ioctl entry points.
 */
STATIC int
xfs_bulkstat_one_fmt(
	void			__user *ubuffer,
	int			ubsize,
	int			*ubused,
	const xfs_bstat_t	*buffer)
{
	const size_t		len = sizeof(*buffer);

	if (ubsize < len)
		return -ENOMEM;

	if (copy_to_user(ubuffer, buffer, len))
		return -EFAULT;

	if (ubused)
		*ubused = len;

	return 0;
}
/*
 * Stat a single inode using the native formatter: a thin wrapper that calls
 * xfs_bulkstat_one_int() with xfs_bulkstat_one_fmt as the copy-out routine.
 * Returns whatever xfs_bulkstat_one_int() returns.
 */
int
xfs_bulkstat_one(
	xfs_mount_t	*mp,		/* mount point for filesystem */
	xfs_ino_t	ino,		/* inode number to get data for */
	void		__user *buffer,	/* buffer to place output in */
	int		ubsize,		/* size of buffer */
	int		*ubused,	/* bytes used by me */
	int		*stat)		/* BULKSTAT_RV_... */
{
	int		error;

	error = xfs_bulkstat_one_int(mp, ino, buffer, ubsize,
				     xfs_bulkstat_one_fmt, ubused, stat);
	return error;
}
/*
 * Walk the clusters of one inode chunk, described by the in-core inode
 * allocation btree record @irec, and issue readahead for every cluster that
 * holds at least one allocated inode.  The requests are issued between
 * blk_start_plug() and blk_finish_plug().
 */
STATIC void
xfs_bulkstat_ichunk_ra(
	struct xfs_mount		*mp,
	xfs_agnumber_t			agno,
	struct xfs_inobt_rec_incore	*irec)
{
	xfs_agblock_t			cluster_bno;
	struct blk_plug			plug;
	int				fsb_per_cluster;
	int				ino_per_cluster;
	int				chunk_ino = 0;	/* inode chunk index */

	cluster_bno = XFS_AGINO_TO_AGBNO(mp, irec->ir_startino);
	fsb_per_cluster = xfs_icluster_size_fsb(mp);
	ino_per_cluster = fsb_per_cluster << mp->m_sb.sb_inopblog;

	blk_start_plug(&plug);
	while (chunk_ino < XFS_INODES_PER_CHUNK) {
		/* A cluster is worth reading if any of its inodes is in use. */
		if (xfs_inobt_maskn(chunk_ino, ino_per_cluster) & ~irec->ir_free)
			xfs_btree_reada_bufs(mp, agno, cluster_bno,
					     fsb_per_cluster,
					     &xfs_inode_buf_ops);

		chunk_ino += ino_per_cluster;
		cluster_bno += fsb_per_cluster;
	}
	blk_finish_plug(&plug);
}
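/*
 * Lookup the inode chunk that the given inode lives in and then get the record
 * if we found the chunk.  If the inode was not the last in the chunk and there
 * are some left allocated, update the data for the pointed-to record as well as
 * return the count of grabbed inodes.
 *
 * *icount is always written: it is 0 whenever no inodes were grabbed,
 * including the error returns.  Previously the path where the chunk was found
 * but held nothing allocated past @agino returned 0 without storing to
 * *icount, leaving the result dependent on the caller's initialisation.
 *
 * Returns 0 on success or the error from the btree lookup/record fetch; the
 * XFS_WANT_CORRUPTED_RETURN() check returns from this function if the record
 * fetch did not report exactly one record.
 */
STATIC int
xfs_bulkstat_grab_ichunk(
	struct xfs_btree_cur		*cur,	/* btree cursor */
	xfs_agino_t			agino,	/* starting inode of chunk */
	int				*icount,/* return # of inodes grabbed */
	struct xfs_inobt_rec_incore	*irec)	/* btree record */
{
	int				idx;	/* index into inode chunk */
	int				stat;
	int				error = 0;

	/* Give the out-parameter a defined value on every return path. */
	*icount = 0;

	/* Lookup the inode chunk that this inode lives in */
	error = xfs_inobt_lookup(cur, agino, XFS_LOOKUP_LE, &stat);
	if (error)
		return error;
	if (!stat)
		return error;

	/* Get the record, should always work */
	error = xfs_inobt_get_rec(cur, irec, &stat);
	if (error)
		return error;
	XFS_WANT_CORRUPTED_RETURN(cur->bc_mp, stat == 1);

	/* Check if the record contains the inode in request */
	if (irec->ir_startino + XFS_INODES_PER_CHUNK <= agino)
		return 0;

	/* idx is the chunk slot just past @agino, i.e. the first one wanted. */
	idx = agino - irec->ir_startino + 1;
	if (idx < XFS_INODES_PER_CHUNK &&
	    (xfs_inobt_maskn(idx, XFS_INODES_PER_CHUNK - idx) & ~irec->ir_free)) {
		int	i;

		/* We got a right chunk with some left inodes allocated at it.
		 * Grab the chunk record.  Mark all the uninteresting inodes
		 * free -- because they're before our start point.
		 */
		for (i = 0; i < idx; i++) {
			if (XFS_INOBT_MASK(i) & ~irec->ir_free)
				irec->ir_freecount++;
		}

		irec->ir_free |= xfs_inobt_maskn(0, idx);
		*icount = irec->ir_count - irec->ir_freecount;
	}

	return 0;
}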
/*
 * NOTE(review): this macro picks up `statstruct_size` from the scope it is
 * expanded in instead of taking it as an argument; no expansion of it is
 * visible in this listing.
 */
#define XFS_BULKSTAT_UBLEFT(ubleft)	((ubleft) >= statstruct_size)

/*
 * Running position in the caller-supplied output buffer, shared between
 * xfs_bulkstat() and xfs_bulkstat_ag_ichunk().
 *
 * NOTE(review): ac_ubleft is a signed int but is compared against size_t
 * values by its users, so those comparisons are done unsigned.
 */
struct xfs_bulkstat_agichunk {
	/* pointer into user's buffer */
	char		__user **ac_ubuffer;
	/* bytes left in user's buffer */
	int		ac_ubleft;
	/* spaces used in user's buffer */
	int		ac_ubelem;
};
/*
 * Process inodes in chunk with a pointer to a formatter function
 * that will iget the inode and fill in the appropriate structure.
 *
 * For every allocated inode of the chunk record @irbp, @formatter is called
 * with the current user-buffer position; on success the position, the bytes
 * left and the element count in @acp are advanced.  The walk stops early when
 * fewer than @statstruct_size bytes remain, when the formatter reports
 * BULKSTAT_RV_GIVEUP, or on an error other than -ENOENT / -EINVAL (those two
 * are swallowed and the inode is skipped).
 *
 * Returns 0, or the error that ended the walk.
 *
 * NOTE(review): acp->ac_ubleft is an int and @statstruct_size a size_t, so
 * the "won't fit" test below is an unsigned comparison; a negative ac_ubleft
 * would not stop the loop.  This relies on the caller setting up a sane byte
 * count -- confirm.
 */
static int
xfs_bulkstat_ag_ichunk(
	struct xfs_mount		*mp,
	xfs_agnumber_t			agno,
	struct xfs_inobt_rec_incore	*irbp,
	bulkstat_one_pf			formatter,
	size_t				statstruct_size,
	struct xfs_bulkstat_agichunk	*acp,
	xfs_agino_t			*last_agino)
{
	char				__user **ubufp = acp->ac_ubuffer;
	xfs_agino_t			agino = irbp->ir_startino;
	int				error = 0;
	int				slot;

	for (slot = 0; slot < XFS_INODES_PER_CHUNK; slot++, agino++) {
		int		fmt_rv;
		int		nbytes;
		bool		fatal;

		/* inode won't fit in buffer, we are done */
		if (acp->ac_ubleft < statstruct_size)
			break;

		/* Skip if this inode is free */
		if (XFS_INOBT_MASK(slot) & irbp->ir_free)
			continue;

		/* Get the inode and fill in a single buffer */
		nbytes = statstruct_size;
		error = formatter(mp, XFS_AGINO_TO_INO(mp, agno, agino),
				  *ubufp, acp->ac_ubleft, &nbytes, &fmt_rv);

		/*
		 * Either the formatter asked us to give up, or it failed with
		 * something other than the two errors that just mean "skip
		 * this inode".
		 */
		fatal = (fmt_rv == BULKSTAT_RV_GIVEUP);
		if (!fatal && error)
			fatal = (error != -ENOENT && error != -EINVAL);
		if (fatal) {
			acp->ac_ubleft = 0;
			ASSERT(error);
			break;
		}

		/* be careful not to leak error if at end of chunk */
		if (fmt_rv == BULKSTAT_RV_NOTHING || error) {
			error = 0;
			continue;
		}

		/* One record emitted: advance the user-buffer cursor. */
		*ubufp += nbytes;
		acp->ac_ubleft -= nbytes;
		acp->ac_ubelem++;
	}

	/*
	 * Post-update *last_agino. At this point, agino will always point one
	 * inode past the last inode we processed successfully. Hence we
	 * subtract that inode when setting the *last_agino cursor so that we
	 * return the correct cookie to userspace. On the next bulkstat call,
	 * the inode under the lastino cookie will be skipped as we have already
	 * processed it here.
	 */
	*last_agino = agino - 1;

	return error;
}
/*
 * Return stat information in bulk (by-inode) for the filesystem.
 *
 * Starting just after the inode named by *lastinop, walks the inode
 * allocation btree of each allocation group, collects chunk records that
 * have allocated inodes into a kernel buffer, then calls @formatter through
 * xfs_bulkstat_ag_ichunk() to write one @statstruct_size record per inode
 * into @ubuffer.
 *
 * On return *ubcountp holds the number of records written, *lastinop the
 * cookie for the next call, and *done is 1 once the walk has moved past the
 * last allocation group (or *lastinop was not a valid starting point).
 *
 * Returns 0 or a negative errno.  An error is cleared when at least one
 * record was written, see the comment near the end.
 *
 * NOTE(review): *ubcountp is taken as given.  The byte budget is computed as
 * ubcount * statstruct_size (a size_t product) and stored in the int
 * ac_ubleft, and ac_ubleft is later compared against the size_t
 * statstruct_size, which makes those comparisons unsigned.  A count that is
 * negative or too large for the product to fit in an int is not rejected
 * here -- confirm that every caller bounds it before calling.
 */
int					/* error status */
xfs_bulkstat(
	xfs_mount_t		*mp,	/* mount point for filesystem */
	xfs_ino_t		*lastinop, /* last inode returned */
	int			*ubcountp, /* size of buffer/count returned */
	bulkstat_one_pf		formatter, /* func that'd fill a single buf */
	size_t			statstruct_size, /* sizeof struct filling */
	char			__user *ubuffer, /* buffer with inode stats */
	int			*done)	/* set to 1 when the walk is finished */
{
	xfs_buf_t		*agbp;	/* agi header buffer */
	xfs_agino_t		agino;	/* inode # in allocation group */
	xfs_agnumber_t		agno;	/* allocation group number */
	xfs_btree_cur_t		*cur;	/* btree cursor for ialloc btree */
	xfs_inobt_rec_incore_t	*irbuf;	/* start of irec buffer */
	int			nirbuf;	/* size of irbuf */
	int			ubcount; /* size of user's buffer */
	struct xfs_bulkstat_agichunk ac;
	int			error = 0;

	/*
	 * Get the last inode value, see if there's nothing to do.
	 * The cookie is split into AG number and AG-relative inode and
	 * recombined; a cookie that does not round-trip, or names an AG past
	 * the end, ends the walk with zero records.
	 */
	agno = XFS_INO_TO_AGNO(mp, *lastinop);
	agino = XFS_INO_TO_AGINO(mp, *lastinop);
	if (agno >= mp->m_sb.sb_agcount ||
	    *lastinop != XFS_AGINO_TO_INO(mp, agno, agino)) {
		*done = 1;
		*ubcountp = 0;
		return 0;
	}

	ubcount = *ubcountp; /* statstruct's */
	ac.ac_ubuffer = &ubuffer;
	/* NOTE(review): size_t product narrowed to int, see header comment. */
	ac.ac_ubleft = ubcount * statstruct_size; /* bytes */;
	ac.ac_ubelem = 0;

	*ubcountp = 0;
	*done = 0;

	/* Four pages of in-core chunk records, reused for every AG. */
	irbuf = kmem_zalloc_large(PAGE_SIZE * 4, KM_SLEEP);
	if (!irbuf)
		return -ENOMEM;
	nirbuf = (PAGE_SIZE * 4) / sizeof(*irbuf);

	/*
	 * Loop over the allocation groups, starting from the last
	 * inode returned; 0 means start of the allocation group.
	 */
	while (agno < mp->m_sb.sb_agcount) {
		struct xfs_inobt_rec_incore	*irbp = irbuf;
		struct xfs_inobt_rec_incore	*irbufend = irbuf + nirbuf;
		bool				end_of_ag = false;
		int				icount = 0;
		int				stat;

		error = xfs_ialloc_read_agi(mp, NULL, agno, &agbp);
		if (error)
			break;
		/*
		 * Allocate and initialize a btree cursor for ialloc btree.
		 */
		cur = xfs_inobt_init_cursor(mp, NULL, agbp, agno,
					    XFS_BTNUM_INO);
		if (agino > 0) {
			/*
			 * In the middle of an allocation group, we need to get
			 * the remainder of the chunk we're in.
			 */
			struct xfs_inobt_rec_incore	r;

			error = xfs_bulkstat_grab_ichunk(cur, agino, &icount, &r);
			if (error)
				goto del_cursor;
			if (icount) {
				irbp->ir_startino = r.ir_startino;
				irbp->ir_holemask = r.ir_holemask;
				irbp->ir_count = r.ir_count;
				irbp->ir_freecount = r.ir_freecount;
				irbp->ir_free = r.ir_free;
				irbp++;
			}
			/* Increment to the next record */
			error = xfs_btree_increment(cur, 0, &stat);
		} else {
			/* Start of ag.  Lookup the first inode chunk */
			error = xfs_inobt_lookup(cur, 0, XFS_LOOKUP_GE, &stat);
		}
		if (error || stat == 0) {
			end_of_ag = true;
			goto del_cursor;
		}

		/*
		 * Loop through inode btree records in this ag,
		 * until we run out of inodes or space in the buffer.
		 * The irbp < irbufend test is what keeps the stores below
		 * inside irbuf.
		 */
		while (irbp < irbufend && icount < ubcount) {
			struct xfs_inobt_rec_incore	r;

			error = xfs_inobt_get_rec(cur, &r, &stat);
			if (error || stat == 0) {
				end_of_ag = true;
				goto del_cursor;
			}

			/*
			 * If this chunk has any allocated inodes, save it.
			 * Also start read-ahead now for this chunk.
			 */
			if (r.ir_freecount < r.ir_count) {
				xfs_bulkstat_ichunk_ra(mp, agno, &r);
				irbp->ir_startino = r.ir_startino;
				irbp->ir_holemask = r.ir_holemask;
				irbp->ir_count = r.ir_count;
				irbp->ir_freecount = r.ir_freecount;
				irbp->ir_free = r.ir_free;
				irbp++;
				icount += r.ir_count - r.ir_freecount;
			}
			error = xfs_btree_increment(cur, 0, &stat);
			if (error || stat == 0) {
				end_of_ag = true;
				goto del_cursor;
			}
			cond_resched();
		}

		/*
		 * Drop the btree buffers and the agi buffer as we can't hold any
		 * of the locks these represent when calling iget. If there is a
		 * pending error, then we are done.
		 */
del_cursor:
		xfs_btree_del_cursor(cur, error ?
					  XFS_BTREE_ERROR : XFS_BTREE_NOERROR);
		xfs_buf_relse(agbp);
		if (error)
			break;
		/*
		 * Now format all the good inodes into the user's buffer. The
		 * call to xfs_bulkstat_ag_ichunk() sets up the agino pointer
		 * for the next loop iteration.
		 */
		irbufend = irbp;
		for (irbp = irbuf;
		     irbp < irbufend && ac.ac_ubleft >= statstruct_size;
		     irbp++) {
			error = xfs_bulkstat_ag_ichunk(mp, agno, irbp,
					formatter, statstruct_size, &ac,
					&agino);
			if (error)
				break;

			cond_resched();
		}

		/*
		 * If we've run out of space or had a formatting error, we
		 * are now done
		 */
		if (ac.ac_ubleft < statstruct_size || error)
			break;

		if (end_of_ag) {
			agno++;
			agino = 0;
		}
	}
	/*
	 * Done, we're either out of filesystem or space to put the data.
	 */
	kmem_free(irbuf);
	*ubcountp = ac.ac_ubelem;

	/*
	 * We found some inodes, so clear the error status and return them.
	 * The lastino pointer will point directly at the inode that triggered
	 * any error that occurred, so on the next call the error will be
	 * triggered again and propagated to userspace as there will be no
	 * formatted inodes in the buffer.
	 */
	if (ac.ac_ubelem)
		error = 0;

	/*
	 * If we ran out of filesystem, lastino will point off the end of
	 * the filesystem so the next call will return immediately.
	 */
	*lastinop = XFS_AGINO_TO_INO(mp, agno, agino);
	if (agno >= mp->m_sb.sb_agcount)
		*done = 1;

	return error;
}
/*
 * Copy @count struct xfs_inogrp records from the kernel buffer @buffer to
 * user memory at @ubuffer and store the number of bytes copied in *written.
 *
 * Returns 0 on success or -EFAULT if the user copy fails; *written is left
 * untouched on failure.
 *
 * The records are copied as raw structures, so every byte of @buffer in the
 * copied range -- padding included -- must have been initialised by the
 * caller.
 */
int
xfs_inumbers_fmt(
	void			__user *ubuffer, /* buffer to write to */
	const struct xfs_inogrp	*buffer,	/* buffer to read from */
	long			count,		/* # of elements to read */
	long			*written)	/* # of bytes written */
{
	size_t			nbytes = count * sizeof(*buffer);

	if (copy_to_user(ubuffer, buffer, nbytes))
		return -EFAULT;

	*written = nbytes;
	return 0;
}
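/*
 * Return inode number table for the filesystem.
 *
 * Starting at the chunk that follows *lastino, emits one struct xfs_inogrp
 * per inode chunk record (start inode, allocated count, allocation mask).
 * Records are staged in a kernel buffer of at most one page and flushed to
 * @ubuffer through @formatter whenever the staging buffer fills, and once
 * more at the end.
 *
 * On return *count holds the number of records handed to @formatter
 * successfully and, if no error occurred, *lastino the cookie for the next
 * call.  Returns 0 or a negative errno.
 *
 * The staging buffer is zeroed after allocation.  Only three members of each
 * record are assigned below while @formatter receives the records as whole
 * structures for copy-out, so without the zeroing any padding or other
 * member of struct xfs_inogrp (its layout is not visible here) would expose
 * stale kernel heap bytes to userspace.
 *
 * NOTE(review): *count is used unchecked to size the staging buffer and to
 * bound the loop; a value of zero or less is not handled here.  Presumably
 * the ioctl layer rejects it -- confirm.
 */
int					/* error status */
xfs_inumbers(
	struct xfs_mount	*mp,/* mount point for filesystem */
	xfs_ino_t		*lastino,/* last inode returned */
	int			*count,/* size of buffer/count returned */
	void			__user *ubuffer,/* buffer with inode descriptions */
	inumbers_fmt_pf		formatter)
{
	xfs_agnumber_t		agno = XFS_INO_TO_AGNO(mp, *lastino);
	xfs_agino_t		agino = XFS_INO_TO_AGINO(mp, *lastino);
	struct xfs_btree_cur	*cur = NULL;
	struct xfs_buf		*agbp = NULL;
	struct xfs_inogrp	*buffer;
	int			bcount;
	int			left = *count;
	int			bufidx = 0;
	int			error = 0;

	*count = 0;
	/* A cookie that does not round-trip or lies past the last AG: done. */
	if (agno >= mp->m_sb.sb_agcount ||
	    *lastino != XFS_AGINO_TO_INO(mp, agno, agino))
		return error;

	bcount = MIN(left, (int)(PAGE_SIZE / sizeof(*buffer)));
	buffer = kmem_alloc(bcount * sizeof(*buffer), KM_SLEEP);
	/* Never let uninitialised heap bytes reach the user copy. */
	memset(buffer, 0, bcount * sizeof(*buffer));
	do {
		struct xfs_inobt_rec_incore	r;
		int				stat;

		/* No AGI buffer held: (re)start the walk in this AG. */
		if (!agbp) {
			error = xfs_ialloc_read_agi(mp, NULL, agno, &agbp);
			if (error)
				break;

			cur = xfs_inobt_init_cursor(mp, NULL, agbp, agno,
						    XFS_BTNUM_INO);
			error = xfs_inobt_lookup(cur, agino, XFS_LOOKUP_GE,
						 &stat);
			if (error)
				break;
			if (!stat)
				goto next_ag;
		}

		error = xfs_inobt_get_rec(cur, &r, &stat);
		if (error)
			break;
		if (!stat)
			goto next_ag;

		/* Cookie points at the last inode of the chunk just recorded. */
		agino = r.ir_startino + XFS_INODES_PER_CHUNK - 1;
		buffer[bufidx].xi_startino =
			XFS_AGINO_TO_INO(mp, agno, r.ir_startino);
		buffer[bufidx].xi_alloccount = r.ir_count - r.ir_freecount;
		buffer[bufidx].xi_allocmask = ~r.ir_free;
		/* Staging buffer full: flush it and start refilling at 0. */
		if (++bufidx == bcount) {
			long	written;

			error = formatter(ubuffer, buffer, bufidx, &written);
			if (error)
				break;
			ubuffer += written;
			*count += bufidx;
			bufidx = 0;
		}
		if (!--left)
			break;

		error = xfs_btree_increment(cur, 0, &stat);
		if (error)
			break;
		if (stat)
			continue;

next_ag:
		xfs_btree_del_cursor(cur, XFS_BTREE_ERROR);
		cur = NULL;
		xfs_buf_relse(agbp);
		agbp = NULL;
		agino = 0;
		agno++;
	} while (agno < mp->m_sb.sb_agcount);

	if (!error) {
		/* Flush whatever is left in the staging buffer. */
		if (bufidx) {
			long	written;

			error = formatter(ubuffer, buffer, bufidx, &written);
			if (!error)
				*count += bufidx;
		}
		*lastino = XFS_AGINO_TO_INO(mp, agno, agino);
	}

	kmem_free(buffer);
	if (cur)
		xfs_btree_del_cursor(cur, (error ? XFS_BTREE_ERROR :
					   XFS_BTREE_NOERROR));
	if (agbp)
		xfs_buf_relse(agbp);

	return error;
}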