From 5b5f9560354dc5a3a27ce57a86aec6b98531ee21 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 8 Jan 2012 15:38:27 -0500 Subject: functionfs: unfuck failure exits on mount * if you do dput() of root dentry, do *not* follow that with iput() of root inode. * while we are at it, don't do that dput() at all - you are leaving the pointer in ->s_root and your ->kill_sb() will be very unhappy with that. It will do proper dput(), though, so the easiest way is to leave that to it entirely. * freeing ->s_fs_info is also best left to ->kill_sb() (which will do it anyway), especially since we leave the pointer in place. * that xchg() in ->kill_sb() is not a bug per se, but it's a plain and simple masturbation with fewer excuses than Onan had... Signed-off-by: Al Viro --- drivers/usb/gadget/f_fs.c | 31 +++++++++++-------------------- 1 file changed, 11 insertions(+), 20 deletions(-) diff --git a/drivers/usb/gadget/f_fs.c b/drivers/usb/gadget/f_fs.c index acb38004eec..b5f6f9fef9c 100644 --- a/drivers/usb/gadget/f_fs.c +++ b/drivers/usb/gadget/f_fs.c @@ -1037,7 +1037,6 @@ static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) { struct ffs_sb_fill_data *data = _data; struct inode *inode; - struct dentry *d; struct ffs_data *ffs; ENTER(); @@ -1045,7 +1044,7 @@ static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) /* Initialise data */ ffs = ffs_data_new(); if (unlikely(!ffs)) - goto enomem0; + goto Enomem; ffs->sb = sb; ffs->dev_name = data->dev_name; @@ -1065,26 +1064,21 @@ static int ffs_sb_fill(struct super_block *sb, void *_data, int silent) &simple_dir_inode_operations, &data->perms); if (unlikely(!inode)) - goto enomem1; - d = d_alloc_root(inode); - if (unlikely(!d)) - goto enomem2; - sb->s_root = d; + goto Enomem; + sb->s_root = d_alloc_root(inode); + if (unlikely(!sb->s_root)) { + iput(inode); + goto Enomem; + } /* EP0 file */ if (unlikely(!ffs_sb_create_file(sb, "ep0", ffs, &ffs_ep0_operations, NULL))) - goto enomem3; + goto Enomem; return 0; -enomem3: - dput(d); -enomem2: - iput(inode); -enomem1: - ffs_data_put(ffs); -enomem0: +Enomem: return -ENOMEM; } @@ -1196,14 +1190,11 @@ ffs_fs_mount(struct file_system_type *t, int flags, static void ffs_fs_kill_sb(struct super_block *sb) { - void *ptr; - ENTER(); kill_litter_super(sb); - ptr = xchg(&sb->s_fs_info, NULL); - if (ptr) - ffs_data_put(ptr); + if (sb->s_fs_info) + ffs_data_put(sb->s_fs_info); } static struct file_system_type ffs_fs_type = { -- cgit v1.2.3 From 87da5b3264c8514b85c6c6e8ef51b9440eee2030 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 8 Jan 2012 15:59:45 -0500 Subject: ... and the same for gadgetfs Signed-off-by: Al Viro --- drivers/usb/gadget/inode.c | 26 +++++++++++--------------- 1 file changed, 11 insertions(+), 15 deletions(-) diff --git a/drivers/usb/gadget/inode.c b/drivers/usb/gadget/inode.c index 6ccae2707e5..6b7ea25af0f 100644 --- a/drivers/usb/gadget/inode.c +++ b/drivers/usb/gadget/inode.c @@ -2035,7 +2035,6 @@ static int gadgetfs_fill_super (struct super_block *sb, void *opts, int silent) { struct inode *inode; - struct dentry *d; struct dev_data *dev; if (the_device) @@ -2058,24 +2057,27 @@ gadgetfs_fill_super (struct super_block *sb, void *opts, int silent) NULL, &simple_dir_operations, S_IFDIR | S_IRUGO | S_IXUGO); if (!inode) - goto enomem0; + goto Enomem; inode->i_op = &simple_dir_inode_operations; - if (!(d = d_alloc_root (inode))) - goto enomem1; - sb->s_root = d; + if (!(sb->s_root = d_alloc_root (inode))) { + iput(inode); + goto Enomem; + } /* the ep0 file is named after the controller we expect; * user mode code can use it for sanity checks, like we do. */ dev = dev_new (); if (!dev) - goto enomem2; + goto Enomem; dev->sb = sb; if (!gadgetfs_create_file (sb, CHIP, dev, &dev_init_operations, - &dev->dentry)) - goto enomem3; + &dev->dentry)) { + put_dev(dev); + goto Enomem; + } /* other endpoint files are available after hardware setup, * from binding to a controller. @@ -2083,13 +2085,7 @@ gadgetfs_fill_super (struct super_block *sb, void *opts, int silent) the_device = dev; return 0; -enomem3: - put_dev (dev); -enomem2: - dput (d); -enomem1: - iput (inode); -enomem0: +Enomem: return -ENOMEM; } -- cgit v1.2.3 From 3850aba74873aa47fefe6900b99f42f5e656a6e7 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 8 Jan 2012 19:40:27 -0500 Subject: devpts: fix double-free on mount failure devpts_kill_sb() is called even if devpts_fill_super() fails; we should not do that kfree() in the latter, especially not with ->s_fs_info left pointing to freed object. Double kfree() is a Bad Thing(tm)... Signed-off-by: Al Viro --- fs/devpts/inode.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/fs/devpts/inode.c b/fs/devpts/inode.c index 79673eb7115..c4e2a58a2e8 100644 --- a/fs/devpts/inode.c +++ b/fs/devpts/inode.c @@ -301,7 +301,7 @@ devpts_fill_super(struct super_block *s, void *data, int silent) inode = new_inode(s); if (!inode) - goto free_fsi; + goto fail; inode->i_ino = 1; inode->i_mtime = inode->i_atime = inode->i_ctime = CURRENT_TIME; inode->i_mode = S_IFDIR | S_IRUGO | S_IXUGO | S_IWUSR; @@ -316,8 +316,6 @@ devpts_fill_super(struct super_block *s, void *data, int silent) printk(KERN_ERR "devpts: get root dentry failed\n"); iput(inode); -free_fsi: - kfree(s->s_fs_info); fail: return -ENOMEM; } -- cgit v1.2.3 From da01636a6511c3bd0c1cf546c47b8e92a837a613 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 8 Jan 2012 19:45:28 -0500 Subject: exofs: oops after late failure in mount We have already set ->s_root, so ->put_super() is going to be called. Freeing ->s_fs_info is a bloody bad idea when it's going to be dereferenced very shortly... Signed-off-by: Al Viro --- fs/exofs/super.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/fs/exofs/super.c b/fs/exofs/super.c index 8addfe314dc..d22cd168c6e 100644 --- a/fs/exofs/super.c +++ b/fs/exofs/super.c @@ -838,6 +838,8 @@ static int exofs_fill_super(struct super_block *sb, void *data, int silent) ret = bdi_setup_and_register(&sbi->bdi, "exofs", BDI_CAP_MAP_COPY); if (ret) { EXOFS_DBGMSG("Failed to bdi_setup_and_register\n"); + dput(sb->s_root); + sb->s_root = NULL; goto free_sbi; } -- cgit v1.2.3 From 0ce8c0109f548ed75535d96ec5a347b410ed1472 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sun, 8 Jan 2012 19:50:23 -0500 Subject: ext[34]: avoid i_nlink warnings triggered by drop_nlink/inc_nlink kludge in symlink() Both ext3 and ext4 put the half-created symlink inode into the orphan list for a while (see the comment in ext[34]_symlink() for gory details). Then, if everything went fine, they pull it out of the orphan list and bump the link count back to 1. The thing is, inc_nlink() is going to complain about seeing somebody changing i_nlink from 0 to 1. With a good reason, since normally something like that is a bug. Explicit set_nlink(inode, 1) does the same thing as inc_nlink() here, but it does *not* complain - exactly because it should be usable in strange situations like this one. Signed-off-by: Al Viro --- fs/ext3/namei.c | 2 +- fs/ext4/namei.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/ext3/namei.c b/fs/ext3/namei.c index 4f35b2f315d..d269821203f 100644 --- a/fs/ext3/namei.c +++ b/fs/ext3/namei.c @@ -2272,7 +2272,7 @@ retry: err = PTR_ERR(handle); goto err_drop_inode; } - inc_nlink(inode); + set_nlink(inode, 1); err = ext3_orphan_del(handle, inode); if (err) { ext3_journal_stop(handle); diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c index 86edc45b52a..2043f482375 100644 --- a/fs/ext4/namei.c +++ b/fs/ext4/namei.c @@ -2315,7 +2315,7 @@ retry: err = PTR_ERR(handle); goto err_drop_inode; } - inc_nlink(inode); + set_nlink(inode, 1); err = ext4_orphan_del(handle, inode); if (err) { ext4_journal_stop(handle); -- cgit v1.2.3