android_kernel_google_msm/fs/smbfs/file.c
Andrew Morton 54b21a7992 [PATCH] fix possible PAGE_CACHE_SHIFT overflows
We've had two instances recently of overflows when doing

	64_bit_value = (32_bit_value << PAGE_CACHE_SHIFT)

I did a tree-wide grep of `<<.*PAGE_CACHE_SHIFT' and this is the result.

- afs_rxfs_fetch_descriptor.offset is of type off_t, which seems broken.

- jfs and jffs are limited to 4GB anyway.

- reiserfs map_block_for_writepage() takes an unsigned long for the block -
  it should take sector_t.  (It'll fail for huge filesystems with
  blocksize<PAGE_CACHE_SIZE)

- cramfs_read() needs to use sector_t (I think cramsfs is busted on large
  filesystems anyway)

- affs is limited in file size anyway.

- I generally didn't fix 32-bit overflows in directory operations.

- arm's __flush_dcache_page() is peculiar.  What if the page lies beyond 4G?

- gss_wrap_req_priv() needs checking (snd_buf->page_base)

Cc: Oleg Drokin <green@linuxhacker.ru>
Cc: David Howells <dhowells@redhat.com>
Cc: David Woodhouse <dwmw2@infradead.org>
Cc: <reiserfs-dev@namesys.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: Anton Altaparmakov <aia21@cantab.net>
Cc: Jeff Dike <jdike@addtoit.com>
Cc: Paolo 'Blaisorblade' Giarrusso <blaisorblade@yahoo.it>
Cc: Roman Zippel <zippel@linux-m68k.org>
Cc: <linux-fsdevel@vger.kernel.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>
Cc: Russell King <rmk@arm.linux.org.uk>
Cc: Trond Myklebust <trond.myklebust@fys.uio.no>
Cc: Neil Brown <neilb@cse.unsw.edu.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-01-08 20:13:54 -08:00

422 lines
9.9 KiB
C

/*
* file.c
*
* Copyright (C) 1995, 1996, 1997 by Paal-Kr. Engstad and Volker Lendecke
* Copyright (C) 1997 by Volker Lendecke
*
* Please add a note about your changes to smbfs in the ChangeLog file.
*/
#include <linux/time.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/fcntl.h>
#include <linux/stat.h>
#include <linux/mm.h>
#include <linux/slab.h>
#include <linux/pagemap.h>
#include <linux/smp_lock.h>
#include <linux/net.h>
#include <asm/uaccess.h>
#include <asm/system.h>
#include <linux/smbno.h>
#include <linux/smb_fs.h>
#include "smb_debug.h"
#include "proto.h"
static int
smb_fsync(struct file *file, struct dentry * dentry, int datasync)
{
struct smb_sb_info *server = server_from_dentry(dentry);
int result;
VERBOSE("sync file %s/%s\n", DENTRY_PATH(dentry));
/*
* The VFS will writepage() all dirty pages for us, but we
* should send a SMBflush to the server, letting it know that
* we want things synchronized with actual storage.
*
* Note: this function requires all pages to have been written already
* (should be ok with writepage_sync)
*/
result = smb_proc_flush(server, SMB_I(dentry->d_inode)->fileid);
return result;
}
/*
* Read a page synchronously.
*/
static int
smb_readpage_sync(struct dentry *dentry, struct page *page)
{
char *buffer = kmap(page);
loff_t offset = (loff_t)page->index << PAGE_CACHE_SHIFT;
struct smb_sb_info *server = server_from_dentry(dentry);
unsigned int rsize = smb_get_rsize(server);
int count = PAGE_SIZE;
int result;
VERBOSE("file %s/%s, count=%d@%Ld, rsize=%d\n",
DENTRY_PATH(dentry), count, offset, rsize);
result = smb_open(dentry, SMB_O_RDONLY);
if (result < 0)
goto io_error;
do {
if (count < rsize)
rsize = count;
result = server->ops->read(dentry->d_inode,offset,rsize,buffer);
if (result < 0)
goto io_error;
count -= result;
offset += result;
buffer += result;
dentry->d_inode->i_atime =
current_fs_time(dentry->d_inode->i_sb);
if (result < rsize)
break;
} while (count);
memset(buffer, 0, count);
flush_dcache_page(page);
SetPageUptodate(page);
result = 0;
io_error:
kunmap(page);
unlock_page(page);
return result;
}
/*
* We are called with the page locked and we unlock it when done.
*/
static int
smb_readpage(struct file *file, struct page *page)
{
int error;
struct dentry *dentry = file->f_dentry;
page_cache_get(page);
error = smb_readpage_sync(dentry, page);
page_cache_release(page);
return error;
}
/*
* Write a page synchronously.
* Offset is the data offset within the page.
*/
static int
smb_writepage_sync(struct inode *inode, struct page *page,
unsigned long pageoffset, unsigned int count)
{
loff_t offset;
char *buffer = kmap(page) + pageoffset;
struct smb_sb_info *server = server_from_inode(inode);
unsigned int wsize = smb_get_wsize(server);
int ret = 0;
offset = ((loff_t)page->index << PAGE_CACHE_SHIFT) + pageoffset;
VERBOSE("file ino=%ld, fileid=%d, count=%d@%Ld, wsize=%d\n",
inode->i_ino, SMB_I(inode)->fileid, count, offset, wsize);
do {
int write_ret;
if (count < wsize)
wsize = count;
write_ret = server->ops->write(inode, offset, wsize, buffer);
if (write_ret < 0) {
PARANOIA("failed write, wsize=%d, write_ret=%d\n",
wsize, write_ret);
ret = write_ret;
break;
}
/* N.B. what if result < wsize?? */
#ifdef SMBFS_PARANOIA
if (write_ret < wsize)
PARANOIA("short write, wsize=%d, write_ret=%d\n",
wsize, write_ret);
#endif
buffer += wsize;
offset += wsize;
count -= wsize;
/*
* Update the inode now rather than waiting for a refresh.
*/
inode->i_mtime = inode->i_atime = current_fs_time(inode->i_sb);
SMB_I(inode)->flags |= SMB_F_LOCALWRITE;
if (offset > inode->i_size)
inode->i_size = offset;
} while (count);
kunmap(page);
return ret;
}
/*
* Write a page to the server. This will be used for NFS swapping only
* (for now), and we currently do this synchronously only.
*
* We are called with the page locked and we unlock it when done.
*/
static int
smb_writepage(struct page *page, struct writeback_control *wbc)
{
struct address_space *mapping = page->mapping;
struct inode *inode;
unsigned long end_index;
unsigned offset = PAGE_CACHE_SIZE;
int err;
if (!mapping)
BUG();
inode = mapping->host;
if (!inode)
BUG();
end_index = inode->i_size >> PAGE_CACHE_SHIFT;
/* easy case */
if (page->index < end_index)
goto do_it;
/* things got complicated... */
offset = inode->i_size & (PAGE_CACHE_SIZE-1);
/* OK, are we completely out? */
if (page->index >= end_index+1 || !offset)
return 0; /* truncated - don't care */
do_it:
page_cache_get(page);
err = smb_writepage_sync(inode, page, 0, offset);
SetPageUptodate(page);
unlock_page(page);
page_cache_release(page);
return err;
}
static int
smb_updatepage(struct file *file, struct page *page, unsigned long offset,
unsigned int count)
{
struct dentry *dentry = file->f_dentry;
DEBUG1("(%s/%s %d@%lld)\n", DENTRY_PATH(dentry), count,
((unsigned long long)page->index << PAGE_CACHE_SHIFT) + offset);
return smb_writepage_sync(dentry->d_inode, page, offset, count);
}
static ssize_t
smb_file_read(struct file * file, char __user * buf, size_t count, loff_t *ppos)
{
struct dentry * dentry = file->f_dentry;
ssize_t status;
VERBOSE("file %s/%s, count=%lu@%lu\n", DENTRY_PATH(dentry),
(unsigned long) count, (unsigned long) *ppos);
status = smb_revalidate_inode(dentry);
if (status) {
PARANOIA("%s/%s validation failed, error=%Zd\n",
DENTRY_PATH(dentry), status);
goto out;
}
VERBOSE("before read, size=%ld, flags=%x, atime=%ld\n",
(long)dentry->d_inode->i_size,
dentry->d_inode->i_flags, dentry->d_inode->i_atime);
status = generic_file_read(file, buf, count, ppos);
out:
return status;
}
static int
smb_file_mmap(struct file * file, struct vm_area_struct * vma)
{
struct dentry * dentry = file->f_dentry;
int status;
VERBOSE("file %s/%s, address %lu - %lu\n",
DENTRY_PATH(dentry), vma->vm_start, vma->vm_end);
status = smb_revalidate_inode(dentry);
if (status) {
PARANOIA("%s/%s validation failed, error=%d\n",
DENTRY_PATH(dentry), status);
goto out;
}
status = generic_file_mmap(file, vma);
out:
return status;
}
static ssize_t
smb_file_sendfile(struct file *file, loff_t *ppos,
size_t count, read_actor_t actor, void *target)
{
struct dentry *dentry = file->f_dentry;
ssize_t status;
VERBOSE("file %s/%s, pos=%Ld, count=%d\n",
DENTRY_PATH(dentry), *ppos, count);
status = smb_revalidate_inode(dentry);
if (status) {
PARANOIA("%s/%s validation failed, error=%Zd\n",
DENTRY_PATH(dentry), status);
goto out;
}
status = generic_file_sendfile(file, ppos, count, actor, target);
out:
return status;
}
/*
* This does the "real" work of the write. The generic routine has
* allocated the page, locked it, done all the page alignment stuff
* calculations etc. Now we should just copy the data from user
* space and write it back to the real medium..
*
* If the writer ends up delaying the write, the writer needs to
* increment the page use counts until he is done with the page.
*/
static int smb_prepare_write(struct file *file, struct page *page,
unsigned offset, unsigned to)
{
return 0;
}
static int smb_commit_write(struct file *file, struct page *page,
unsigned offset, unsigned to)
{
int status;
status = -EFAULT;
lock_kernel();
status = smb_updatepage(file, page, offset, to-offset);
unlock_kernel();
return status;
}
struct address_space_operations smb_file_aops = {
.readpage = smb_readpage,
.writepage = smb_writepage,
.prepare_write = smb_prepare_write,
.commit_write = smb_commit_write
};
/*
* Write to a file (through the page cache).
*/
static ssize_t
smb_file_write(struct file *file, const char __user *buf, size_t count, loff_t *ppos)
{
struct dentry * dentry = file->f_dentry;
ssize_t result;
VERBOSE("file %s/%s, count=%lu@%lu\n",
DENTRY_PATH(dentry),
(unsigned long) count, (unsigned long) *ppos);
result = smb_revalidate_inode(dentry);
if (result) {
PARANOIA("%s/%s validation failed, error=%Zd\n",
DENTRY_PATH(dentry), result);
goto out;
}
result = smb_open(dentry, SMB_O_WRONLY);
if (result)
goto out;
if (count > 0) {
result = generic_file_write(file, buf, count, ppos);
VERBOSE("pos=%ld, size=%ld, mtime=%ld, atime=%ld\n",
(long) file->f_pos, (long) dentry->d_inode->i_size,
dentry->d_inode->i_mtime, dentry->d_inode->i_atime);
}
out:
return result;
}
static int
smb_file_open(struct inode *inode, struct file * file)
{
int result;
struct dentry *dentry = file->f_dentry;
int smb_mode = (file->f_mode & O_ACCMODE) - 1;
lock_kernel();
result = smb_open(dentry, smb_mode);
if (result)
goto out;
SMB_I(inode)->openers++;
out:
unlock_kernel();
return result;
}
static int
smb_file_release(struct inode *inode, struct file * file)
{
lock_kernel();
if (!--SMB_I(inode)->openers) {
/* We must flush any dirty pages now as we won't be able to
write anything after close. mmap can trigger this.
"openers" should perhaps include mmap'ers ... */
filemap_write_and_wait(inode->i_mapping);
smb_close(inode);
}
unlock_kernel();
return 0;
}
/*
* Check whether the required access is compatible with
* an inode's permission. SMB doesn't recognize superuser
* privileges, so we need our own check for this.
*/
static int
smb_file_permission(struct inode *inode, int mask, struct nameidata *nd)
{
int mode = inode->i_mode;
int error = 0;
VERBOSE("mode=%x, mask=%x\n", mode, mask);
/* Look at user permissions */
mode >>= 6;
if ((mode & 7 & mask) != mask)
error = -EACCES;
return error;
}
struct file_operations smb_file_operations =
{
.llseek = remote_llseek,
.read = smb_file_read,
.write = smb_file_write,
.ioctl = smb_ioctl,
.mmap = smb_file_mmap,
.open = smb_file_open,
.release = smb_file_release,
.fsync = smb_fsync,
.sendfile = smb_file_sendfile,
};
struct inode_operations smb_file_inode_operations =
{
.permission = smb_file_permission,
.getattr = smb_getattr,
.setattr = smb_notify_change,
};