NFS: Fix a use-after-free case in nfs_async_rename()
1 /*
2  *  linux/fs/nfs/unlink.c
3  *
4  * nfs sillydelete handling
5  *
6  */
7
8 #include <linux/slab.h>
9 #include <linux/string.h>
10 #include <linux/dcache.h>
11 #include <linux/sunrpc/sched.h>
12 #include <linux/sunrpc/clnt.h>
13 #include <linux/nfs_fs.h>
14 #include <linux/sched.h>
15 #include <linux/wait.h>
16 #include <linux/namei.h>
17
18 #include "internal.h"
19 #include "nfs4_fs.h"
20 #include "iostat.h"
21 #include "delegation.h"
22
/*
 * Per-sillydelete state.  Allocated zeroed in nfs_async_unlink() and hung
 * off the dentry via d_fsdata (with DCACHE_NFSFS_RENAMED set) until the
 * dentry is dropped; nfs_complete_unlink() then hands it to nfs_call_unlink().
 * Freed by nfs_free_unlinkdata() once the unlink RPC has run, or directly
 * when the operation is abandoned.
 */
struct nfs_unlinkdata {
	struct hlist_node list;		/* NFS_I(dir)->silly_list link while deferred */
	struct nfs_removeargs args;	/* args.name is a private copy (nfs_copy_dname) */
	struct nfs_removeres res;	/* res.dir_attr points at dir_attr below */
	struct inode *dir;		/* parent dir, igrab()'d in nfs_do_call_unlink() */
	struct rpc_cred *cred;		/* from rpc_lookup_cred(); released with the data */
	struct nfs_fattr dir_attr;	/* storage for the directory attributes in the reply */
};
31
/**
 * nfs_free_unlinkdata - release data from a sillydelete operation.
 * @data: pointer to unlink structure.
 *
 * Drops everything the structure holds -- the directory reference, the
 * credential and the private name copy -- and then the structure itself.
 * @data->dir is only set once nfs_do_call_unlink() reaches igrab(), and the
 * name may already have been cleared by nfs_free_dname(), so both may be
 * NULL here; iput() and kfree() tolerate that.
 */
static void
nfs_free_unlinkdata(struct nfs_unlinkdata *data)
{
	struct inode *dir = data->dir;
	struct rpc_cred *cred = data->cred;
	const void *name = data->args.name.name;

	kfree(data);
	kfree(name);
	put_rpccred(cred);
	iput(dir);
}
44
45 #define NAME_ALLOC_LEN(len)     ((len+16) & ~15)
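/**
 * nfs_copy_dname - copy dentry name to data structure
 * @dentry: pointer to dentry
 * @data: nfs_unlinkdata
 *
 * Takes a private, NUL-terminated copy of @dentry's name into
 * @data->args.name so the unlink RPC does not depend on the dentry (which
 * is typically being dropped when this runs).  Only .name and .len are
 * filled in.
 *
 * NOTE(review): .hash is left at its kzalloc() value; nfs_do_call_unlink()
 * hands this qstr to d_lookup() -- confirm that lookup does not require a
 * hashed name, or copy dentry->d_name.hash here as well.
 *
 * Returns 0, or -ENOMEM.  The copy is released by nfs_free_dname() or
 * nfs_free_unlinkdata().
 */
static int nfs_copy_dname(struct dentry *dentry, struct nfs_unlinkdata *data)
{
	char		*str;
	int		len = dentry->d_name.len;

	/*
	 * Copy exactly len bytes and terminate the copy ourselves.  The
	 * previous kmemdup(name, NAME_ALLOC_LEN(len)) read up to 15 bytes
	 * beyond the name and its terminator, relying on the dcache's
	 * backing buffer being at least that large.
	 */
	str = kmalloc(len + 1, GFP_KERNEL);
	if (!str)
		return -ENOMEM;
	memcpy(str, dentry->d_name.name, len);
	str[len] = '\0';
	data->args.name.len = len;
	data->args.name.name = str;
	return 0;
}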
63
/*
 * Drop the private name copy taken by nfs_copy_dname() and leave
 * @data->args.name empty, so a later nfs_copy_dname() (after the data has
 * been handed to an aliased dentry) can fill it in again.
 */
static void nfs_free_dname(struct nfs_unlinkdata *data)
{
	struct qstr *name = &data->args.name;

	kfree(name->name);
	name->len = 0;
	name->name = NULL;
}
70
/*
 * Drop one "sillydelete in flight" count on @dir.  The count rests at 1
 * when idle (see nfs_block_sillyrename()'s cmpxchg), so landing on 1 again
 * means the last pending operation is gone and anyone waiting in
 * nfs_block_sillyrename() can be woken.
 */
static void nfs_dec_sillycount(struct inode *dir)
{
	struct nfs_inode *nfsi = NFS_I(dir);

	if (atomic_dec_return(&nfsi->silly_count) != 1)
		return;
	wake_up(&nfsi->waitqueue);
}
77
/**
 * nfs_async_unlink_done - Sillydelete post-processing
 * @task: rpc_task of the sillydelete
 * @calldata: the struct nfs_unlinkdata of the task
 *
 * Passes the reply to the protocol's unlink_done() (which, per the
 * original note here, does the directory attribute update).  A zero
 * return from it means the call is not finished: restart the RPC on the
 * same client rather than letting the task complete.
 */
static void nfs_async_unlink_done(struct rpc_task *task, void *calldata)
{
	struct nfs_unlinkdata *data = calldata;
	struct inode *dir = data->dir;
	int done;

	done = NFS_PROTO(dir)->unlink_done(task, dir);
	if (done)
		return;
	nfs_restart_rpc(task, NFS_SERVER(dir)->nfs_client);
}
92
/**
 * nfs_async_unlink_release - Release the sillydelete data.
 * @calldata: the struct nfs_unlinkdata of the finished task
 *
 * We need to free the unlink data from the task's rpc_release callback,
 * since the rpc_task itself is freed right after this returns.
 *
 * Ordering matters: the superblock pointer is captured before
 * nfs_free_unlinkdata() iput()s the directory, and the nfs_sb_deactive()
 * balancing nfs_sb_active() in nfs_do_call_unlink() runs last, so nothing
 * dereferences @data or its inode after they have been released.
 */
static void nfs_async_unlink_release(void *calldata)
{
	struct nfs_unlinkdata	*data = calldata;
	struct super_block *sb = data->dir->i_sb;

	/* balances the silly_count taken before the task was started */
	nfs_dec_sillycount(data->dir);
	nfs_free_unlinkdata(data);
	nfs_sb_deactive(sb);
}
109
110 #if defined(CONFIG_NFS_V4_1)
/*
 * rpc_call_prepare for the NFSv4.1 sillydelete.  A non-zero return from
 * nfs4_setup_sequence() means the task must not be started here
 * (presumably it has been queued waiting for a session slot).
 *
 * NOTE(review): nfs_rename_prepare() below is static; this one is not.
 * Unless something outside this file references it, it could be too.
 */
void nfs_unlink_prepare(struct rpc_task *task, void *calldata)
{
	struct nfs_unlinkdata *data = calldata;
	struct nfs_server *server = NFS_SERVER(data->dir);
	int ret;

	ret = nfs4_setup_sequence(server, &data->args.seq_args,
				  &data->res.seq_res, 1, task);
	if (ret == 0)
		rpc_call_start(task);
}
121 #endif /* CONFIG_NFS_V4_1 */
122
/*
 * Callbacks for the asynchronous sillydelete task started in
 * nfs_do_call_unlink().  All teardown of the nfs_unlinkdata happens in
 * .rpc_release (nfs_async_unlink_release).
 */
static const struct rpc_call_ops nfs_unlink_ops = {
	.rpc_call_done = nfs_async_unlink_done,
	.rpc_release = nfs_async_unlink_release,
#if defined(CONFIG_NFS_V4_1)
	.rpc_call_prepare = nfs_unlink_prepare,	/* session slot setup for v4.1 */
#endif /* CONFIG_NFS_V4_1 */
};
130
/*
 * Send (or hand off) the sillydelete described by @data for a name in @dir.
 * @parent is the dentry of @dir.
 *
 * The caller has already bumped NFS_I(dir)->silly_count for this operation
 * (nfs_call_unlink() / nfs_unblock_sillyrename()); every path out of here
 * either drops that count itself or leaves it to nfs_async_unlink_release().
 *
 * Returns 1 when @data has been consumed (RPC started, or transferred to a
 * racing alias dentry) and 0 when the caller still owns it and must call
 * nfs_free_unlinkdata().
 */
static int nfs_do_call_unlink(struct dentry *parent, struct inode *dir, struct nfs_unlinkdata *data)
{
	/* msg lives on our stack; rpc_run_task() is expected to copy it into the task */
	struct rpc_message msg = {
		.rpc_argp = &data->args,
		.rpc_resp = &data->res,
		.rpc_cred = data->cred,
	};
	struct rpc_task_setup task_setup_data = {
		.rpc_message = &msg,
		.callback_ops = &nfs_unlink_ops,
		.callback_data = data,
		.workqueue = nfsiod_workqueue,
		.flags = RPC_TASK_ASYNC,
	};
	struct rpc_task *task;
	struct dentry *alias;

	/* Did a lookup() race us and instantiate a dentry for the same name? */
	alias = d_lookup(parent, &data->args.name);
	if (alias != NULL) {
		int ret = 0;

		/*
		 * Hey, we raced with lookup... See if we need to transfer
		 * the sillyrename information to the aliased dentry.
		 */
		/* drop our name copy; nfs_copy_dname() re-takes it when the alias is dropped */
		nfs_free_dname(data);
		spin_lock(&alias->d_lock);
		if (alias->d_inode != NULL &&
		    !(alias->d_flags & DCACHE_NFSFS_RENAMED)) {
			/* the alias now owns @data; see nfs_complete_unlink() */
			alias->d_fsdata = data;
			alias->d_flags |= DCACHE_NFSFS_RENAMED;
			ret = 1;
		}
		spin_unlock(&alias->d_lock);
		/* no RPC from here, so release the caller's silly_count now */
		nfs_dec_sillycount(dir);
		dput(alias);
		return ret;
	}
	/* hold the directory for the RPC; released by nfs_free_unlinkdata() */
	data->dir = igrab(dir);
	if (!data->dir) {
		nfs_dec_sillycount(dir);
		return 0;
	}
	/* balanced by nfs_sb_deactive() in nfs_async_unlink_release() */
	nfs_sb_active(dir->i_sb);
	data->args.fh = NFS_FH(dir);
	nfs_fattr_init(data->res.dir_attr);

	NFS_PROTO(dir)->unlink_setup(&msg, dir);

	task_setup_data.rpc_client = NFS_CLIENT(dir);
	task = rpc_run_task(&task_setup_data);
	/*
	 * @data now belongs to the RPC layer either way: on success
	 * nfs_async_unlink_release() frees it when the task completes, and
	 * on failure rpc_run_task() is expected to have invoked ->rpc_release
	 * itself (hence no free here -- confirm against the sunrpc version).
	 */
	if (!IS_ERR(task))
		rpc_put_task(task);
	return 1;
}
186
/*
 * Kick off the sillydelete for @dentry: copy the name, then either queue
 * @data on the directory's silly_list (while sillyrenames are blocked by
 * nfs_block_sillyrename()) or send it straight away via nfs_do_call_unlink().
 *
 * Returns 1 if @data was taken over (queued, sent or transferred) and 0 if
 * the caller must free it.  On the 0 path the name copy may already have
 * been allocated; nfs_free_unlinkdata() releases it.
 */
static int nfs_call_unlink(struct dentry *dentry, struct nfs_unlinkdata *data)
{
	struct dentry *parent;
	struct inode *dir;
	int ret = 0;


	parent = dget_parent(dentry);
	if (parent == NULL)
		goto out_free;
	dir = parent->d_inode;
	if (nfs_copy_dname(dentry, data) != 0)
		goto out_dput;
	/* Non-exclusive lock protects against concurrent lookup() calls */
	/*
	 * i_lock also serialises us against nfs_unblock_sillyrename(), which
	 * drains silly_list under the same lock.  silly_count == 0 means a
	 * nfs_block_sillyrename() is in effect: park the request instead.
	 */
	spin_lock(&dir->i_lock);
	if (atomic_inc_not_zero(&NFS_I(dir)->silly_count) == 0) {
		/* Deferred delete */
		hlist_add_head(&data->list, &NFS_I(dir)->silly_list);
		spin_unlock(&dir->i_lock);
		ret = 1;
		goto out_dput;
	}
	spin_unlock(&dir->i_lock);
	/* the count taken above is dropped by nfs_do_call_unlink() or the RPC release */
	ret = nfs_do_call_unlink(parent, dir, data);
out_dput:
	dput(parent);
out_free:
	return ret;
}
216
/*
 * Stop new sillydeletes on the directory @dentry until
 * nfs_unblock_sillyrename() is called.  Waits until none is in flight
 * (silly_count == 1) and atomically takes the count to 0; while it is 0,
 * nfs_call_unlink() parks new requests on silly_list instead of sending.
 */
void nfs_block_sillyrename(struct dentry *dentry)
{
	struct inode *dir = dentry->d_inode;
	atomic_t *count = &NFS_I(dir)->silly_count;

	wait_event(NFS_I(dir)->waitqueue,
		   atomic_cmpxchg(count, 1, 0) == 1);
}
223
/*
 * Counterpart of nfs_block_sillyrename(): re-open the directory to
 * sillydeletes and run everything nfs_call_unlink() parked on silly_list
 * while the count was 0.  @dentry is the directory's dentry.
 */
void nfs_unblock_sillyrename(struct dentry *dentry)
{
	struct inode *dir = dentry->d_inode;
	struct nfs_inode *nfsi = NFS_I(dir);
	struct nfs_unlinkdata *data;

	/* undo the 1 -> 0 cmpxchg done by nfs_block_sillyrename() */
	atomic_inc(&nfsi->silly_count);
	spin_lock(&dir->i_lock);
	while (!hlist_empty(&nfsi->silly_list)) {
		/* the same per-operation count nfs_call_unlink() would have taken */
		if (!atomic_inc_not_zero(&nfsi->silly_count))
			break;
		data = hlist_entry(nfsi->silly_list.first, struct nfs_unlinkdata, list);
		hlist_del(&data->list);
		/* nfs_do_call_unlink() takes d_lock and may start an RPC: drop i_lock around it */
		spin_unlock(&dir->i_lock);
		if (nfs_do_call_unlink(dentry, dir, data) == 0)
			nfs_free_unlinkdata(data);
		spin_lock(&dir->i_lock);
	}
	spin_unlock(&dir->i_lock);
}
244
/**
 * nfs_async_unlink - asynchronous unlinking of a file
 * @dir: parent directory of dentry (not used by this function itself)
 * @dentry: dentry to unlink
 *
 * Prepares the sillydelete state for @dentry and parks it in d_fsdata,
 * marking the dentry DCACHE_NFSFS_RENAMED.  No RPC is sent here; that
 * happens from nfs_complete_unlink() when the dentry is finally dropped.
 *
 * Returns 0 on success, -ENOMEM or the rpc_lookup_cred() error on
 * allocation failure, or -EBUSY if the dentry was already marked.
 */
static int
nfs_async_unlink(struct inode *dir, struct dentry *dentry)
{
	struct nfs_unlinkdata *data;
	int status;

	data = kzalloc(sizeof(*data), GFP_KERNEL);
	if (data == NULL)
		return -ENOMEM;

	data->cred = rpc_lookup_cred();
	if (IS_ERR(data->cred)) {
		status = PTR_ERR(data->cred);
		goto err_free;
	}
	/* initial v4.1 sequence state (presumably "no slot held"); res backed by dir_attr */
	data->res.seq_res.sr_slotid = NFS4_MAX_SLOT_TABLE;
	data->res.dir_attr = &data->dir_attr;

	spin_lock(&dentry->d_lock);
	if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
		/* already silly-renamed once; refuse a second time */
		spin_unlock(&dentry->d_lock);
		status = -EBUSY;
		goto err_put_cred;
	}
	dentry->d_flags |= DCACHE_NFSFS_RENAMED;
	dentry->d_fsdata = data;
	spin_unlock(&dentry->d_lock);
	return 0;

err_put_cred:
	put_rpccred(data->cred);
err_free:
	kfree(data);
	return status;
}
284
/**
 * nfs_complete_unlink - Initialize completion of the sillydelete
 * @dentry: dentry to delete
 * @inode: inode
 *
 * Since we're most likely to be called by dentry_iput(), we only use the
 * dentry to find the sillydelete state; nfs_call_unlink() then copies the
 * name into the qstr and sends (or queues) the unlink.  The state is freed
 * here when the inode is stale or nfs_call_unlink() did not take it over.
 */
void
nfs_complete_unlink(struct dentry *dentry, struct inode *inode)
{
	struct nfs_unlinkdata	*data;

	/* claim the parked state under d_lock; clearing the flag makes us the only taker */
	spin_lock(&dentry->d_lock);
	data = (dentry->d_flags & DCACHE_NFSFS_RENAMED) ? dentry->d_fsdata : NULL;
	dentry->d_flags &= ~DCACHE_NFSFS_RENAMED;
	spin_unlock(&dentry->d_lock);

	if (data == NULL)
		return;
	if (NFS_STALE(inode) || !nfs_call_unlink(dentry, data))
		nfs_free_unlinkdata(data);
}
309
/*
 * Cancel a queued async unlink.  Called when a sillyrename run fails
 * (nfs_sillyrename() and nfs_async_rename_done()): the state parked by
 * nfs_async_unlink() is detached from the dentry and freed without any
 * RPC being sent.  Same claim-under-d_lock pattern as nfs_complete_unlink().
 */
static void
nfs_cancel_async_unlink(struct dentry *dentry)
{
	struct nfs_unlinkdata *data = NULL;

	spin_lock(&dentry->d_lock);
	if (dentry->d_flags & DCACHE_NFSFS_RENAMED) {
		dentry->d_flags &= ~DCACHE_NFSFS_RENAMED;
		data = dentry->d_fsdata;
	}
	spin_unlock(&dentry->d_lock);

	if (data != NULL)
		nfs_free_unlinkdata(data);
}
325
/*
 * Per-sillyrename state, allocated in nfs_async_rename() and freed by
 * nfs_async_rename_release().  Holds its own references on both directory
 * inodes and both dentries for as long as the RPC runs.
 */
struct nfs_renamedata {
	struct nfs_renameargs	args;		/* old/new_name point at the dentries' d_name */
	struct nfs_renameres	res;		/* old/new_fattr point at the fattrs below */
	struct rpc_cred		*cred;		/* rpc_lookup_cred() result */
	struct inode		*old_dir;	/* i_count held */
	struct dentry		*old_dentry;	/* dget()'d; the file being hidden */
	struct nfs_fattr	old_fattr;
	struct inode		*new_dir;	/* i_count held */
	struct dentry		*new_dentry;	/* dget()'d; the ".nfs..." target */
	struct nfs_fattr	new_fattr;
};
337
/**
 * nfs_async_rename_done - Sillyrename post-processing
 * @task: rpc_task of the sillyrename
 * @calldata: nfs_renamedata for the sillyrename
 *
 * Do the directory attribute updates and the d_move.
 *
 * Three outcomes: rename_done() reports the call is not finished, so the
 * RPC is restarted; the call finished with an error, so the sillydelete
 * that nfs_sillyrename() parked on old_dentry is cancelled and the dentry
 * keeps its name; or it succeeded, and old_dentry is moved onto the
 * ".nfs..." new_dentry so the dcache matches the server.
 */
static void nfs_async_rename_done(struct rpc_task *task, void *calldata)
{
	struct nfs_renamedata *data = calldata;
	struct inode *old_dir = data->old_dir;
	struct inode *new_dir = data->new_dir;

	if (!NFS_PROTO(old_dir)->rename_done(task, old_dir, new_dir)) {
		nfs_restart_rpc(task, NFS_SERVER(old_dir)->nfs_client);
		return;
	}

	if (task->tk_status != 0) {
		/* rename failed: drop the sillydelete parked by nfs_async_unlink() */
		nfs_cancel_async_unlink(data->old_dentry);
		return;
	}

	/* directory changed under us: presumably refreshes the dentry's change-attr verifier */
	nfs_set_verifier(data->old_dentry, nfs_save_change_attribute(old_dir));
	d_move(data->old_dentry, data->new_dentry);
}
364
/**
 * nfs_async_rename_release - Release the sillyrename data.
 * @calldata: the struct nfs_renamedata to be released
 *
 * Drops everything nfs_async_rename() took: the dentry references (dget),
 * the inode references (i_count), the superblock activation and the cred.
 * The superblock pointer is read *before* the inodes are iput(), because
 * old_dir may no longer be valid after that -- keep this ordering.
 */
static void nfs_async_rename_release(void *calldata)
{
	struct nfs_renamedata	*data = calldata;
	struct super_block *sb = data->old_dir->i_sb;

	/* the renamed inode's cached attributes should be refetched */
	if (data->old_dentry->d_inode)
		nfs_mark_for_revalidate(data->old_dentry->d_inode);

	dput(data->old_dentry);
	dput(data->new_dentry);
	iput(data->old_dir);
	iput(data->new_dir);
	nfs_sb_deactive(sb);
	put_rpccred(data->cred);
	kfree(data);
}
385
386 #if defined(CONFIG_NFS_V4_1)
/*
 * rpc_call_prepare for the NFSv4.1 sillyrename; mirrors nfs_unlink_prepare().
 * A non-zero return from nfs4_setup_sequence() means the task must not be
 * started here (presumably it has been queued waiting for a session slot).
 */
static void nfs_rename_prepare(struct rpc_task *task, void *calldata)
{
	struct nfs_renamedata *data = calldata;
	struct nfs_server *server = NFS_SERVER(data->old_dir);
	int ret;

	ret = nfs4_setup_sequence(server, &data->args.seq_args,
				  &data->res.seq_res, 1, task);
	if (ret == 0)
		rpc_call_start(task);
}
397 #endif /* CONFIG_NFS_V4_1 */
398
/*
 * Callbacks for the asynchronous sillyrename task started in
 * nfs_async_rename().  All teardown of the nfs_renamedata happens in
 * .rpc_release (nfs_async_rename_release).
 */
static const struct rpc_call_ops nfs_rename_ops = {
	.rpc_call_done = nfs_async_rename_done,
	.rpc_release = nfs_async_rename_release,
#if defined(CONFIG_NFS_V4_1)
	.rpc_call_prepare = nfs_rename_prepare,	/* session slot setup for v4.1 */
#endif /* CONFIG_NFS_V4_1 */
};
406
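/**
 * nfs_async_rename - perform an asynchronous rename operation
 * @old_dir: directory that currently holds the dentry to be renamed
 * @new_dir: target directory for the rename
 * @old_dentry: original dentry to be renamed
 * @new_dentry: dentry to which the old_dentry should be renamed
 *
 * It's expected that valid references to the dentries and inodes are held
 * by the caller.  This function takes its own references (dget() on both
 * dentries, i_count on both directories, nfs_sb_active() on the superblock)
 * for the lifetime of the RPC; nfs_async_rename_release() drops them.
 *
 * Unlike the unlink path, the names are not copied: args.old_name/new_name
 * point into the dentries' own qstrs, which the dget()s keep alive.
 *
 * Returns the rpc_task with one reference owned by the caller (to be
 * released with rpc_put_task()), or an ERR_PTR() if it could not be set up.
 */
static struct rpc_task *
nfs_async_rename(struct inode *old_dir, struct inode *new_dir,
		 struct dentry *old_dentry, struct dentry *new_dentry)
{
	struct nfs_renamedata *data;
	struct rpc_message msg = { };
	struct rpc_task_setup task_setup_data = {
		.rpc_message = &msg,
		.callback_ops = &nfs_rename_ops,
		.workqueue = nfsiod_workqueue,
		.rpc_client = NFS_CLIENT(old_dir),
		.flags = RPC_TASK_ASYNC,
	};

	/*
	 * Zero the whole structure, as nfs_async_unlink() does: the v4.1
	 * seq_args/seq_res that nfs_rename_prepare() hands to
	 * nfs4_setup_sequence() are not otherwise initialised below.
	 */
	data = kzalloc(sizeof(*data), GFP_KERNEL);
	if (data == NULL)
		return ERR_PTR(-ENOMEM);
	task_setup_data.callback_data = data;	/* was "= data," (comma operator) */

	data->cred = rpc_lookup_cred();
	if (IS_ERR(data->cred)) {
		struct rpc_task *task = ERR_CAST(data->cred);
		kfree(data);
		return task;
	}
	/* same initial v4.1 sequence state as nfs_async_unlink() (presumably "no slot held") */
	data->res.seq_res.sr_slotid = NFS4_MAX_SLOT_TABLE;

	msg.rpc_argp = &data->args;
	msg.rpc_resp = &data->res;
	msg.rpc_cred = data->cred;

	/* set up nfs_renamedata */
	data->old_dir = old_dir;
	atomic_inc(&old_dir->i_count);
	data->new_dir = new_dir;
	atomic_inc(&new_dir->i_count);
	data->old_dentry = dget(old_dentry);
	data->new_dentry = dget(new_dentry);
	nfs_fattr_init(&data->old_fattr);
	nfs_fattr_init(&data->new_fattr);

	/* set up nfs_renameargs */
	data->args.old_dir = NFS_FH(old_dir);
	data->args.old_name = &old_dentry->d_name;
	data->args.new_dir = NFS_FH(new_dir);
	data->args.new_name = &new_dentry->d_name;

	/* set up nfs_renameres */
	data->res.old_fattr = &data->old_fattr;
	data->res.new_fattr = &data->new_fattr;

	/* balanced by nfs_sb_deactive() in nfs_async_rename_release() */
	nfs_sb_active(old_dir->i_sb);

	NFS_PROTO(data->old_dir)->rename_setup(&msg, old_dir);

	/*
	 * From here the references above belong to the task.  On failure
	 * rpc_run_task() is expected to invoke ->rpc_release itself (the
	 * unlink path relies on the same), so nothing is undone here.
	 */
	return rpc_run_task(&task_setup_data);
}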
472
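/**
 * nfs_sillyrename - Perform a silly-rename of a dentry
 * @dir: inode of directory that contains dentry
 * @dentry: dentry to be sillyrenamed
 *
 * NFSv2/3 is stateless and the server doesn't know when the client is
 * holding a file open. To prevent application problems when a file is
 * unlinked while it's still open, the client performs a "silly-rename".
 * That is, it renames the file to a hidden file in the same directory,
 * and only performs the unlink once the last reference to it is put.
 *
 * The final cleanup is done during dentry_iput.
 *
 * The hidden name is ".nfs" + the fileid in hex + a counter in hex; the
 * loop below bumps the counter until a name that does not exist in the
 * directory is found.  The sillydelete is queued (nfs_async_unlink()) before
 * the rename is sent, so a rename that cannot be started cancels it again.
 *
 * Returns 0 on success; -EBUSY if the dentry is already silly-renamed, a
 * probe lookup failed, or the rename task could not be started; the
 * nfs_async_unlink() error; or the status of the rename RPC.
 */
int
nfs_sillyrename(struct inode *dir, struct dentry *dentry)
{
	static unsigned int sillycounter;
	const int      fileidsize  = sizeof(NFS_FILEID(dentry->d_inode))*2;
	const int      countersize = sizeof(sillycounter)*2;
	/*
	 * ".nfs" + fileid hex digits + counter hex digits + NUL.  Spelled
	 * out with sizeof() so this is a fixed-size array rather than a VLA
	 * (a const int is not a constant expression in C).
	 */
	char           silly[sizeof(".nfs") + sizeof(NFS_FILEID(dentry->d_inode))*2
			     + sizeof(sillycounter)*2];
	const int      slen        = sizeof(silly) - 1;
	unsigned long long fileid  = NFS_FILEID(dentry->d_inode);
	struct dentry *sdentry;
	struct rpc_task *task;
	int            error;

	dfprintk(VFS, "NFS: silly-rename(%s/%s, ct=%d)\n",
		dentry->d_parent->d_name.name, dentry->d_name.name,
		atomic_read(&dentry->d_count));
	nfs_inc_stats(dir, NFSIOS_SILLYRENAME);

	/*
	 * We don't allow a dentry to be silly-renamed twice.
	 */
	error = -EBUSY;
	if (dentry->d_flags & DCACHE_NFSFS_RENAMED)
		goto out;

	/* Return delegation in anticipation of the rename */
	nfs_inode_return_delegation(dentry->d_inode);

	sdentry = NULL;
	do {
		dput(sdentry);
		sillycounter++;
		/*
		 * Rebuild the whole name each round.  Width == precision
		 * yields exactly fileidsize/countersize zero-padded digits,
		 * so the result is always slen characters, and snprintf()
		 * bounds the write to the buffer regardless.  "%llx" matches
		 * the unsigned long long fileid (the old "%Lx" relied on the
		 * kernel's printf treating 'L' as long long).  sillycounter
		 * is a plain static with no locking; the name also embeds
		 * the fileid and the lookup below re-probes, so uniqueness
		 * does not rest on the counter alone.
		 */
		snprintf(silly, sizeof(silly), ".nfs%*.*llx%*.*x",
			 fileidsize, fileidsize, fileid,
			 countersize, countersize, sillycounter);

		dfprintk(VFS, "NFS: trying to rename %s to %s\n",
				dentry->d_name.name, silly);

		sdentry = lookup_one_len(silly, dentry->d_parent, slen);
		/*
		 * N.B. Better to return EBUSY here ... it could be
		 * dangerous to delete the file while it's in use.
		 */
		if (IS_ERR(sdentry))
			goto out;
	} while (sdentry->d_inode != NULL); /* need negative lookup */

	/* queue unlink first. Can't do this from rpc_release as it
	 * has to allocate memory
	 */
	error = nfs_async_unlink(dir, dentry);
	if (error)
		goto out_dput;

	/* run the rename task, undo unlink if it fails */
	task = nfs_async_rename(dir, dir, dentry, sdentry);
	if (IS_ERR(task)) {
		error = -EBUSY;
		nfs_cancel_async_unlink(dentry);
		goto out_dput;
	}

	/* wait for the RPC task to complete, unless a SIGKILL intervenes */
	error = rpc_wait_for_completion_task(task);
	if (error == 0)
		error = task->tk_status;
	/* drop the reference nfs_async_rename() handed us */
	rpc_put_task(task);
out_dput:
	dput(sdentry);
out:
	return error;
}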