Commit 94bebf4d authored by Oliver Neukum, committed by Greg Kroah-Hartman

Driver core: fix race in sysfs between sysfs_remove_file() and read()/write()

This patch prevents a race between IO and removing a file from sysfs.
It introduces a list of sysfs_buffers associated with a file at the inode.
Upon removal of a file the list is walked and the buffers marked orphaned.
IO to orphaned buffers fails with -ENODEV. The driver can safely free
associated data structures or be unloaded.
Signed-off-by: Oliver Neukum <oliver@neukum.name>
Acked-by: Maneesh Soni <maneesh@in.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
parent cb986b74
...@@ -16,6 +16,7 @@ ...@@ -16,6 +16,7 @@
#include <linux/slab.h> #include <linux/slab.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
......
...@@ -9,6 +9,7 @@ ...@@ -9,6 +9,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/kobject.h> #include <linux/kobject.h>
#include <linux/namei.h> #include <linux/namei.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
DECLARE_RWSEM(sysfs_rename_sem); DECLARE_RWSEM(sysfs_rename_sem);
......
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
#include <linux/kobject.h> #include <linux/kobject.h>
#include <linux/namei.h> #include <linux/namei.h>
#include <linux/poll.h> #include <linux/poll.h>
#include <linux/list.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/semaphore.h> #include <asm/semaphore.h>
...@@ -50,17 +51,29 @@ static struct sysfs_ops subsys_sysfs_ops = { ...@@ -50,17 +51,29 @@ static struct sysfs_ops subsys_sysfs_ops = {
.store = subsys_attr_store, .store = subsys_attr_store,
}; };
/**
* add_to_collection - add buffer to a collection
* @buffer: buffer to be added
* @node inode of set to add to
*/
struct sysfs_buffer { static inline void
size_t count; add_to_collection(struct sysfs_buffer *buffer, struct inode *node)
loff_t pos; {
char * page; struct sysfs_buffer_collection *set = node->i_private;
struct sysfs_ops * ops;
struct semaphore sem; mutex_lock(&node->i_mutex);
int needs_read_fill; list_add(&buffer->associates, &set->associates);
int event; mutex_unlock(&node->i_mutex);
}; }
static inline void
remove_from_collection(struct sysfs_buffer *buffer, struct inode *node)
{
mutex_lock(&node->i_mutex);
list_del(&buffer->associates);
mutex_unlock(&node->i_mutex);
}
/** /**
* fill_read_buffer - allocate and fill buffer from object. * fill_read_buffer - allocate and fill buffer from object.
...@@ -153,6 +166,10 @@ sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) ...@@ -153,6 +166,10 @@ sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos)
ssize_t retval = 0; ssize_t retval = 0;
down(&buffer->sem); down(&buffer->sem);
if (buffer->orphaned) {
retval = -ENODEV;
goto out;
}
if (buffer->needs_read_fill) { if (buffer->needs_read_fill) {
if ((retval = fill_read_buffer(file->f_path.dentry,buffer))) if ((retval = fill_read_buffer(file->f_path.dentry,buffer)))
goto out; goto out;
...@@ -165,7 +182,6 @@ sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos) ...@@ -165,7 +182,6 @@ sysfs_read_file(struct file *file, char __user *buf, size_t count, loff_t *ppos)
return retval; return retval;
} }
/** /**
* fill_write_buffer - copy buffer from userspace. * fill_write_buffer - copy buffer from userspace.
* @buffer: data buffer for file. * @buffer: data buffer for file.
...@@ -243,19 +259,25 @@ sysfs_write_file(struct file *file, const char __user *buf, size_t count, loff_t ...@@ -243,19 +259,25 @@ sysfs_write_file(struct file *file, const char __user *buf, size_t count, loff_t
ssize_t len; ssize_t len;
down(&buffer->sem); down(&buffer->sem);
if (buffer->orphaned) {
len = -ENODEV;
goto out;
}
len = fill_write_buffer(buffer, buf, count); len = fill_write_buffer(buffer, buf, count);
if (len > 0) if (len > 0)
len = flush_write_buffer(file->f_path.dentry, buffer, len); len = flush_write_buffer(file->f_path.dentry, buffer, len);
if (len > 0) if (len > 0)
*ppos += len; *ppos += len;
out:
up(&buffer->sem); up(&buffer->sem);
return len; return len;
} }
static int check_perm(struct inode * inode, struct file * file) static int sysfs_open_file(struct inode *inode, struct file *file)
{ {
struct kobject *kobj = sysfs_get_kobject(file->f_path.dentry->d_parent); struct kobject *kobj = sysfs_get_kobject(file->f_path.dentry->d_parent);
struct attribute * attr = to_attr(file->f_path.dentry); struct attribute * attr = to_attr(file->f_path.dentry);
struct sysfs_buffer_collection *set;
struct sysfs_buffer * buffer; struct sysfs_buffer * buffer;
struct sysfs_ops * ops = NULL; struct sysfs_ops * ops = NULL;
int error = 0; int error = 0;
...@@ -285,6 +307,18 @@ static int check_perm(struct inode * inode, struct file * file) ...@@ -285,6 +307,18 @@ static int check_perm(struct inode * inode, struct file * file)
if (!ops) if (!ops)
goto Eaccess; goto Eaccess;
/* make sure we have a collection to add our buffers to */
mutex_lock(&inode->i_mutex);
if (!(set = inode->i_private)) {
if (!(set = inode->i_private = kmalloc(sizeof(struct sysfs_buffer_collection), GFP_KERNEL))) {
error = -ENOMEM;
goto Done;
} else {
INIT_LIST_HEAD(&set->associates);
}
}
mutex_unlock(&inode->i_mutex);
/* File needs write support. /* File needs write support.
* The inode's perms must say it's ok, * The inode's perms must say it's ok,
* and we must have a store method. * and we must have a store method.
...@@ -310,9 +344,11 @@ static int check_perm(struct inode * inode, struct file * file) ...@@ -310,9 +344,11 @@ static int check_perm(struct inode * inode, struct file * file)
*/ */
buffer = kzalloc(sizeof(struct sysfs_buffer), GFP_KERNEL); buffer = kzalloc(sizeof(struct sysfs_buffer), GFP_KERNEL);
if (buffer) { if (buffer) {
INIT_LIST_HEAD(&buffer->associates);
init_MUTEX(&buffer->sem); init_MUTEX(&buffer->sem);
buffer->needs_read_fill = 1; buffer->needs_read_fill = 1;
buffer->ops = ops; buffer->ops = ops;
add_to_collection(buffer, inode);
file->private_data = buffer; file->private_data = buffer;
} else } else
error = -ENOMEM; error = -ENOMEM;
...@@ -330,11 +366,6 @@ static int check_perm(struct inode * inode, struct file * file) ...@@ -330,11 +366,6 @@ static int check_perm(struct inode * inode, struct file * file)
return error; return error;
} }
static int sysfs_open_file(struct inode * inode, struct file * filp)
{
return check_perm(inode,filp);
}
static int sysfs_release(struct inode * inode, struct file * filp) static int sysfs_release(struct inode * inode, struct file * filp)
{ {
struct kobject * kobj = to_kobj(filp->f_path.dentry->d_parent); struct kobject * kobj = to_kobj(filp->f_path.dentry->d_parent);
...@@ -342,6 +373,8 @@ static int sysfs_release(struct inode * inode, struct file * filp) ...@@ -342,6 +373,8 @@ static int sysfs_release(struct inode * inode, struct file * filp)
struct module * owner = attr->owner; struct module * owner = attr->owner;
struct sysfs_buffer * buffer = filp->private_data; struct sysfs_buffer * buffer = filp->private_data;
if (buffer)
remove_from_collection(buffer, inode);
if (kobj) if (kobj)
kobject_put(kobj); kobject_put(kobj);
/* After this point, attr should not be accessed. */ /* After this point, attr should not be accessed. */
...@@ -548,7 +581,7 @@ EXPORT_SYMBOL_GPL(sysfs_chmod_file); ...@@ -548,7 +581,7 @@ EXPORT_SYMBOL_GPL(sysfs_chmod_file);
void sysfs_remove_file(struct kobject * kobj, const struct attribute * attr) void sysfs_remove_file(struct kobject * kobj, const struct attribute * attr)
{ {
sysfs_hash_and_remove(kobj->dentry,attr->name); sysfs_hash_and_remove(kobj->dentry, attr->name);
} }
......
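Review bot: In sysfs_open_file, the new block that allocates the buffer collection jumps to `Done` on kmalloc failure while `inode->i_mutex` is still held. The `Done` label lies outside the visible hunks, so unless it releases the mutex, a failed allocation would leave the inode locked for every later opener and for the removal path. Release the lock in the `-ENOMEM` branch, i.e. put `mutex_unlock(&inode->i_mutex);` ahead of `goto Done;`. It is also worth confirming that `Done` drops whatever references were taken earlier in the function, since this new exit comes after the `!ops` check and the code before that is not shown.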
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#include <linux/dcache.h> #include <linux/dcache.h>
#include <linux/namei.h> #include <linux/namei.h>
#include <linux/err.h> #include <linux/err.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
......
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
#include <linux/backing-dev.h> #include <linux/backing-dev.h>
#include <linux/capability.h> #include <linux/capability.h>
#include <linux/errno.h> #include <linux/errno.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
extern struct super_block * sysfs_sb; extern struct super_block * sysfs_sb;
...@@ -209,6 +210,22 @@ const unsigned char * sysfs_get_name(struct sysfs_dirent *sd) ...@@ -209,6 +210,22 @@ const unsigned char * sysfs_get_name(struct sysfs_dirent *sd)
return NULL; return NULL;
} }
static inline void orphan_all_buffers(struct inode *node)
{
struct sysfs_buffer_collection *set = node->i_private;
struct sysfs_buffer *buf;
mutex_lock(&node->i_mutex);
if (node->i_private) {
list_for_each_entry(buf, &set->associates, associates) {
down(&buf->sem);
buf->orphaned = 1;
up(&buf->sem);
}
}
mutex_unlock(&node->i_mutex);
}
/* /*
* Unhashes the dentry corresponding to given sysfs_dirent * Unhashes the dentry corresponding to given sysfs_dirent
...@@ -217,16 +234,23 @@ const unsigned char * sysfs_get_name(struct sysfs_dirent *sd) ...@@ -217,16 +234,23 @@ const unsigned char * sysfs_get_name(struct sysfs_dirent *sd)
void sysfs_drop_dentry(struct sysfs_dirent * sd, struct dentry * parent) void sysfs_drop_dentry(struct sysfs_dirent * sd, struct dentry * parent)
{ {
struct dentry * dentry = sd->s_dentry; struct dentry * dentry = sd->s_dentry;
struct inode *inode;
if (dentry) { if (dentry) {
spin_lock(&dcache_lock); spin_lock(&dcache_lock);
spin_lock(&dentry->d_lock); spin_lock(&dentry->d_lock);
if (!(d_unhashed(dentry) && dentry->d_inode)) { if (!(d_unhashed(dentry) && dentry->d_inode)) {
inode = dentry->d_inode;
spin_lock(&inode->i_lock);
__iget(inode);
spin_unlock(&inode->i_lock);
dget_locked(dentry); dget_locked(dentry);
__d_drop(dentry); __d_drop(dentry);
spin_unlock(&dentry->d_lock); spin_unlock(&dentry->d_lock);
spin_unlock(&dcache_lock); spin_unlock(&dcache_lock);
simple_unlink(parent->d_inode, dentry); simple_unlink(parent->d_inode, dentry);
orphan_all_buffers(inode);
iput(inode);
} else { } else {
spin_unlock(&dentry->d_lock); spin_unlock(&dentry->d_lock);
spin_unlock(&dcache_lock); spin_unlock(&dcache_lock);
......
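Review bot: orphan_all_buffers loads `node->i_private` into `set` before taking `node->i_mutex` and then re-tests `node->i_private` under the lock. If an opener that already holds the dentry installs the collection between the two reads, the list walk would run with a NULL `set`. Read the pointer once under the lock, with `set = node->i_private;` right after `mutex_lock(&node->i_mutex);`, and test `if (set)`. Separately, the added `spin_lock(&inode->i_lock)` in sysfs_drop_dentry dereferences `dentry->d_inode` on a branch whose condition `!(d_unhashed(dentry) && dentry->d_inode)` also holds for a hashed dentry with no inode, so that condition deserves a second look. sysfs_drop_dentry continues past the end of the hunk.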
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#include <linux/mount.h> #include <linux/mount.h>
#include <linux/pagemap.h> #include <linux/pagemap.h>
#include <linux/init.h> #include <linux/init.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
...@@ -18,9 +19,12 @@ struct vfsmount *sysfs_mount; ...@@ -18,9 +19,12 @@ struct vfsmount *sysfs_mount;
struct super_block * sysfs_sb = NULL; struct super_block * sysfs_sb = NULL;
struct kmem_cache *sysfs_dir_cachep; struct kmem_cache *sysfs_dir_cachep;
static void sysfs_clear_inode(struct inode *inode);
static struct super_operations sysfs_ops = { static struct super_operations sysfs_ops = {
.statfs = simple_statfs, .statfs = simple_statfs,
.drop_inode = generic_delete_inode, .drop_inode = generic_delete_inode,
.clear_inode = sysfs_clear_inode,
}; };
static struct sysfs_dirent sysfs_root = { static struct sysfs_dirent sysfs_root = {
...@@ -31,6 +35,11 @@ static struct sysfs_dirent sysfs_root = { ...@@ -31,6 +35,11 @@ static struct sysfs_dirent sysfs_root = {
.s_iattr = NULL, .s_iattr = NULL,
}; };
static void sysfs_clear_inode(struct inode *inode)
{
kfree(inode->i_private);
}
static int sysfs_fill_super(struct super_block *sb, void *data, int silent) static int sysfs_fill_super(struct super_block *sb, void *data, int silent)
{ {
struct inode *inode; struct inode *inode;
......
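Review bot: sysfs_clear_inode has no comment saying what `i_private` holds or why an unconditional kfree is safe, and `sysfs_ops` wires it in for every sysfs inode. A short comment would help, for example `/* i_private is the sysfs_buffer_collection allocated on first open in sysfs_open_file(); NULL otherwise, which kfree() accepts */`. The comment should also state the assumption that the `associates` list is empty by this point, presumably because each buffer is unlinked in sysfs_release. If any other sysfs inode type stores something different in `i_private`, this hook would free it too; that cannot be checked from the lines shown.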
...@@ -7,6 +7,7 @@ ...@@ -7,6 +7,7 @@
#include <linux/module.h> #include <linux/module.h>
#include <linux/kobject.h> #include <linux/kobject.h>
#include <linux/namei.h> #include <linux/namei.h>
#include <asm/semaphore.h>
#include "sysfs.h" #include "sysfs.h"
......
...@@ -33,6 +33,22 @@ struct sysfs_symlink { ...@@ -33,6 +33,22 @@ struct sysfs_symlink {
struct kobject * target_kobj; struct kobject * target_kobj;
}; };
struct sysfs_buffer {
struct list_head associates;
size_t count;
loff_t pos;
char * page;
struct sysfs_ops * ops;
struct semaphore sem;
int orphaned;
int needs_read_fill;
int event;
};
struct sysfs_buffer_collection {
struct list_head associates;
};
static inline struct kobject * to_kobj(struct dentry * dentry) static inline struct kobject * to_kobj(struct dentry * dentry)
{ {
struct sysfs_dirent * sd = dentry->d_fsdata; struct sysfs_dirent * sd = dentry->d_fsdata;
......
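Review bot: The new `associates` and `orphaned` members and struct sysfs_buffer_collection carry no comment on which lock protects them, although the commit relies on two different locks. The list is modified under the inode's `i_mutex`, while `orphaned` is set and tested with the buffer's `sem` held. Suggest `/* linked into the inode's sysfs_buffer_collection; protected by inode->i_mutex */` on `associates` and `/* set when the file is removed; checked under sem, IO then fails with -ENODEV */` on `orphaned`. A one-line comment on sysfs_buffer_collection saying it hangs off `inode->i_private` would complete the picture.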