ClabureDB: Classified Bug-Reports Database

Project: Linux Kernel

Showing error 1764

User:	Jiri Slaby
Error type:	Invalid Pointer Dereference
Error type description:	A pointer which is invalid is being dereferenced
File location:	fs/pnode.c
Line in file:	261
Project:	Linux Kernel
Project version:	2.6.28
Tools:	Smatch (1.59)
Entered:	2013-09-10 20:24:52 UTC
Source:

  1/*
  2 *  linux/fs/pnode.c
  3 *
  4 * (C) Copyright IBM Corporation 2005.
  5 *        Released under GPL v2.
  6 *        Author : Ram Pai (linuxram@us.ibm.com)
  7 *
  8 */
  9#include <linux/mnt_namespace.h>
 10#include <linux/mount.h>
 11#include <linux/fs.h>
 12#include "internal.h"
 13#include "pnode.h"
 14
 15/* return the next shared peer mount of @p */
 16static inline struct vfsmount *next_peer(struct vfsmount *p)
 17{
 18        return list_entry(p->mnt_share.next, struct vfsmount, mnt_share);
 19}
 20
 21static inline struct vfsmount *first_slave(struct vfsmount *p)
 22{
 23        return list_entry(p->mnt_slave_list.next, struct vfsmount, mnt_slave);
 24}
 25
 26static inline struct vfsmount *next_slave(struct vfsmount *p)
 27{
 28        return list_entry(p->mnt_slave.next, struct vfsmount, mnt_slave);
 29}
 30
 31/*
 32 * Return true if path is reachable from root
 33 *
 34 * namespace_sem is held, and mnt is attached
 35 */
 36static bool is_path_reachable(struct vfsmount *mnt, struct dentry *dentry,
 37                         const struct path *root)
 38{
 39        while (mnt != root->mnt && mnt->mnt_parent != mnt) {
 40                dentry = mnt->mnt_mountpoint;
 41                mnt = mnt->mnt_parent;
 42        }
 43        return mnt == root->mnt && is_subdir(dentry, root->dentry);
 44}
 45
 46static struct vfsmount *get_peer_under_root(struct vfsmount *mnt,
 47                                            struct mnt_namespace *ns,
 48                                            const struct path *root)
 49{
 50        struct vfsmount *m = mnt;
 51
 52        do {
 53                /* Check the namespace first for optimization */
 54                if (m->mnt_ns == ns && is_path_reachable(m, m->mnt_root, root))
 55                        return m;
 56
 57                m = next_peer(m);
 58        } while (m != mnt);
 59
 60        return NULL;
 61}
 62
 63/*
 64 * Get ID of closest dominating peer group having a representative
 65 * under the given root.
 66 *
 67 * Caller must hold namespace_sem
 68 */
 69int get_dominating_id(struct vfsmount *mnt, const struct path *root)
 70{
 71        struct vfsmount *m;
 72
 73        for (m = mnt->mnt_master; m != NULL; m = m->mnt_master) {
 74                struct vfsmount *d = get_peer_under_root(m, mnt->mnt_ns, root);
 75                if (d)
 76                        return d->mnt_group_id;
 77        }
 78
 79        return 0;
 80}
 81
 82static int do_make_slave(struct vfsmount *mnt)
 83{
 84        struct vfsmount *peer_mnt = mnt, *master = mnt->mnt_master;
 85        struct vfsmount *slave_mnt;
 86
 87        /*
 88         * slave 'mnt' to a peer mount that has the
 89         * same root dentry. If none is available than
 90         * slave it to anything that is available.
 91         */
 92        while ((peer_mnt = next_peer(peer_mnt)) != mnt &&
 93               peer_mnt->mnt_root != mnt->mnt_root) ;
 94
 95        if (peer_mnt == mnt) {
 96                peer_mnt = next_peer(mnt);
 97                if (peer_mnt == mnt)
 98                        peer_mnt = NULL;
 99        }
100        if (IS_MNT_SHARED(mnt) && list_empty(&mnt->mnt_share))
101                mnt_release_group_id(mnt);
102
103        list_del_init(&mnt->mnt_share);
104        mnt->mnt_group_id = 0;
105
106        if (peer_mnt)
107                master = peer_mnt;
108
109        if (master) {
110                list_for_each_entry(slave_mnt, &mnt->mnt_slave_list, mnt_slave)
111                        slave_mnt->mnt_master = master;
112                list_move(&mnt->mnt_slave, &master->mnt_slave_list);
113                list_splice(&mnt->mnt_slave_list, master->mnt_slave_list.prev);
114                INIT_LIST_HEAD(&mnt->mnt_slave_list);
115        } else {
116                struct list_head *p = &mnt->mnt_slave_list;
117                while (!list_empty(p)) {
118                        slave_mnt = list_first_entry(p,
119                                        struct vfsmount, mnt_slave);
120                        list_del_init(&slave_mnt->mnt_slave);
121                        slave_mnt->mnt_master = NULL;
122                }
123        }
124        mnt->mnt_master = master;
125        CLEAR_MNT_SHARED(mnt);
126        return 0;
127}
128
129void change_mnt_propagation(struct vfsmount *mnt, int type)
130{
131        if (type == MS_SHARED) {
132                set_mnt_shared(mnt);
133                return;
134        }
135        do_make_slave(mnt);
136        if (type != MS_SLAVE) {
137                list_del_init(&mnt->mnt_slave);
138                mnt->mnt_master = NULL;
139                if (type == MS_UNBINDABLE)
140                        mnt->mnt_flags |= MNT_UNBINDABLE;
141                else
142                        mnt->mnt_flags &= ~MNT_UNBINDABLE;
143        }
144}
145
146/*
147 * get the next mount in the propagation tree.
148 * @m: the mount seen last
149 * @origin: the original mount from where the tree walk initiated
150 */
151static struct vfsmount *propagation_next(struct vfsmount *m,
152                                         struct vfsmount *origin)
153{
154        /* are there any slaves of this mount? */
155        if (!IS_MNT_NEW(m) && !list_empty(&m->mnt_slave_list))
156                return first_slave(m);
157
158        while (1) {
159                struct vfsmount *next;
160                struct vfsmount *master = m->mnt_master;
161
162                if (master == origin->mnt_master) {
163                        next = next_peer(m);
164                        return ((next == origin) ? NULL : next);
165                } else if (m->mnt_slave.next != &master->mnt_slave_list)
166                        return next_slave(m);
167
168                /* back at master */
169                m = master;
170        }
171}
172
173/*
174 * return the source mount to be used for cloning
175 *
176 * @dest         the current destination mount
177 * @last_dest          the last seen destination mount
178 * @last_src          the last seen source mount
179 * @type        return CL_SLAVE if the new mount has to be
180 *                 cloned as a slave.
181 */
182static struct vfsmount *get_source(struct vfsmount *dest,
183                                        struct vfsmount *last_dest,
184                                        struct vfsmount *last_src,
185                                        int *type)
186{
187        struct vfsmount *p_last_src = NULL;
188        struct vfsmount *p_last_dest = NULL;
189        *type = CL_PROPAGATION;
190
191        if (IS_MNT_SHARED(dest))
192                *type |= CL_MAKE_SHARED;
193
194        while (last_dest != dest->mnt_master) {
195                p_last_dest = last_dest;
196                p_last_src = last_src;
197                last_dest = last_dest->mnt_master;
198                last_src = last_src->mnt_master;
199        }
200
201        if (p_last_dest) {
202                do {
203                        p_last_dest = next_peer(p_last_dest);
204                } while (IS_MNT_NEW(p_last_dest));
205        }
206
207        if (dest != p_last_dest) {
208                *type |= CL_SLAVE;
209                return last_src;
210        } else
211                return p_last_src;
212}
213
214/*
215 * mount 'source_mnt' under the destination 'dest_mnt' at
216 * dentry 'dest_dentry'. And propagate that mount to
217 * all the peer and slave mounts of 'dest_mnt'.
218 * Link all the new mounts into a propagation tree headed at
219 * source_mnt. Also link all the new mounts using ->mnt_list
220 * headed at source_mnt's ->mnt_list
221 *
222 * @dest_mnt: destination mount.
223 * @dest_dentry: destination dentry.
224 * @source_mnt: source mount.
225 * @tree_list : list of heads of trees to be attached.
226 */
227int propagate_mnt(struct vfsmount *dest_mnt, struct dentry *dest_dentry,
228                    struct vfsmount *source_mnt, struct list_head *tree_list)
229{
230        struct vfsmount *m, *child;
231        int ret = 0;
232        struct vfsmount *prev_dest_mnt = dest_mnt;
233        struct vfsmount *prev_src_mnt  = source_mnt;
234        LIST_HEAD(tmp_list);
235        LIST_HEAD(umount_list);
236
237        for (m = propagation_next(dest_mnt, dest_mnt); m;
238                        m = propagation_next(m, dest_mnt)) {
239                int type;
240                struct vfsmount *source;
241
242                if (IS_MNT_NEW(m))
243                        continue;
244
245                source =  get_source(m, prev_dest_mnt, prev_src_mnt, &type);
246
247                if (!(child = copy_tree(source, source->mnt_root, type))) {
248                        ret = -ENOMEM;
249                        list_splice(tree_list, tmp_list.prev);
250                        goto out;
251                }
252
253                if (is_subdir(dest_dentry, m->mnt_root)) {
254                        mnt_set_mountpoint(m, dest_dentry, child);
255                        list_add_tail(&child->mnt_hash, tree_list);
256                } else {
257                        /*
258                         * This can happen if the parent mount was bind mounted
259                         * on some subdirectory of a shared/slave mount.
260                         */
261                        list_add_tail(&child->mnt_hash, &tmp_list);
262                }
263                prev_dest_mnt = m;
264                prev_src_mnt  = child;
265        }
266out:
267        spin_lock(&vfsmount_lock);
268        while (!list_empty(&tmp_list)) {
269                child = list_first_entry(&tmp_list, struct vfsmount, mnt_hash);
270                umount_tree(child, 0, &umount_list);
271        }
272        spin_unlock(&vfsmount_lock);
273        release_mounts(&umount_list);
274        return ret;
275}
276
277/*
278 * return true if the refcount is greater than count
279 */
280static inline int do_refcount_check(struct vfsmount *mnt, int count)
281{
282        int mycount = atomic_read(&mnt->mnt_count) - mnt->mnt_ghosts;
283        return (mycount > count);
284}
285
286/*
287 * check if the mount 'mnt' can be unmounted successfully.
288 * @mnt: the mount to be checked for unmount
289 * NOTE: unmounting 'mnt' would naturally propagate to all
290 * other mounts its parent propagates to.
291 * Check if any of these mounts that **do not have submounts**
292 * have more references than 'refcnt'. If so return busy.
293 */
294int propagate_mount_busy(struct vfsmount *mnt, int refcnt)
295{
296        struct vfsmount *m, *child;
297        struct vfsmount *parent = mnt->mnt_parent;
298        int ret = 0;
299
300        if (mnt == parent)
301                return do_refcount_check(mnt, refcnt);
302
303        /*
304         * quickly check if the current mount can be unmounted.
305         * If not, we don't have to go checking for all other
306         * mounts
307         */
308        if (!list_empty(&mnt->mnt_mounts) || do_refcount_check(mnt, refcnt))
309                return 1;
310
311        for (m = propagation_next(parent, parent); m;
312                             m = propagation_next(m, parent)) {
313                child = __lookup_mnt(m, mnt->mnt_mountpoint, 0);
314                if (child && list_empty(&child->mnt_mounts) &&
315                    (ret = do_refcount_check(child, 1)))
316                        break;
317        }
318        return ret;
319}
320
321/*
322 * NOTE: unmounting 'mnt' naturally propagates to all other mounts its
323 * parent propagates to.
324 */
325static void __propagate_umount(struct vfsmount *mnt)
326{
327        struct vfsmount *parent = mnt->mnt_parent;
328        struct vfsmount *m;
329
330        BUG_ON(parent == mnt);
331
332        for (m = propagation_next(parent, parent); m;
333                        m = propagation_next(m, parent)) {
334
335                struct vfsmount *child = __lookup_mnt(m,
336                                        mnt->mnt_mountpoint, 0);
337                /*
338                 * umount the child only if the child has no
339                 * other children
340                 */
341                if (child && list_empty(&child->mnt_mounts))
342                        list_move_tail(&child->mnt_hash, &mnt->mnt_hash);
343        }
344}
345
346/*
347 * collect all mounts that receive propagation from the mount in @list,
348 * and return these additional mounts in the same list.
349 * @list: the list of mounts to be unmounted.
350 */
351int propagate_umount(struct list_head *list)
352{
353        struct vfsmount *mnt;
354
355        list_for_each_entry(mnt, list, mnt_hash)
356                __propagate_umount(mnt);
357        return 0;
358}