From 1a3cac6c6d1f56dc26939eb41be29844f897c15a Mon Sep 17 00:00:00 2001 From: Eric Van Hensbergen Date: Thu, 26 Jul 2007 14:04:54 -0500 Subject: [PATCH 1/4] 9p: fix use after free On 7/22/07, Adrian Bunk wrote: The Coverity checker spotted the following use-after-free in net/9p/mux.c: <-- snip --> ... struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize, unsigned char *extended) { ... if (!m->tagpool) { kfree(m); return ERR_PTR(PTR_ERR(m->tagpool)); } ... <-- snip --> Also spotted was a leak of the same structure further down in the function. Signed-off-by: Eric Van Hensbergen
---
 net/9p/mux.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/net/9p/mux.c b/net/9p/mux.c
index acb038810f39..5d70558c4c61 100644
--- a/net/9p/mux.c
+++ b/net/9p/mux.c
@@ -288,9 +288,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
 m->extended = extended;
 m->trans = trans;
 m->tagpool = p9_idpool_create();
- if (!m->tagpool) {
+ if (IS_ERR(m->tagpool)) {
+ mtmp = ERR_PTR(-ENOMEM);
 kfree(m);
- return ERR_PTR(PTR_ERR(m->tagpool));
+ return mtmp;
 }
 m->err = 0;
@@ -308,8 +309,10 @@ struct p9_conn *p9_conn_create(struct p9_transport *trans, int msize,
 memset(&m->poll_waddr, 0, sizeof(m->poll_waddr));
 m->poll_task = NULL;
 n = p9_mux_poll_start(m);
- if (n)
+ if (n) {
+ kfree(m);
 return ERR_PTR(n);
+ }
 n = trans->poll(trans, &m->pt);
 if (n & POLLIN) {
From 27a2a5ff41e366290adb89adcc9e70e6a9e81455 Mon Sep 17 00:00:00 2001 From: Eric Van Hensbergen Date: Mon, 23 Jul 2007 13:06:13 -0500 Subject: [PATCH 2/4] 9p: update maintainers and documentation Updates to the MAINTAINERS file and documentation for 9p to point to the swik wiki versus the outdated sf.net page. Also updated some email addresses and added pointers to papers which better describe the implementation and application of the Linux 9p client.
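Review bot: In the first net/9p/mux.c hunk (the tagpool branch of p9_conn_create), the new error path discards whatever p9_idpool_create() reported and always returns `-ENOMEM`, and the switch from `!m->tagpool` to `IS_ERR(m->tagpool)` no longer catches a NULL return. The real error can be kept without touching freed memory by reading it before the free, `mtmp = ERR_PTR(PTR_ERR(m->tagpool));` ahead of `kfree(m);`. p9_idpool_create() is not shown on this page, so whether it can return NULL needs confirming; if it can, the condition should read `if (!m->tagpool || IS_ERR(m->tagpool))`. The declaration of `mtmp` and the rest of the function body lie outside the hunk.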
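Review bot: In the second net/9p/mux.c hunk, the new `kfree(m);` on p9_mux_poll_start() failure releases the connection but not `m->tagpool`, which the first hunk shows being allocated by p9_idpool_create(), so the id pool appears to leak on this path. Unless p9_mux_poll_start() (not shown) already tears it down, the branch should release the pool first, `p9_idpool_destroy(m->tagpool);` before `kfree(m);`. The remainder of p9_conn_create is outside the hunk, so any later error return should be checked for the same omission.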
Signed-off-by: Eric Van Hensbergen --- Documentation/filesystems/9p.txt | 24 +++++++++++++++++++----- MAINTAINERS | 4 ++-- 2 files changed, 21 insertions(+), 7 deletions(-) diff --git a/Documentation/filesystems/9p.txt b/Documentation/filesystems/9p.txt index bbd8b28c13de..cda6905cbe49 100644 --- a/Documentation/filesystems/9p.txt +++ b/Documentation/filesystems/9p.txt @@ -6,12 +6,26 @@ ABOUT v9fs is a Unix implementation of the Plan 9 9p remote filesystem protocol. -This software was originally developed by Ron Minnich -and Maya Gokhale . Additional development by Greg Watson +This software was originally developed by Ron Minnich +and Maya Gokhale. Additional development by Greg Watson and most recently Eric Van Hensbergen , Latchesar Ionkov and Russ Cox . +The best detailed explanation of the Linux implementation and applications of +the 9p client is available in the form of a USENIX paper: + http://www.usenix.org/events/usenix05/tech/freenix/hensbergen.html + +Other applications are described in the following papers: + * XCPU & Clustering + http://www.xcpu.org/xcpu-talk.pdf + * KVMFS: control file system for KVM + http://www.xcpu.org/kvmfs.pdf + * CellFS: A New ProgrammingModel for the Cell BE + http://www.xcpu.org/cellfs-talk.pdf + * PROSE I/O: Using 9p to enable Application Partitions + http://plan9.escet.urjc.es/iwp9/cready/PROSE_iwp9_2006.pdf + USAGE ===== 
@@ -90,9 +104,9 @@ subset of the namespace by extending the path: '#U*'/tmp would just export and export. A Linux version of the 9p server is now maintained under the npfs project -on sourceforge (http://sourceforge.net/projects/npfs). There is also a -more stable single-threaded version of the server (named spfs) available from -the same CVS repository. +on sourceforge (http://sourceforge.net/projects/npfs). The currently +maintained version is the single-threaded version of the server (named spfs) +available from the same CVS repository. There are user and developer mailing lists available through the v9fs project on sourceforge (http://sourceforge.net/projects/v9fs). diff --git a/MAINTAINERS b/MAINTAINERS index 371fe67a4eef..c1609ea0fa1f 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -167,11 +167,11 @@ S: Maintained P: Eric Van Hensbergen M: ericvh@gmail.com P: Ron Minnich -M: rminnich@lanl.gov +M: rminnich@sandia.gov P: Latchesar Ionkov M: lucho@ionkov.net L: v9fs-developer@lists.sourceforge.net -W: http://v9fs.sf.net +W: http://swik.net/v9fs T: git kernel.org:/pub/scm/linux/kernel/ericvh/v9fs.git S: Maintained From fbcb7599e411309cf47a2b834d3546469c153cf4 Mon Sep 17 00:00:00 2001 From: Eric Van Hensbergen Date: Thu, 23 Aug 2007 10:08:45 -0500 Subject: [PATCH 3/4] 9p: remove deprecated v9fs_fid_lookup_remove() This patch removes the v9fs_fid_lookup_remove which is no longer used. Based on original patch from Adrian Bunk which used #if 0 to isolate the code. Signed-off-by: Adrian Bunk Signed-off-by: Eric Van Hensbergen --- fs/9p/fid.c | 17 ----------------- fs/9p/fid.h | 1 - 2 files changed, 18 deletions(-) diff --git a/fs/9p/fid.c b/fs/9p/fid.c index 08fa320b7e6d..15e05a15b575 100644 --- a/fs/9p/fid.c +++ b/fs/9p/fid.c 
@@ -92,23 +92,6 @@ struct p9_fid *v9fs_fid_lookup(struct dentry *dentry)
 return fid;
 }
-struct p9_fid *v9fs_fid_lookup_remove(struct dentry *dentry)
-{
- struct p9_fid *fid;
- struct v9fs_dentry *dent;
-
- dent = dentry->d_fsdata;
- fid = v9fs_fid_lookup(dentry);
- if (!IS_ERR(fid)) {
- spin_lock(&dent->lock);
- list_del(&fid->dlist);
- spin_unlock(&dent->lock);
- }
-
- return fid;
-}
-
-
 /**
 * v9fs_fid_clone - lookup the fid for a dentry, clone a private copy and
 * release it
diff --git a/fs/9p/fid.h b/fs/9p/fid.h
index 47a0ba742872..26e07df783b9 100644
--- a/fs/9p/fid.h
+++ b/fs/9p/fid.h
@@ -28,6 +28,5 @@ struct v9fs_dentry {
 };
 struct p9_fid *v9fs_fid_lookup(struct dentry *dentry);
-struct p9_fid *v9fs_fid_lookup_remove(struct dentry *dentry);
 struct p9_fid *v9fs_fid_clone(struct dentry *dentry);
 int v9fs_fid_add(struct dentry *dentry, struct p9_fid *fid);
From 02881d94780faa86e32952e46381f7cd4c78d5ac Mon Sep 17 00:00:00 2001 From: Mariusz Kozlowski Date: Thu, 23 Aug 2007 10:24:28 -0500 Subject: [PATCH 4/4] 9p: fix bad error path in conversion routines When buf_check_overflow() returns != 0 we will hit kfree(ERR_PTR(err)) and it will not be happy about it. Signed-off-by: Mariusz Kozlowski Signed-off-by: Eric Van Hensbergen
---
 net/9p/conv.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/9p/conv.c b/net/9p/conv.c
index f2a041cb508a..d979d958ea19 100644
--- a/net/9p/conv.c
+++ b/net/9p/conv.c
@@ -796,6 +796,7 @@ struct p9_fcall *p9_create_twrite_u(u32 fid, u64 offset, u32 count,
 if (err) {
 kfree(fc);
 fc = ERR_PTR(err);
+ goto error;
 }
 if (buf_check_overflow(bufp)) {
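Review bot: The added `goto error;` in p9_create_twrite_u is only safe if the `error` label, which lies outside this hunk, does nothing more with `fc` than return it, and nothing at the jump site records that assumption. A comment on the new line such as `/* fc is an ERR_PTR from here on; skip the overflow check, which would kfree() it */` would state why the jump is needed. The commit title speaks of conversion routines in the plural while the diffstat shows a single insertion, so any sibling routine in net/9p/conv.c with the same `kfree(fc); fc = ERR_PTR(err);` sequence ahead of the overflow check should be checked for the same fall-through.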