fix buffer overflow in the moxa driver (CVE-2005-0504)
[linux-2.6/linux-acpi-2.6/ibm-acpi-2.6.git] / fs / pnode.c
blobf1871f773f642c8f39045431f5e42134e93ea80f
1 /*
2 * linux/fs/pnode.c
4 * (C) Copyright IBM Corporation 2005.
5 * Released under GPL v2.
6 * Author : Ram Pai (linuxram@us.ibm.com)
8 */
9 #include <linux/namespace.h>
10 #include <linux/mount.h>
11 #include <linux/fs.h>
12 #include "pnode.h"
14 /* return the next shared peer mount of @p */
15 static inline struct vfsmount *next_peer(struct vfsmount *p)
17 return list_entry(p->mnt_share.next, struct vfsmount, mnt_share);
20 static inline struct vfsmount *first_slave(struct vfsmount *p)
22 return list_entry(p->mnt_slave_list.next, struct vfsmount, mnt_slave);
25 static inline struct vfsmount *next_slave(struct vfsmount *p)
27 return list_entry(p->mnt_slave.next, struct vfsmount, mnt_slave);
30 static int do_make_slave(struct vfsmount *mnt)
32 struct vfsmount *peer_mnt = mnt, *master = mnt->mnt_master;
33 struct vfsmount *slave_mnt;
36 * slave 'mnt' to a peer mount that has the
37 * same root dentry. If none is available than
38 * slave it to anything that is available.
40 while ((peer_mnt = next_peer(peer_mnt)) != mnt &&
41 peer_mnt->mnt_root != mnt->mnt_root) ;
43 if (peer_mnt == mnt) {
44 peer_mnt = next_peer(mnt);
45 if (peer_mnt == mnt)
46 peer_mnt = NULL;
48 list_del_init(&mnt->mnt_share);
50 if (peer_mnt)
51 master = peer_mnt;
53 if (master) {
54 list_for_each_entry(slave_mnt, &mnt->mnt_slave_list, mnt_slave)
55 slave_mnt->mnt_master = master;
56 list_del(&mnt->mnt_slave);
57 list_add(&mnt->mnt_slave, &master->mnt_slave_list);
58 list_splice(&mnt->mnt_slave_list, master->mnt_slave_list.prev);
59 INIT_LIST_HEAD(&mnt->mnt_slave_list);
60 } else {
61 struct list_head *p = &mnt->mnt_slave_list;
62 while (!list_empty(p)) {
63 slave_mnt = list_entry(p->next,
64 struct vfsmount, mnt_slave);
65 list_del_init(&slave_mnt->mnt_slave);
66 slave_mnt->mnt_master = NULL;
69 mnt->mnt_master = master;
70 CLEAR_MNT_SHARED(mnt);
71 INIT_LIST_HEAD(&mnt->mnt_slave_list);
72 return 0;
75 void change_mnt_propagation(struct vfsmount *mnt, int type)
77 if (type == MS_SHARED) {
78 set_mnt_shared(mnt);
79 return;
81 do_make_slave(mnt);
82 if (type != MS_SLAVE) {
83 list_del_init(&mnt->mnt_slave);
84 mnt->mnt_master = NULL;
85 if (type == MS_UNBINDABLE)
86 mnt->mnt_flags |= MNT_UNBINDABLE;
91 * get the next mount in the propagation tree.
92 * @m: the mount seen last
93 * @origin: the original mount from where the tree walk initiated
95 static struct vfsmount *propagation_next(struct vfsmount *m,
96 struct vfsmount *origin)
98 /* are there any slaves of this mount? */
99 if (!IS_MNT_NEW(m) && !list_empty(&m->mnt_slave_list))
100 return first_slave(m);
102 while (1) {
103 struct vfsmount *next;
104 struct vfsmount *master = m->mnt_master;
106 if (master == origin->mnt_master) {
107 next = next_peer(m);
108 return ((next == origin) ? NULL : next);
109 } else if (m->mnt_slave.next != &master->mnt_slave_list)
110 return next_slave(m);
112 /* back at master */
113 m = master;
118 * return the source mount to be used for cloning
120 * @dest the current destination mount
121 * @last_dest the last seen destination mount
122 * @last_src the last seen source mount
123 * @type return CL_SLAVE if the new mount has to be
124 * cloned as a slave.
126 static struct vfsmount *get_source(struct vfsmount *dest,
127 struct vfsmount *last_dest,
128 struct vfsmount *last_src,
129 int *type)
131 struct vfsmount *p_last_src = NULL;
132 struct vfsmount *p_last_dest = NULL;
133 *type = CL_PROPAGATION;;
135 if (IS_MNT_SHARED(dest))
136 *type |= CL_MAKE_SHARED;
138 while (last_dest != dest->mnt_master) {
139 p_last_dest = last_dest;
140 p_last_src = last_src;
141 last_dest = last_dest->mnt_master;
142 last_src = last_src->mnt_master;
145 if (p_last_dest) {
146 do {
147 p_last_dest = next_peer(p_last_dest);
148 } while (IS_MNT_NEW(p_last_dest));
151 if (dest != p_last_dest) {
152 *type |= CL_SLAVE;
153 return last_src;
154 } else
155 return p_last_src;
159 * mount 'source_mnt' under the destination 'dest_mnt' at
160 * dentry 'dest_dentry'. And propagate that mount to
161 * all the peer and slave mounts of 'dest_mnt'.
162 * Link all the new mounts into a propagation tree headed at
163 * source_mnt. Also link all the new mounts using ->mnt_list
164 * headed at source_mnt's ->mnt_list
166 * @dest_mnt: destination mount.
167 * @dest_dentry: destination dentry.
168 * @source_mnt: source mount.
169 * @tree_list : list of heads of trees to be attached.
171 int propagate_mnt(struct vfsmount *dest_mnt, struct dentry *dest_dentry,
172 struct vfsmount *source_mnt, struct list_head *tree_list)
174 struct vfsmount *m, *child;
175 int ret = 0;
176 struct vfsmount *prev_dest_mnt = dest_mnt;
177 struct vfsmount *prev_src_mnt = source_mnt;
178 LIST_HEAD(tmp_list);
179 LIST_HEAD(umount_list);
181 for (m = propagation_next(dest_mnt, dest_mnt); m;
182 m = propagation_next(m, dest_mnt)) {
183 int type;
184 struct vfsmount *source;
186 if (IS_MNT_NEW(m))
187 continue;
189 source = get_source(m, prev_dest_mnt, prev_src_mnt, &type);
191 if (!(child = copy_tree(source, source->mnt_root, type))) {
192 ret = -ENOMEM;
193 list_splice(tree_list, tmp_list.prev);
194 goto out;
197 if (is_subdir(dest_dentry, m->mnt_root)) {
198 mnt_set_mountpoint(m, dest_dentry, child);
199 list_add_tail(&child->mnt_hash, tree_list);
200 } else {
202 * This can happen if the parent mount was bind mounted
203 * on some subdirectory of a shared/slave mount.
205 list_add_tail(&child->mnt_hash, &tmp_list);
207 prev_dest_mnt = m;
208 prev_src_mnt = child;
210 out:
211 spin_lock(&vfsmount_lock);
212 while (!list_empty(&tmp_list)) {
213 child = list_entry(tmp_list.next, struct vfsmount, mnt_hash);
214 list_del_init(&child->mnt_hash);
215 umount_tree(child, 0, &umount_list);
217 spin_unlock(&vfsmount_lock);
218 release_mounts(&umount_list);
219 return ret;
223 * return true if the refcount is greater than count
225 static inline int do_refcount_check(struct vfsmount *mnt, int count)
227 int mycount = atomic_read(&mnt->mnt_count);
228 return (mycount > count);
232 * check if the mount 'mnt' can be unmounted successfully.
233 * @mnt: the mount to be checked for unmount
234 * NOTE: unmounting 'mnt' would naturally propagate to all
235 * other mounts its parent propagates to.
236 * Check if any of these mounts that **do not have submounts**
237 * have more references than 'refcnt'. If so return busy.
239 int propagate_mount_busy(struct vfsmount *mnt, int refcnt)
241 struct vfsmount *m, *child;
242 struct vfsmount *parent = mnt->mnt_parent;
243 int ret = 0;
245 if (mnt == parent)
246 return do_refcount_check(mnt, refcnt);
249 * quickly check if the current mount can be unmounted.
250 * If not, we don't have to go checking for all other
251 * mounts
253 if (!list_empty(&mnt->mnt_mounts) || do_refcount_check(mnt, refcnt))
254 return 1;
256 for (m = propagation_next(parent, parent); m;
257 m = propagation_next(m, parent)) {
258 child = __lookup_mnt(m, mnt->mnt_mountpoint, 0);
259 if (child && list_empty(&child->mnt_mounts) &&
260 (ret = do_refcount_check(child, 1)))
261 break;
263 return ret;
267 * NOTE: unmounting 'mnt' naturally propagates to all other mounts its
268 * parent propagates to.
270 static void __propagate_umount(struct vfsmount *mnt)
272 struct vfsmount *parent = mnt->mnt_parent;
273 struct vfsmount *m;
275 BUG_ON(parent == mnt);
277 for (m = propagation_next(parent, parent); m;
278 m = propagation_next(m, parent)) {
280 struct vfsmount *child = __lookup_mnt(m,
281 mnt->mnt_mountpoint, 0);
283 * umount the child only if the child has no
284 * other children
286 if (child && list_empty(&child->mnt_mounts)) {
287 list_del(&child->mnt_hash);
288 list_add_tail(&child->mnt_hash, &mnt->mnt_hash);
294 * collect all mounts that receive propagation from the mount in @list,
295 * and return these additional mounts in the same list.
296 * @list: the list of mounts to be unmounted.
298 int propagate_umount(struct list_head *list)
300 struct vfsmount *mnt;
302 list_for_each_entry(mnt, list, mnt_hash)
303 __propagate_umount(mnt);
304 return 0;