1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
|
Mon Oct 24 23:27:42 1994 Theodore Y. Ts'o (tytso@rt-11)
* fcntl.c (sys_fcntl): Liberalize security checks which Alan Cox
put in.
Thu Oct 20 23:44:22 1994 Theodore Y. Ts'o (tytso@rt-11)
* fcntl.c (sys_fcntl): Add more of a security check to the
F_SETOWN fcntl().
[Tons of changes missed, indeed. This list is worth restarting since
at least some fixes WILL break third-party filesystems. Sorry, but
there was no other way to fix rmdir/rename deadlock, for one.]
Wed Dec 2 (Linus, fill the rest, please)
* namei.c (do_rmdir) and rmdir method in filesystems:
Locking of directory we remove was taken to VFS.
See comments in do_rmdir(). Unfixed filesystems
will bloody likely deadlock in rmdir().
Thu Dec 3 17:25:31 1998 Al Viro (viro@math.psu.edu)
* namei.c (do_rmdir):
Reject non-directories here.
Two (probably) obsolete checks moved here too: we fail if
the directory we remove is the same as parent (BUG: we
serve mountpoints later) or if it lives on a different
device.
* sysv/namei.c (sysv_rmdir): See sysv/CHANGES
Fri Dec 4 00:54:12 1998 AV
* namei.c (check_sticky): New function check_sticky(dir, inode).
If dir is sticky check whether we can unlink/rmdir/rename
the inode. Returns 1 if we can't. If dir isn't sticky -
return 0 (i.e. no objections). Some filesystems require
suser() here; some are fine with CAP_FOWNER. The later
seems more reasonable.
* namei.c (do_rmdir):
Moved the check for sticky bit here.
* affs/{inode,namei}.c:
All AFFS directories have sticky semantics (i.e. non-owner
having write permisssions on directory can unlink/rmdir/rename
only the files he owns), but AFFS didn't set S_ISVTX on them.
Fixed. NB: maybe this behaviour should be controlled by mount
option. Obvious values being 'sticky' (current behaviour),
'nonsticky' (normal behaviour) and maybe some play on 'D'
permissions bit. FIXME.
* qnx4/namei.c (qnx4_rmdir):
Plugged inode leak.
* ufs/namei.c (ufs_rmdir):
Changed handling of busy directory to new scheme.
Fri Dec 4 10:30:58 1998 AV
* namei.c (VFS_rmdir): New function. It gets inode of the parent and
dentry of the victim, does all checks and applies fs-specific
rmdir() method. It should be called with semaphores down
on both the victim and its parent and with bumped d_count on
victim (see comments in do_rmdir).
* include/linux/fs.h: Added VFS_rmdir
* kernel/ksyms.c: Added VFS_rmdir to export list (for NFSD).
* nfsd/vfs.c: Fixed rmdir handling.
Tue Dec 8 05:55:08 1998 AV
* vfat/namei.c: Fixed the bug in vfat_rename() introduced in the
first round of rmdir fixes.
Wed Dec 9 03:06:10 1998 AV
* namei.c (do_rename): part of fs-independent checks had been moved
here (sticky bit handling, type mismatches). Cases of
the source or target being append-only or immutable also went
here - if we check it for parent we could as well do it for
children.
* {affs,ext2,minix,sysv,ufs}/namei.c (do_*_rename):
Removed tests that went to VFS, it simplified the code big way.
Fixed a race in check for empty target - we should check for
extra owners _before_ checking for emptiness, not after it.
* {ext2,ufs}/namei.c (do_*_rename):
VERY nasty bug shot: if somebody mkdired /tmp/cca01234, went
there, rmdired '.', waited till somebody created a file with
the same name and said mv . /tmp/goodbye_sticky_bit... Well,
goodbye sticky bit. Down, not across!
* {minix,sysv}/namei.c (do_*_rename):
Incorrect check for other owners (i_count instead of d_count).
Fixed.
* vfat: Looks like the changes above fixed a bug in VFAT - this beast
used to allow renaming file over directory and vice versa.
Wed Dec 9 08:00:27 1998 AV
* namei.c (VFS_rename): New function. It gets the same arguments as
->rename() method, does all checks and applies fs-specific
rmdir() method. It should be called with semaphores down
on both parents.
* include/linux/fs.h: Added VFS_rename
* kernel/ksyms.c: Added VFS_rename to export list (for NFSD).
* nfsd/vfs.c: Changed rename handling (switched to VFS_rename).
Wed Dec 9 18:16:27 1998 AV
* namei.c (do_unlink): handling of sticky bit went here.
* {affs,ext2,minix,qnx4,sysv,ufs}/namei.c (*_unlink):
removed handling of sticky bit.
* qnx4/namei.c (qnx4_unlink):
Yet another inode leak. Fixed.
Thu Dec 10 04:55:26 1998 AV
* {ext2,minix,sysv,ufs}/namei.c (*_mknod):
removed meaningless code handling attempts to mknod symlinks
and directories. VFS protects us from _that_ and if this code
would ever be called we'ld get a filesystem corruption.
Thu Dec 10 16:58:50 1998 AV
* namei.c (do_rename): Fixed dentry leak that had been introduced by
the first round of rmdir fixes.
Fri Dec 11 14:57:17 1998 AV
* msdos/namei.c (msdos_rmdir): Fixed race in emptiness check.
Sat Dec 12 19:59:57 1998 AV
* msdos/namei.c (msdos_mkdir): Fixed the evil breakage introduced by
the changes of rmdir locking scheme. We shouldn't call
msdos_rmdir from there.
Sun Dec 13 02:05:16 1998 AV
* namei.c (do_unlink):
Added new function: vfs_unlink, with the same arguments as
->unlink() method.
* kernel/ksyms.c: Made it exported.
* include/linux/fs.h: Added prototype.
* nfsd/vfs.c: Changed handling of unlink (switched to vfs_unlink)
* {ext2,ufs}/namei.c (*_unlink): moved handling of imm./append-only to
VFS.
Wed Dec 16 06:10:04 1998 AV
* namei.c (may_create, may_delete): New inline functions.
They check whether creation/deletion is permitted.
Checks from other places of namei.c went there.
Looks like originally I misread permission-related stuff
both here and in nfsd. In particular, checks for
immutable are done in permission(). D'oh.
* unlink on directory should return -EISDIR, not -EPERM as it used to
do. Fixed.
* rmdir of immutable/append-only directory shouldn't be allowed. Fixed.
Remains unfixed:
* UMSDOS_rename is broken. Call it with the dest. existing and being an
empty directory and you've got EBUSY. At least it doesn't do
any harm, so that will wait several days till rename cleanup.
Sigh... It will wait a bit more. Problems with fat-derived
filesystems are much worse than I thought. Idea of changing
inode under dentry is broken by design - guess where the
semaphore sits, for one.
* umsdos: weird. rename() shouldn't return -EEXIST. BTW, manpage
for rename(2) is obviously bogus - it mentions EEXIST and
on the next line (correctly) says that EINVAL should be
returned. Under the same conditions.
* rename's handling of races is, erm, not optimal. Looks like I know
what to do, but this thing needs some more cleanup - we can
take care of almost all races in VFS and be much more graceful
wrt locking. Moreover, it would give strong lookup atomicity.
But it's a lot of changes to lookup and dcache code, so it will
go after the fs drivers' cleanup.
* hfs allows mknod. Only for regular files ;-/ IMHO it's bogus.
* affs allows HARD links to directories. VFS is, to put it politely,
not too ready to cope with _that_. And I'm not sure it should
be - looks like they are pretty much similar to symlinks.
* truncate doesn't give a damn about IO errors and disk overflows (on
braindead filesystems). I've submitted a patch to Linus, but
looks like it wasn't applied.
* msdos: shouldn't we treat SYS as IMMUTABLE? Makes sense, IMHO.
* minix, qnx and sysv do NOT allow to mkdir sticky directories.
* {minix,sysv}/namei.c (do_{minix,syv}_{rename,unlink}):
Stuff related to retries still needs cleanup/fixing.
Looks like I've found an extremely low-probability race
there...
|
