Print this page
7656 unlinking directory on tmpfs can cause kernel panic
Reviewed by: Robert Mustacchi <rm@joyent.com>
Reviewed by: Rich Lowe <richlowe@richlowe.net>
Reviewed by: Vitaliy Gusev <vgusev@racktopsystems.com>

Split Close
Expand all
Collapse all
          --- old/usr/src/uts/common/fs/tmpfs/tmp_vnops.c
          +++ new/usr/src/uts/common/fs/tmpfs/tmp_vnops.c
↓ open down ↓ 1095 lines elided ↑ open up ↑
1096 1096          struct tmpnode *tp = NULL;
1097 1097  
1098 1098          error = tdirlookup(parent, nm, &tp, cred);
1099 1099          if (error)
1100 1100                  return (error);
1101 1101  
1102 1102          ASSERT(tp);
1103 1103          rw_enter(&parent->tn_rwlock, RW_WRITER);
1104 1104          rw_enter(&tp->tn_rwlock, RW_WRITER);
1105 1105  
1106      -        if (tp->tn_type != VDIR ||
1107      -            (error = secpolicy_fs_linkdir(cred, dvp->v_vfsp)) == 0)
1108      -                error = tdirdelete(parent, tp, nm, tp->tn_type == VDIR ?
1109      -                    DR_RMDIR : DR_REMOVE, cred);
     1106 +        error = tp->tn_type == VDIR ? EPERM :
     1107 +            tdirdelete(parent, tp, nm, DR_REMOVE, cred);
1110 1108  
1111 1109          rw_exit(&tp->tn_rwlock);
1112 1110          rw_exit(&parent->tn_rwlock);
1113 1111          vnevent_remove(TNTOV(tp), dvp, nm, ct);
1114 1112          tmpnode_rele(tp);
1115 1113  
1116 1114          TRACE_3(TR_FAC_TMPFS, TR_TMPFS_REMOVE,
1117 1115              "tmpfs remove:dvp %p nm %s error %d", dvp, nm, error);
1118 1116          return (error);
1119 1117  }
↓ open down ↓ 14 lines elided ↑ open up ↑
1134 1132          int error;
1135 1133          struct tmpnode *found = NULL;
1136 1134          struct vnode *realvp;
1137 1135  
1138 1136          if (VOP_REALVP(srcvp, &realvp, ct) == 0)
1139 1137                  srcvp = realvp;
1140 1138  
1141 1139          parent = (struct tmpnode *)VTOTN(dvp);
1142 1140          from = (struct tmpnode *)VTOTN(srcvp);
1143 1141  
1144      -        if ((srcvp->v_type == VDIR &&
1145      -            secpolicy_fs_linkdir(cred, dvp->v_vfsp)) ||
     1142 +        if (srcvp->v_type == VDIR ||
1146 1143              (from->tn_uid != crgetuid(cred) && secpolicy_basic_link(cred)))
1147 1144                  return (EPERM);
1148 1145  
1149 1146          /*
1150 1147           * Make sure link for extended attributes is valid
1151 1148           * We only support hard linking of xattr's in xattrdir to an xattrdir
1152 1149           */
1153 1150          if ((from->tn_flags & ISXATTR) != (parent->tn_flags & ISXATTR))
1154 1151                  return (EINVAL);
1155 1152  
↓ open down ↓ 1316 lines elided ↑ open up ↑
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX