UBIFS: fix oops when R/O file-system is fsync'ed

[pandora-kernel.git] / fs / file_table.c

diff --git a/fs/file_table.c b/fs/file_table.c
index eb36b6b..01e4c1e 100644 (file)
--- a/fs/file_table.c
+++ b/fs/file_table.c
@@ -190,7 +190,8 @@ struct file *alloc_file(struct path *path, fmode_t mode,
                file_take_write(file);
                WARN_ON(mnt_clone_write(path->mnt));
        }
-       ima_counts_get(file);
+       if ((mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+               i_readcount_inc(path->dentry->d_inode);
        return file;
 }
 EXPORT_SYMBOL(alloc_file);
@@ -246,11 +247,15 @@ static void __fput(struct file *file)
                file->f_op->release(inode, file);
        security_file_free(file);
        ima_file_free(file);
-       if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
+       if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL &&
+                    !(file->f_mode & FMODE_PATH))) {
                cdev_put(inode->i_cdev);
+       }
        fops_put(file->f_op);
        put_pid(file->f_owner.pid);
        file_sb_list_del(file);
+       if ((file->f_mode & (FMODE_READ | FMODE_WRITE)) == FMODE_READ)
+               i_readcount_dec(inode);
        if (file->f_mode & FMODE_WRITE)
                drop_file_write_access(file);
        file->f_path.dentry = NULL;
@@ -276,11 +281,10 @@ struct file *fget(unsigned int fd)
        rcu_read_lock();
        file = fcheck_files(files, fd);
        if (file) {
-               if (!atomic_long_inc_not_zero(&file->f_count)) {
-                       /* File object ref couldn't be taken */
-                       rcu_read_unlock();
-                       return NULL;
-               }
+               /* File object ref couldn't be taken */
+               if (file->f_mode & FMODE_PATH ||
+                   !atomic_long_inc_not_zero(&file->f_count))
+                       file = NULL;
        }
        rcu_read_unlock();
 
@@ -289,6 +293,25 @@ struct file *fget(unsigned int fd)
 
 EXPORT_SYMBOL(fget);
 
+struct file *fget_raw(unsigned int fd)
+{
+       struct file *file;
+       struct files_struct *files = current->files;
+
+       rcu_read_lock();
+       file = fcheck_files(files, fd);
+       if (file) {
+               /* File object ref couldn't be taken */
+               if (!atomic_long_inc_not_zero(&file->f_count))
+                       file = NULL;
+       }
+       rcu_read_unlock();
+
+       return file;
+}
+
+EXPORT_SYMBOL(fget_raw);
+
 /*
  * Lightweight file lookup - no refcnt increment if fd table isn't shared.
  *
@@ -310,6 +333,33 @@ struct file *fget_light(unsigned int fd, int *fput_needed)
        struct file *file;
        struct files_struct *files = current->files;
 
+       *fput_needed = 0;
+       if (atomic_read(&files->count) == 1) {
+               file = fcheck_files(files, fd);
+               if (file && (file->f_mode & FMODE_PATH))
+                       file = NULL;
+       } else {
+               rcu_read_lock();
+               file = fcheck_files(files, fd);
+               if (file) {
+                       if (!(file->f_mode & FMODE_PATH) &&
+                           atomic_long_inc_not_zero(&file->f_count))
+                               *fput_needed = 1;
+                       else
+                               /* Didn't get the reference, someone's freed */
+                               file = NULL;
+               }
+               rcu_read_unlock();
+       }
+
+       return file;
+}
+
+struct file *fget_raw_light(unsigned int fd, int *fput_needed)
+{
+       struct file *file;
+       struct files_struct *files = current->files;
+
        *fput_needed = 0;
        if (atomic_read(&files->count) == 1) {
                file = fcheck_files(files, fd);