diff options
author | Christoph Hellwig <hch@lst.de> | 2009-08-07 13:38:34 -0400 |
---|---|---|
committer | Christoph Hellwig <hch@brick.lst.de> | 2009-08-07 13:38:34 -0400 |
commit | b36ec0428a06fcbdb67d61e9e664154e5dd9a8c7 (patch) | |
tree | 556cb840214cdff185dfd419bed6dc876a58ae01 /fs/xfs | |
parent | 2e00c97e2c1d2ffc9e26252ca26b237678b0b772 (diff) |
xfs: fix freeing of inodes not yet added to the inode cache
When freeing an inode that lost race getting added to the inode cache we
must not call into ->destroy_inode, because that would delete the inode
that won the race from the inode cache radix tree.
This patch uses splits a new xfs_inode_free helper out of xfs_ireclaim
and uses that plus __destroy_inode to make sure we really only free
the memory allocted for the inode that lost the race, and not mess with
the inode cache state.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Eric Sandeen <sandeen@sandeen.net>
Reported-by: Alex Samad <alex@samad.com.au>
Reported-by: Andrew Randrianasulu <randrik@mail.ru>
Reported-by: Stephane <sharnois@max-t.com>
Reported-by: Tommy <tommy@news-service.com>
Reported-by: Miah Gregory <mace@darksilence.net>
Reported-by: Gabriel Barazer <gabriel@oxeva.fr>
Reported-by: Leandro Lucarella <llucax@gmail.com>
Reported-by: Daniel Burr <dburr@fami.com.au>
Reported-by: Nickolay <newmail@spaces.ru>
Reported-by: Michael Guntsche <mike@it-loops.com>
Reported-by: Dan Carley <dan.carley+linuxkern-bugs@gmail.com>
Reported-by: Michael Ole Olsen <gnu@gmx.net>
Reported-by: Michael Weissenbacher <mw@dermichi.com>
Reported-by: Martin Spott <Martin.Spott@mgras.net>
Reported-by: Christian Kujau <lists@nerdbynature.de>
Tested-by: Michael Guntsche <mike@it-loops.com>
Tested-by: Dan Carley <dan.carley+linuxkern-bugs@gmail.com>
Tested-by: Christian Kujau <lists@nerdbynature.de>
Diffstat (limited to 'fs/xfs')
-rw-r--r-- | fs/xfs/xfs_iget.c | 125 | ||||
-rw-r--r-- | fs/xfs/xfs_inode.h | 17 |
2 files changed, 68 insertions, 74 deletions
diff --git a/fs/xfs/xfs_iget.c b/fs/xfs/xfs_iget.c index 719c85b155f..34ec86923f7 100644 --- a/fs/xfs/xfs_iget.c +++ b/fs/xfs/xfs_iget.c | |||
@@ -116,6 +116,71 @@ xfs_inode_alloc( | |||
116 | return ip; | 116 | return ip; |
117 | } | 117 | } |
118 | 118 | ||
119 | STATIC void | ||
120 | xfs_inode_free( | ||
121 | struct xfs_inode *ip) | ||
122 | { | ||
123 | switch (ip->i_d.di_mode & S_IFMT) { | ||
124 | case S_IFREG: | ||
125 | case S_IFDIR: | ||
126 | case S_IFLNK: | ||
127 | xfs_idestroy_fork(ip, XFS_DATA_FORK); | ||
128 | break; | ||
129 | } | ||
130 | |||
131 | if (ip->i_afp) | ||
132 | xfs_idestroy_fork(ip, XFS_ATTR_FORK); | ||
133 | |||
134 | #ifdef XFS_INODE_TRACE | ||
135 | ktrace_free(ip->i_trace); | ||
136 | #endif | ||
137 | #ifdef XFS_BMAP_TRACE | ||
138 | ktrace_free(ip->i_xtrace); | ||
139 | #endif | ||
140 | #ifdef XFS_BTREE_TRACE | ||
141 | ktrace_free(ip->i_btrace); | ||
142 | #endif | ||
143 | #ifdef XFS_RW_TRACE | ||
144 | ktrace_free(ip->i_rwtrace); | ||
145 | #endif | ||
146 | #ifdef XFS_ILOCK_TRACE | ||
147 | ktrace_free(ip->i_lock_trace); | ||
148 | #endif | ||
149 | #ifdef XFS_DIR2_TRACE | ||
150 | ktrace_free(ip->i_dir_trace); | ||
151 | #endif | ||
152 | |||
153 | if (ip->i_itemp) { | ||
154 | /* | ||
155 | * Only if we are shutting down the fs will we see an | ||
156 | * inode still in the AIL. If it is there, we should remove | ||
157 | * it to prevent a use-after-free from occurring. | ||
158 | */ | ||
159 | xfs_log_item_t *lip = &ip->i_itemp->ili_item; | ||
160 | struct xfs_ail *ailp = lip->li_ailp; | ||
161 | |||
162 | ASSERT(((lip->li_flags & XFS_LI_IN_AIL) == 0) || | ||
163 | XFS_FORCED_SHUTDOWN(ip->i_mount)); | ||
164 | if (lip->li_flags & XFS_LI_IN_AIL) { | ||
165 | spin_lock(&ailp->xa_lock); | ||
166 | if (lip->li_flags & XFS_LI_IN_AIL) | ||
167 | xfs_trans_ail_delete(ailp, lip); | ||
168 | else | ||
169 | spin_unlock(&ailp->xa_lock); | ||
170 | } | ||
171 | xfs_inode_item_destroy(ip); | ||
172 | ip->i_itemp = NULL; | ||
173 | } | ||
174 | |||
175 | /* asserts to verify all state is correct here */ | ||
176 | ASSERT(atomic_read(&ip->i_iocount) == 0); | ||
177 | ASSERT(atomic_read(&ip->i_pincount) == 0); | ||
178 | ASSERT(!spin_is_locked(&ip->i_flags_lock)); | ||
179 | ASSERT(completion_done(&ip->i_flush)); | ||
180 | |||
181 | kmem_zone_free(xfs_inode_zone, ip); | ||
182 | } | ||
183 | |||
119 | /* | 184 | /* |
120 | * Check the validity of the inode we just found it the cache | 185 | * Check the validity of the inode we just found it the cache |
121 | */ | 186 | */ |
@@ -292,7 +357,8 @@ out_preload_end: | |||
292 | if (lock_flags) | 357 | if (lock_flags) |
293 | xfs_iunlock(ip, lock_flags); | 358 | xfs_iunlock(ip, lock_flags); |
294 | out_destroy: | 359 | out_destroy: |
295 | xfs_destroy_inode(ip); | 360 | __destroy_inode(VFS_I(ip)); |
361 | xfs_inode_free(ip); | ||
296 | return error; | 362 | return error; |
297 | } | 363 | } |
298 | 364 | ||
@@ -497,62 +563,7 @@ xfs_ireclaim( | |||
497 | xfs_qm_dqdetach(ip); | 563 | xfs_qm_dqdetach(ip); |
498 | xfs_iunlock(ip, XFS_ILOCK_EXCL | XFS_IOLOCK_EXCL); | 564 | xfs_iunlock(ip, XFS_ILOCK_EXCL | XFS_IOLOCK_EXCL); |
499 | 565 | ||
500 | switch (ip->i_d.di_mode & S_IFMT) { | 566 | xfs_inode_free(ip); |
501 | case S_IFREG: | ||
502 | case S_IFDIR: | ||
503 | case S_IFLNK: | ||
504 | xfs_idestroy_fork(ip, XFS_DATA_FORK); | ||
505 | break; | ||
506 | } | ||
507 | |||
508 | if (ip->i_afp) | ||
509 | xfs_idestroy_fork(ip, XFS_ATTR_FORK); | ||
510 | |||
511 | #ifdef XFS_INODE_TRACE | ||
512 | ktrace_free(ip->i_trace); | ||
513 | #endif | ||
514 | #ifdef XFS_BMAP_TRACE | ||
515 | ktrace_free(ip->i_xtrace); | ||
516 | #endif | ||
517 | #ifdef XFS_BTREE_TRACE | ||
518 | ktrace_free(ip->i_btrace); | ||
519 | #endif | ||
520 | #ifdef XFS_RW_TRACE | ||
521 | ktrace_free(ip->i_rwtrace); | ||
522 | #endif | ||
523 | #ifdef XFS_ILOCK_TRACE | ||
524 | ktrace_free(ip->i_lock_trace); | ||
525 | #endif | ||
526 | #ifdef XFS_DIR2_TRACE | ||
527 | ktrace_free(ip->i_dir_trace); | ||
528 | #endif | ||
529 | if (ip->i_itemp) { | ||
530 | /* | ||
531 | * Only if we are shutting down the fs will we see an | ||
532 | * inode still in the AIL. If it is there, we should remove | ||
533 | * it to prevent a use-after-free from occurring. | ||
534 | */ | ||
535 | xfs_log_item_t *lip = &ip->i_itemp->ili_item; | ||
536 | struct xfs_ail *ailp = lip->li_ailp; | ||
537 | |||
538 | ASSERT(((lip->li_flags & XFS_LI_IN_AIL) == 0) || | ||
539 | XFS_FORCED_SHUTDOWN(ip->i_mount)); | ||
540 | if (lip->li_flags & XFS_LI_IN_AIL) { | ||
541 | spin_lock(&ailp->xa_lock); | ||
542 | if (lip->li_flags & XFS_LI_IN_AIL) | ||
543 | xfs_trans_ail_delete(ailp, lip); | ||
544 | else | ||
545 | spin_unlock(&ailp->xa_lock); | ||
546 | } | ||
547 | xfs_inode_item_destroy(ip); | ||
548 | ip->i_itemp = NULL; | ||
549 | } | ||
550 | /* asserts to verify all state is correct here */ | ||
551 | ASSERT(atomic_read(&ip->i_iocount) == 0); | ||
552 | ASSERT(atomic_read(&ip->i_pincount) == 0); | ||
553 | ASSERT(!spin_is_locked(&ip->i_flags_lock)); | ||
554 | ASSERT(completion_done(&ip->i_flush)); | ||
555 | kmem_zone_free(xfs_inode_zone, ip); | ||
556 | } | 567 | } |
557 | 568 | ||
558 | /* | 569 | /* |
diff --git a/fs/xfs/xfs_inode.h b/fs/xfs/xfs_inode.h index 1804f866a71..65f24a3cc99 100644 --- a/fs/xfs/xfs_inode.h +++ b/fs/xfs/xfs_inode.h | |||
@@ -310,23 +310,6 @@ static inline struct inode *VFS_I(struct xfs_inode *ip) | |||
310 | } | 310 | } |
311 | 311 | ||
312 | /* | 312 | /* |
313 | * Get rid of a partially initialized inode. | ||
314 | * | ||
315 | * We have to go through destroy_inode to make sure allocations | ||
316 | * from init_inode_always like the security data are undone. | ||
317 | * | ||
318 | * We mark the inode bad so that it takes the short cut in | ||
319 | * the reclaim path instead of going through the flush path | ||
320 | * which doesn't make sense for an inode that has never seen the | ||
321 | * light of day. | ||
322 | */ | ||
323 | static inline void xfs_destroy_inode(struct xfs_inode *ip) | ||
324 | { | ||
325 | make_bad_inode(VFS_I(ip)); | ||
326 | return destroy_inode(VFS_I(ip)); | ||
327 | } | ||
328 | |||
329 | /* | ||
330 | * i_flags helper functions | 313 | * i_flags helper functions |
331 | */ | 314 | */ |
332 | static inline void | 315 | static inline void |