diff options
| author | Jeff Mahoney <jeffm@suse.com> | 2007-04-23 17:41:17 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-04-24 11:23:09 -0400 |
| commit | 9b7f375505f5611efb562065b57814b28a81abc3 (patch) | |
| tree | 3f51e49ca5b70081bf15f4ce9d7ddbd289917932 | |
| parent | 1a641fceb6bb6b0930db1aadbda1aaf5711d65d6 (diff) | |
reiserfs: fix xattr root locking/refcount bug
The listxattr() and getxattr() operations are only protected by a read
lock. As a result, if either of these operations run in parallel, a race
condition exists where the xattr_root will end up being cached twice, which
results in the leaking of a reference and a BUG() on umount.
This patch refactors get_xa_root(), __get_xa_root(), and create_xa_root(),
into one get_xa_root() function that takes the appropriate locking around
the entire critical section.
Reported, diagnosed and tested by Andrea Righi <a.righi@cineca.it>
Signed-off-by: Jeff Mahoney <jeffm@suse.com>
Cc: Andrea Righi <a.righi@cineca.it>
Cc: "Vladimir V. Saveliev" <vs@namesys.com>
Cc: Edward Shishkin <edward@namesys.com>
Cc: Alex Zarochentsev <zam@namesys.com>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
| -rw-r--r-- | fs/reiserfs/xattr.c | 92 |
1 files changed, 24 insertions, 68 deletions
diff --git a/fs/reiserfs/xattr.c b/fs/reiserfs/xattr.c index f01389fd162e..c8178b7b9212 100644 --- a/fs/reiserfs/xattr.c +++ b/fs/reiserfs/xattr.c | |||
| @@ -54,82 +54,48 @@ | |||
| 54 | static struct reiserfs_xattr_handler *find_xattr_handler_prefix(const char | 54 | static struct reiserfs_xattr_handler *find_xattr_handler_prefix(const char |
| 55 | *prefix); | 55 | *prefix); |
| 56 | 56 | ||
| 57 | static struct dentry *create_xa_root(struct super_block *sb) | 57 | /* Returns the dentry referring to the root of the extended attribute |
| 58 | * directory tree. If it has already been retrieved, it is used. If it | ||
| 59 | * hasn't been created and the flags indicate creation is allowed, we | ||
| 60 | * attempt to create it. On error, we return a pointer-encoded error. | ||
| 61 | */ | ||
| 62 | static struct dentry *get_xa_root(struct super_block *sb, int flags) | ||
| 58 | { | 63 | { |
| 59 | struct dentry *privroot = dget(REISERFS_SB(sb)->priv_root); | 64 | struct dentry *privroot = dget(REISERFS_SB(sb)->priv_root); |
| 60 | struct dentry *xaroot; | 65 | struct dentry *xaroot; |
| 61 | 66 | ||
| 62 | /* This needs to be created at mount-time */ | 67 | /* This needs to be created at mount-time */ |
| 63 | if (!privroot) | 68 | if (!privroot) |
| 64 | return ERR_PTR(-EOPNOTSUPP); | 69 | return ERR_PTR(-ENODATA); |
| 65 | 70 | ||
| 66 | xaroot = lookup_one_len(XAROOT_NAME, privroot, strlen(XAROOT_NAME)); | 71 | mutex_lock(&privroot->d_inode->i_mutex); |
| 67 | if (IS_ERR(xaroot)) { | 72 | if (REISERFS_SB(sb)->xattr_root) { |
| 73 | xaroot = dget(REISERFS_SB(sb)->xattr_root); | ||
| 68 | goto out; | 74 | goto out; |
| 69 | } else if (!xaroot->d_inode) { | ||
| 70 | int err; | ||
| 71 | mutex_lock(&privroot->d_inode->i_mutex); | ||
| 72 | err = | ||
| 73 | privroot->d_inode->i_op->mkdir(privroot->d_inode, xaroot, | ||
| 74 | 0700); | ||
| 75 | mutex_unlock(&privroot->d_inode->i_mutex); | ||
| 76 | |||
| 77 | if (err) { | ||
| 78 | dput(xaroot); | ||
| 79 | dput(privroot); | ||
| 80 | return ERR_PTR(err); | ||
| 81 | } | ||
| 82 | REISERFS_SB(sb)->xattr_root = dget(xaroot); | ||
| 83 | } | 75 | } |
| 84 | 76 | ||
| 85 | out: | ||
| 86 | dput(privroot); | ||
| 87 | return xaroot; | ||
| 88 | } | ||
| 89 | |||
| 90 | /* This will return a dentry, or error, refering to the xa root directory. | ||
| 91 | * If the xa root doesn't exist yet, the dentry will be returned without | ||
| 92 | * an associated inode. This dentry can be used with ->mkdir to create | ||
| 93 | * the xa directory. */ | ||
| 94 | static struct dentry *__get_xa_root(struct super_block *s) | ||
| 95 | { | ||
| 96 | struct dentry *privroot = dget(REISERFS_SB(s)->priv_root); | ||
| 97 | struct dentry *xaroot = NULL; | ||
| 98 | |||
| 99 | if (IS_ERR(privroot) || !privroot) | ||
| 100 | return privroot; | ||
| 101 | |||
| 102 | xaroot = lookup_one_len(XAROOT_NAME, privroot, strlen(XAROOT_NAME)); | 77 | xaroot = lookup_one_len(XAROOT_NAME, privroot, strlen(XAROOT_NAME)); |
| 103 | if (IS_ERR(xaroot)) { | 78 | if (IS_ERR(xaroot)) { |
| 104 | goto out; | 79 | goto out; |
| 105 | } else if (!xaroot->d_inode) { | 80 | } else if (!xaroot->d_inode) { |
| 106 | dput(xaroot); | 81 | int err = -ENODATA; |
| 107 | xaroot = NULL; | 82 | if (flags == 0 || flags & XATTR_CREATE) |
| 108 | goto out; | 83 | err = privroot->d_inode->i_op->mkdir(privroot->d_inode, |
| 84 | xaroot, 0700); | ||
| 85 | if (err) { | ||
| 86 | dput(xaroot); | ||
| 87 | xaroot = ERR_PTR(err); | ||
| 88 | goto out; | ||
| 89 | } | ||
| 109 | } | 90 | } |
| 110 | 91 | REISERFS_SB(sb)->xattr_root = dget(xaroot); | |
| 111 | REISERFS_SB(s)->xattr_root = dget(xaroot); | ||
| 112 | 92 | ||
| 113 | out: | 93 | out: |
| 94 | mutex_unlock(&privroot->d_inode->i_mutex); | ||
| 114 | dput(privroot); | 95 | dput(privroot); |
| 115 | return xaroot; | 96 | return xaroot; |
| 116 | } | 97 | } |
| 117 | 98 | ||
| 118 | /* Returns the dentry (or NULL) referring to the root of the extended | ||
| 119 | * attribute directory tree. If it has already been retrieved, it is used. | ||
| 120 | * Otherwise, we attempt to retrieve it from disk. It may also return | ||
| 121 | * a pointer-encoded error. | ||
| 122 | */ | ||
| 123 | static inline struct dentry *get_xa_root(struct super_block *s) | ||
| 124 | { | ||
| 125 | struct dentry *dentry = dget(REISERFS_SB(s)->xattr_root); | ||
| 126 | |||
| 127 | if (!dentry) | ||
| 128 | dentry = __get_xa_root(s); | ||
| 129 | |||
| 130 | return dentry; | ||
| 131 | } | ||
| 132 | |||
| 133 | /* Opens the directory corresponding to the inode's extended attribute store. | 99 | /* Opens the directory corresponding to the inode's extended attribute store. |
| 134 | * If flags allow, the tree to the directory may be created. If creation is | 100 | * If flags allow, the tree to the directory may be created. If creation is |
| 135 | * prohibited, -ENODATA is returned. */ | 101 | * prohibited, -ENODATA is returned. */ |
| @@ -138,21 +104,11 @@ static struct dentry *open_xa_dir(const struct inode *inode, int flags) | |||
| 138 | struct dentry *xaroot, *xadir; | 104 | struct dentry *xaroot, *xadir; |
| 139 | char namebuf[17]; | 105 | char namebuf[17]; |
| 140 | 106 | ||
| 141 | xaroot = get_xa_root(inode->i_sb); | 107 | xaroot = get_xa_root(inode->i_sb, flags); |
| 142 | if (IS_ERR(xaroot)) { | 108 | if (IS_ERR(xaroot)) |
| 143 | return xaroot; | 109 | return xaroot; |
| 144 | } else if (!xaroot) { | ||
| 145 | if (flags == 0 || flags & XATTR_CREATE) { | ||
| 146 | xaroot = create_xa_root(inode->i_sb); | ||
| 147 | if (IS_ERR(xaroot)) | ||
| 148 | return xaroot; | ||
| 149 | } | ||
| 150 | if (!xaroot) | ||
| 151 | return ERR_PTR(-ENODATA); | ||
| 152 | } | ||
| 153 | 110 | ||
| 154 | /* ok, we have xaroot open */ | 111 | /* ok, we have xaroot open */ |
| 155 | |||
| 156 | snprintf(namebuf, sizeof(namebuf), "%X.%X", | 112 | snprintf(namebuf, sizeof(namebuf), "%X.%X", |
| 157 | le32_to_cpu(INODE_PKEY(inode)->k_objectid), | 113 | le32_to_cpu(INODE_PKEY(inode)->k_objectid), |
| 158 | inode->i_generation); | 114 | inode->i_generation); |
| @@ -821,7 +777,7 @@ int reiserfs_delete_xattrs(struct inode *inode) | |||
| 821 | 777 | ||
| 822 | /* Leftovers besides . and .. -- that's not good. */ | 778 | /* Leftovers besides . and .. -- that's not good. */ |
| 823 | if (dir->d_inode->i_nlink <= 2) { | 779 | if (dir->d_inode->i_nlink <= 2) { |
| 824 | root = get_xa_root(inode->i_sb); | 780 | root = get_xa_root(inode->i_sb, XATTR_REPLACE); |
| 825 | reiserfs_write_lock_xattrs(inode->i_sb); | 781 | reiserfs_write_lock_xattrs(inode->i_sb); |
| 826 | err = vfs_rmdir(root->d_inode, dir); | 782 | err = vfs_rmdir(root->d_inode, dir); |
| 827 | reiserfs_write_unlock_xattrs(inode->i_sb); | 783 | reiserfs_write_unlock_xattrs(inode->i_sb); |