diff options
author | Al Viro <viro@zeniv.linux.org.uk> | 2008-12-30 01:52:35 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-12-31 18:07:43 -0500 |
commit | 41080b5a240113328c607f22b849f653373db0ce (patch) | |
tree | aa8fd483c241140ebe73b6c71b370f4ad6a12251 | |
parent | 261bca86ed4f7f391d1938167624e78da61dcc6b (diff) |
nfsd race fixes: ext2
* make ext2_new_inode() put the inode into icache in locked state
* do not unlock until the inode is fully set up; otherwise nfsd
might pick it in half-baked state.
* make sure that ext2_new_inode() does *not* lead to two inodes with the
same inumber hashed at the same time; otherwise a bogus fhandle coming
from nfsd might race with inode creation:
nfsd: iget_locked() creates inode
nfsd: try to read from disk, block on that.
ext2_new_inode(): allocate inode with that inumber
ext2_new_inode(): insert it into icache, set it up and dirty
ext2_write_inode(): get the relevant part of inode table in cache,
set the entry for our inode (and start writing to disk)
nfsd: get CPU again, look into inode table, see nice and sane on-disk
inode, set the in-core inode from it
oops - we have two in-core inodes with the same inumber live in icache,
both used for IO. Welcome to fs corruption...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
-rw-r--r-- | fs/ext2/ialloc.c | 6 | ||||
-rw-r--r-- | fs/ext2/namei.c | 15 |
2 files changed, 19 insertions, 2 deletions
diff --git a/fs/ext2/ialloc.c b/fs/ext2/ialloc.c index 8d0add625870..c454d5db28a5 100644 --- a/fs/ext2/ialloc.c +++ b/fs/ext2/ialloc.c | |||
@@ -585,7 +585,10 @@ got: | |||
585 | spin_lock(&sbi->s_next_gen_lock); | 585 | spin_lock(&sbi->s_next_gen_lock); |
586 | inode->i_generation = sbi->s_next_generation++; | 586 | inode->i_generation = sbi->s_next_generation++; |
587 | spin_unlock(&sbi->s_next_gen_lock); | 587 | spin_unlock(&sbi->s_next_gen_lock); |
588 | insert_inode_hash(inode); | 588 | if (insert_inode_locked(inode) < 0) { |
589 | err = -EINVAL; | ||
590 | goto fail_drop; | ||
591 | } | ||
589 | 592 | ||
590 | if (DQUOT_ALLOC_INODE(inode)) { | 593 | if (DQUOT_ALLOC_INODE(inode)) { |
591 | err = -EDQUOT; | 594 | err = -EDQUOT; |
@@ -612,6 +615,7 @@ fail_drop: | |||
612 | DQUOT_DROP(inode); | 615 | DQUOT_DROP(inode); |
613 | inode->i_flags |= S_NOQUOTA; | 616 | inode->i_flags |= S_NOQUOTA; |
614 | inode->i_nlink = 0; | 617 | inode->i_nlink = 0; |
618 | unlock_new_inode(inode); | ||
615 | iput(inode); | 619 | iput(inode); |
616 | return ERR_PTR(err); | 620 | return ERR_PTR(err); |
617 | 621 | ||
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c index 2a747252ec12..90ea17998a73 100644 --- a/fs/ext2/namei.c +++ b/fs/ext2/namei.c | |||
@@ -41,9 +41,11 @@ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode) | |||
41 | int err = ext2_add_link(dentry, inode); | 41 | int err = ext2_add_link(dentry, inode); |
42 | if (!err) { | 42 | if (!err) { |
43 | d_instantiate(dentry, inode); | 43 | d_instantiate(dentry, inode); |
44 | unlock_new_inode(inode); | ||
44 | return 0; | 45 | return 0; |
45 | } | 46 | } |
46 | inode_dec_link_count(inode); | 47 | inode_dec_link_count(inode); |
48 | unlock_new_inode(inode); | ||
47 | iput(inode); | 49 | iput(inode); |
48 | return err; | 50 | return err; |
49 | } | 51 | } |
@@ -170,6 +172,7 @@ out: | |||
170 | 172 | ||
171 | out_fail: | 173 | out_fail: |
172 | inode_dec_link_count(inode); | 174 | inode_dec_link_count(inode); |
175 | unlock_new_inode(inode); | ||
173 | iput (inode); | 176 | iput (inode); |
174 | goto out; | 177 | goto out; |
175 | } | 178 | } |
@@ -178,6 +181,7 @@ static int ext2_link (struct dentry * old_dentry, struct inode * dir, | |||
178 | struct dentry *dentry) | 181 | struct dentry *dentry) |
179 | { | 182 | { |
180 | struct inode *inode = old_dentry->d_inode; | 183 | struct inode *inode = old_dentry->d_inode; |
184 | int err; | ||
181 | 185 | ||
182 | if (inode->i_nlink >= EXT2_LINK_MAX) | 186 | if (inode->i_nlink >= EXT2_LINK_MAX) |
183 | return -EMLINK; | 187 | return -EMLINK; |
@@ -186,7 +190,14 @@ static int ext2_link (struct dentry * old_dentry, struct inode * dir, | |||
186 | inode_inc_link_count(inode); | 190 | inode_inc_link_count(inode); |
187 | atomic_inc(&inode->i_count); | 191 | atomic_inc(&inode->i_count); |
188 | 192 | ||
189 | return ext2_add_nondir(dentry, inode); | 193 | err = ext2_add_link(dentry, inode); |
194 | if (!err) { | ||
195 | d_instantiate(dentry, inode); | ||
196 | return 0; | ||
197 | } | ||
198 | inode_dec_link_count(inode); | ||
199 | iput(inode); | ||
200 | return err; | ||
190 | } | 201 | } |
191 | 202 | ||
192 | static int ext2_mkdir(struct inode * dir, struct dentry * dentry, int mode) | 203 | static int ext2_mkdir(struct inode * dir, struct dentry * dentry, int mode) |
@@ -222,12 +233,14 @@ static int ext2_mkdir(struct inode * dir, struct dentry * dentry, int mode) | |||
222 | goto out_fail; | 233 | goto out_fail; |
223 | 234 | ||
224 | d_instantiate(dentry, inode); | 235 | d_instantiate(dentry, inode); |
236 | unlock_new_inode(inode); | ||
225 | out: | 237 | out: |
226 | return err; | 238 | return err; |
227 | 239 | ||
228 | out_fail: | 240 | out_fail: |
229 | inode_dec_link_count(inode); | 241 | inode_dec_link_count(inode); |
230 | inode_dec_link_count(inode); | 242 | inode_dec_link_count(inode); |
243 | unlock_new_inode(inode); | ||
231 | iput(inode); | 244 | iput(inode); |
232 | out_dir: | 245 | out_dir: |
233 | inode_dec_link_count(dir); | 246 | inode_dec_link_count(dir); |