diff options
author | Nathan Scott <nathans@sgi.com> | 2006-08-10 00:40:41 -0400 |
---|---|---|
committer | Nathan Scott <nathans@sgi.com> | 2006-08-10 00:40:41 -0400 |
commit | 0e1edbd99994270023cea5afe593f972eb09a778 (patch) | |
tree | e4b2618172c17426d200ec435c24daaf606e2437 | |
parent | 9f737633e6ee54fc174282d49b2559bd2208391d (diff) |
[XFS] Fix xfs_free_extent related NULL pointer dereference.
We recently fixed an out-of-space deadlock in XFS, and part of that fix
involved the addition of the XFS_ALLOC_FLAG_FREEING flag to some of the
space allocator calls to indicate they're freeing space, not allocating
it. There was a missed xfs_alloc_fix_freelist condition test that did not
correctly test "flags". The same test would also test an uninitialised
structure field (args->userdata) and depending on its value either would
or would not return early with a critical buffer pointer set to NULL.
This fixes that up, adds asserts to several places to catch future botches
of this nature, and skips sections of xfs_alloc_fix_freelist that are
irrelevent for the space-freeing case.
SGI-PV: 955303
SGI-Modid: xfs-linux-melb:xfs-kern:26743a
Signed-off-by: Nathan Scott <nathans@sgi.com>
-rw-r--r-- | fs/xfs/xfs_alloc.c | 103 |
1 files changed, 54 insertions, 49 deletions
diff --git a/fs/xfs/xfs_alloc.c b/fs/xfs/xfs_alloc.c index eef6763f3a67..d2bbcd882a69 100644 --- a/fs/xfs/xfs_alloc.c +++ b/fs/xfs/xfs_alloc.c | |||
@@ -1835,40 +1835,47 @@ xfs_alloc_fix_freelist( | |||
1835 | &agbp))) | 1835 | &agbp))) |
1836 | return error; | 1836 | return error; |
1837 | if (!pag->pagf_init) { | 1837 | if (!pag->pagf_init) { |
1838 | ASSERT(flags & XFS_ALLOC_FLAG_TRYLOCK); | ||
1839 | ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING)); | ||
1838 | args->agbp = NULL; | 1840 | args->agbp = NULL; |
1839 | return 0; | 1841 | return 0; |
1840 | } | 1842 | } |
1841 | } else | 1843 | } else |
1842 | agbp = NULL; | 1844 | agbp = NULL; |
1843 | 1845 | ||
1844 | /* If this is a metadata preferred pag and we are user data | 1846 | /* |
1847 | * If this is a metadata preferred pag and we are user data | ||
1845 | * then try somewhere else if we are not being asked to | 1848 | * then try somewhere else if we are not being asked to |
1846 | * try harder at this point | 1849 | * try harder at this point |
1847 | */ | 1850 | */ |
1848 | if (pag->pagf_metadata && args->userdata && flags) { | 1851 | if (pag->pagf_metadata && args->userdata && |
1852 | (flags & XFS_ALLOC_FLAG_TRYLOCK)) { | ||
1853 | ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING)); | ||
1849 | args->agbp = NULL; | 1854 | args->agbp = NULL; |
1850 | return 0; | 1855 | return 0; |
1851 | } | 1856 | } |
1852 | 1857 | ||
1853 | need = XFS_MIN_FREELIST_PAG(pag, mp); | 1858 | if (!(flags & XFS_ALLOC_FLAG_FREEING)) { |
1854 | delta = need > pag->pagf_flcount ? need - pag->pagf_flcount : 0; | 1859 | need = XFS_MIN_FREELIST_PAG(pag, mp); |
1855 | /* | 1860 | delta = need > pag->pagf_flcount ? need - pag->pagf_flcount : 0; |
1856 | * If it looks like there isn't a long enough extent, or enough | 1861 | /* |
1857 | * total blocks, reject it. | 1862 | * If it looks like there isn't a long enough extent, or enough |
1858 | */ | 1863 | * total blocks, reject it. |
1859 | longest = (pag->pagf_longest > delta) ? | 1864 | */ |
1860 | (pag->pagf_longest - delta) : | 1865 | longest = (pag->pagf_longest > delta) ? |
1861 | (pag->pagf_flcount > 0 || pag->pagf_longest > 0); | 1866 | (pag->pagf_longest - delta) : |
1862 | if (args->minlen + args->alignment + args->minalignslop - 1 > longest || | 1867 | (pag->pagf_flcount > 0 || pag->pagf_longest > 0); |
1863 | (!(flags & XFS_ALLOC_FLAG_FREEING) && | 1868 | if ((args->minlen + args->alignment + args->minalignslop - 1) > |
1864 | (int)(pag->pagf_freeblks + pag->pagf_flcount - | 1869 | longest || |
1865 | need - args->total) < | 1870 | ((int)(pag->pagf_freeblks + pag->pagf_flcount - |
1866 | (int)args->minleft)) { | 1871 | need - args->total) < (int)args->minleft)) { |
1867 | if (agbp) | 1872 | if (agbp) |
1868 | xfs_trans_brelse(tp, agbp); | 1873 | xfs_trans_brelse(tp, agbp); |
1869 | args->agbp = NULL; | 1874 | args->agbp = NULL; |
1870 | return 0; | 1875 | return 0; |
1876 | } | ||
1871 | } | 1877 | } |
1878 | |||
1872 | /* | 1879 | /* |
1873 | * Get the a.g. freespace buffer. | 1880 | * Get the a.g. freespace buffer. |
1874 | * Can fail if we're not blocking on locks, and it's held. | 1881 | * Can fail if we're not blocking on locks, and it's held. |
@@ -1878,6 +1885,8 @@ xfs_alloc_fix_freelist( | |||
1878 | &agbp))) | 1885 | &agbp))) |
1879 | return error; | 1886 | return error; |
1880 | if (agbp == NULL) { | 1887 | if (agbp == NULL) { |
1888 | ASSERT(flags & XFS_ALLOC_FLAG_TRYLOCK); | ||
1889 | ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING)); | ||
1881 | args->agbp = NULL; | 1890 | args->agbp = NULL; |
1882 | return 0; | 1891 | return 0; |
1883 | } | 1892 | } |
@@ -1887,22 +1896,24 @@ xfs_alloc_fix_freelist( | |||
1887 | */ | 1896 | */ |
1888 | agf = XFS_BUF_TO_AGF(agbp); | 1897 | agf = XFS_BUF_TO_AGF(agbp); |
1889 | need = XFS_MIN_FREELIST(agf, mp); | 1898 | need = XFS_MIN_FREELIST(agf, mp); |
1890 | delta = need > be32_to_cpu(agf->agf_flcount) ? | ||
1891 | (need - be32_to_cpu(agf->agf_flcount)) : 0; | ||
1892 | /* | 1899 | /* |
1893 | * If there isn't enough total or single-extent, reject it. | 1900 | * If there isn't enough total or single-extent, reject it. |
1894 | */ | 1901 | */ |
1895 | longest = be32_to_cpu(agf->agf_longest); | 1902 | if (!(flags & XFS_ALLOC_FLAG_FREEING)) { |
1896 | longest = (longest > delta) ? (longest - delta) : | 1903 | delta = need > be32_to_cpu(agf->agf_flcount) ? |
1897 | (be32_to_cpu(agf->agf_flcount) > 0 || longest > 0); | 1904 | (need - be32_to_cpu(agf->agf_flcount)) : 0; |
1898 | if (args->minlen + args->alignment + args->minalignslop - 1 > longest || | 1905 | longest = be32_to_cpu(agf->agf_longest); |
1899 | (!(flags & XFS_ALLOC_FLAG_FREEING) && | 1906 | longest = (longest > delta) ? (longest - delta) : |
1900 | (int)(be32_to_cpu(agf->agf_freeblks) + | 1907 | (be32_to_cpu(agf->agf_flcount) > 0 || longest > 0); |
1901 | be32_to_cpu(agf->agf_flcount) - need - args->total) < | 1908 | if ((args->minlen + args->alignment + args->minalignslop - 1) > |
1902 | (int)args->minleft)) { | 1909 | longest || |
1903 | xfs_trans_brelse(tp, agbp); | 1910 | ((int)(be32_to_cpu(agf->agf_freeblks) + |
1904 | args->agbp = NULL; | 1911 | be32_to_cpu(agf->agf_flcount) - need - args->total) < |
1905 | return 0; | 1912 | (int)args->minleft)) { |
1913 | xfs_trans_brelse(tp, agbp); | ||
1914 | args->agbp = NULL; | ||
1915 | return 0; | ||
1916 | } | ||
1906 | } | 1917 | } |
1907 | /* | 1918 | /* |
1908 | * Make the freelist shorter if it's too long. | 1919 | * Make the freelist shorter if it's too long. |
@@ -1950,12 +1961,11 @@ xfs_alloc_fix_freelist( | |||
1950 | * on a completely full ag. | 1961 | * on a completely full ag. |
1951 | */ | 1962 | */ |
1952 | if (targs.agbno == NULLAGBLOCK) { | 1963 | if (targs.agbno == NULLAGBLOCK) { |
1953 | if (!(flags & XFS_ALLOC_FLAG_FREEING)) { | 1964 | if (flags & XFS_ALLOC_FLAG_FREEING) |
1954 | xfs_trans_brelse(tp, agflbp); | 1965 | break; |
1955 | args->agbp = NULL; | 1966 | xfs_trans_brelse(tp, agflbp); |
1956 | return 0; | 1967 | args->agbp = NULL; |
1957 | } | 1968 | return 0; |
1958 | break; | ||
1959 | } | 1969 | } |
1960 | /* | 1970 | /* |
1961 | * Put each allocated block on the list. | 1971 | * Put each allocated block on the list. |
@@ -2442,31 +2452,26 @@ xfs_free_extent( | |||
2442 | xfs_fsblock_t bno, /* starting block number of extent */ | 2452 | xfs_fsblock_t bno, /* starting block number of extent */ |
2443 | xfs_extlen_t len) /* length of extent */ | 2453 | xfs_extlen_t len) /* length of extent */ |
2444 | { | 2454 | { |
2445 | #ifdef DEBUG | 2455 | xfs_alloc_arg_t args; |
2446 | xfs_agf_t *agf; /* a.g. freespace header */ | ||
2447 | #endif | ||
2448 | xfs_alloc_arg_t args; /* allocation argument structure */ | ||
2449 | int error; | 2456 | int error; |
2450 | 2457 | ||
2451 | ASSERT(len != 0); | 2458 | ASSERT(len != 0); |
2459 | memset(&args, 0, sizeof(xfs_alloc_arg_t)); | ||
2452 | args.tp = tp; | 2460 | args.tp = tp; |
2453 | args.mp = tp->t_mountp; | 2461 | args.mp = tp->t_mountp; |
2454 | args.agno = XFS_FSB_TO_AGNO(args.mp, bno); | 2462 | args.agno = XFS_FSB_TO_AGNO(args.mp, bno); |
2455 | ASSERT(args.agno < args.mp->m_sb.sb_agcount); | 2463 | ASSERT(args.agno < args.mp->m_sb.sb_agcount); |
2456 | args.agbno = XFS_FSB_TO_AGBNO(args.mp, bno); | 2464 | args.agbno = XFS_FSB_TO_AGBNO(args.mp, bno); |
2457 | args.alignment = 1; | ||
2458 | args.minlen = args.minleft = args.minalignslop = 0; | ||
2459 | down_read(&args.mp->m_peraglock); | 2465 | down_read(&args.mp->m_peraglock); |
2460 | args.pag = &args.mp->m_perag[args.agno]; | 2466 | args.pag = &args.mp->m_perag[args.agno]; |
2461 | if ((error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING))) | 2467 | if ((error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING))) |
2462 | goto error0; | 2468 | goto error0; |
2463 | #ifdef DEBUG | 2469 | #ifdef DEBUG |
2464 | ASSERT(args.agbp != NULL); | 2470 | ASSERT(args.agbp != NULL); |
2465 | agf = XFS_BUF_TO_AGF(args.agbp); | 2471 | ASSERT((args.agbno + len) <= |
2466 | ASSERT(args.agbno + len <= be32_to_cpu(agf->agf_length)); | 2472 | be32_to_cpu(XFS_BUF_TO_AGF(args.agbp)->agf_length)); |
2467 | #endif | 2473 | #endif |
2468 | error = xfs_free_ag_extent(tp, args.agbp, args.agno, args.agbno, | 2474 | error = xfs_free_ag_extent(tp, args.agbp, args.agno, args.agbno, len, 0); |
2469 | len, 0); | ||
2470 | error0: | 2475 | error0: |
2471 | up_read(&args.mp->m_peraglock); | 2476 | up_read(&args.mp->m_peraglock); |
2472 | return error; | 2477 | return error; |