diff options
author | Akira Fujita <a-fujita@rs.jp.nec.com> | 2009-11-24 10:19:57 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2009-11-24 10:19:57 -0500 |
commit | 94d7c16cbbbd0e03841fcf272bcaf0620ad39618 (patch) | |
tree | 12a4d8b28bd5bf338b9bd1874e18d4bfdc77837a | |
parent | 9084d4719784b00ff0bf9c9580007fac8277dbcb (diff) |
ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT
At the beginning of ext4_move_extent(), we call
ext4_discard_preallocations() to discard inode PAs of orig and donor
inodes. But in the following case, blocks can be double freed, so
move ext4_discard_preallocations() to the end of ext4_move_extents().
1. Discard inode PAs of orig and donor inodes with
ext4_discard_preallocations() in ext4_move_extents().
orig : [ DATA1 ]
donor: [ DATA2 ]
2. While data blocks are exchanging between orig and donor inodes, new
inode PAs is created to orig by other process's block allocation.
(Since there are semaphore gaps in ext4_move_extents().) And new
inode PAs is used partially (2-1).
2-1 Create new inode PAs to orig inode
orig : [ DATA1 | used PA1 | free PA1 ]
donor: [ DATA2 ]
3. Donor inode which has old orig inode's blocks is deleted after
EXT4_IOC_MOVE_EXT finished (3-1, 3-2). So the block bitmap
corresponds to old orig inode's blocks are freed.
3-1 After EXT4_IOC_MOVE_EXT finished
orig : [ DATA2 | free PA1 ]
donor: [ DATA1 | used PA1 ]
3-2 Delete donor inode
orig : [ DATA2 | free PA1 ]
donor: [ FREE SPACE(DATA1) | FREE SPACE(used PA1) ]
4. The double-free of blocks is occurred, when close() is called to
orig inode. Because ext4_discard_preallocations() for orig inode
frees used PA1 and free PA1, though used PA1 is already freed in 3.
4-1 Double-free of blocks is occurred
orig : [ DATA2 | FREE SPACE(free PA1) ]
donor: [ FREE SPACE(DATA1) | DOUBLE FREE(used PA1) ]
Signed-off-by: Akira Fujita <a-fujita@rs.jp.nec.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
-rw-r--r-- | fs/ext4/move_extent.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/fs/ext4/move_extent.c b/fs/ext4/move_extent.c index 5a106e02fd9c..3478889e00b3 100644 --- a/fs/ext4/move_extent.c +++ b/fs/ext4/move_extent.c | |||
@@ -1289,10 +1289,6 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, | |||
1289 | ext4_ext_get_actual_len(ext_cur), block_end + 1) - | 1289 | ext4_ext_get_actual_len(ext_cur), block_end + 1) - |
1290 | max(le32_to_cpu(ext_cur->ee_block), block_start); | 1290 | max(le32_to_cpu(ext_cur->ee_block), block_start); |
1291 | 1291 | ||
1292 | /* Discard preallocations of two inodes */ | ||
1293 | ext4_discard_preallocations(orig_inode); | ||
1294 | ext4_discard_preallocations(donor_inode); | ||
1295 | |||
1296 | while (!last_extent && le32_to_cpu(ext_cur->ee_block) <= block_end) { | 1292 | while (!last_extent && le32_to_cpu(ext_cur->ee_block) <= block_end) { |
1297 | seq_blocks += add_blocks; | 1293 | seq_blocks += add_blocks; |
1298 | 1294 | ||
@@ -1410,6 +1406,11 @@ ext4_move_extents(struct file *o_filp, struct file *d_filp, | |||
1410 | 1406 | ||
1411 | } | 1407 | } |
1412 | out: | 1408 | out: |
1409 | if (*moved_len) { | ||
1410 | ext4_discard_preallocations(orig_inode); | ||
1411 | ext4_discard_preallocations(donor_inode); | ||
1412 | } | ||
1413 | |||
1413 | if (orig_path) { | 1414 | if (orig_path) { |
1414 | ext4_ext_drop_refs(orig_path); | 1415 | ext4_ext_drop_refs(orig_path); |
1415 | kfree(orig_path); | 1416 | kfree(orig_path); |