aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteven Whitehouse <swhiteho@redhat.com>2008-11-27 03:27:28 -0500
committerSteven Whitehouse <swhiteho@redhat.com>2009-01-05 02:39:14 -0500
commit3af165ac4d099385b12e3e75a9ee3ffd02da33e0 (patch)
treeb90552f6ac8db316c05d5f3246366cfa09cc7473
parent2e204703a1161e9bae38ba0d3d0df04a679e6f4f (diff)
GFS2: Fix use-after-free bug on umount
There was a use-after-free with the GFS2 super block during umount. This patch moves almost all of the umount code from ->put_super into ->kill_sb, the only bit that cannot be moved being the glock hash clearing which has to remain as ->put_super due to umount ordering requirements. As a result its now obvious that the kfree is the final operation, whereas before it was hidden in ->put_super. Also gfs2_jindex_free is then only referenced from a single file so thats moved and marked static too. Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
-rw-r--r--fs/gfs2/glock.c3
-rw-r--r--fs/gfs2/glock.h2
-rw-r--r--fs/gfs2/ops_fstype.c98
-rw-r--r--fs/gfs2/ops_super.c68
-rw-r--r--fs/gfs2/super.c34
-rw-r--r--fs/gfs2/super.h3
6 files changed, 94 insertions, 114 deletions
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c
index 6e298b070117..5eae62e7f778 100644
--- a/fs/gfs2/glock.c
+++ b/fs/gfs2/glock.c
@@ -1547,8 +1547,9 @@ static void clear_glock(struct gfs2_glock *gl)
1547 * Called when unmounting the filesystem. 1547 * Called when unmounting the filesystem.
1548 */ 1548 */
1549 1549
1550void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) 1550void gfs2_gl_hash_clear(struct super_block *sb)
1551{ 1551{
1552 struct gfs2_sbd *sdp = sb->s_fs_info;
1552 unsigned long t; 1553 unsigned long t;
1553 unsigned int x; 1554 unsigned int x;
1554 int cont; 1555 int cont;
diff --git a/fs/gfs2/glock.h b/fs/gfs2/glock.h
index 543ec7ecfbda..ce54f338cff9 100644
--- a/fs/gfs2/glock.h
+++ b/fs/gfs2/glock.h
@@ -130,7 +130,7 @@ void gfs2_lvb_unhold(struct gfs2_glock *gl);
130 130
131void gfs2_glock_cb(void *cb_data, unsigned int type, void *data); 131void gfs2_glock_cb(void *cb_data, unsigned int type, void *data);
132void gfs2_reclaim_glock(struct gfs2_sbd *sdp); 132void gfs2_reclaim_glock(struct gfs2_sbd *sdp);
133void gfs2_gl_hash_clear(struct gfs2_sbd *sdp); 133void gfs2_gl_hash_clear(struct super_block *sb);
134void gfs2_glock_finish_truncate(struct gfs2_inode *ip); 134void gfs2_glock_finish_truncate(struct gfs2_inode *ip);
135 135
136int __init gfs2_glock_init(void); 136int __init gfs2_glock_init(void);
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 4cae60f4a175..2e735bece6b9 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -705,6 +705,40 @@ static int gfs2_jindex_hold(struct gfs2_sbd *sdp, struct gfs2_holder *ji_gh)
705 return error; 705 return error;
706} 706}
707 707
708/**
709 * gfs2_jindex_free - Clear all the journal index information
710 * @sdp: The GFS2 superblock
711 *
712 */
713
714static void gfs2_jindex_free(struct gfs2_sbd *sdp)
715{
716 struct list_head list, *head;
717 struct gfs2_jdesc *jd;
718 struct gfs2_journal_extent *jext;
719
720 spin_lock(&sdp->sd_jindex_spin);
721 list_add(&list, &sdp->sd_jindex_list);
722 list_del_init(&sdp->sd_jindex_list);
723 sdp->sd_journals = 0;
724 spin_unlock(&sdp->sd_jindex_spin);
725
726 while (!list_empty(&list)) {
727 jd = list_entry(list.next, struct gfs2_jdesc, jd_list);
728 head = &jd->extent_list;
729 while (!list_empty(head)) {
730 jext = list_entry(head->next,
731 struct gfs2_journal_extent,
732 extent_list);
733 list_del(&jext->extent_list);
734 kfree(jext);
735 }
736 list_del(&jd->jd_list);
737 iput(jd->jd_inode);
738 kfree(jd);
739 }
740}
741
708static int init_journal(struct gfs2_sbd *sdp, int undo) 742static int init_journal(struct gfs2_sbd *sdp, int undo)
709{ 743{
710 struct inode *master = sdp->sd_master_dir->d_inode; 744 struct inode *master = sdp->sd_master_dir->d_inode;
@@ -1203,7 +1237,7 @@ fail_sb:
1203fail_locking: 1237fail_locking:
1204 init_locking(sdp, &mount_gh, UNDO); 1238 init_locking(sdp, &mount_gh, UNDO);
1205fail_lm: 1239fail_lm:
1206 gfs2_gl_hash_clear(sdp); 1240 gfs2_gl_hash_clear(sb);
1207 gfs2_lm_unmount(sdp); 1241 gfs2_lm_unmount(sdp);
1208 while (invalidate_inodes(sb)) 1242 while (invalidate_inodes(sb))
1209 yield(); 1243 yield();
@@ -1263,17 +1297,61 @@ static int gfs2_get_sb_meta(struct file_system_type *fs_type, int flags,
1263static void gfs2_kill_sb(struct super_block *sb) 1297static void gfs2_kill_sb(struct super_block *sb)
1264{ 1298{
1265 struct gfs2_sbd *sdp = sb->s_fs_info; 1299 struct gfs2_sbd *sdp = sb->s_fs_info;
1266 if (sdp) { 1300
1267 gfs2_meta_syncfs(sdp); 1301 if (sdp == NULL) {
1268 dput(sdp->sd_root_dir); 1302 kill_block_super(sb);
1269 dput(sdp->sd_master_dir); 1303 return;
1270 sdp->sd_root_dir = NULL;
1271 sdp->sd_master_dir = NULL;
1272 } 1304 }
1273 shrink_dcache_sb(sb); 1305 gfs2_meta_syncfs(sdp);
1306 dput(sdp->sd_root_dir);
1307 dput(sdp->sd_master_dir);
1308 sdp->sd_root_dir = NULL;
1309 sdp->sd_master_dir = NULL;
1310
1311 /* Unfreeze the filesystem, if we need to */
1312 mutex_lock(&sdp->sd_freeze_lock);
1313 if (sdp->sd_freeze_count)
1314 gfs2_glock_dq_uninit(&sdp->sd_freeze_gh);
1315 mutex_unlock(&sdp->sd_freeze_lock);
1316
1317 kthread_stop(sdp->sd_quotad_process);
1318 kthread_stop(sdp->sd_logd_process);
1319 kthread_stop(sdp->sd_recoverd_process);
1320
1321 if (!(sb->s_flags & MS_RDONLY)) {
1322 int error = gfs2_make_fs_ro(sdp);
1323 if (error)
1324 gfs2_io_error(sdp);
1325 }
1326
1327 /* At this point, we're through modifying the disk */
1328 gfs2_jindex_free(sdp);
1329 gfs2_clear_rgrpd(sdp);
1330 iput(sdp->sd_jindex);
1331 iput(sdp->sd_inum_inode);
1332 iput(sdp->sd_statfs_inode);
1333 iput(sdp->sd_rindex);
1334 iput(sdp->sd_quota_inode);
1335
1336 gfs2_glock_put(sdp->sd_rename_gl);
1337 gfs2_glock_put(sdp->sd_trans_gl);
1338
1339 if (!sdp->sd_args.ar_spectator) {
1340 gfs2_glock_dq_uninit(&sdp->sd_journal_gh);
1341 gfs2_glock_dq_uninit(&sdp->sd_jinode_gh);
1342 gfs2_glock_dq_uninit(&sdp->sd_ir_gh);
1343 gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
1344 gfs2_glock_dq_uninit(&sdp->sd_qc_gh);
1345 iput(sdp->sd_ir_inode);
1346 iput(sdp->sd_sc_inode);
1347 iput(sdp->sd_qc_inode);
1348 }
1349 gfs2_glock_dq_uninit(&sdp->sd_live_gh);
1274 kill_block_super(sb); 1350 kill_block_super(sb);
1275 if (sdp) 1351 gfs2_lm_unmount(sdp);
1276 gfs2_delete_debugfs_file(sdp); 1352 gfs2_sys_fs_del(sdp);
1353 gfs2_delete_debugfs_file(sdp);
1354 kfree(sdp);
1277} 1355}
1278 1356
1279struct file_system_type gfs2_fs_type = { 1357struct file_system_type gfs2_fs_type = {
diff --git a/fs/gfs2/ops_super.c b/fs/gfs2/ops_super.c
index 08837a728635..bd08a0a8d9bf 100644
--- a/fs/gfs2/ops_super.c
+++ b/fs/gfs2/ops_super.c
@@ -95,7 +95,7 @@ do_flush:
95 * Returns: errno 95 * Returns: errno
96 */ 96 */
97 97
98static int gfs2_make_fs_ro(struct gfs2_sbd *sdp) 98int gfs2_make_fs_ro(struct gfs2_sbd *sdp)
99{ 99{
100 struct gfs2_holder t_gh; 100 struct gfs2_holder t_gh;
101 int error; 101 int error;
@@ -122,70 +122,6 @@ static int gfs2_make_fs_ro(struct gfs2_sbd *sdp)
122} 122}
123 123
124/** 124/**
125 * gfs2_put_super - Unmount the filesystem
126 * @sb: The VFS superblock
127 *
128 */
129
130static void gfs2_put_super(struct super_block *sb)
131{
132 struct gfs2_sbd *sdp = sb->s_fs_info;
133 int error;
134
135 /* Unfreeze the filesystem, if we need to */
136
137 mutex_lock(&sdp->sd_freeze_lock);
138 if (sdp->sd_freeze_count)
139 gfs2_glock_dq_uninit(&sdp->sd_freeze_gh);
140 mutex_unlock(&sdp->sd_freeze_lock);
141
142 kthread_stop(sdp->sd_quotad_process);
143 kthread_stop(sdp->sd_logd_process);
144 kthread_stop(sdp->sd_recoverd_process);
145
146 if (!(sb->s_flags & MS_RDONLY)) {
147 error = gfs2_make_fs_ro(sdp);
148 if (error)
149 gfs2_io_error(sdp);
150 }
151 /* At this point, we're through modifying the disk */
152
153 /* Release stuff */
154
155 iput(sdp->sd_jindex);
156 iput(sdp->sd_inum_inode);
157 iput(sdp->sd_statfs_inode);
158 iput(sdp->sd_rindex);
159 iput(sdp->sd_quota_inode);
160
161 gfs2_glock_put(sdp->sd_rename_gl);
162 gfs2_glock_put(sdp->sd_trans_gl);
163
164 if (!sdp->sd_args.ar_spectator) {
165 gfs2_glock_dq_uninit(&sdp->sd_journal_gh);
166 gfs2_glock_dq_uninit(&sdp->sd_jinode_gh);
167 gfs2_glock_dq_uninit(&sdp->sd_ir_gh);
168 gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
169 gfs2_glock_dq_uninit(&sdp->sd_qc_gh);
170 iput(sdp->sd_ir_inode);
171 iput(sdp->sd_sc_inode);
172 iput(sdp->sd_qc_inode);
173 }
174
175 gfs2_glock_dq_uninit(&sdp->sd_live_gh);
176 gfs2_clear_rgrpd(sdp);
177 gfs2_jindex_free(sdp);
178 /* Take apart glock structures and buffer lists */
179 gfs2_gl_hash_clear(sdp);
180 /* Unmount the locking protocol */
181 gfs2_lm_unmount(sdp);
182
183 /* At this point, we're through participating in the lockspace */
184 gfs2_sys_fs_del(sdp);
185 kfree(sdp);
186}
187
188/**
189 * gfs2_write_super 125 * gfs2_write_super
190 * @sb: the superblock 126 * @sb: the superblock
191 * 127 *
@@ -686,7 +622,7 @@ const struct super_operations gfs2_super_ops = {
686 .destroy_inode = gfs2_destroy_inode, 622 .destroy_inode = gfs2_destroy_inode,
687 .write_inode = gfs2_write_inode, 623 .write_inode = gfs2_write_inode,
688 .delete_inode = gfs2_delete_inode, 624 .delete_inode = gfs2_delete_inode,
689 .put_super = gfs2_put_super, 625 .put_super = gfs2_gl_hash_clear,
690 .write_super = gfs2_write_super, 626 .write_super = gfs2_write_super,
691 .sync_fs = gfs2_sync_fs, 627 .sync_fs = gfs2_sync_fs,
692 .write_super_lockfs = gfs2_write_super_lockfs, 628 .write_super_lockfs = gfs2_write_super_lockfs,
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 141b781f2fcc..f14658b20204 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -33,40 +33,6 @@
33#include "trans.h" 33#include "trans.h"
34#include "util.h" 34#include "util.h"
35 35
36/**
37 * gfs2_jindex_free - Clear all the journal index information
38 * @sdp: The GFS2 superblock
39 *
40 */
41
42void gfs2_jindex_free(struct gfs2_sbd *sdp)
43{
44 struct list_head list, *head;
45 struct gfs2_jdesc *jd;
46 struct gfs2_journal_extent *jext;
47
48 spin_lock(&sdp->sd_jindex_spin);
49 list_add(&list, &sdp->sd_jindex_list);
50 list_del_init(&sdp->sd_jindex_list);
51 sdp->sd_journals = 0;
52 spin_unlock(&sdp->sd_jindex_spin);
53
54 while (!list_empty(&list)) {
55 jd = list_entry(list.next, struct gfs2_jdesc, jd_list);
56 head = &jd->extent_list;
57 while (!list_empty(head)) {
58 jext = list_entry(head->next,
59 struct gfs2_journal_extent,
60 extent_list);
61 list_del(&jext->extent_list);
62 kfree(jext);
63 }
64 list_del(&jd->jd_list);
65 iput(jd->jd_inode);
66 kfree(jd);
67 }
68}
69
70static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid) 36static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid)
71{ 37{
72 struct gfs2_jdesc *jd; 38 struct gfs2_jdesc *jd;
diff --git a/fs/gfs2/super.h b/fs/gfs2/super.h
index f6b8b00ad881..4d2492b3e7ef 100644
--- a/fs/gfs2/super.h
+++ b/fs/gfs2/super.h
@@ -25,8 +25,6 @@ static inline unsigned int gfs2_jindex_size(struct gfs2_sbd *sdp)
25 return x; 25 return x;
26} 26}
27 27
28void gfs2_jindex_free(struct gfs2_sbd *sdp);
29
30struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid); 28struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid);
31int gfs2_jdesc_check(struct gfs2_jdesc *jd); 29int gfs2_jdesc_check(struct gfs2_jdesc *jd);
32 30
@@ -34,6 +32,7 @@ int gfs2_lookup_in_master_dir(struct gfs2_sbd *sdp, char *filename,
34 struct gfs2_inode **ipp); 32 struct gfs2_inode **ipp);
35 33
36int gfs2_make_fs_rw(struct gfs2_sbd *sdp); 34int gfs2_make_fs_rw(struct gfs2_sbd *sdp);
35int gfs2_make_fs_ro(struct gfs2_sbd *sdp);
37 36
38int gfs2_statfs_init(struct gfs2_sbd *sdp); 37int gfs2_statfs_init(struct gfs2_sbd *sdp);
39void gfs2_statfs_change(struct gfs2_sbd *sdp, 38void gfs2_statfs_change(struct gfs2_sbd *sdp,