diff options
author | Steven Whitehouse <swhiteho@redhat.com> | 2008-11-27 03:27:28 -0500 |
---|---|---|
committer | Steven Whitehouse <swhiteho@redhat.com> | 2009-01-05 02:39:14 -0500 |
commit | 3af165ac4d099385b12e3e75a9ee3ffd02da33e0 (patch) | |
tree | b90552f6ac8db316c05d5f3246366cfa09cc7473 | |
parent | 2e204703a1161e9bae38ba0d3d0df04a679e6f4f (diff) |
GFS2: Fix use-after-free bug on umount
There was a use-after-free with the GFS2 super block during
umount. This patch moves almost all of the umount code from
->put_super into ->kill_sb, the only bit that cannot be moved
being the glock hash clearing which has to remain as ->put_super
due to umount ordering requirements. As a result its now obvious
that the kfree is the final operation, whereas before it was
hidden in ->put_super.
Also gfs2_jindex_free is then only referenced from a single file
so thats moved and marked static too.
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
-rw-r--r-- | fs/gfs2/glock.c | 3 | ||||
-rw-r--r-- | fs/gfs2/glock.h | 2 | ||||
-rw-r--r-- | fs/gfs2/ops_fstype.c | 98 | ||||
-rw-r--r-- | fs/gfs2/ops_super.c | 68 | ||||
-rw-r--r-- | fs/gfs2/super.c | 34 | ||||
-rw-r--r-- | fs/gfs2/super.h | 3 |
6 files changed, 94 insertions, 114 deletions
diff --git a/fs/gfs2/glock.c b/fs/gfs2/glock.c index 6e298b070117..5eae62e7f778 100644 --- a/fs/gfs2/glock.c +++ b/fs/gfs2/glock.c | |||
@@ -1547,8 +1547,9 @@ static void clear_glock(struct gfs2_glock *gl) | |||
1547 | * Called when unmounting the filesystem. | 1547 | * Called when unmounting the filesystem. |
1548 | */ | 1548 | */ |
1549 | 1549 | ||
1550 | void gfs2_gl_hash_clear(struct gfs2_sbd *sdp) | 1550 | void gfs2_gl_hash_clear(struct super_block *sb) |
1551 | { | 1551 | { |
1552 | struct gfs2_sbd *sdp = sb->s_fs_info; | ||
1552 | unsigned long t; | 1553 | unsigned long t; |
1553 | unsigned int x; | 1554 | unsigned int x; |
1554 | int cont; | 1555 | int cont; |
diff --git a/fs/gfs2/glock.h b/fs/gfs2/glock.h index 543ec7ecfbda..ce54f338cff9 100644 --- a/fs/gfs2/glock.h +++ b/fs/gfs2/glock.h | |||
@@ -130,7 +130,7 @@ void gfs2_lvb_unhold(struct gfs2_glock *gl); | |||
130 | 130 | ||
131 | void gfs2_glock_cb(void *cb_data, unsigned int type, void *data); | 131 | void gfs2_glock_cb(void *cb_data, unsigned int type, void *data); |
132 | void gfs2_reclaim_glock(struct gfs2_sbd *sdp); | 132 | void gfs2_reclaim_glock(struct gfs2_sbd *sdp); |
133 | void gfs2_gl_hash_clear(struct gfs2_sbd *sdp); | 133 | void gfs2_gl_hash_clear(struct super_block *sb); |
134 | void gfs2_glock_finish_truncate(struct gfs2_inode *ip); | 134 | void gfs2_glock_finish_truncate(struct gfs2_inode *ip); |
135 | 135 | ||
136 | int __init gfs2_glock_init(void); | 136 | int __init gfs2_glock_init(void); |
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c index 4cae60f4a175..2e735bece6b9 100644 --- a/fs/gfs2/ops_fstype.c +++ b/fs/gfs2/ops_fstype.c | |||
@@ -705,6 +705,40 @@ static int gfs2_jindex_hold(struct gfs2_sbd *sdp, struct gfs2_holder *ji_gh) | |||
705 | return error; | 705 | return error; |
706 | } | 706 | } |
707 | 707 | ||
708 | /** | ||
709 | * gfs2_jindex_free - Clear all the journal index information | ||
710 | * @sdp: The GFS2 superblock | ||
711 | * | ||
712 | */ | ||
713 | |||
714 | static void gfs2_jindex_free(struct gfs2_sbd *sdp) | ||
715 | { | ||
716 | struct list_head list, *head; | ||
717 | struct gfs2_jdesc *jd; | ||
718 | struct gfs2_journal_extent *jext; | ||
719 | |||
720 | spin_lock(&sdp->sd_jindex_spin); | ||
721 | list_add(&list, &sdp->sd_jindex_list); | ||
722 | list_del_init(&sdp->sd_jindex_list); | ||
723 | sdp->sd_journals = 0; | ||
724 | spin_unlock(&sdp->sd_jindex_spin); | ||
725 | |||
726 | while (!list_empty(&list)) { | ||
727 | jd = list_entry(list.next, struct gfs2_jdesc, jd_list); | ||
728 | head = &jd->extent_list; | ||
729 | while (!list_empty(head)) { | ||
730 | jext = list_entry(head->next, | ||
731 | struct gfs2_journal_extent, | ||
732 | extent_list); | ||
733 | list_del(&jext->extent_list); | ||
734 | kfree(jext); | ||
735 | } | ||
736 | list_del(&jd->jd_list); | ||
737 | iput(jd->jd_inode); | ||
738 | kfree(jd); | ||
739 | } | ||
740 | } | ||
741 | |||
708 | static int init_journal(struct gfs2_sbd *sdp, int undo) | 742 | static int init_journal(struct gfs2_sbd *sdp, int undo) |
709 | { | 743 | { |
710 | struct inode *master = sdp->sd_master_dir->d_inode; | 744 | struct inode *master = sdp->sd_master_dir->d_inode; |
@@ -1203,7 +1237,7 @@ fail_sb: | |||
1203 | fail_locking: | 1237 | fail_locking: |
1204 | init_locking(sdp, &mount_gh, UNDO); | 1238 | init_locking(sdp, &mount_gh, UNDO); |
1205 | fail_lm: | 1239 | fail_lm: |
1206 | gfs2_gl_hash_clear(sdp); | 1240 | gfs2_gl_hash_clear(sb); |
1207 | gfs2_lm_unmount(sdp); | 1241 | gfs2_lm_unmount(sdp); |
1208 | while (invalidate_inodes(sb)) | 1242 | while (invalidate_inodes(sb)) |
1209 | yield(); | 1243 | yield(); |
@@ -1263,17 +1297,61 @@ static int gfs2_get_sb_meta(struct file_system_type *fs_type, int flags, | |||
1263 | static void gfs2_kill_sb(struct super_block *sb) | 1297 | static void gfs2_kill_sb(struct super_block *sb) |
1264 | { | 1298 | { |
1265 | struct gfs2_sbd *sdp = sb->s_fs_info; | 1299 | struct gfs2_sbd *sdp = sb->s_fs_info; |
1266 | if (sdp) { | 1300 | |
1267 | gfs2_meta_syncfs(sdp); | 1301 | if (sdp == NULL) { |
1268 | dput(sdp->sd_root_dir); | 1302 | kill_block_super(sb); |
1269 | dput(sdp->sd_master_dir); | 1303 | return; |
1270 | sdp->sd_root_dir = NULL; | ||
1271 | sdp->sd_master_dir = NULL; | ||
1272 | } | 1304 | } |
1273 | shrink_dcache_sb(sb); | 1305 | gfs2_meta_syncfs(sdp); |
1306 | dput(sdp->sd_root_dir); | ||
1307 | dput(sdp->sd_master_dir); | ||
1308 | sdp->sd_root_dir = NULL; | ||
1309 | sdp->sd_master_dir = NULL; | ||
1310 | |||
1311 | /* Unfreeze the filesystem, if we need to */ | ||
1312 | mutex_lock(&sdp->sd_freeze_lock); | ||
1313 | if (sdp->sd_freeze_count) | ||
1314 | gfs2_glock_dq_uninit(&sdp->sd_freeze_gh); | ||
1315 | mutex_unlock(&sdp->sd_freeze_lock); | ||
1316 | |||
1317 | kthread_stop(sdp->sd_quotad_process); | ||
1318 | kthread_stop(sdp->sd_logd_process); | ||
1319 | kthread_stop(sdp->sd_recoverd_process); | ||
1320 | |||
1321 | if (!(sb->s_flags & MS_RDONLY)) { | ||
1322 | int error = gfs2_make_fs_ro(sdp); | ||
1323 | if (error) | ||
1324 | gfs2_io_error(sdp); | ||
1325 | } | ||
1326 | |||
1327 | /* At this point, we're through modifying the disk */ | ||
1328 | gfs2_jindex_free(sdp); | ||
1329 | gfs2_clear_rgrpd(sdp); | ||
1330 | iput(sdp->sd_jindex); | ||
1331 | iput(sdp->sd_inum_inode); | ||
1332 | iput(sdp->sd_statfs_inode); | ||
1333 | iput(sdp->sd_rindex); | ||
1334 | iput(sdp->sd_quota_inode); | ||
1335 | |||
1336 | gfs2_glock_put(sdp->sd_rename_gl); | ||
1337 | gfs2_glock_put(sdp->sd_trans_gl); | ||
1338 | |||
1339 | if (!sdp->sd_args.ar_spectator) { | ||
1340 | gfs2_glock_dq_uninit(&sdp->sd_journal_gh); | ||
1341 | gfs2_glock_dq_uninit(&sdp->sd_jinode_gh); | ||
1342 | gfs2_glock_dq_uninit(&sdp->sd_ir_gh); | ||
1343 | gfs2_glock_dq_uninit(&sdp->sd_sc_gh); | ||
1344 | gfs2_glock_dq_uninit(&sdp->sd_qc_gh); | ||
1345 | iput(sdp->sd_ir_inode); | ||
1346 | iput(sdp->sd_sc_inode); | ||
1347 | iput(sdp->sd_qc_inode); | ||
1348 | } | ||
1349 | gfs2_glock_dq_uninit(&sdp->sd_live_gh); | ||
1274 | kill_block_super(sb); | 1350 | kill_block_super(sb); |
1275 | if (sdp) | 1351 | gfs2_lm_unmount(sdp); |
1276 | gfs2_delete_debugfs_file(sdp); | 1352 | gfs2_sys_fs_del(sdp); |
1353 | gfs2_delete_debugfs_file(sdp); | ||
1354 | kfree(sdp); | ||
1277 | } | 1355 | } |
1278 | 1356 | ||
1279 | struct file_system_type gfs2_fs_type = { | 1357 | struct file_system_type gfs2_fs_type = { |
diff --git a/fs/gfs2/ops_super.c b/fs/gfs2/ops_super.c index 08837a728635..bd08a0a8d9bf 100644 --- a/fs/gfs2/ops_super.c +++ b/fs/gfs2/ops_super.c | |||
@@ -95,7 +95,7 @@ do_flush: | |||
95 | * Returns: errno | 95 | * Returns: errno |
96 | */ | 96 | */ |
97 | 97 | ||
98 | static int gfs2_make_fs_ro(struct gfs2_sbd *sdp) | 98 | int gfs2_make_fs_ro(struct gfs2_sbd *sdp) |
99 | { | 99 | { |
100 | struct gfs2_holder t_gh; | 100 | struct gfs2_holder t_gh; |
101 | int error; | 101 | int error; |
@@ -122,70 +122,6 @@ static int gfs2_make_fs_ro(struct gfs2_sbd *sdp) | |||
122 | } | 122 | } |
123 | 123 | ||
124 | /** | 124 | /** |
125 | * gfs2_put_super - Unmount the filesystem | ||
126 | * @sb: The VFS superblock | ||
127 | * | ||
128 | */ | ||
129 | |||
130 | static void gfs2_put_super(struct super_block *sb) | ||
131 | { | ||
132 | struct gfs2_sbd *sdp = sb->s_fs_info; | ||
133 | int error; | ||
134 | |||
135 | /* Unfreeze the filesystem, if we need to */ | ||
136 | |||
137 | mutex_lock(&sdp->sd_freeze_lock); | ||
138 | if (sdp->sd_freeze_count) | ||
139 | gfs2_glock_dq_uninit(&sdp->sd_freeze_gh); | ||
140 | mutex_unlock(&sdp->sd_freeze_lock); | ||
141 | |||
142 | kthread_stop(sdp->sd_quotad_process); | ||
143 | kthread_stop(sdp->sd_logd_process); | ||
144 | kthread_stop(sdp->sd_recoverd_process); | ||
145 | |||
146 | if (!(sb->s_flags & MS_RDONLY)) { | ||
147 | error = gfs2_make_fs_ro(sdp); | ||
148 | if (error) | ||
149 | gfs2_io_error(sdp); | ||
150 | } | ||
151 | /* At this point, we're through modifying the disk */ | ||
152 | |||
153 | /* Release stuff */ | ||
154 | |||
155 | iput(sdp->sd_jindex); | ||
156 | iput(sdp->sd_inum_inode); | ||
157 | iput(sdp->sd_statfs_inode); | ||
158 | iput(sdp->sd_rindex); | ||
159 | iput(sdp->sd_quota_inode); | ||
160 | |||
161 | gfs2_glock_put(sdp->sd_rename_gl); | ||
162 | gfs2_glock_put(sdp->sd_trans_gl); | ||
163 | |||
164 | if (!sdp->sd_args.ar_spectator) { | ||
165 | gfs2_glock_dq_uninit(&sdp->sd_journal_gh); | ||
166 | gfs2_glock_dq_uninit(&sdp->sd_jinode_gh); | ||
167 | gfs2_glock_dq_uninit(&sdp->sd_ir_gh); | ||
168 | gfs2_glock_dq_uninit(&sdp->sd_sc_gh); | ||
169 | gfs2_glock_dq_uninit(&sdp->sd_qc_gh); | ||
170 | iput(sdp->sd_ir_inode); | ||
171 | iput(sdp->sd_sc_inode); | ||
172 | iput(sdp->sd_qc_inode); | ||
173 | } | ||
174 | |||
175 | gfs2_glock_dq_uninit(&sdp->sd_live_gh); | ||
176 | gfs2_clear_rgrpd(sdp); | ||
177 | gfs2_jindex_free(sdp); | ||
178 | /* Take apart glock structures and buffer lists */ | ||
179 | gfs2_gl_hash_clear(sdp); | ||
180 | /* Unmount the locking protocol */ | ||
181 | gfs2_lm_unmount(sdp); | ||
182 | |||
183 | /* At this point, we're through participating in the lockspace */ | ||
184 | gfs2_sys_fs_del(sdp); | ||
185 | kfree(sdp); | ||
186 | } | ||
187 | |||
188 | /** | ||
189 | * gfs2_write_super | 125 | * gfs2_write_super |
190 | * @sb: the superblock | 126 | * @sb: the superblock |
191 | * | 127 | * |
@@ -686,7 +622,7 @@ const struct super_operations gfs2_super_ops = { | |||
686 | .destroy_inode = gfs2_destroy_inode, | 622 | .destroy_inode = gfs2_destroy_inode, |
687 | .write_inode = gfs2_write_inode, | 623 | .write_inode = gfs2_write_inode, |
688 | .delete_inode = gfs2_delete_inode, | 624 | .delete_inode = gfs2_delete_inode, |
689 | .put_super = gfs2_put_super, | 625 | .put_super = gfs2_gl_hash_clear, |
690 | .write_super = gfs2_write_super, | 626 | .write_super = gfs2_write_super, |
691 | .sync_fs = gfs2_sync_fs, | 627 | .sync_fs = gfs2_sync_fs, |
692 | .write_super_lockfs = gfs2_write_super_lockfs, | 628 | .write_super_lockfs = gfs2_write_super_lockfs, |
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index 141b781f2fcc..f14658b20204 100644 --- a/fs/gfs2/super.c +++ b/fs/gfs2/super.c | |||
@@ -33,40 +33,6 @@ | |||
33 | #include "trans.h" | 33 | #include "trans.h" |
34 | #include "util.h" | 34 | #include "util.h" |
35 | 35 | ||
36 | /** | ||
37 | * gfs2_jindex_free - Clear all the journal index information | ||
38 | * @sdp: The GFS2 superblock | ||
39 | * | ||
40 | */ | ||
41 | |||
42 | void gfs2_jindex_free(struct gfs2_sbd *sdp) | ||
43 | { | ||
44 | struct list_head list, *head; | ||
45 | struct gfs2_jdesc *jd; | ||
46 | struct gfs2_journal_extent *jext; | ||
47 | |||
48 | spin_lock(&sdp->sd_jindex_spin); | ||
49 | list_add(&list, &sdp->sd_jindex_list); | ||
50 | list_del_init(&sdp->sd_jindex_list); | ||
51 | sdp->sd_journals = 0; | ||
52 | spin_unlock(&sdp->sd_jindex_spin); | ||
53 | |||
54 | while (!list_empty(&list)) { | ||
55 | jd = list_entry(list.next, struct gfs2_jdesc, jd_list); | ||
56 | head = &jd->extent_list; | ||
57 | while (!list_empty(head)) { | ||
58 | jext = list_entry(head->next, | ||
59 | struct gfs2_journal_extent, | ||
60 | extent_list); | ||
61 | list_del(&jext->extent_list); | ||
62 | kfree(jext); | ||
63 | } | ||
64 | list_del(&jd->jd_list); | ||
65 | iput(jd->jd_inode); | ||
66 | kfree(jd); | ||
67 | } | ||
68 | } | ||
69 | |||
70 | static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid) | 36 | static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid) |
71 | { | 37 | { |
72 | struct gfs2_jdesc *jd; | 38 | struct gfs2_jdesc *jd; |
diff --git a/fs/gfs2/super.h b/fs/gfs2/super.h index f6b8b00ad881..4d2492b3e7ef 100644 --- a/fs/gfs2/super.h +++ b/fs/gfs2/super.h | |||
@@ -25,8 +25,6 @@ static inline unsigned int gfs2_jindex_size(struct gfs2_sbd *sdp) | |||
25 | return x; | 25 | return x; |
26 | } | 26 | } |
27 | 27 | ||
28 | void gfs2_jindex_free(struct gfs2_sbd *sdp); | ||
29 | |||
30 | struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid); | 28 | struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid); |
31 | int gfs2_jdesc_check(struct gfs2_jdesc *jd); | 29 | int gfs2_jdesc_check(struct gfs2_jdesc *jd); |
32 | 30 | ||
@@ -34,6 +32,7 @@ int gfs2_lookup_in_master_dir(struct gfs2_sbd *sdp, char *filename, | |||
34 | struct gfs2_inode **ipp); | 32 | struct gfs2_inode **ipp); |
35 | 33 | ||
36 | int gfs2_make_fs_rw(struct gfs2_sbd *sdp); | 34 | int gfs2_make_fs_rw(struct gfs2_sbd *sdp); |
35 | int gfs2_make_fs_ro(struct gfs2_sbd *sdp); | ||
37 | 36 | ||
38 | int gfs2_statfs_init(struct gfs2_sbd *sdp); | 37 | int gfs2_statfs_init(struct gfs2_sbd *sdp); |
39 | void gfs2_statfs_change(struct gfs2_sbd *sdp, | 38 | void gfs2_statfs_change(struct gfs2_sbd *sdp, |