diff options
author | Thomas Gleixner <tglx@linutronix.de> | 2009-02-16 15:29:31 -0500 |
---|---|---|
committer | David Woodhouse <David.Woodhouse@intel.com> | 2009-02-21 05:09:29 -0500 |
commit | 4c41bd0ec953954158f92bed5d3062645062b98e (patch) | |
tree | bd3f4c7fdbcac9bf2cabce557d472d6ed4ae4741 /fs/jffs2 | |
parent | efab0b5d3eed6aa71f8e3233e4e11774eedc04dc (diff) |
[JFFS2] fix mount crash caused by removed nodes
At scan time we observed following scenario:
node A inserted
node B inserted
node C inserted -> sets overlapped flag on node B
node A is removed due to CRC failure -> overlapped flag on node B remains
while (tn->overlapped)
tn = tn_prev(tn);
==> crash, when tn_prev(B) is referenced.
When the ultimate node is removed at scan time and the overlapped flag
is set on the penultimate node, then nothing updates the overlapped
flag of that node. The overlapped iterators blindly expect that the
ultimate node does not have the overlapped flag set, which causes the
scan code to crash.
It would be a huge overhead to go through the node chain on node
removal and fix up the overlapped flags, so detecting such a case on
the fly in the overlapped iterators is a simpler and reliable
solution.
Cc: stable@kernel.org
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: David Woodhouse <David.Woodhouse@intel.com>
Diffstat (limited to 'fs/jffs2')
-rw-r--r-- | fs/jffs2/readinode.c | 42 |
1 files changed, 33 insertions, 9 deletions
diff --git a/fs/jffs2/readinode.c b/fs/jffs2/readinode.c index 6ca08ad887c0..1fc1e92356ee 100644 --- a/fs/jffs2/readinode.c +++ b/fs/jffs2/readinode.c | |||
@@ -220,7 +220,7 @@ static int jffs2_add_tn_to_tree(struct jffs2_sb_info *c, | |||
220 | struct jffs2_tmp_dnode_info *tn) | 220 | struct jffs2_tmp_dnode_info *tn) |
221 | { | 221 | { |
222 | uint32_t fn_end = tn->fn->ofs + tn->fn->size; | 222 | uint32_t fn_end = tn->fn->ofs + tn->fn->size; |
223 | struct jffs2_tmp_dnode_info *this; | 223 | struct jffs2_tmp_dnode_info *this, *ptn; |
224 | 224 | ||
225 | dbg_readinode("insert fragment %#04x-%#04x, ver %u at %08x\n", tn->fn->ofs, fn_end, tn->version, ref_offset(tn->fn->raw)); | 225 | dbg_readinode("insert fragment %#04x-%#04x, ver %u at %08x\n", tn->fn->ofs, fn_end, tn->version, ref_offset(tn->fn->raw)); |
226 | 226 | ||
@@ -251,11 +251,18 @@ static int jffs2_add_tn_to_tree(struct jffs2_sb_info *c, | |||
251 | if (this) { | 251 | if (this) { |
252 | /* If the node is coincident with another at a lower address, | 252 | /* If the node is coincident with another at a lower address, |
253 | back up until the other node is found. It may be relevant */ | 253 | back up until the other node is found. It may be relevant */ |
254 | while (this->overlapped) | 254 | while (this->overlapped) { |
255 | this = tn_prev(this); | 255 | ptn = tn_prev(this); |
256 | 256 | if (!ptn) { | |
257 | /* First node should never be marked overlapped */ | 257 | /* |
258 | BUG_ON(!this); | 258 | * We killed a node which set the overlapped |
259 | * flags during the scan. Fix it up. | ||
260 | */ | ||
261 | this->overlapped = 0; | ||
262 | break; | ||
263 | } | ||
264 | this = ptn; | ||
265 | } | ||
259 | dbg_readinode("'this' found %#04x-%#04x (%s)\n", this->fn->ofs, this->fn->ofs + this->fn->size, this->fn ? "data" : "hole"); | 266 | dbg_readinode("'this' found %#04x-%#04x (%s)\n", this->fn->ofs, this->fn->ofs + this->fn->size, this->fn ? "data" : "hole"); |
260 | } | 267 | } |
261 | 268 | ||
@@ -360,7 +367,17 @@ static int jffs2_add_tn_to_tree(struct jffs2_sb_info *c, | |||
360 | } | 367 | } |
361 | if (!this->overlapped) | 368 | if (!this->overlapped) |
362 | break; | 369 | break; |
363 | this = tn_prev(this); | 370 | |
371 | ptn = tn_prev(this); | ||
372 | if (!ptn) { | ||
373 | /* | ||
374 | * We killed a node which set the overlapped | ||
375 | * flags during the scan. Fix it up. | ||
376 | */ | ||
377 | this->overlapped = 0; | ||
378 | break; | ||
379 | } | ||
380 | this = ptn; | ||
364 | } | 381 | } |
365 | } | 382 | } |
366 | 383 | ||
@@ -456,8 +473,15 @@ static int jffs2_build_inode_fragtree(struct jffs2_sb_info *c, | |||
456 | eat_last(&rii->tn_root, &last->rb); | 473 | eat_last(&rii->tn_root, &last->rb); |
457 | ver_insert(&ver_root, last); | 474 | ver_insert(&ver_root, last); |
458 | 475 | ||
459 | if (unlikely(last->overlapped)) | 476 | if (unlikely(last->overlapped)) { |
460 | continue; | 477 | if (pen) |
478 | continue; | ||
479 | /* | ||
480 | * We killed a node which set the overlapped | ||
481 | * flags during the scan. Fix it up. | ||
482 | */ | ||
483 | last->overlapped = 0; | ||
484 | } | ||
461 | 485 | ||
462 | /* Now we have a bunch of nodes in reverse version | 486 | /* Now we have a bunch of nodes in reverse version |
463 | order, in the tree at ver_root. Most of the time, | 487 | order, in the tree at ver_root. Most of the time, |