aboutsummaryrefslogtreecommitdiffstats
path: root/fs/xfs
diff options
context:
space:
mode:
authorDave Chinner <dchinner@redhat.com>2012-04-23 01:58:45 -0400
committerBen Myers <bpm@sgi.com>2012-05-14 17:20:41 -0400
commitfe2429b0966a7ec42b5fe3bf96f0f10de0a3b536 (patch)
treec19792c758706dd75773319c0c2506878243586c /fs/xfs
parentaff3a9edb7080f69f07fe76a8bd089b3dfa4cb5d (diff)
xfs: fix buffer lookup race on allocation failure
When memory allocation fails to add the page array or tht epages to a buffer during xfs_buf_get(), the buffer is left in the cache in a partially initialised state. There is enough state left for the next lookup on that buffer to find the buffer, and for the buffer to then be used without finishing the initialisation. As a result, when an attempt to do IO on the buffer occurs, it fails with EIO because there are no pages attached to the buffer. We cannot remove the buffer from the cache immediately and free it, because there may already be a racing lookup that is blocked on the buffer lock. Hence the moment we unlock the buffer to then free it, the other user is woken and we have a use-after-free situation. To avoid this race condition altogether, allocate the pages for the buffer before we insert it into the cache. This then means that we don't have an allocation failure case to deal after the buffer is already present in the cache, and hence avoid the problem altogether. In most cases we won't have racing inserts for the same buffer, and so won't increase the memory pressure allocation before insertion may entail. Signed-off-by: Dave Chinner <dchinner@redhat.com> Reviewed-by: Mark Tinguely <tinguely@sgi.com> Signed-off-by: Ben Myers <bpm@sgi.com>
Diffstat (limited to 'fs/xfs')
-rw-r--r--fs/xfs/xfs_buf.c16
1 files changed, 9 insertions, 7 deletions
diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index b82fc5c67fed..da2541e5ff81 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -552,18 +552,20 @@ xfs_buf_get(
552 if (unlikely(!new_bp)) 552 if (unlikely(!new_bp))
553 return NULL; 553 return NULL;
554 554
555 error = xfs_buf_allocate_memory(new_bp, flags);
556 if (error) {
557 kmem_zone_free(xfs_buf_zone, new_bp);
558 return NULL;
559 }
560
555 bp = _xfs_buf_find(target, ioff, isize, flags, new_bp); 561 bp = _xfs_buf_find(target, ioff, isize, flags, new_bp);
556 if (!bp) { 562 if (!bp) {
557 kmem_zone_free(xfs_buf_zone, new_bp); 563 xfs_buf_free(new_bp);
558 return NULL; 564 return NULL;
559 } 565 }
560 566
561 if (bp == new_bp) { 567 if (bp != new_bp)
562 error = xfs_buf_allocate_memory(bp, flags); 568 xfs_buf_free(new_bp);
563 if (error)
564 goto no_buffer;
565 } else
566 kmem_zone_free(xfs_buf_zone, new_bp);
567 569
568 /* 570 /*
569 * Now we have a workable buffer, fill in the block number so 571 * Now we have a workable buffer, fill in the block number so