aboutsummaryrefslogtreecommitdiffstats
path: root/fs
diff options
context:
space:
mode:
authorNathan Scott <nathans@sgi.com>2006-08-10 00:40:41 -0400
committerNathan Scott <nathans@sgi.com>2006-08-10 00:40:41 -0400
commit0e1edbd99994270023cea5afe593f972eb09a778 (patch)
treee4b2618172c17426d200ec435c24daaf606e2437 /fs
parent9f737633e6ee54fc174282d49b2559bd2208391d (diff)
[XFS] Fix xfs_free_extent related NULL pointer dereference.
We recently fixed an out-of-space deadlock in XFS, and part of that fix involved the addition of the XFS_ALLOC_FLAG_FREEING flag to some of the space allocator calls to indicate they're freeing space, not allocating it. There was a missed xfs_alloc_fix_freelist condition test that did not correctly test "flags". The same test would also test an uninitialised structure field (args->userdata) and depending on its value either would or would not return early with a critical buffer pointer set to NULL. This fixes that up, adds asserts to several places to catch future botches of this nature, and skips sections of xfs_alloc_fix_freelist that are irrelevent for the space-freeing case. SGI-PV: 955303 SGI-Modid: xfs-linux-melb:xfs-kern:26743a Signed-off-by: Nathan Scott <nathans@sgi.com>
Diffstat (limited to 'fs')
-rw-r--r--fs/xfs/xfs_alloc.c103
1 files changed, 54 insertions, 49 deletions
diff --git a/fs/xfs/xfs_alloc.c b/fs/xfs/xfs_alloc.c
index eef6763f3a67..d2bbcd882a69 100644
--- a/fs/xfs/xfs_alloc.c
+++ b/fs/xfs/xfs_alloc.c
@@ -1835,40 +1835,47 @@ xfs_alloc_fix_freelist(
1835 &agbp))) 1835 &agbp)))
1836 return error; 1836 return error;
1837 if (!pag->pagf_init) { 1837 if (!pag->pagf_init) {
1838 ASSERT(flags & XFS_ALLOC_FLAG_TRYLOCK);
1839 ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING));
1838 args->agbp = NULL; 1840 args->agbp = NULL;
1839 return 0; 1841 return 0;
1840 } 1842 }
1841 } else 1843 } else
1842 agbp = NULL; 1844 agbp = NULL;
1843 1845
1844 /* If this is a metadata preferred pag and we are user data 1846 /*
1847 * If this is a metadata preferred pag and we are user data
1845 * then try somewhere else if we are not being asked to 1848 * then try somewhere else if we are not being asked to
1846 * try harder at this point 1849 * try harder at this point
1847 */ 1850 */
1848 if (pag->pagf_metadata && args->userdata && flags) { 1851 if (pag->pagf_metadata && args->userdata &&
1852 (flags & XFS_ALLOC_FLAG_TRYLOCK)) {
1853 ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING));
1849 args->agbp = NULL; 1854 args->agbp = NULL;
1850 return 0; 1855 return 0;
1851 } 1856 }
1852 1857
1853 need = XFS_MIN_FREELIST_PAG(pag, mp); 1858 if (!(flags & XFS_ALLOC_FLAG_FREEING)) {
1854 delta = need > pag->pagf_flcount ? need - pag->pagf_flcount : 0; 1859 need = XFS_MIN_FREELIST_PAG(pag, mp);
1855 /* 1860 delta = need > pag->pagf_flcount ? need - pag->pagf_flcount : 0;
1856 * If it looks like there isn't a long enough extent, or enough 1861 /*
1857 * total blocks, reject it. 1862 * If it looks like there isn't a long enough extent, or enough
1858 */ 1863 * total blocks, reject it.
1859 longest = (pag->pagf_longest > delta) ? 1864 */
1860 (pag->pagf_longest - delta) : 1865 longest = (pag->pagf_longest > delta) ?
1861 (pag->pagf_flcount > 0 || pag->pagf_longest > 0); 1866 (pag->pagf_longest - delta) :
1862 if (args->minlen + args->alignment + args->minalignslop - 1 > longest || 1867 (pag->pagf_flcount > 0 || pag->pagf_longest > 0);
1863 (!(flags & XFS_ALLOC_FLAG_FREEING) && 1868 if ((args->minlen + args->alignment + args->minalignslop - 1) >
1864 (int)(pag->pagf_freeblks + pag->pagf_flcount - 1869 longest ||
1865 need - args->total) < 1870 ((int)(pag->pagf_freeblks + pag->pagf_flcount -
1866 (int)args->minleft)) { 1871 need - args->total) < (int)args->minleft)) {
1867 if (agbp) 1872 if (agbp)
1868 xfs_trans_brelse(tp, agbp); 1873 xfs_trans_brelse(tp, agbp);
1869 args->agbp = NULL; 1874 args->agbp = NULL;
1870 return 0; 1875 return 0;
1876 }
1871 } 1877 }
1878
1872 /* 1879 /*
1873 * Get the a.g. freespace buffer. 1880 * Get the a.g. freespace buffer.
1874 * Can fail if we're not blocking on locks, and it's held. 1881 * Can fail if we're not blocking on locks, and it's held.
@@ -1878,6 +1885,8 @@ xfs_alloc_fix_freelist(
1878 &agbp))) 1885 &agbp)))
1879 return error; 1886 return error;
1880 if (agbp == NULL) { 1887 if (agbp == NULL) {
1888 ASSERT(flags & XFS_ALLOC_FLAG_TRYLOCK);
1889 ASSERT(!(flags & XFS_ALLOC_FLAG_FREEING));
1881 args->agbp = NULL; 1890 args->agbp = NULL;
1882 return 0; 1891 return 0;
1883 } 1892 }
@@ -1887,22 +1896,24 @@ xfs_alloc_fix_freelist(
1887 */ 1896 */
1888 agf = XFS_BUF_TO_AGF(agbp); 1897 agf = XFS_BUF_TO_AGF(agbp);
1889 need = XFS_MIN_FREELIST(agf, mp); 1898 need = XFS_MIN_FREELIST(agf, mp);
1890 delta = need > be32_to_cpu(agf->agf_flcount) ?
1891 (need - be32_to_cpu(agf->agf_flcount)) : 0;
1892 /* 1899 /*
1893 * If there isn't enough total or single-extent, reject it. 1900 * If there isn't enough total or single-extent, reject it.
1894 */ 1901 */
1895 longest = be32_to_cpu(agf->agf_longest); 1902 if (!(flags & XFS_ALLOC_FLAG_FREEING)) {
1896 longest = (longest > delta) ? (longest - delta) : 1903 delta = need > be32_to_cpu(agf->agf_flcount) ?
1897 (be32_to_cpu(agf->agf_flcount) > 0 || longest > 0); 1904 (need - be32_to_cpu(agf->agf_flcount)) : 0;
1898 if (args->minlen + args->alignment + args->minalignslop - 1 > longest || 1905 longest = be32_to_cpu(agf->agf_longest);
1899 (!(flags & XFS_ALLOC_FLAG_FREEING) && 1906 longest = (longest > delta) ? (longest - delta) :
1900 (int)(be32_to_cpu(agf->agf_freeblks) + 1907 (be32_to_cpu(agf->agf_flcount) > 0 || longest > 0);
1901 be32_to_cpu(agf->agf_flcount) - need - args->total) < 1908 if ((args->minlen + args->alignment + args->minalignslop - 1) >
1902 (int)args->minleft)) { 1909 longest ||
1903 xfs_trans_brelse(tp, agbp); 1910 ((int)(be32_to_cpu(agf->agf_freeblks) +
1904 args->agbp = NULL; 1911 be32_to_cpu(agf->agf_flcount) - need - args->total) <
1905 return 0; 1912 (int)args->minleft)) {
1913 xfs_trans_brelse(tp, agbp);
1914 args->agbp = NULL;
1915 return 0;
1916 }
1906 } 1917 }
1907 /* 1918 /*
1908 * Make the freelist shorter if it's too long. 1919 * Make the freelist shorter if it's too long.
@@ -1950,12 +1961,11 @@ xfs_alloc_fix_freelist(
1950 * on a completely full ag. 1961 * on a completely full ag.
1951 */ 1962 */
1952 if (targs.agbno == NULLAGBLOCK) { 1963 if (targs.agbno == NULLAGBLOCK) {
1953 if (!(flags & XFS_ALLOC_FLAG_FREEING)) { 1964 if (flags & XFS_ALLOC_FLAG_FREEING)
1954 xfs_trans_brelse(tp, agflbp); 1965 break;
1955 args->agbp = NULL; 1966 xfs_trans_brelse(tp, agflbp);
1956 return 0; 1967 args->agbp = NULL;
1957 } 1968 return 0;
1958 break;
1959 } 1969 }
1960 /* 1970 /*
1961 * Put each allocated block on the list. 1971 * Put each allocated block on the list.
@@ -2442,31 +2452,26 @@ xfs_free_extent(
2442 xfs_fsblock_t bno, /* starting block number of extent */ 2452 xfs_fsblock_t bno, /* starting block number of extent */
2443 xfs_extlen_t len) /* length of extent */ 2453 xfs_extlen_t len) /* length of extent */
2444{ 2454{
2445#ifdef DEBUG 2455 xfs_alloc_arg_t args;
2446 xfs_agf_t *agf; /* a.g. freespace header */
2447#endif
2448 xfs_alloc_arg_t args; /* allocation argument structure */
2449 int error; 2456 int error;
2450 2457
2451 ASSERT(len != 0); 2458 ASSERT(len != 0);
2459 memset(&args, 0, sizeof(xfs_alloc_arg_t));
2452 args.tp = tp; 2460 args.tp = tp;
2453 args.mp = tp->t_mountp; 2461 args.mp = tp->t_mountp;
2454 args.agno = XFS_FSB_TO_AGNO(args.mp, bno); 2462 args.agno = XFS_FSB_TO_AGNO(args.mp, bno);
2455 ASSERT(args.agno < args.mp->m_sb.sb_agcount); 2463 ASSERT(args.agno < args.mp->m_sb.sb_agcount);
2456 args.agbno = XFS_FSB_TO_AGBNO(args.mp, bno); 2464 args.agbno = XFS_FSB_TO_AGBNO(args.mp, bno);
2457 args.alignment = 1;
2458 args.minlen = args.minleft = args.minalignslop = 0;
2459 down_read(&args.mp->m_peraglock); 2465 down_read(&args.mp->m_peraglock);
2460 args.pag = &args.mp->m_perag[args.agno]; 2466 args.pag = &args.mp->m_perag[args.agno];
2461 if ((error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING))) 2467 if ((error = xfs_alloc_fix_freelist(&args, XFS_ALLOC_FLAG_FREEING)))
2462 goto error0; 2468 goto error0;
2463#ifdef DEBUG 2469#ifdef DEBUG
2464 ASSERT(args.agbp != NULL); 2470 ASSERT(args.agbp != NULL);
2465 agf = XFS_BUF_TO_AGF(args.agbp); 2471 ASSERT((args.agbno + len) <=
2466 ASSERT(args.agbno + len <= be32_to_cpu(agf->agf_length)); 2472 be32_to_cpu(XFS_BUF_TO_AGF(args.agbp)->agf_length));
2467#endif 2473#endif
2468 error = xfs_free_ag_extent(tp, args.agbp, args.agno, args.agbno, 2474 error = xfs_free_ag_extent(tp, args.agbp, args.agno, args.agbno, len, 0);
2469 len, 0);
2470error0: 2475error0:
2471 up_read(&args.mp->m_peraglock); 2476 up_read(&args.mp->m_peraglock);
2472 return error; 2477 return error;