authorAl Viro <viro@zeniv.linux.org.uk>2008-12-30 01:52:35 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2008-12-31 18:07:43 -0500
commit41080b5a240113328c607f22b849f653373db0ce (patch)
treeaa8fd483c241140ebe73b6c71b370f4ad6a12251 /fs
parent261bca86ed4f7f391d1938167624e78da61dcc6b (diff)
nfsd race fixes: ext2
* make ext2_new_inode() put the inode into icache in locked state * do not unlock until the inode is fully set up; otherwise nfsd might pick it in half-baked state. * make sure that ext2_new_inode() does *not* lead to two inodes with the same inumber hashed at the same time; otherwise a bogus fhandle coming from nfsd might race with inode creation: nfsd: iget_locked() creates inode nfsd: try to read from disk, block on that. ext2_new_inode(): allocate inode with that inumber ext2_new_inode(): insert it into icache, set it up and dirty ext2_write_inode(): get the relevant part of inode table in cache, set the entry for our inode (and start writing to disk) nfsd: get CPU again, look into inode table, see nice and sane on-disk inode, set the in-core inode from it oops - we have two in-core inodes with the same inumber live in icache, both used for IO. Welcome to fs corruption... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs')
-rw-r--r--fs/ext2/ialloc.c6
-rw-r--r--fs/ext2/namei.c15
2 files changed, 19 insertions, 2 deletions
diff --git a/fs/ext2/ialloc.c b/fs/ext2/ialloc.c
index 8d0add625870..c454d5db28a5 100644
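--- a/fs/ext2/ialloc.c
+++ b/fs/ext2/ialloc.c
@@ -585,7 +585,10 @@ got:
 spin_lock(&sbi->s_next_gen_lock);
 inode->i_generation = sbi->s_next_generation++;
 spin_unlock(&sbi->s_next_gen_lock);
-insert_inode_hash(inode);
+if (insert_inode_locked(inode) < 0) {
+err = -EINVAL;
+goto fail_drop;
+}
 
 if (DQUOT_ALLOC_INODE(inode)) {
 err = -EDQUOT;
@@ -612,6 +615,7 @@ fail_drop:
 DQUOT_DROP(inode);
 inode->i_flags |= S_NOQUOTA;
 inode->i_nlink = 0;
+unlock_new_inode(inode);
 iput(inode);
 return ERR_PTR(err);
 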
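Review bot: The new branch taken when `insert_inode_locked(inode) < 0` returns `-EINVAL` without logging anything, so a collision with a live in-core inode of the same number (the bogus-fhandle case the commit message describes) looks like an ordinary bad-argument error and leaves no trace for whoever investigates later. I would report it at the point of detection, for example `ext2_error(sb, "ext2_new_inode", "inode number %lu already in use", ino);` (assuming `sb` and `ino` are the locals used earlier in the function), and consider `-EIO`, since the caller passed nothing invalid. The branch then jumps to `fail_drop`, which sets `i_nlink = 0` and calls `iput()`. Whether that final put releases the on-disk inode number still owned by the other in-core inode cannot be judged from these hunks, because the rest of `ext2_new_inode()` is outside them, so it should be checked before merging.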
diff --git a/fs/ext2/namei.c b/fs/ext2/namei.c
index 2a747252ec12..90ea17998a73 100644
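--- a/fs/ext2/namei.c
+++ b/fs/ext2/namei.c
@@ -41,9 +41,11 @@ static inline int ext2_add_nondir(struct dentry *dentry, struct inode *inode)
 int err = ext2_add_link(dentry, inode);
 if (!err) {
 d_instantiate(dentry, inode);
+unlock_new_inode(inode);
 return 0;
 }
 inode_dec_link_count(inode);
+unlock_new_inode(inode);
 iput(inode);
 return err;
 }
@@ -170,6 +172,7 @@ out:
 
 out_fail:
 inode_dec_link_count(inode);
+unlock_new_inode(inode);
 iput (inode);
 goto out;
 }
@@ -178,6 +181,7 @@ static int ext2_link (struct dentry * old_dentry, struct inode * dir,
 struct dentry *dentry)
 {
 struct inode *inode = old_dentry->d_inode;
+int err;
 
 if (inode->i_nlink >= EXT2_LINK_MAX)
 return -EMLINK;
@@ -186,7 +190,14 @@ static int ext2_link (struct dentry * old_dentry, struct inode * dir,
 inode_inc_link_count(inode);
 atomic_inc(&inode->i_count);
 
-return ext2_add_nondir(dentry, inode);
+err = ext2_add_link(dentry, inode);
+if (!err) {
+d_instantiate(dentry, inode);
+return 0;
+}
+inode_dec_link_count(inode);
+iput(inode);
+return err;
 }
 
 static int ext2_mkdir(struct inode * dir, struct dentry * dentry, int mode)
@@ -222,12 +233,14 @@ static int ext2_mkdir(struct inode * dir, struct dentry * dentry, int mode)
 goto out_fail;
 
 d_instantiate(dentry, inode);
+unlock_new_inode(inode);
 out:
 return err;
 
 out_fail:
 inode_dec_link_count(inode);
 inode_dec_link_count(inode);
+unlock_new_inode(inode);
 iput(inode);
 out_dir:
 inode_dec_link_count(dir);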
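Review bot: `ext2_add_nondir()` now calls `unlock_new_inode(inode)` on both its success and failure paths, but nothing at the helper says that callers must pass a freshly allocated, still-locked inode. `ext2_link()` operates on an existing inode, which is presumably why this commit replaces its call to the helper with an open-coded copy of the same sequence minus the unlock. I would add a comment above the helper along the lines of `/* inode must be new and still locked (I_NEW) from ext2_new_inode(); it is unlocked here on success and on failure */`. A one-line comment in `ext2_link()` should say why it does not use the helper, so that a later cleanup does not fold the duplicate back in and unlock an inode that was never locked. The `out_fail:` label in the second hunk belongs to a function whose start is outside that hunk, so its pairing with the allocation could not be checked here.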