36e4ad0316
Before this patch, function read_rindex_entry would set a rgrp glock's gl_object pointer to itself before inserting the rgrp into the rgrp rbtree. The problem is: if another process was also reading the rgrp in, and had already inserted its newly created rgrp, then the second call to read_rindex_entry would overwrite that value, then return a bad return code to the caller. Later, other functions would reference the now-freed rgrp memory by way of gl_object. In some cases, that could result in gfs2_rgrp_brelse being called twice for the same rgrp: once for the failed attempt and once for the "real" rgrp release. Eventually the kernel would panic. There are also a number of other things that could go wrong when a kernel module is accessing freed storage. For example, this could result in rgrp corruption because the fake rgrp would point to a fake bitmap in memory too, causing gfs2_inplace_reserve to search some random memory for free blocks, and find some, since we were never setting rgd->rd_bits to NULL before freeing it. This patch fixes the problem by not setting gl_object until we have successfully inserted the rgrp into the rbtree. Also, it sets rd_bits to NULL as it frees them, which will ensure any accidental access to the wrong rgrp will result in a kernel panic rather than file system corruption, which is preferred. Signed-off-by: Bob Peterson <rpeterso@redhat.com> |
||
---|---|---|
.. | ||
acl.c | ||
acl.h | ||
aops.c | ||
bmap.c | ||
bmap.h | ||
dentry.c | ||
dir.c | ||
dir.h | ||
export.c | ||
file.c | ||
gfs2.h | ||
glock.c | ||
glock.h | ||
glops.c | ||
glops.h | ||
incore.h | ||
inode.c | ||
inode.h | ||
Kconfig | ||
lock_dlm.c | ||
log.c | ||
log.h | ||
lops.c | ||
lops.h | ||
main.c | ||
Makefile | ||
meta_io.c | ||
meta_io.h | ||
ops_fstype.c | ||
quota.c | ||
quota.h | ||
recovery.c | ||
recovery.h | ||
rgrp.c | ||
rgrp.h | ||
super.c | ||
super.h | ||
sys.c | ||
sys.h | ||
trace_gfs2.h | ||
trans.c | ||
trans.h | ||
util.c | ||
util.h | ||
xattr.c | ||
xattr.h |