Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
Revert "GFS2: Fix use-after-free bug on umount"
This reverts commit 78802499912f1ba31ce83a94c55b5a980f250a43.
The original patch is causing problems in relation to order of
operations at umount in relation to jdata files. I need to fix
this a different way.
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
+1
-2
fs/gfs2/glock.c
+1
-2
fs/gfs2/glock.c
+1
-1
fs/gfs2/glock.h
+1
-1
fs/gfs2/glock.h
+10
-88
fs/gfs2/ops_fstype.c
+10
-88
fs/gfs2/ops_fstype.c
···
705
return error;
706
}
707
708
-
/**
709
-
* gfs2_jindex_free - Clear all the journal index information
710
-
* @sdp: The GFS2 superblock
711
-
*
712
-
*/
713
-
714
-
static void gfs2_jindex_free(struct gfs2_sbd *sdp)
715
-
{
716
-
struct list_head list, *head;
717
-
struct gfs2_jdesc *jd;
718
-
struct gfs2_journal_extent *jext;
719
-
720
-
spin_lock(&sdp->sd_jindex_spin);
721
-
list_add(&list, &sdp->sd_jindex_list);
722
-
list_del_init(&sdp->sd_jindex_list);
723
-
sdp->sd_journals = 0;
724
-
spin_unlock(&sdp->sd_jindex_spin);
725
-
726
-
while (!list_empty(&list)) {
727
-
jd = list_entry(list.next, struct gfs2_jdesc, jd_list);
728
-
head = &jd->extent_list;
729
-
while (!list_empty(head)) {
730
-
jext = list_entry(head->next,
731
-
struct gfs2_journal_extent,
732
-
extent_list);
733
-
list_del(&jext->extent_list);
734
-
kfree(jext);
735
-
}
736
-
list_del(&jd->jd_list);
737
-
iput(jd->jd_inode);
738
-
kfree(jd);
739
-
}
740
-
}
741
-
742
static int init_journal(struct gfs2_sbd *sdp, int undo)
743
{
744
struct inode *master = sdp->sd_master_dir->d_inode;
···
1203
fail_locking:
1204
init_locking(sdp, &mount_gh, UNDO);
1205
fail_lm:
1206
-
gfs2_gl_hash_clear(sb);
1207
gfs2_lm_unmount(sdp);
1208
while (invalidate_inodes(sb))
1209
yield();
···
1263
static void gfs2_kill_sb(struct super_block *sb)
1264
{
1265
struct gfs2_sbd *sdp = sb->s_fs_info;
1266
-
1267
-
if (sdp == NULL) {
1268
-
kill_block_super(sb);
1269
-
return;
1270
}
1271
-
gfs2_meta_syncfs(sdp);
1272
-
dput(sdp->sd_root_dir);
1273
-
dput(sdp->sd_master_dir);
1274
-
sdp->sd_root_dir = NULL;
1275
-
sdp->sd_master_dir = NULL;
1276
-
1277
-
/* Unfreeze the filesystem, if we need to */
1278
-
mutex_lock(&sdp->sd_freeze_lock);
1279
-
if (sdp->sd_freeze_count)
1280
-
gfs2_glock_dq_uninit(&sdp->sd_freeze_gh);
1281
-
mutex_unlock(&sdp->sd_freeze_lock);
1282
-
1283
-
kthread_stop(sdp->sd_quotad_process);
1284
-
kthread_stop(sdp->sd_logd_process);
1285
-
kthread_stop(sdp->sd_recoverd_process);
1286
-
1287
-
if (!(sb->s_flags & MS_RDONLY)) {
1288
-
int error = gfs2_make_fs_ro(sdp);
1289
-
if (error)
1290
-
gfs2_io_error(sdp);
1291
-
}
1292
-
1293
-
/* At this point, we're through modifying the disk */
1294
-
gfs2_jindex_free(sdp);
1295
-
gfs2_clear_rgrpd(sdp);
1296
-
iput(sdp->sd_jindex);
1297
-
iput(sdp->sd_inum_inode);
1298
-
iput(sdp->sd_statfs_inode);
1299
-
iput(sdp->sd_rindex);
1300
-
iput(sdp->sd_quota_inode);
1301
-
1302
-
gfs2_glock_put(sdp->sd_rename_gl);
1303
-
gfs2_glock_put(sdp->sd_trans_gl);
1304
-
1305
-
if (!sdp->sd_args.ar_spectator) {
1306
-
gfs2_glock_dq_uninit(&sdp->sd_journal_gh);
1307
-
gfs2_glock_dq_uninit(&sdp->sd_jinode_gh);
1308
-
gfs2_glock_dq_uninit(&sdp->sd_ir_gh);
1309
-
gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
1310
-
gfs2_glock_dq_uninit(&sdp->sd_qc_gh);
1311
-
iput(sdp->sd_ir_inode);
1312
-
iput(sdp->sd_sc_inode);
1313
-
iput(sdp->sd_qc_inode);
1314
-
}
1315
-
gfs2_glock_dq_uninit(&sdp->sd_live_gh);
1316
kill_block_super(sb);
1317
-
gfs2_lm_unmount(sdp);
1318
-
gfs2_sys_fs_del(sdp);
1319
-
gfs2_delete_debugfs_file(sdp);
1320
-
kfree(sdp);
1321
}
1322
1323
struct file_system_type gfs2_fs_type = {
···
705
return error;
706
}
707
708
static int init_journal(struct gfs2_sbd *sdp, int undo)
709
{
710
struct inode *master = sdp->sd_master_dir->d_inode;
···
1237
fail_locking:
1238
init_locking(sdp, &mount_gh, UNDO);
1239
fail_lm:
1240
+
gfs2_gl_hash_clear(sdp);
1241
gfs2_lm_unmount(sdp);
1242
while (invalidate_inodes(sb))
1243
yield();
···
1297
static void gfs2_kill_sb(struct super_block *sb)
1298
{
1299
struct gfs2_sbd *sdp = sb->s_fs_info;
1300
+
if (sdp) {
1301
+
gfs2_meta_syncfs(sdp);
1302
+
dput(sdp->sd_root_dir);
1303
+
dput(sdp->sd_master_dir);
1304
+
sdp->sd_root_dir = NULL;
1305
+
sdp->sd_master_dir = NULL;
1306
}
1307
+
shrink_dcache_sb(sb);
1308
kill_block_super(sb);
1309
+
if (sdp)
1310
+
gfs2_delete_debugfs_file(sdp);
1311
}
1312
1313
struct file_system_type gfs2_fs_type = {
+66
-2
fs/gfs2/ops_super.c
+66
-2
fs/gfs2/ops_super.c
···
95
* Returns: errno
96
*/
97
98
-
int gfs2_make_fs_ro(struct gfs2_sbd *sdp)
99
{
100
struct gfs2_holder t_gh;
101
int error;
···
119
gfs2_quota_cleanup(sdp);
120
121
return error;
122
}
123
124
/**
···
686
.destroy_inode = gfs2_destroy_inode,
687
.write_inode = gfs2_write_inode,
688
.delete_inode = gfs2_delete_inode,
689
-
.put_super = gfs2_gl_hash_clear,
690
.write_super = gfs2_write_super,
691
.sync_fs = gfs2_sync_fs,
692
.write_super_lockfs = gfs2_write_super_lockfs,
···
95
* Returns: errno
96
*/
97
98
+
static int gfs2_make_fs_ro(struct gfs2_sbd *sdp)
99
{
100
struct gfs2_holder t_gh;
101
int error;
···
119
gfs2_quota_cleanup(sdp);
120
121
return error;
122
+
}
123
+
124
+
/**
125
+
* gfs2_put_super - Unmount the filesystem
126
+
* @sb: The VFS superblock
127
+
*
128
+
*/
129
+
130
+
static void gfs2_put_super(struct super_block *sb)
131
+
{
132
+
struct gfs2_sbd *sdp = sb->s_fs_info;
133
+
int error;
134
+
135
+
/* Unfreeze the filesystem, if we need to */
136
+
137
+
mutex_lock(&sdp->sd_freeze_lock);
138
+
if (sdp->sd_freeze_count)
139
+
gfs2_glock_dq_uninit(&sdp->sd_freeze_gh);
140
+
mutex_unlock(&sdp->sd_freeze_lock);
141
+
142
+
kthread_stop(sdp->sd_quotad_process);
143
+
kthread_stop(sdp->sd_logd_process);
144
+
kthread_stop(sdp->sd_recoverd_process);
145
+
146
+
if (!(sb->s_flags & MS_RDONLY)) {
147
+
error = gfs2_make_fs_ro(sdp);
148
+
if (error)
149
+
gfs2_io_error(sdp);
150
+
}
151
+
/* At this point, we're through modifying the disk */
152
+
153
+
/* Release stuff */
154
+
155
+
iput(sdp->sd_jindex);
156
+
iput(sdp->sd_inum_inode);
157
+
iput(sdp->sd_statfs_inode);
158
+
iput(sdp->sd_rindex);
159
+
iput(sdp->sd_quota_inode);
160
+
161
+
gfs2_glock_put(sdp->sd_rename_gl);
162
+
gfs2_glock_put(sdp->sd_trans_gl);
163
+
164
+
if (!sdp->sd_args.ar_spectator) {
165
+
gfs2_glock_dq_uninit(&sdp->sd_journal_gh);
166
+
gfs2_glock_dq_uninit(&sdp->sd_jinode_gh);
167
+
gfs2_glock_dq_uninit(&sdp->sd_ir_gh);
168
+
gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
169
+
gfs2_glock_dq_uninit(&sdp->sd_qc_gh);
170
+
iput(sdp->sd_ir_inode);
171
+
iput(sdp->sd_sc_inode);
172
+
iput(sdp->sd_qc_inode);
173
+
}
174
+
175
+
gfs2_glock_dq_uninit(&sdp->sd_live_gh);
176
+
gfs2_clear_rgrpd(sdp);
177
+
gfs2_jindex_free(sdp);
178
+
/* Take apart glock structures and buffer lists */
179
+
gfs2_gl_hash_clear(sdp);
180
+
/* Unmount the locking protocol */
181
+
gfs2_lm_unmount(sdp);
182
+
183
+
/* At this point, we're through participating in the lockspace */
184
+
gfs2_sys_fs_del(sdp);
185
+
kfree(sdp);
186
}
187
188
/**
···
622
.destroy_inode = gfs2_destroy_inode,
623
.write_inode = gfs2_write_inode,
624
.delete_inode = gfs2_delete_inode,
625
+
.put_super = gfs2_put_super,
626
.write_super = gfs2_write_super,
627
.sync_fs = gfs2_sync_fs,
628
.write_super_lockfs = gfs2_write_super_lockfs,
+34
fs/gfs2/super.c
+34
fs/gfs2/super.c
···
33
#include "trans.h"
34
#include "util.h"
35
36
+
/**
37
+
* gfs2_jindex_free - Clear all the journal index information
38
+
* @sdp: The GFS2 superblock
39
+
*
40
+
*/
41
+
42
+
void gfs2_jindex_free(struct gfs2_sbd *sdp)
43
+
{
44
+
struct list_head list, *head;
45
+
struct gfs2_jdesc *jd;
46
+
struct gfs2_journal_extent *jext;
47
+
48
+
spin_lock(&sdp->sd_jindex_spin);
49
+
list_add(&list, &sdp->sd_jindex_list);
50
+
list_del_init(&sdp->sd_jindex_list);
51
+
sdp->sd_journals = 0;
52
+
spin_unlock(&sdp->sd_jindex_spin);
53
+
54
+
while (!list_empty(&list)) {
55
+
jd = list_entry(list.next, struct gfs2_jdesc, jd_list);
56
+
head = &jd->extent_list;
57
+
while (!list_empty(head)) {
58
+
jext = list_entry(head->next,
59
+
struct gfs2_journal_extent,
60
+
extent_list);
61
+
list_del(&jext->extent_list);
62
+
kfree(jext);
63
+
}
64
+
list_del(&jd->jd_list);
65
+
iput(jd->jd_inode);
66
+
kfree(jd);
67
+
}
68
+
}
69
+
70
static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid)
71
{
72
struct gfs2_jdesc *jd;
+2
-1
fs/gfs2/super.h
+2
-1
fs/gfs2/super.h
···
25
return x;
26
}
27
28
struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid);
29
int gfs2_jdesc_check(struct gfs2_jdesc *jd);
30
···
34
struct gfs2_inode **ipp);
35
36
int gfs2_make_fs_rw(struct gfs2_sbd *sdp);
37
-
int gfs2_make_fs_ro(struct gfs2_sbd *sdp);
38
39
int gfs2_statfs_init(struct gfs2_sbd *sdp);
40
void gfs2_statfs_change(struct gfs2_sbd *sdp,
···
25
return x;
26
}
27
28
+
void gfs2_jindex_free(struct gfs2_sbd *sdp);
29
+
30
struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid);
31
int gfs2_jdesc_check(struct gfs2_jdesc *jd);
32
···
32
struct gfs2_inode **ipp);
33
34
int gfs2_make_fs_rw(struct gfs2_sbd *sdp);
35
36
int gfs2_statfs_init(struct gfs2_sbd *sdp);
37
void gfs2_statfs_change(struct gfs2_sbd *sdp,