From mboxrd@z Thu Jan 1 00:00:00 1970 From: wcheng@sourceware.org Date: 5 Jun 2007 18:15:52 -0000 Subject: [Cluster-devel] cluster/gfs-kernel/src/gfs ops_export.c ops_in ... Message-ID: <20070605181552.30874.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: cluster Changes by: wcheng at sourceware.org 2007-06-05 18:15:51 Modified files: gfs-kernel/src/gfs: ops_export.c ops_inode.c Log message: Bugzilla 236565 Fix a race between GFS lookup code and VM cache reclaim logic kicked off under memory pressure. At the end of the lookup, gfs releases the inode glock prematurely. This creates a window inside the bottom portion of the logic that could make gfs_iget update the associated GFS inode structure that has already been freed. Depending on who gets the new memory, unspecified corruptions occur. In the case where this bug is found, it corrupts a TCP buffer head that ends up trashing the nfsd kernel stack. Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_export.c.diff?cvsroot=cluster&r1=1.10&r2=1.11 http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_inode.c.diff?cvsroot=cluster&r1=1.16&r2=1.17 --- cluster/gfs-kernel/src/gfs/ops_export.c 2007/05/08 18:11:06 1.10 +++ cluster/gfs-kernel/src/gfs/ops_export.c 2007/06/05 18:15:51 1.11 @@ -368,11 +368,11 @@ atomic_inc(&sdp->sd_fh2dentry_misses); out: - gfs_glock_dq_uninit(&i_gh); - inode = gfs_iget(ip, CREATE); gfs_inode_put(ip); + gfs_glock_dq_uninit(&i_gh); + if (!inode) return ERR_PTR(-ENOMEM); --- cluster/gfs-kernel/src/gfs/ops_inode.c 2007/02/02 21:01:04 1.16 +++ cluster/gfs-kernel/src/gfs/ops_inode.c 2007/06/05 18:15:51 1.17 
@@ -334,12 +334,12 @@ if (i_gh.gh_gl) { ip = get_gl2ip(i_gh.gh_gl); - gfs_glock_dq_uninit(&d_gh); - gfs_glock_dq_uninit(&i_gh); - inode = gfs_iget(ip, CREATE); gfs_inode_put(ip); + gfs_glock_dq_uninit(&d_gh); + gfs_glock_dq_uninit(&i_gh); + if (!inode) return ERR_PTR(-ENOMEM); } else
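Review bot: In the ops_export.c hunk the correctness of the new ordering (gfs_iget, then gfs_inode_put, then gfs_glock_dq_uninit(&i_gh)) now rests on the glock holder i_gh keeping the GFS inode pinned while gfs_iget(ip, CREATE) runs, which is not visible from the code itself; please add a comment at the `out:` label stating that i_gh must stay held across gfs_iget and gfs_inode_put because reclaim can free ip once the glock is dropped, so the two calls are not reordered back in a later cleanup. The -ENOMEM return path is fine as moved: the glock is released before `return ERR_PTR(-ENOMEM)` in both the old and new layout.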
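Review bot: In the ops_inode.c hunk, moving gfs_glock_dq_uninit(&d_gh) below gfs_iget keeps the directory glock held across an allocation that can block under memory pressure, yet only i_gh protects ip against the reclaim race the log message describes; consider leaving the d_gh release where it was, before gfs_iget, and moving only `gfs_glock_dq_uninit(&i_gh);` after `gfs_inode_put(ip);`, so lookups on a busy directory do not wait on the allocation. As with the other file, a one-line comment recording why i_gh must outlive gfs_iget would make the ordering requirement explicit.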