From mboxrd@z Thu Jan 1 00:00:00 1970 From: wcheng@sourceware.org Date: 5 Jun 2007 18:43:53 -0000 Subject: [Cluster-devel] cluster/gfs-kernel/src/gfs ops_export.c ops_in ... Message-ID: <20070605184353.7928.qmail@sourceware.org> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit CVSROOT: /cvs/cluster Module name: cluster Branch: RHEL4 Changes by: wcheng at sourceware.org 2007-06-05 18:43:53 Modified files: gfs-kernel/src/gfs: ops_export.c ops_inode.c Log message: Bugzilla 242720 Fix a race between GFS lookup code and VM cache reclaim logic kicked off under memory pressure. At the end of the lookup, gfs releases inode glock pre-maturely. This creates a window inside the bottom portion of logic that could make gfs_iget updating the associated GFS inode memory that has been freed. Depending on who gets the new memory, unspecified corruptions occur. In the case where this bug is found (RHEL5 bugzilla 236565), it corrupts TCP buffer head that ends up trashing nfsd kernel stack. Patches: http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_export.c.diff?cvsroot=cluster&only_with_tag=RHEL4&r1=1.3.2.4&r2=1.3.2.5 http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_inode.c.diff?cvsroot=cluster&only_with_tag=RHEL4&r1=1.6.2.6&r2=1.6.2.7 --- cluster/gfs-kernel/src/gfs/ops_export.c 2007/02/13 05:40:59 1.3.2.4 +++ cluster/gfs-kernel/src/gfs/ops_export.c 2007/06/05 18:43:53 1.3.2.5 @@ -364,11 +364,11 @@ goto fail; out: - gfs_glock_dq_uninit(&i_gh); - inode = gfs_iget(ip, CREATE); gfs_inode_put(ip); + gfs_glock_dq_uninit(&i_gh); + if (!inode) return ERR_PTR(-ENOMEM); --- cluster/gfs-kernel/src/gfs/ops_inode.c 2007/02/14 23:15:44 1.6.2.6 +++ cluster/gfs-kernel/src/gfs/ops_inode.c 2007/06/05 18:43:53 1.6.2.7 
@@ -324,12 +324,12 @@ if (i_gh.gh_gl) { ip = gl2ip(i_gh.gh_gl); - gfs_glock_dq_uninit(&d_gh); - gfs_glock_dq_uninit(&i_gh); - inode = gfs_iget(ip, CREATE); gfs_inode_put(ip); + gfs_glock_dq_uninit(&d_gh); + gfs_glock_dq_uninit(&i_gh); + if (!inode) return ERR_PTR(-ENOMEM); } else
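Review bot: in the ops_export.c hunk the new position of gfs_glock_dq_uninit(&i_gh) is load-bearing, but nothing in the code records why; add a one-line comment above `inode = gfs_iget(ip, CREATE);` stating that i_gh must stay held until gfs_iget has consumed ip (Bugzilla 242720), so a later tidy-up does not hoist the unlock back above it. Also confirm that gfs_iget does not try to acquire the same glock now that it runs with i_gh held, and that the `goto fail` path just above `out:` still drops i_gh on its own.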
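Review bot: in the ops_inode.c hunk both d_gh and i_gh are now held across gfs_iget(ip, CREATE) and gfs_inode_put(ip), although the log message only requires the inode glock to outlive gfs_iget; consider whether `gfs_glock_dq_uninit(&d_gh);` can stay where it was and only the i_gh release move down, so the directory glock is not held through a memory-pressure stall inside gfs_iget. Either way, a comment tying the ordering to Bugzilla 242720 belongs here as well, and the `else` branch (cut off in this hunk) should be checked for the same unlock-before-use pattern.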
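The race the log message describes, as an added model in user-space C that is not GFS code and not part of this commit: a glock holder pins the in-memory inode, the reclaim path may free an inode only while nothing pins it, and gfs_iget-style code writes into the inode after lookup. The names glock_t, gfs_inode_t, reclaim_if_unpinned and iget_update are illustrative assumptions; reclaim is invoked deterministically at the point where memory pressure would hit, and a tombstone flag stands in for the real free so the bad write is detected rather than undefined.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model, not GFS code: a glock holder pins the in-memory inode,
 * and the VM reclaim path may free the inode only while nothing pins it.
 * Names (glock_t, gfs_inode_t, iget_update, reclaim_if_unpinned) are
 * illustrative assumptions, not the GFS kernel API. */

typedef struct {
    int holders;              /* glock holders currently pinning the inode */
} glock_t;

typedef struct {
    glock_t *gl;
    bool freed;               /* tombstone instead of a real free(), so a
                                 use-after-free is detected, not undefined */
    int i_nlink;              /* field the iget-style update writes */
} gfs_inode_t;

static void glock_hold(glock_t *gl)      { gl->holders++; }
static void glock_dq_uninit(glock_t *gl) { gl->holders--; }

/* Memory-pressure reclaim: drops the inode only if no glock holder pins it. */
static bool reclaim_if_unpinned(gfs_inode_t *ip)
{
    if (ip->gl->holders > 0)
        return false;
    ip->freed = true;
    return true;
}

/* Stand-in for the update gfs_iget performs on the cached inode.
 * Returns false when it would have written into reclaimed memory. */
static bool iget_update(gfs_inode_t *ip)
{
    if (ip->freed)
        return false;         /* real kernel: silent corruption of whatever
                                 now owns that memory */
    ip->i_nlink = 1;
    return true;
}

/* Old ordering: glock released, then gfs_iget touches ip.  The reclaim
 * call sits exactly in the window the commit message describes. */
static bool lookup_tail_buggy(gfs_inode_t *ip)
{
    glock_hold(ip->gl);
    glock_dq_uninit(ip->gl);          /* premature release */
    reclaim_if_unpinned(ip);          /* memory pressure lands here */
    return iget_update(ip);           /* write after reclaim */
}

/* Fixed ordering: ip is consumed while the glock is still held, so the
 * same reclaim attempt finds it pinned and backs off. */
static bool lookup_tail_fixed(gfs_inode_t *ip)
{
    glock_hold(ip->gl);
    reclaim_if_unpinned(ip);          /* pinned: reclaim returns false */
    bool ok = iget_update(ip);
    glock_dq_uninit(ip->gl);          /* release only after the update */
    return ok;
}

/* Fresh, constructed inode per run so the two orderings are independent.
 * Each returns true when the update hit live memory, false on a bad write. */
bool run_buggy(void)
{
    glock_t gl = { 0 };
    gfs_inode_t ip = { &gl, false, 0 };
    return lookup_tail_buggy(&ip);
}

bool run_fixed(void)
{
    glock_t gl = { 0 };
    gfs_inode_t ip = { &gl, false, 0 };
    return lookup_tail_fixed(&ip);
}

int main(void)
{
    printf("old order (unlock, then iget): %s\n",
           run_buggy() ? "safe" : "wrote to reclaimed inode");
    printf("new order (iget, then unlock): %s\n",
           run_fixed() ? "safe" : "wrote to reclaimed inode");
    return 0;
}
```

The point of the model is the invariant, not the timing: whatever pins the object against reclaim has to be held until the last write to that object, and the unlock is the last statement of the critical section. In the real kernel the window is nondeterministic and the symptom shows up wherever the freed memory was reallocated, which is why the original report surfaced as a trashed nfsd stack rather than as a GFS error.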