From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Martin Creutziger <martin.creutziger@barco.com>,
Theodore Ts'o <tytso@mit.edu>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Damir Shayhutdinov <lost404@gmail.com>,
Justin Forbes <jmforbes@linuxtx.org>,
Domenico Andreoli <cavokz@gmail.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Randy Dunlap <rdunlap@xenotime.net>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>, Dave Jones <davej@redhat.com>,
linux-mtd <linux-mtd@lists.infradead.org>,
Chuck Wolber <chuckw@quantumlinux.com>,
akpm@linux-foundation.org, torvalds@linux-foundation.org,
David Woodhouse <dwmw2@infradead.org>,
alan@lxorguk.ukuu.org.uk
Subject: [03/37] JFFS2: Fix free space leak with in-band cleanmarkers
Date: Tue, 29 Apr 2008 10:17:57 -0700 [thread overview]
Message-ID: <20080429171757.GD14724@suse.de> (raw)
In-Reply-To: <20080429171730.GA14724@suse.de>
[-- Attachment #1: jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch --]
[-- Type: text/plain, Size: 2444 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: David Woodhouse <dwmw2@infradead.org>
We were accounting for the cleanmarker by calling jffs2_link_node_ref()
(without locking!), which adjusted both superblock and per-eraseblock
accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size
and adding it to {jeb,c}->used_size.
But only _then_ were we adding the size of the newly-erased block back
to the superblock counts, and we were adding each of jeb->{free,used}_size
to the corresponding superblock counts. Thus, the size of the cleanmarker
was effectively subtracted from the superblock's free_size _twice_.
Fix this, by always adding a full eraseblock size to c->free_size when
we've erased a block. And call jffs2_link_node_ref() under the proper
lock, while we're at it.
Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost)
pinpointing the problem.
[Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7]
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/jffs2/erase.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
--- a/fs/jffs2/erase.c
+++ b/fs/jffs2/erase.c
@@ -419,9 +419,6 @@ static void jffs2_mark_erased_block(stru
if (jffs2_write_nand_cleanmarker(c, jeb))
goto filebad;
}
-
- /* Everything else got zeroed before the erase */
- jeb->free_size = c->sector_size;
} else {
struct kvec vecs[1];
@@ -449,18 +446,19 @@ static void jffs2_mark_erased_block(stru
goto filebad;
}
-
- /* Everything else got zeroed before the erase */
- jeb->free_size = c->sector_size;
- /* FIXME Special case for cleanmarker in empty block */
- jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
}
+ /* Everything else got zeroed before the erase */
+ jeb->free_size = c->sector_size;
down(&c->erase_free_sem);
spin_lock(&c->erase_completion_lock);
+
c->erasing_size -= c->sector_size;
- c->free_size += jeb->free_size;
- c->used_size += jeb->used_size;
+ c->free_size += c->sector_size;
+
+ /* Account for cleanmarker now, if it's in-band */
+ if (c->cleanmarker_size && !jffs2_cleanmarker_oob(c))
+ jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
jffs2_dbg_acct_sanity_check_nolock(c,jeb);
jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
--
WARNING: multiple messages have this Message-ID (diff)
From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Martin Creutziger <martin.creutziger@barco.com>,
Damir Shayhutdinov <lost404@gmail.com>,
linux-mtd <linux-mtd@lists.infradead.org>,
David Woodhouse <dwmw2@infradead.org>
Subject: [03/37] JFFS2: Fix free space leak with in-band cleanmarkers
Date: Tue, 29 Apr 2008 10:17:57 -0700 [thread overview]
Message-ID: <20080429171757.GD14724@suse.de> (raw)
In-Reply-To: <20080429171730.GA14724@suse.de>
[-- Attachment #1: jffs2-fix-free-space-leak-with-in-band-cleanmarkers.patch --]
[-- Type: text/plain, Size: 2444 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: David Woodhouse <dwmw2@infradead.org>
We were accounting for the cleanmarker by calling jffs2_link_node_ref()
(without locking!), which adjusted both superblock and per-eraseblock
accounting, subtracting the size of the cleanmarker from {jeb,c}->free_size
and adding it to {jeb,c}->used_size.
But only _then_ were we adding the size of the newly-erased block back
to the superblock counts, and we were adding each of jeb->{free,used}_size
to the corresponding superblock counts. Thus, the size of the cleanmarker
was effectively subtracted from the superblock's free_size _twice_.
Fix this, by always adding a full eraseblock size to c->free_size when
we've erased a block. And call jffs2_link_node_ref() under the proper
lock, while we're at it.
Thanks to Alexander Yurchenko and/or Damir Shayhutdinov for (almost)
pinpointing the problem.
[Backport of commit 014b164e1392a166fe96e003d2f0e7ad2e2a0bb7]
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/jffs2/erase.c | 18 ++++++++----------
1 file changed, 8 insertions(+), 10 deletions(-)
--- a/fs/jffs2/erase.c
+++ b/fs/jffs2/erase.c
@@ -419,9 +419,6 @@ static void jffs2_mark_erased_block(stru
if (jffs2_write_nand_cleanmarker(c, jeb))
goto filebad;
}
-
- /* Everything else got zeroed before the erase */
- jeb->free_size = c->sector_size;
} else {
struct kvec vecs[1];
@@ -449,18 +446,19 @@ static void jffs2_mark_erased_block(stru
goto filebad;
}
-
- /* Everything else got zeroed before the erase */
- jeb->free_size = c->sector_size;
- /* FIXME Special case for cleanmarker in empty block */
- jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
}
+ /* Everything else got zeroed before the erase */
+ jeb->free_size = c->sector_size;
down(&c->erase_free_sem);
spin_lock(&c->erase_completion_lock);
+
c->erasing_size -= c->sector_size;
- c->free_size += jeb->free_size;
- c->used_size += jeb->used_size;
+ c->free_size += c->sector_size;
+
+ /* Account for cleanmarker now, if it's in-band */
+ if (c->cleanmarker_size && !jffs2_cleanmarker_oob(c))
+ jffs2_link_node_ref(c, jeb, jeb->offset | REF_NORMAL, c->cleanmarker_size, NULL);
jffs2_dbg_acct_sanity_check_nolock(c,jeb);
jffs2_dbg_acct_paranoia_check_nolock(c, jeb);
--
next prev parent reply other threads:[~2008-04-29 17:20 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20080429171222.073929148@mini.kroah.org>
2008-04-29 17:17 ` [00/37] 2.6.25-stable review Greg KH
2008-04-29 17:17 ` [01/37] USB: log an error message when USB enumeration fails Greg KH
2008-04-29 17:17 ` [02/37] USB: Add HP hs2300 Broadband Wireless Module to sierra.c Greg KH
2008-04-29 17:17 ` Greg KH [this message]
2008-04-29 17:17 ` [03/37] JFFS2: Fix free space leak with in-band cleanmarkers Greg KH
2008-04-29 17:18 ` [04/37] tg3: 5701 DMA corruption fix Greg KH
2008-04-29 17:18 ` [05/37] tcp: tcp_probe buffer overflow and incorrect return value Greg KH
2008-04-29 17:18 ` [07/37] RTNETLINK: Fix bogus ASSERT_RTNL warning Greg KH
2008-04-29 17:18 ` [08/37] rose: Socket lock was not released before returning to user space Greg KH
2008-04-29 17:18 ` [09/37] net: Fix wrong interpretation of some copy_to_user() results Greg KH
2008-04-29 17:18 ` [10/37] IPSEC: Fix catch-22 with algorithm IDs above 31 Greg KH
2008-04-29 17:18 ` [11/37] USB: OHCI: fix bug in controller resume Greg KH
2008-04-29 17:18 ` [12/37] dm snapshot: fix chunksize sector conversion Greg KH
2008-04-29 17:18 ` [13/37] cgroup: fix a race condition in manipulating tsk->cg_list Greg KH
2008-04-29 17:18 ` [14/37] RDMA/nes: Free IRQ before killing tasklet Greg KH
2008-04-29 17:18 ` [15/37] V4L: Fix VIDIOCGAP corruption in ivtv Greg KH
2008-04-29 17:18 ` [16/37] V4L: tea5761: bugzilla #10462: tea5761 autodetection code were broken Greg KH
2008-04-29 17:18 ` [17/37] V4L: cx88: enable radio GPIO correctly Greg KH
2008-04-29 17:18 ` [18/37] S2io: Fix memory leak during free_tx_buffers Greg KH
2008-04-29 17:18 ` [19/37] S2io: Version update for memory leak fix " Greg KH
2008-04-29 17:18 ` [20/37] SELinux: no BUG_ON(!ss_initialized) in selinux_clone_mnt_opts Greg KH
2008-04-29 17:18 ` Greg KH
2008-04-29 17:18 ` [21/37] x86, pci: fix off-by-one errors in some pirq warnings Greg KH
2008-04-29 17:18 ` [22/37] ssb: Fix all-ones boardflags Greg KH
2008-04-29 17:18 ` Greg KH
2008-04-29 17:18 ` [23/37] b43: Workaround invalid bluetooth settings Greg KH
2008-04-29 17:18 ` Greg KH
2008-04-29 17:18 ` [24/37] b43: Add more btcoexist workarounds Greg KH
2008-04-29 17:18 ` Greg KH
2008-04-29 17:18 ` [25/37] b43: Workaround DMA quirks Greg KH
2008-04-29 17:18 ` Greg KH
2008-04-29 17:18 ` [26/37] tehuti: check register size (CVE-2008-1675) Greg KH
2008-04-29 17:19 ` [27/37] tehuti: move ioctl perm check closer to function start (CVE-2008-1675) Greg KH
2008-04-29 18:13 ` Alan Cox
2008-04-29 18:55 ` Greg KH
2008-04-29 19:02 ` Linus Torvalds
2008-04-30 16:39 ` [stable] " Greg KH
2008-04-29 17:19 ` [28/37] aio: io_getevents() should return if io_destroy() is invoked Greg KH
2008-04-29 17:19 ` [29/37] rtc-pcf8583 build fix Greg KH
2008-04-29 17:19 ` [30/37] dz: test after postfix decrement fails in dz_console_putchar() Greg KH
2008-04-29 17:19 ` [31/37] mm: fix possible off-by-one in walk_pte_range() Greg KH
2008-04-29 17:19 ` [32/37] hrtimer: timeout too long when using HRTIMER_CB_SOFTIRQ Greg KH
2008-04-29 17:19 ` [33/37] RDMA/nes: Fix adapter reset after PXE boot Greg KH
2008-04-29 17:19 ` [34/37] SCSI: qla2xxx: Correct regression in relogin code Greg KH
2008-04-29 17:19 ` [35/37] alpha: unbreak OSF/1 (a.out) binaries Greg KH
2008-04-29 17:19 ` [36/37] x86: Fix 32-bit x86 MSI-X allocation leakage Greg KH
2008-04-29 17:19 ` [37/37] hrtimer: raise softirq unlocked to avoid circular lock dependency Greg KH
2008-04-30 7:58 ` [00/37] 2.6.25-stable review Andre Noll
2008-05-01 0:25 ` [stable] " Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080429171757.GD14724@suse.de \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=dwmw2@infradead.org \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=lost404@gmail.com \
--cc=martin.creutziger@barco.com \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.