From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Akira Fujita <a-fujita@rs.jp.nec.com>,
"Theodore Tso" <tytso@mit.edu>,
Greg Kroah-Hartman <gregkh@suse.de>
Subject: [21/34] ext4: Fix double-free of blocks with EXT4_IOC_MOVE_EXT
Date: Thu, 10 Dec 2009 21:23:33 -0800 [thread overview]
Message-ID: <20091211052551.564396025@linux.site> (raw)
In-Reply-To: <20091211052858.GA23229@kroah.com>
[-- Attachment #1: 0017-ext4-Fix-double-free-of-blocks-with-EXT4_IOC_MOVE_EX.patch --]
[-- Type: text/plain, Size: 2666 bytes --]
2.6.32-stable review patch. If anyone has any objections, please let us know.
------------------
(cherry picked from commit 94d7c16cbbbd0e03841fcf272bcaf0620ad39618)
At the beginning of ext4_move_extent(), we call
ext4_discard_preallocations() to discard inode PAs of orig and donor
inodes. But in the following case, blocks can be double freed, so
move ext4_discard_preallocations() to the end of ext4_move_extents().
1. Discard inode PAs of orig and donor inodes with
ext4_discard_preallocations() in ext4_move_extents().
orig : [ DATA1 ]
donor: [ DATA2 ]
2. While data blocks are exchanging between orig and donor inodes, new
inode PAs is created to orig by other process's block allocation.
(Since there are semaphore gaps in ext4_move_extents().) And new
inode PAs is used partially (2-1).
2-1 Create new inode PAs to orig inode
orig : [ DATA1 | used PA1 | free PA1 ]
donor: [ DATA2 ]
3. Donor inode which has old orig inode's blocks is deleted after
EXT4_IOC_MOVE_EXT finished (3-1, 3-2). So the block bitmap
corresponds to old orig inode's blocks are freed.
3-1 After EXT4_IOC_MOVE_EXT finished
orig : [ DATA2 | free PA1 ]
donor: [ DATA1 | used PA1 ]
3-2 Delete donor inode
orig : [ DATA2 | free PA1 ]
donor: [ FREE SPACE(DATA1) | FREE SPACE(used PA1) ]
4. The double-free of blocks is occurred, when close() is called to
orig inode. Because ext4_discard_preallocations() for orig inode
frees used PA1 and free PA1, though used PA1 is already freed in 3.
4-1 Double-free of blocks is occurred
orig : [ DATA2 | FREE SPACE(free PA1) ]
donor: [ FREE SPACE(DATA1) | DOUBLE FREE(used PA1) ]
Signed-off-by: Akira Fujita <a-fujita@rs.jp.nec.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/ext4/move_extent.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -1289,10 +1289,6 @@ ext4_move_extents(struct file *o_filp, s
ext4_ext_get_actual_len(ext_cur), block_end + 1) -
max(le32_to_cpu(ext_cur->ee_block), block_start);
- /* Discard preallocations of two inodes */
- ext4_discard_preallocations(orig_inode);
- ext4_discard_preallocations(donor_inode);
-
while (!last_extent && le32_to_cpu(ext_cur->ee_block) <= block_end) {
seq_blocks += add_blocks;
@@ -1410,6 +1406,11 @@ ext4_move_extents(struct file *o_filp, s
}
out:
+ if (*moved_len) {
+ ext4_discard_preallocations(orig_inode);
+ ext4_discard_preallocations(donor_inode);
+ }
+
if (orig_path) {
ext4_ext_drop_refs(orig_path);
kfree(orig_path);
next prev parent reply other threads:[~2009-12-11 5:33 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20091211052312.805428372@linux.site>
2009-12-11 5:28 ` [00/34] 2.6.32.1-stable review Greg KH
2009-12-11 5:23 ` [01/34] signal: Fix alternate signal stack check Greg KH
2009-12-11 5:23 ` [02/34] SCSI: scsi_lib_dma: fix bug with dma maps on nested scsi objects Greg KH
2009-12-11 5:23 ` [03/34] SCSI: osd_protocol.h: Add missing #include Greg KH
2009-12-11 5:23 ` [04/34] SCSI: megaraid_sas: fix 64 bit sense pointer truncation Greg KH
2009-12-11 5:23 ` [05/34] ext4: fix potential buffer head leak when add_dirent_to_buf() returns ENOSPC Greg KH
2009-12-11 5:23 ` [06/34] ext4: avoid divide by zero when trying to mount a corrupted file system Greg KH
2009-12-11 5:23 ` [07/34] ext4: fix the returned block count if EXT4_IOC_MOVE_EXT fails Greg KH
2009-12-11 5:23 ` [08/34] ext4: fix lock order problem in ext4_move_extents() Greg KH
2009-12-11 5:23 ` [09/34] ext4: fix possible recursive locking warning in EXT4_IOC_MOVE_EXT Greg KH
2009-12-11 5:23 ` [10/34] ext4: plug a buffer_head leak in an error path of ext4_iget() Greg KH
2009-12-11 5:23 ` [11/34] ext4: make sure directory and symlink blocks are revoked Greg KH
2009-12-11 5:23 ` [12/34] ext4: fix i_flags access in ext4_da_writepages_trans_blocks() Greg KH
2009-12-11 5:23 ` [13/34] ext4: journal all modifications in ext4_xattr_set_handle Greg KH
2009-12-11 5:23 ` [14/34] ext4: dont update the superblock in ext4_statfs() Greg KH
2009-12-11 5:23 ` [15/34] ext4: fix uninit block bitmap initialization when s_meta_first_bg is non-zero Greg KH
2009-12-11 5:23 ` [16/34] ext4: fix block validity checks so they work correctly with meta_bg Greg KH
2009-12-11 5:23 ` [17/34] ext4: avoid issuing unnecessary barriers Greg KH
2009-12-11 5:23 ` [18/34] ext4: fix error handling in ext4_ind_get_blocks() Greg KH
2009-12-11 5:23 ` [19/34] ext4: make trim/discard optional (and off by default) Greg KH
2009-12-11 5:23 ` [20/34] ext4: make "norecovery" an alias for "noload" Greg KH
2009-12-11 5:23 ` Greg KH [this message]
2009-12-11 5:23 ` [22/34] ext4: initialize moved_len before calling ext4_move_extents() Greg KH
2009-12-11 5:23 ` [23/34] ext4: move_extent_per_page() cleanup Greg KH
2009-12-11 5:23 ` [24/34] jbd2: Add ENOMEM checking in and for jbd2_journal_write_metadata_buffer() Greg KH
2009-12-11 5:23 ` [25/34] ext4: Return the PTR_ERR of the correct pointer in setup_new_group_blocks() Greg KH
2009-12-11 5:23 ` [26/34] ext4: Avoid data / filesystem corruption when write fails to copy data Greg KH
2009-12-11 5:23 ` [27/34] ext4: wait for log to commit when umounting Greg KH
2009-12-11 5:23 ` [28/34] ext4: remove blocks from inode prealloc list on failure Greg KH
2009-12-11 5:23 ` [29/34] ext4: ext4_get_reserved_space() must return bytes instead of blocks Greg KH
2009-12-11 5:23 ` [30/34] ext4: quota macros cleanup Greg KH
2009-12-11 5:23 ` [31/34] ext4: fix incorrect block reservation on quota transfer Greg KH
2009-12-11 5:23 ` [32/34] ext4: Wait for proper transaction commit on fsync Greg KH
2009-12-11 5:23 ` [33/34] ext4: Fix insufficient checks in EXT4_IOC_MOVE_EXT Greg KH
2009-12-11 5:23 ` [34/34] ext4: Fix potential fiemap deadlock (mmap_sem vs. i_data_sem) Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091211052551.564396025@linux.site \
--to=gregkh@suse.de \
--cc=a-fujita@rs.jp.nec.com \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.