From: Andrew Morton <akpm@digeo.com>
To: Paul P Komkoff Jr <i@stingr.net>, ext2-devel@lists.sourceforge.net
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Re: [OOPS] 2.5.51-mm2
Date: Sat, 14 Dec 2002 01:38:15 -0800
Message-ID: <3DFAFC07.DB5BB0FD@digeo.com>
In-Reply-To: 20021213181155.GB2496@stingr.net

Paul P Komkoff Jr wrote:
>
> This is very funny.

Actually it's very bad. Thanks for reporting this.

> mke2fs -j -O dir_index -J size=192 -T news -N 1000100
> atest3 1000000
> (creat & write 1 byte to 1000000 files)
>
> free space on device became 0 and voila
>
> Unable to handle kernel paging request at virtual address 5a5a5b9e

Here's a fix:

If ext3_add_nondir() fails it will do an iput() of the inode. But we
continue to run ext3_mark_inode_dirty() against the potentially-freed
inode. This oopses when slab poisoning is enabled.

Fix it so that we only run ext3_mark_inode_dirty() if the inode was
successfully instantiated.

fs/ext3/namei.c | 11 +++++------
1 files changed, 5 insertions(+), 6 deletions(-)
--- 25/fs/ext3/namei.c~ext3-use-after-free Sat Dec 14 01:25:03 2002
+++ 25-akpm/fs/ext3/namei.c Sat Dec 14 01:25:53 2002
@@ -1566,8 +1566,11 @@ static int ext3_add_nondir(handle_t *han
{
int err = ext3_add_entry(handle, dentry, inode);
if (!err) {
- d_instantiate(dentry, inode);
- return 0;
+ err = ext3_mark_inode_dirty(handle, inode);
+ if (!err) {
+ d_instantiate(dentry, inode);
+ return 0;
+ }
}
ext3_dec_count(handle, inode);
iput(inode);
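Review bot: the new failure path in ext3_add_nondir() runs after ext3_add_entry() has already succeeded, so when ext3_mark_inode_dirty() returns an error the code falls through to ext3_dec_count() and iput() while the directory entry that was just added stays in place, as far as these lines show. Either remove the entry again on that path or add a comment saying why a name pointing at the dropped inode is acceptable here (for example because the journal is already aborting).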
@@ -1609,7 +1612,6 @@ static int ext3_create (struct inode * d
else
inode->i_mapping->a_ops = &ext3_aops;
err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
}
ext3_journal_stop(handle, dir);
unlock_kernel();
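Review bot: in ext3_create() the result of ext3_mark_inode_dirty() used to be discarded by the removed line, and it now reaches the caller through err from ext3_add_nondir(). That is a behaviour change beyond the use-after-free fix, since a create can now fail where it previously reported success, and the changelog should say so.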
@@ -1642,7 +1644,6 @@ static int ext3_mknod (struct inode * di
inode->i_op = &ext3_special_inode_operations;
#endif
err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
}
ext3_journal_stop(handle, dir);
unlock_kernel();
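Review bot: after the ext3_add_nondir() call in ext3_mknod() the inode must not be touched when err is non-zero, because the helper has already done the iput(), and nothing at the call site or above the helper says so. A short comment on ext3_add_nondir() stating that it consumes the inode reference on failure would keep a later edit from reintroducing the same dereference.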
@@ -2105,7 +2106,6 @@ static int ext3_symlink (struct inode *
}
EXT3_I(inode)->i_disksize = inode->i_size;
err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
out_stop:
ext3_journal_stop(handle, dir);
unlock_kernel();
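Review bot: in ext3_symlink() the assignment EXT3_I(inode)->i_disksize = inode->i_size now relies on ext3_add_nondir() to dirty the inode, so it has to stay ahead of that call. The ordering is correct as written; a one-line comment noting the dependency would stop someone moving the assignment below the call, where the update would no longer be written out.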
@@ -2140,7 +2140,6 @@ static int ext3_link (struct dentry * ol
atomic_inc(&inode->i_count);
err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
ext3_journal_stop(handle, dir);
unlock_kernel();
return err;
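Review bot: ext3_link() takes an extra reference with atomic_inc(&inode->i_count) immediately before ext3_add_nondir(), so the iput() on the failure path only balances that reference. Please state in the changelog whether this caller was actually exposed to the freed-inode access or whether the ext3_mark_inode_dirty() call is removed here only to match the other callers.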
_