From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Bob Peterson <rpeterso@redhat.com>,
Steven Whitehouse <swhiteho@redhat.com>
Subject: [25/36] GFS2: rename causes kernel Oops
Date: Fri, 06 Aug 2010 12:20:06 -0700
Message-ID: <20100806192116.683623848@clark.site>
In-Reply-To: <20100806192649.GA1614@kroah.com>
2.6.34-stable review patch. If anyone has any objections, please let us know.
------------------
From: Bob Peterson <rpeterso@redhat.com>

commit 728a756b8fcd22d80e2dbba8117a8a3aafd3f203 upstream.

This patch fixes a kernel Oops in the GFS2 rename code.

The problem was in the way the gfs2 directory code was trying
to re-use sentinel directory entries.

In the failing case, gfs2's rename function was renaming a
file to another name that had the same non-trivial length.
The file being renamed happened to be the first directory
entry on the leaf block.

First, the rename code (gfs2_rename in ops_inode.c) found the
original directory entry and decided it could do its job by
simply replacing the directory entry with another. Therefore
it determined correctly that no block allocations were needed.

Next, the rename code deleted the old directory entry prior to
replacing it with the new name. Therefore, the soon-to-be
replaced directory entry was temporarily made into a directory
entry "sentinel" or a place holder at the start of a leaf block.

Lastly, it went to re-add the replacement directory entry in
that leaf block. However, when gfs2_dirent_find_space was
looking for space in the leaf block, it used the wrong value
for the sentinel. That threw off its calculations so later
it decides it can't really re-use the sentinel and therefore
must allocate a new leaf block. But because it previously decided
to re-use the directory entry, it didn't waste the time to
grab a new block allocation for the inode. Therefore, the
inode's i_alloc pointer was still NULL and it crashes trying to
reference it.

In the case of sentinel directory entries, the entire dirent is
reused, not just the "free space" portion of it, and therefore
the function gfs2_dirent_find_space should use the value 0
rather than GFS2_DIRENT_SIZE(0) for the actual dirent size.

Fixing this calculation enables the reproducer programs to work
properly.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/gfs2/dir.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/gfs2/dir.c
+++ b/fs/gfs2/dir.c
@@ -392,7 +392,7 @@ static int gfs2_dirent_find_space(const
unsigned totlen = be16_to_cpu(dent->de_rec_len);
if (gfs2_dirent_sentinel(dent))
- actual = GFS2_DIRENT_SIZE(0);
+ actual = 0;
if (totlen - actual >= required)
return 1;
return 0;
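Review bot: the new "actual = 0;" under "if (gfs2_dirent_sentinel(dent))" has no comment saying why a sentinel counts as zero bytes in use, and the value it replaces, GFS2_DIRENT_SIZE(0), looked just as plausible, so a one-line comment there stating that a sentinel's entire record is reusable (as the changelog explains) would keep a later cleanup from reintroducing the Oops. Separately, "totlen - actual >= required" is evaluated on an unsigned totlen read from the on-disk de_rec_len; the assignment of actual for non-sentinel entries is above the hunk and not shown, so it is worth confirming that actual can never exceed totlen for a damaged dirent, since the subtraction would wrap and the function would return 1. The changelog also says the crash itself was a NULL i_alloc dereference on the new-leaf allocation path; this patch removes the known trigger but leaves that path unguarded, so a check there that fails with an error instead of dereferencing would make any future space-accounting mismatch recoverable.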