Re: [OOPS] 2.5.51-mm2

From: Andrew Morton (akpm@digeo.com)
Date: Sat Dec 14 2002 - 04:38:15 EST

Paul P Komkoff Jr wrote:
>
> This is very funny.

Actually it's very bad. Thanks for reporting this.

> mke2fs -j -O dir_index -J size=192 -T news -N 1000100
> atest3 1000000
> (creat & write 1 byte to 1000000 files)
>
> free space on device became 0 and voila
>
> Unable to handle kernel paging request at virtual address 5a5a5b9e

Here's a fix:

If ext3_add_nondir() fails it will do an iput() of the inode. But we
continue to run ext3_mark_inode_dirty() against the potentially-freed
inode. This oopses when slab poisoning is enabled.

Fix it so that we only run ext3_mark_inode_dirty() if the inode was
successfully instantiated.

 fs/ext3/namei.c | 11 +++++------
 1 files changed, 5 insertions(+), 6 deletions(-)

--- 25/fs/ext3/namei.c~ext3-use-after-free Sat Dec 14 01:25:03 2002
+++ 25-akpm/fs/ext3/namei.c Sat Dec 14 01:25:53 2002
@@ -1566,8 +1566,11 @@ static int ext3_add_nondir(handle_t *han
 {
         int err = ext3_add_entry(handle, dentry, inode);
         if (!err) {
- d_instantiate(dentry, inode);
- return 0;
+ err = ext3_mark_inode_dirty(handle, inode);
+ if (!err) {
+ d_instantiate(dentry, inode);
+ return 0;
+ }
         }
         ext3_dec_count(handle, inode);
         iput(inode);
@@ -1609,7 +1612,6 @@ static int ext3_create (struct inode * d
                 else
                         inode->i_mapping->a_ops = &ext3_aops;
                 err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
         }
         ext3_journal_stop(handle, dir);
         unlock_kernel();
@@ -1642,7 +1644,6 @@ static int ext3_mknod (struct inode * di
                 inode->i_op = &ext3_special_inode_operations;
 #endif
                 err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
         }
         ext3_journal_stop(handle, dir);
         unlock_kernel();
@@ -2105,7 +2106,6 @@ static int ext3_symlink (struct inode *
         }
         EXT3_I(inode)->i_disksize = inode->i_size;
         err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
 out_stop:
         ext3_journal_stop(handle, dir);
         unlock_kernel();
@@ -2140,7 +2140,6 @@ static int ext3_link (struct dentry * ol
         atomic_inc(&inode->i_count);
 
         err = ext3_add_nondir(handle, dentry, inode);
- ext3_mark_inode_dirty(handle, inode);
         ext3_journal_stop(handle, dir);
         unlock_kernel();
         return err;

_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

This archive was generated by hypermail 2b29 : Sun Dec 15 2002 - 22:00:30 EST