Commit 2c47c1be authored by Bob Peterson's avatar Bob Peterson Committed by Andreas Gruenbacher
Browse files

gfs2: clean up iopen glock mess in gfs2_create_inode 



Before this patch, gfs2_create_inode had a use-after-free for the
iopen glock in some error paths because it did this:

	gfs2_glock_put(io_gl);
fail_gunlock2:
	if (io_gl)
		clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);

In some cases, the io_gl was used for create and only had one
reference, so the glock might be freed before the clear_bit().
This patch tries to straighten it out by only jumping to the
error paths where iopen is properly set, and moving the
gfs2_glock_put after the clear_bit.

Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
parent d99724c3

fs/gfs2/inode.c

+7 −6
Original line number Diff line number Diff line
@@ -712,7 +712,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, 


	error = gfs2_trans_begin(sdp, blocks, 0);

	if (error)

		goto fail_gunlock2;

		goto fail_free_inode;



	if (blocks > 1) {

		ip->i_eattr = ip->i_no_addr + 1;
@@ -723,7 +723,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, 


	error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);

	if (error)

		goto fail_gunlock2;

		goto fail_free_inode;



	BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags));
@@ -732,7 +732,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, 
		goto fail_gunlock2;



	glock_set_object(ip->i_iopen_gh.gh_gl, ip);

	gfs2_glock_put(io_gl);

	gfs2_set_iop(inode);

	insert_inode_hash(inode);
@@ -765,6 +764,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, 


	mark_inode_dirty(inode);

	d_instantiate(dentry, inode);

	/* After instantiate, errors should result in evict which will destroy

	 * both inode and iopen glocks properly. */

	if (file) {

		file->f_mode |= FMODE_CREATED;

		error = finish_open(file, dentry, gfs2_open_common);
@@ -772,15 +773,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry, 
	gfs2_glock_dq_uninit(ghs);

	gfs2_glock_dq_uninit(ghs + 1);

	clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);

	gfs2_glock_put(io_gl);

	return error;



fail_gunlock3:

	glock_clear_object(io_gl, ip);

	gfs2_glock_dq_uninit(&ip->i_iopen_gh);

	gfs2_glock_put(io_gl);

fail_gunlock2:

	if (io_gl)

	clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);

	gfs2_glock_put(io_gl);

fail_free_inode:

	if (ip->i_gl) {

		glock_clear_object(ip->i_gl, ip);

CRA Git | Maintained and supported by SUSTech CRA and CCSE