xfs
[Top] [All Lists]

[PATCH 2/2] [XFS] Fix double free of inode

To: xfs@xxxxxxxxxxx
Subject: [PATCH 2/2] [XFS] Fix double free of inode
From: Dave Chinner <david@xxxxxxxxxxxxx>
Date: Sun, 15 Mar 2009 22:25:42 +1100
In-reply-to: <1237116342-25701-1-git-send-email-david@xxxxxxxxxxxxx>
References: <1237116342-25701-1-git-send-email-david@xxxxxxxxxxxxx>
If we fail to initialise the VFS inode in inode_init_always(),
it will call ->delete_inode internally resulting in the inode being
freed. Hence we need to delay the call to inode_init_always()
until after the XFS inode is sufficient set up to handle a
call to ->delete_inode, and then if that fails do not touch
the inode again at all as it has been freed.

Signed-off-by: Dave Chinner <david@xxxxxxxxxxxxx>
---
 fs/xfs/xfs_iget.c |   23 ++++++++++++++---------
 1 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/fs/xfs/xfs_iget.c b/fs/xfs/xfs_iget.c
index 478e587..89b81ee 100644
--- a/fs/xfs/xfs_iget.c
+++ b/fs/xfs/xfs_iget.c
@@ -69,15 +69,6 @@ xfs_inode_alloc(
        ASSERT(!spin_is_locked(&ip->i_flags_lock));
        ASSERT(completion_done(&ip->i_flush));
 
-       /*
-        * initialise the VFS inode here to get failures
-        * out of the way early.
-        */
-       if (!inode_init_always(mp->m_super, VFS_I(ip))) {
-               kmem_zone_free(xfs_inode_zone, ip);
-               return NULL;
-       }
-
        /* initialise the xfs inode */
        ip->i_ino = ino;
        ip->i_mount = mp;
@@ -113,6 +104,20 @@ xfs_inode_alloc(
 #ifdef XFS_DIR2_TRACE
        ip->i_dir_trace = ktrace_alloc(XFS_DIR2_KTRACE_SIZE, KM_NOFS);
 #endif
+       /*
+       * Now initialise the VFS inode. We do this after the xfs_inode
+       * initialisation as internal failures will result in ->destroy_inode
+       * being called and that will pass down through the reclaim path and
+       * free the XFS inode. This path requires the XFS inode to already be
+       * initialised. Hence if this call fails, the xfs_inode has already
+       * been freed and we should not reference it at all in the error
+       * handling.
+       */
+       if (!inode_init_always(mp->m_super, VFS_I(ip)))
+               return NULL;
+
+       /* prevent anyone from using this yet */
+       VFS_I(ip)->i_state = I_NEW|I_LOCK;
 
        return ip;
 }
-- 
1.6.2

<Prev in Thread] Current Thread [Next in Thread>