Merge b_md into HEAD
[fs/lustre-release.git] / lustre / extN / ext3-use-after-free.diff
1
2
3 If ext3_add_nondir() fails it will do an iput() of the inode.  But we
4 continue to run ext3_mark_inode_dirty() against the potentially-freed
5 inode.  This oopses when slab poisoning is enabled.
6
7 Fix it so that we only run ext3_mark_inode_dirty() if the inode was
8 successfully instantiated.
9
10 This bug was added in 2.4.20-pre9.
11
12
13  fs/ext3/namei.c |   11 +++++------
14  1 files changed, 5 insertions(+), 6 deletions(-)
15
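--- a/fs/ext3/namei.c
+++ b/fs/ext3/namei.c
@@ -429,8 +429,11 @@ static int ext3_add_nondir(handle_t *han
 {
        int err = ext3_add_entry(handle, dentry, inode);
        if (!err) {
-               d_instantiate(dentry, inode);
-               return 0;
+               err = ext3_mark_inode_dirty(handle, inode);
+               if (err == 0) {
+                       d_instantiate(dentry, inode);
+                       return 0;
+               }
        }
        ext3_dec_count(handle, inode);
        iput(inode);
@@ -465,7 +468,6 @@ static int ext3_create (struct inode * d
                inode->i_fop = &ext3_file_operations;
                inode->i_mapping->a_ops = &ext3_aops;
                err = ext3_add_nondir(handle, dentry, inode);
-               ext3_mark_inode_dirty(handle, inode);
        }
        ext3_journal_stop(handle, dir);
        return err;
@@ -490,7 +492,6 @@ static int ext3_mknod (struct inode * di
        if (!IS_ERR(inode)) {
                init_special_inode(inode, mode, rdev);
                err = ext3_add_nondir(handle, dentry, inode);
-               ext3_mark_inode_dirty(handle, inode);
        }
        ext3_journal_stop(handle, dir);
        return err;
@@ -934,7 +935,6 @@ static int ext3_symlink (struct inode * 
        }
        inode->u.ext3_i.i_disksize = inode->i_size;
        err = ext3_add_nondir(handle, dentry, inode);
-       ext3_mark_inode_dirty(handle, inode);
 out_stop:
        ext3_journal_stop(handle, dir);
        return err;
@@ -971,7 +971,6 @@ static int ext3_link (struct dentry * ol
        atomic_inc(&inode->i_count);
 
        err = ext3_add_nondir(handle, dentry, inode);
-       ext3_mark_inode_dirty(handle, inode);
        ext3_journal_stop(handle, dir);
        return err;
 }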
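Review bot: In the first hunk, a failure of `ext3_mark_inode_dirty()` now falls through to `ext3_dec_count()` and `iput()` even though `ext3_add_entry()` has already succeeded, so the directory entry written just before is left in place while its inode is being released. Whether the journal handle is aborted on that error, which would keep the stale entry from reaching disk, cannot be seen from these lines; the rest of ext3_add_nondir() lies outside the hunk. At minimum the inner branch deserves a comment such as `/* add_entry succeeded but the inode could not be dirtied: the dirent stays; presumably the journal abort covers it (to be confirmed) */`, and the two tests should use one spelling, since `if (!err)` and `if (err == 0)` sit on adjacent levels. The four callers now depend entirely on this function to dirty the inode, which is worth stating in a header comment on ext3_add_nondir().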
64
65 _