1
linux/fs
Lachlan McIlroy f25181f598 xfs_file_last_byte() needs to acquire ilock
We had some systems crash with this stack:

[<a00000010000cb20>] ia64_leave_kernel+0x0/0x280
[<a00000021291ca00>] xfs_bmbt_get_startoff+0x0/0x20 [xfs]
[<a0000002129080b0>] xfs_bmap_last_offset+0x210/0x280 [xfs]
[<a00000021295b010>] xfs_file_last_byte+0x70/0x1a0 [xfs]
[<a00000021295b200>] xfs_itruncate_start+0xc0/0x1a0 [xfs]
[<a0000002129935f0>] xfs_inactive_free_eofblocks+0x290/0x460 [xfs]
[<a000000212998fb0>] xfs_release+0x1b0/0x240 [xfs]
[<a0000002129ad930>] xfs_file_release+0x70/0xa0 [xfs]
[<a000000100162ea0>] __fput+0x1a0/0x420
[<a000000100163160>] fput+0x40/0x60

The problem here is that xfs_file_last_byte() does not acquire the
inode lock and can therefore race with another thread that is modifying
the extext list.  While xfs_bmap_last_offset() is trying to lookup
what was the last extent some extents were merged and the extent list
shrunk so the index we lookup is now beyond the end of the extent list
and potentially in a freed buffer.

Signed-off-by: Lachlan McIlroy <lmcilroy@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Felix Blyakher <felixb@sgi.com>
Signed-off-by: Felix Blyakher <felixb@sgi.com>
2009-04-29 09:14:10 -05:00
..
9p vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
adfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
affs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
afs proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
autofs constify dentry_operations: autofs, autofs4 2009-03-27 14:44:00 -04:00
autofs4 constify dentry_operations: autofs, autofs4 2009-03-27 14:44:00 -04:00
befs fs/Kconfig: move befs out 2009-01-22 13:15:57 +03:00
bfs fs/Kconfig: move bfs out 2009-01-22 13:15:57 +03:00
btrfs btrfs: get rid of current_is_pdflush() in btrfs_btree_balance_dirty 2009-03-26 11:01:35 +01:00
cifs proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
coda constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
configfs constify dentry_operations: configfs 2009-03-27 14:44:03 -04:00
cramfs fs/Kconfig: move cramfs out 2009-01-22 13:15:58 +03:00
debugfs
devpts Merge code for single and multiple-instance mounts 2009-03-27 14:44:04 -04:00
dlm dlm: fix length calculation in compat code 2009-03-11 12:23:59 -05:00
ecryptfs constify dentry_operations: ecryptfs 2009-03-27 14:44:01 -04:00
efs fs/Kconfig: move efs out 2009-01-22 13:15:57 +03:00
exportfs
ext2 ext2: Zero our b_size in ext2_quota_read() 2009-03-26 02:18:38 +01:00
ext3 Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
ext4 ext4: Use lowercase names of quota functions 2009-03-26 02:18:36 +01:00
fat constify dentry_operations: FAT 2009-03-27 14:44:01 -04:00
freevxfs fs/Kconfig: move vxfs out 2009-01-22 13:15:58 +03:00
fuse fuse: fix fuse_file_lseek returning with lock held 2009-03-30 17:26:24 +02:00
gfs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
hfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hfsplus constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hostfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hpfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
hppfs
hugetlbfs Do not account for the address space used by hugetlbfs using VM_ACCOUNT 2009-02-10 10:48:42 -08:00
isofs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
jbd jbd: fix return value of journal_start_commit() 2009-02-11 14:25:35 -08:00
jbd2 jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate() 2009-02-10 11:15:34 -05:00
jffs2 [JFFS2] fix mount crash caused by removed nodes 2009-02-21 11:09:29 +01:00
jfs proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
lockd NLM: Fix GRANT callback address comparison when IPv6 is enabled 2009-03-10 20:33:20 -04:00
minix Update my email address 2009-03-22 11:28:37 -07:00
ncpfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
nfs proc 2/2: remove struct proc_dir_entry::owner 2009-03-31 01:14:44 +04:00
nfs_common
nfsd Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
nls
notify fs: avoid I_NEW inodes 2009-03-27 14:44:05 -04:00
ntfs fs/Kconfig: move ntfs out 2009-01-22 13:15:55 +03:00
ocfs2 constify dentry_operations: OCFS2 2009-03-27 14:44:02 -04:00
omfs fs/Kconfig: move omfs out 2009-01-22 13:15:58 +03:00
openpromfs
partitions Merge branch 'for-linus' of git://git390.marist.edu/pub/scm/linux-2.6 2009-03-26 16:04:22 -07:00
proc Revert "proc: revert /proc/uptime to ->read_proc hook" 2009-03-31 01:14:58 +04:00
qnx4 fs/Kconfig: move qnx4 out 2009-01-22 13:15:59 +03:00
quota Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
ramfs ramfs: Remove quota call 2009-03-26 02:18:35 +01:00
reiserfs Merge branch 'proc-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/adobriyan/proc 2009-03-30 16:06:04 -07:00
romfs fs/Kconfig: move romfs out 2009-01-22 13:15:59 +03:00
smbfs constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
squashfs Squashfs: Valid filesystems are flagged as bad by the corrupted fs patch 2009-03-12 03:23:48 +00:00
sysfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
sysv constify dentry_operations: misc filesystems 2009-03-27 14:44:00 -04:00
ubifs vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
udf udf: Use lowercase names of quota functions 2009-03-26 02:18:36 +01:00
ufs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
xfs xfs_file_last_byte() needs to acquire ilock 2009-04-29 09:14:10 -05:00
aio.c aio: lookup_ioctx can return the wrong value when looking up a bogus context 2009-03-19 15:57:18 -07:00
anon_inodes.c constify dentry_operations: rest 2009-03-27 14:44:03 -04:00
attr.c vfs: Use lowercase names of quota functions 2009-03-26 02:18:35 +01:00
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c elf core dump: fix get_user use 2009-02-06 17:34:07 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c block: add private bio_set for bio integrity allocations 2009-03-24 12:35:17 +01:00
bio.c block: add private bio_set for bio integrity allocations 2009-03-24 12:35:17 +01:00
block_dev.c fs: move bdev code out of buffer.c 2009-03-27 14:44:03 -04:00
buffer.c fs: move bdev code out of buffer.c 2009-03-27 14:44:03 -04:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2009-03-01 21:35:16 -08:00
compat.c fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
dcache.c cleanup d_add_ci 2009-03-27 14:43:57 -04:00
dcookies.c [CVE-2009-0029] System call wrapper special cases 2009-01-14 14:15:18 +01:00
direct-io.c
drop_caches.c fs: avoid I_NEW inodes 2009-03-27 14:44:05 -04:00
eventfd.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
eventpoll.c Rename struct file->f_ep_lock 2009-03-16 08:32:27 -06:00
exec.c fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
fcntl.c Fix a lockdep warning in fasync_helper() 2009-03-30 08:00:24 -06:00
fifo.c
file_table.c Merge branch 'bkl-removal' of git://git.lwn.net/linux-2.6 2009-03-26 16:14:02 -07:00
file.c
filesystems.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
fs-writeback.c fs: new inode i_state corruption fix 2009-03-12 16:20:24 -07:00
generic_acl.c
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
internal.h fix setuid sometimes doesn't 2009-03-28 17:30:00 -07:00
ioctl.c Rationalize fasync return values 2009-03-16 08:34:35 -06:00
ioprio.c [CVE-2009-0029] System call wrappers part 28 2009-01-14 14:15:30 +01:00
Kconfig quota: Move quota files into separate directory 2009-03-26 02:18:35 +01:00
Kconfig.binfmt CORE_DUMP_DEFAULT_ELF_HEADERS depends on ELF_CORE 2009-01-09 16:54:41 -08:00
libfs.c vfs: simple_set_mnt() should return void 2009-03-27 14:44:03 -04:00
locks.c [CVE-2009-0029] System call wrappers part 16 2009-01-14 14:15:25 +01:00
Makefile quota: Move quota files into separate directory 2009-03-26 02:18:35 +01:00
mbcache.c
mpage.c
namei.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
namespace.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
nfsctl.c [CVE-2009-0029] System call wrappers part 27 2009-01-14 14:15:29 +01:00
no-block.c
open.c vfs: Use lowercase names of quota functions 2009-03-26 02:18:35 +01:00
pipe.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
pnode.c
pnode.h
posix_acl.c
read_write.c [CVE-2009-0029] System call wrappers part 20 2009-01-14 14:15:26 +01:00
read_write.h
readdir.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
select.c [CVE-2009-0029] System call wrappers part 32 2009-01-14 14:15:31 +01:00
seq_file.c cpumask: fix seq_bitmap_*() functions. 2009-03-30 22:05:11 +10:30
signalfd.c [CVE-2009-0029] System call wrappers part 31 2009-01-14 14:15:31 +01:00
splice.c [CVE-2009-0029] System call wrappers part 31 2009-01-14 14:15:31 +01:00
stack.c
stat.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
super.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6 2009-03-27 16:23:12 -07:00
sync.c Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-quota-2.6 2009-03-27 14:48:34 -07:00
timerfd.c timerfd: add flags check 2009-02-18 15:37:53 -08:00
utimes.c [CVE-2009-0029] System call wrappers part 30 2009-01-14 14:15:30 +01:00
xattr_acl.c
xattr.c [CVE-2009-0029] System call wrappers part 13 2009-01-14 14:15:23 +01:00