aha/fs/xfs
David Chinner 99fa8cb3c5 [XFS] Prevent use-after-free caused by synchronous inode reclaim
With the combined linux and XFS inode, we need to ensure that the combined
structure is not freed before the generic code is finished with the inode.
As it turns out, there is a case where the XFS inode is freed before the
linux inode - when xfs_reclaim() is called from ->clear_inode() on a clean
inode, the xfs inode is freed during that call. The generic code
references the inode after the ->clear_inode() call, so this is a use
after free situation.

Fix the problem by moving the xfs_reclaim() call to ->destroy_inode()
instead of in ->clear_inode(). This ensures the combined inode structure
is not freed until after the generic code has finished with it.

SGI-PV: 988141

SGI-Modid: xfs-linux-melb:xfs-kern:32324a

Signed-off-by: David Chinner <david@fromorbit.com>
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Signed-off-by: Christoph Hellwig <hch@infradead.org>
2008-10-30 17:36:40 +11:00
..
linux-2.6 [XFS] Prevent use-after-free caused by synchronous inode reclaim 2008-10-30 17:36:40 +11:00
quota [XFS] Kill xfs_sync() 2008-10-30 17:16:11 +11:00
support [XFS] Show buffer address with debug hexdump on corruption 2008-10-30 17:05:58 +11:00
Kconfig [XFS] allow enabling CONFIG_XFS_DEBUG 2008-04-29 16:07:48 +10:00
Makefile [XFS] move sync code to its own file 2008-10-30 17:06:08 +11:00
xfs.h [XFS] make btree tracing generic 2008-10-30 16:55:13 +11:00
xfs_acl.c [XFS] kill bhv_vnode_t 2008-08-13 16:22:40 +10:00
xfs_acl.h [XFS] kill bhv_vnode_t 2008-08-13 16:22:40 +10:00
xfs_ag.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_alloc.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_alloc.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_alloc_btree.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_alloc_btree.h [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_arch.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_attr.c [XFS] Move xfs_attr_rolltrans to xfs_trans_roll 2008-08-13 16:05:49 +10:00
xfs_attr.h [XFS] Move attr log alloc size calculator to another function. 2008-08-13 16:03:35 +10:00
xfs_attr_leaf.c [XFS] Move xfs_attr_rolltrans to xfs_trans_roll 2008-08-13 16:05:49 +10:00
xfs_attr_leaf.h [XFS] Move xfs_attr_rolltrans to xfs_trans_roll 2008-08-13 16:05:49 +10:00
xfs_attr_sf.h [XFS] 2008-07-28 16:58:35 +10:00
xfs_bit.c [XFS] Use the generic bitops rather than implementing them ourselves. 2008-08-13 15:41:12 +10:00
xfs_bit.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_bmap.c [XFS] Move XFS_BMAP_SANITY_CHECK out of line. 2008-10-30 17:14:43 +11:00
xfs_bmap.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_bmap_btree.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_bmap_btree.h [XFS] Move XFS_BMAP_SANITY_CHECK out of line. 2008-10-30 17:14:43 +11:00
xfs_btree.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_btree.h [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_btree_trace.c [XFS] make btree tracing generic 2008-10-30 16:58:50 +11:00
xfs_btree_trace.h [XFS] make btree tracing generic 2008-10-30 16:58:50 +11:00
xfs_buf_item.c [XFS] Fix use-after-free with buffers 2008-09-17 16:52:13 +10:00
xfs_buf_item.h
xfs_clnt.h [XFS] Fix up noattr2 so that it will properly update the versionnum and 2008-07-28 16:58:05 +10:00
xfs_da_btree.c [XFS] streamline init/exit path 2008-07-28 16:59:25 +10:00
xfs_da_btree.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_dfrag.c [XFS] Prevent lockdep false positives when locking two inodes. 2008-09-17 16:51:21 +10:00
xfs_dfrag.h
xfs_dinode.h [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_dir2.c [XFS] Zero uninitialised xfs_da_args structure in xfs_dir2.c 2008-07-28 16:58:46 +10:00
xfs_dir2.h [XFS] Return case-insensitive match for dentry cache 2008-07-28 16:58:40 +10:00
xfs_dir2_block.c [XFS] Return case-insensitive match for dentry cache 2008-07-28 16:58:40 +10:00
xfs_dir2_block.h
xfs_dir2_data.c [XFS] Name operation vector for hash and compare 2008-07-28 16:58:36 +10:00
xfs_dir2_data.h
xfs_dir2_leaf.c [XFS] Fix CI lookup in leaf-form directories 2008-07-28 16:59:06 +10:00
xfs_dir2_leaf.h
xfs_dir2_node.c [XFS] Fix returning case-preserved name with CI node form directories 2008-07-28 16:59:01 +10:00
xfs_dir2_node.h
xfs_dir2_sf.c [XFS] Return case-insensitive match for dentry cache 2008-07-28 16:58:40 +10:00
xfs_dir2_sf.h [XFS] Pack some shortform dir2 structures for the ARM old ABI 2008-07-28 16:58:50 +10:00
xfs_dir2_trace.c [XFS] Add op_flags field and helpers to xfs_da_args 2008-07-28 16:58:37 +10:00
xfs_dir2_trace.h
xfs_dmapi.h removed unused #include <linux/version.h>'s 2008-08-23 12:14:12 -07:00
xfs_dmops.c
xfs_error.c [XFS] kill INDUCE_IO_ERROR 2008-08-13 16:17:37 +10:00
xfs_error.h [XFS] kill INDUCE_IO_ERROR 2008-08-13 16:17:37 +10:00
xfs_extfree_item.c [XFS] Remove unused arg from kmem_free() 2008-07-28 16:58:07 +10:00
xfs_extfree_item.h
xfs_filestream.c [XFS] Use KM_NOFS for debug trace buffers 2008-08-13 16:51:57 +10:00
xfs_filestream.h
xfs_fs.h [XFS] attrmulti cleanup 2008-07-28 16:59:09 +10:00
xfs_fsops.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_fsops.h
xfs_ialloc.c [XFS] implement generic xfs_btree_get_rec 2008-10-30 16:58:11 +11:00
xfs_ialloc.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_ialloc_btree.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_ialloc_btree.h [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_iget.c [XFS] Combine the XFS and Linux inodes 2008-10-30 17:36:14 +11:00
xfs_imap.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_inode.c [XFS] Combine the XFS and Linux inodes 2008-10-30 17:36:14 +11:00
xfs_inode.h [XFS] Combine the XFS and Linux inodes 2008-10-30 17:36:14 +11:00
xfs_inode_item.c [XFS] replace inode flush semaphore with a completion 2008-08-13 16:41:16 +10:00
xfs_inode_item.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_inum.h
xfs_iomap.c [XFS] use minleft when allocating in xfs_bmbt_split() 2008-07-28 16:59:10 +10:00
xfs_iomap.h
xfs_itable.c [XFS] implement generic xfs_btree_increment 2008-10-30 16:55:45 +11:00
xfs_itable.h
xfs_log.c Fix barrier fail detection in XFS 2008-10-10 11:08:07 -07:00
xfs_log.h [XFS] cleanup xfs_mountfs 2008-08-13 16:49:32 +10:00
xfs_log_priv.h [XFS] Move memory allocations for log tracing out of the critical path 2008-09-17 16:45:37 +10:00
xfs_log_recover.c [XFS] Always use struct xfs_btree_block instead of short / longform 2008-10-30 17:14:34 +11:00
xfs_log_recover.h
xfs_mount.c [XFS] remove the mount inode list 2008-10-30 17:11:29 +11:00
xfs_mount.h [XFS] use xfs_sync_inodes rather than xfs_syncsub 2008-10-30 17:15:12 +11:00
xfs_mru_cache.c [XFS] streamline init/exit path 2008-07-28 16:59:25 +10:00
xfs_mru_cache.h
xfs_qmops.c
xfs_quota.h
xfs_refcache.h
xfs_rename.c [XFS] Don't update mtime on rename source 2008-07-28 16:59:14 +10:00
xfs_rtalloc.c [XFS] Use the generic bitops rather than implementing them ourselves. 2008-08-13 15:41:12 +10:00
xfs_rtalloc.h
xfs_rw.c [XFS] replace the XFS buf iodone semaphore with a completion 2008-08-13 16:36:11 +10:00
xfs_rw.h
xfs_sb.h [XFS] XFS: ASCII case-insensitive support 2008-07-28 16:58:42 +10:00
xfs_trans.c [XFS] remove shouting-indirection macros from xfs_trans.h 2008-08-13 16:10:52 +10:00
xfs_trans.h [XFS] Sync up kernel and user-space headers 2008-10-30 17:05:38 +11:00
xfs_trans_ail.c [XFS] replace remaining __FUNCTION__ occurrences 2008-04-18 11:51:26 +10:00
xfs_trans_buf.c [XFS] remove shouting-indirection macros from xfs_trans.h 2008-08-13 16:10:52 +10:00
xfs_trans_extfree.c
xfs_trans_inode.c [XFS] Remove unused arg from kmem_free() 2008-07-28 16:58:07 +10:00
xfs_trans_item.c [XFS] remove shouting-indirection macros from xfs_trans.h 2008-08-13 16:10:52 +10:00
xfs_trans_priv.h
xfs_trans_space.h
xfs_types.h [XFS] remove bhv_vname_t and xfs_rename code 2008-04-18 12:00:12 +10:00
xfs_utils.c [XFS] Avoid directly referencing the VFS inode. 2008-08-13 15:45:15 +10:00
xfs_utils.h [XFS] implement IHOLD/IRELE directly 2008-08-13 16:13:45 +10:00
xfs_vfsops.c [XFS] Move remaining quiesce code. 2008-10-30 17:16:21 +11:00
xfs_vfsops.h [XFS] Move remaining quiesce code. 2008-10-30 17:16:21 +11:00
xfs_vnodeops.c [XFS] Combine the XFS and Linux inodes 2008-10-30 17:36:14 +11:00
xfs_vnodeops.h [XFS] Now that xfs_setattr is only used for attributes set from ->setattr 2008-07-28 16:59:37 +10:00