| blob | 60fe3dc77f1ca2f0e7a5ecb7ef50de5b1ee26114 |
1 jbd2: fix potential double free
3 From: Chengguang Xu <cgxu519@gmail.com>
5 When failing from creating cache jbd2_inode_cache, we will destroy the
6 previously created cache jbd2_handle_cache twice. This patch fixes
7 this by moving each cache initialization/destruction to its own
8 separate, individual function.
10 Signed-off-by: Chengguang Xu <cgxu519@gmail.com>
11 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
12 Cc: stable@kernel.org
13 ---
14 v2:
15 - Seperate cache initialization/destruction to individual function.
17 fs/jbd2/journal.c | 51 +++++++++++++++++++++++++++----------------
18 fs/jbd2/revoke.c | 32 +++++++++++++++++----------
19 fs/jbd2/transaction.c | 8 ++++---
20 include/linux/jbd2.h | 8 ++++---
21 4 files changed, 62 insertions(+), 37 deletions(-)
23 diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
24 index 37e16d969925..0f1ac43d0560 100644
25 --- a/fs/jbd2/journal.c
26 +++ b/fs/jbd2/journal.c
27 @@ -2375,22 +2375,19 @@ static struct kmem_cache *jbd2_journal_head_cache;
28 static atomic_t nr_journal_heads = ATOMIC_INIT(0);
29 #endif
31 -static int jbd2_journal_init_journal_head_cache(void)
32 +static int __init jbd2_journal_init_journal_head_cache(void)
33 {
34 - int retval;
35 -
36 - J_ASSERT(jbd2_journal_head_cache == NULL);
37 + J_ASSERT(!jbd2_journal_head_cache);
38 jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head",
39 sizeof(struct journal_head),
40 0, /* offset */
41 SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU,
42 NULL); /* ctor */
43 - retval = 0;
44 if (!jbd2_journal_head_cache) {
45 - retval = -ENOMEM;
46 printk(KERN_EMERG "JBD2: no memory for journal_head cache\n");
47 + return -ENOMEM;
48 }
49 - return retval;
50 + return 0;
51 }
53 static void jbd2_journal_destroy_journal_head_cache(void)
54 @@ -2636,28 +2633,38 @@ static void __exit jbd2_remove_jbd_stats_proc_entry(void)
56 struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache;
58 +static int __init jbd2_journal_init_inode_cache(void)
59 +{
60 + J_ASSERT(!jbd2_inode_cache);
61 + jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
62 + if (!jbd2_inode_cache) {
63 + pr_emerg("JBD2: failed to create inode cache\n");
64 + return -ENOMEM;
65 + }
66 + return 0;
67 +}
68 +
69 static int __init jbd2_journal_init_handle_cache(void)
70 {
71 + J_ASSERT(!jbd2_handle_cache);
72 jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY);
73 - if (jbd2_handle_cache == NULL) {
74 + if (!jbd2_handle_cache) {
75 printk(KERN_EMERG "JBD2: failed to create handle cache\n");
76 return -ENOMEM;
77 }
78 - jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
79 - if (jbd2_inode_cache == NULL) {
80 - printk(KERN_EMERG "JBD2: failed to create inode cache\n");
81 - kmem_cache_destroy(jbd2_handle_cache);
82 - return -ENOMEM;
83 - }
84 return 0;
85 }
87 +static void jbd2_journal_destroy_inode_cache(void)
88 +{
89 + kmem_cache_destroy(jbd2_inode_cache);
90 + jbd2_inode_cache = NULL;
91 +}
92 +
93 static void jbd2_journal_destroy_handle_cache(void)
94 {
95 kmem_cache_destroy(jbd2_handle_cache);
96 jbd2_handle_cache = NULL;
97 - kmem_cache_destroy(jbd2_inode_cache);
98 - jbd2_inode_cache = NULL;
99 }
101 /*
102 @@ -2668,11 +2675,15 @@ static int __init journal_init_caches(void)
103 {
104 int ret;
106 - ret = jbd2_journal_init_revoke_caches();
107 + ret = jbd2_journal_init_revoke_record_cache();
108 + if (ret == 0)
109 + ret = jbd2_journal_init_revoke_table_cache();
110 if (ret == 0)
111 ret = jbd2_journal_init_journal_head_cache();
112 if (ret == 0)
113 ret = jbd2_journal_init_handle_cache();
114 + if (ret == 0)
115 + ret = jbd2_journal_init_inode_cache();
116 if (ret == 0)
117 ret = jbd2_journal_init_transaction_cache();
118 return ret;
119 @@ -2680,9 +2691,11 @@ static int __init journal_init_caches(void)
121 static void jbd2_journal_destroy_caches(void)
122 {
123 - jbd2_journal_destroy_revoke_caches();
124 + jbd2_journal_destroy_revoke_record_cache();
125 + jbd2_journal_destroy_revoke_table_cache();
126 jbd2_journal_destroy_journal_head_cache();
127 jbd2_journal_destroy_handle_cache();
128 + jbd2_journal_destroy_inode_cache();
129 jbd2_journal_destroy_transaction_cache();
130 jbd2_journal_destroy_slabs();
131 }
132 diff --git a/fs/jbd2/revoke.c b/fs/jbd2/revoke.c
133 index a1143e57a718..69b9bc329964 100644
134 --- a/fs/jbd2/revoke.c
135 +++ b/fs/jbd2/revoke.c
136 @@ -178,33 +178,41 @@ static struct jbd2_revoke_record_s *find_revoke_record(journal_t *journal,
137 return NULL;
138 }
140 -void jbd2_journal_destroy_revoke_caches(void)
141 +void jbd2_journal_destroy_revoke_record_cache(void)
142 {
143 kmem_cache_destroy(jbd2_revoke_record_cache);
144 jbd2_revoke_record_cache = NULL;
145 +}
146 +
147 +void jbd2_journal_destroy_revoke_table_cache(void)
148 +{
149 kmem_cache_destroy(jbd2_revoke_table_cache);
150 jbd2_revoke_table_cache = NULL;
151 }
153 -int __init jbd2_journal_init_revoke_caches(void)
154 +int __init jbd2_journal_init_revoke_record_cache(void)
155 {
156 J_ASSERT(!jbd2_revoke_record_cache);
157 - J_ASSERT(!jbd2_revoke_table_cache);
158 -
159 jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s,
160 SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY);
161 - if (!jbd2_revoke_record_cache)
162 - goto record_cache_failure;
164 + if (!jbd2_revoke_record_cache) {
165 + pr_emerg("JBD2: failed to create revoke_record cache\n");
166 + return -ENOMEM;
167 + }
168 + return 0;
169 +}
170 +
171 +int __init jbd2_journal_init_revoke_table_cache(void)
172 +{
173 + J_ASSERT(!jbd2_revoke_table_cache);
174 jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s,
175 SLAB_TEMPORARY);
176 - if (!jbd2_revoke_table_cache)
177 - goto table_cache_failure;
178 - return 0;
179 -table_cache_failure:
180 - jbd2_journal_destroy_revoke_caches();
181 -record_cache_failure:
182 + if (!jbd2_revoke_table_cache) {
183 + pr_emerg("JBD2: failed to create revoke_table cache\n");
184 return -ENOMEM;
185 + }
186 + return 0;
187 }
189 static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size)
190 diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
191 index f940d31c2adc..8ca4fddc705f 100644
192 --- a/fs/jbd2/transaction.c
193 +++ b/fs/jbd2/transaction.c
194 @@ -42,9 +42,11 @@ int __init jbd2_journal_init_transaction_cache(void)
195 0,
196 SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY,
197 NULL);
198 - if (transaction_cache)
199 - return 0;
200 - return -ENOMEM;
201 + if (!transaction_cache) {
202 + pr_emerg("JBD2: failed to create transaction cache\n");
203 + return -ENOMEM;
204 + }
205 + return 0;
206 }
208 void jbd2_journal_destroy_transaction_cache(void)
209 diff --git a/include/linux/jbd2.h b/include/linux/jbd2.h
210 index c2ffff5f9ae2..6c9870e16b19 100644
211 --- a/include/linux/jbd2.h
212 +++ b/include/linux/jbd2.h
213 @@ -1318,7 +1318,7 @@ extern void __wait_on_journal (journal_t *);
215 /* Transaction cache support */
216 extern void jbd2_journal_destroy_transaction_cache(void);
217 -extern int jbd2_journal_init_transaction_cache(void);
218 +extern int __init jbd2_journal_init_transaction_cache(void);
219 extern void jbd2_journal_free_transaction(transaction_t *);
221 /*
222 @@ -1446,8 +1446,10 @@ static inline void jbd2_free_inode(struct jbd2_inode *jinode)
223 /* Primary revoke support */
224 #define JOURNAL_REVOKE_DEFAULT_HASH 256
225 extern int jbd2_journal_init_revoke(journal_t *, int);
226 -extern void jbd2_journal_destroy_revoke_caches(void);
227 -extern int jbd2_journal_init_revoke_caches(void);
228 +extern void jbd2_journal_destroy_revoke_record_cache(void);
229 +extern void jbd2_journal_destroy_revoke_table_cache(void);
230 +extern int __init jbd2_journal_init_revoke_record_cache(void);
231 +extern int __init jbd2_journal_init_revoke_table_cache(void);
233 extern void jbd2_journal_destroy_revoke(journal_t *);
234 extern int jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *);
235 --
236 2.20.1