summaryrefslogtreecommitdiff
path: root/fs/ext2/ialloc.c
diff options
context:
space:
mode:
authorAl Viro <viro@zeniv.linux.org.uk>2008-12-30 01:52:35 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2008-12-31 18:07:43 -0500
commit41080b5a240113328c607f22b849f653373db0ce (patch)
treeaa8fd483c241140ebe73b6c71b370f4ad6a12251 /fs/ext2/ialloc.c
parent261bca86ed4f7f391d1938167624e78da61dcc6b (diff)
downloadlwn-41080b5a240113328c607f22b849f653373db0ce.tar.gz
lwn-41080b5a240113328c607f22b849f653373db0ce.zip
nfsd race fixes: ext2
* make ext2_new_inode() put the inode into icache in locked state * do not unlock until the inode is fully set up; otherwise nfsd might pick it in half-baked state. * make sure that ext2_new_inode() does *not* lead to two inodes with the same inumber hashed at the same time; otherwise a bogus fhandle coming from nfsd might race with inode creation: nfsd: iget_locked() creates inode nfsd: try to read from disk, block on that. ext2_new_inode(): allocate inode with that inumber ext2_new_inode(): insert it into icache, set it up and dirty ext2_write_inode(): get the relevant part of inode table in cache, set the entry for our inode (and start writing to disk) nfsd: get CPU again, look into inode table, see nice and sane on-disk inode, set the in-core inode from it oops - we have two in-core inodes with the same inumber live in icache, both used for IO. Welcome to fs corruption... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'fs/ext2/ialloc.c')
-rw-r--r--fs/ext2/ialloc.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/fs/ext2/ialloc.c b/fs/ext2/ialloc.c
index 8d0add625870..c454d5db28a5 100644
--- a/fs/ext2/ialloc.c
+++ b/fs/ext2/ialloc.c
@@ -585,7 +585,10 @@ got:
spin_lock(&sbi->s_next_gen_lock);
inode->i_generation = sbi->s_next_generation++;
spin_unlock(&sbi->s_next_gen_lock);
- insert_inode_hash(inode);
+ if (insert_inode_locked(inode) < 0) {
+ err = -EINVAL;
+ goto fail_drop;
+ }
if (DQUOT_ALLOC_INODE(inode)) {
err = -EDQUOT;
@@ -612,6 +615,7 @@ fail_drop:
DQUOT_DROP(inode);
inode->i_flags |= S_NOQUOTA;
inode->i_nlink = 0;
+ unlock_new_inode(inode);
iput(inode);
return ERR_PTR(err);