Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5b856768 authored by Chengguang Xu's avatar Chengguang Xu Committed by Greg Kroah-Hartman
Browse files

jbd2: fix potential double free 



commit 0d52154bb0a700abb459a2cbce0a30fc2549b67e upstream.

When failing from creating cache jbd2_inode_cache, we will destroy the
previously created cache jbd2_handle_cache twice.  This patch fixes
this by moving each cache initialization/destruction to its own
separate, individual function.

Signed-off-by: default avatarChengguang Xu <cgxu519@gmail.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 95482af2

fs/jbd2/journal.c

+31 −18
Original line number Diff line number Diff line
@@ -2389,22 +2389,19 @@ static struct kmem_cache *jbd2_journal_head_cache; 
static atomic_t nr_journal_heads = ATOMIC_INIT(0);

#endif



static int jbd2_journal_init_journal_head_cache(void)

static int __init jbd2_journal_init_journal_head_cache(void)

{

	int retval;



	J_ASSERT(jbd2_journal_head_cache == NULL);

	J_ASSERT(!jbd2_journal_head_cache);

	jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head",

				sizeof(struct journal_head),

				0,		/* offset */

				SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU,

				NULL);		/* ctor */

	retval = 0;

	if (!jbd2_journal_head_cache) {

		retval = -ENOMEM;

		printk(KERN_EMERG "JBD2: no memory for journal_head cache\n");

		return -ENOMEM;

	}

	return retval;

	return 0;

}



static void jbd2_journal_destroy_journal_head_cache(void)
@@ -2650,28 +2647,38 @@ static void __exit jbd2_remove_jbd_stats_proc_entry(void) 


struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache;



static int __init jbd2_journal_init_inode_cache(void)

{

	J_ASSERT(!jbd2_inode_cache);

	jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);

	if (!jbd2_inode_cache) {

		pr_emerg("JBD2: failed to create inode cache\n");

		return -ENOMEM;

	}

	return 0;

}



static int __init jbd2_journal_init_handle_cache(void)

{

	J_ASSERT(!jbd2_handle_cache);

	jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY);

	if (jbd2_handle_cache == NULL) {

	if (!jbd2_handle_cache) {

		printk(KERN_EMERG "JBD2: failed to create handle cache\n");

		return -ENOMEM;

	}

	jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);

	if (jbd2_inode_cache == NULL) {

		printk(KERN_EMERG "JBD2: failed to create inode cache\n");

		kmem_cache_destroy(jbd2_handle_cache);

		return -ENOMEM;

	}

	return 0;

}



static void jbd2_journal_destroy_inode_cache(void)

{

	kmem_cache_destroy(jbd2_inode_cache);

	jbd2_inode_cache = NULL;

}



static void jbd2_journal_destroy_handle_cache(void)

{

	kmem_cache_destroy(jbd2_handle_cache);

	jbd2_handle_cache = NULL;

	kmem_cache_destroy(jbd2_inode_cache);

	jbd2_inode_cache = NULL;

}



/*
@@ -2682,11 +2689,15 @@ static int __init journal_init_caches(void) 
{

	int ret;



	ret = jbd2_journal_init_revoke_caches();

	ret = jbd2_journal_init_revoke_record_cache();

	if (ret == 0)

		ret = jbd2_journal_init_revoke_table_cache();

	if (ret == 0)

		ret = jbd2_journal_init_journal_head_cache();

	if (ret == 0)

		ret = jbd2_journal_init_handle_cache();

	if (ret == 0)

		ret = jbd2_journal_init_inode_cache();

	if (ret == 0)

		ret = jbd2_journal_init_transaction_cache();

	return ret;
@@ -2694,9 +2705,11 @@ static int __init journal_init_caches(void) 


static void jbd2_journal_destroy_caches(void)

{

	jbd2_journal_destroy_revoke_caches();

	jbd2_journal_destroy_revoke_record_cache();

	jbd2_journal_destroy_revoke_table_cache();

	jbd2_journal_destroy_journal_head_cache();

	jbd2_journal_destroy_handle_cache();

	jbd2_journal_destroy_inode_cache();

	jbd2_journal_destroy_transaction_cache();

	jbd2_journal_destroy_slabs();

}

fs/jbd2/revoke.c

+20 −12
Original line number Diff line number Diff line
@@ -178,34 +178,42 @@ static struct jbd2_revoke_record_s *find_revoke_record(journal_t *journal, 
	return NULL;

}



void jbd2_journal_destroy_revoke_caches(void)

void jbd2_journal_destroy_revoke_record_cache(void)

{

	kmem_cache_destroy(jbd2_revoke_record_cache);

	jbd2_revoke_record_cache = NULL;

}



void jbd2_journal_destroy_revoke_table_cache(void)

{

	kmem_cache_destroy(jbd2_revoke_table_cache);

	jbd2_revoke_table_cache = NULL;

}



int __init jbd2_journal_init_revoke_caches(void)

int __init jbd2_journal_init_revoke_record_cache(void)

{

	J_ASSERT(!jbd2_revoke_record_cache);

	J_ASSERT(!jbd2_revoke_table_cache);



	jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s,

					SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY);

	if (!jbd2_revoke_record_cache)

		goto record_cache_failure;



	if (!jbd2_revoke_record_cache) {

		pr_emerg("JBD2: failed to create revoke_record cache\n");

		return -ENOMEM;

	}

	return 0;

}



int __init jbd2_journal_init_revoke_table_cache(void)

{

	J_ASSERT(!jbd2_revoke_table_cache);

	jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s,

					     SLAB_TEMPORARY);

	if (!jbd2_revoke_table_cache)

		goto table_cache_failure;

	return 0;

table_cache_failure:

	jbd2_journal_destroy_revoke_caches();

record_cache_failure:

	if (!jbd2_revoke_table_cache) {

		pr_emerg("JBD2: failed to create revoke_table cache\n");

		return -ENOMEM;

	}

	return 0;

}



static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size)

{

fs/jbd2/transaction.c

+5 −3
Original line number Diff line number Diff line
@@ -42,10 +42,12 @@ int __init jbd2_journal_init_transaction_cache(void) 
					0,

					SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY,

					NULL);

	if (transaction_cache)

		return 0;

	if (!transaction_cache) {

		pr_emerg("JBD2: failed to create transaction cache\n");

		return -ENOMEM;

	}

	return 0;

}



void jbd2_journal_destroy_transaction_cache(void)

{

include/linux/jbd2.h

+5 −3
Original line number Diff line number Diff line
@@ -1317,7 +1317,7 @@ extern void __wait_on_journal (journal_t *); 


/* Transaction cache support */

extern void jbd2_journal_destroy_transaction_cache(void);

extern int  jbd2_journal_init_transaction_cache(void);

extern int __init jbd2_journal_init_transaction_cache(void);

extern void jbd2_journal_free_transaction(transaction_t *);



/*
@@ -1445,8 +1445,10 @@ static inline void jbd2_free_inode(struct jbd2_inode *jinode) 
/* Primary revoke support */

#define JOURNAL_REVOKE_DEFAULT_HASH 256

extern int	   jbd2_journal_init_revoke(journal_t *, int);

extern void	   jbd2_journal_destroy_revoke_caches(void);

extern int	   jbd2_journal_init_revoke_caches(void);

extern void	   jbd2_journal_destroy_revoke_record_cache(void);

extern void	   jbd2_journal_destroy_revoke_table_cache(void);

extern int __init jbd2_journal_init_revoke_record_cache(void);

extern int __init jbd2_journal_init_revoke_table_cache(void);



extern void	   jbd2_journal_destroy_revoke(journal_t *);

extern int	   jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *);