    [PATCH] ext3/EA: Race in ext[23] xattr sharing code · fd1ea9ab
    Andreas Gruenbacher authored
    Andrew Tridgell and Stephen C. Tweedie have reported two different Oopses
    caused by a race condition in the mbcache, which is responsible for
    extended attribute sharing in ext2 and ext3.  Stephen tracked down the bug;
    I did the fix.
    
    Explanation:
    
    The mbcache caches the locations and content hashes of xattr blocks.  There
    are two access strategies: [1] xattr block disposal via
    mb_cache_entry_get(), [2] xattr block reuse (sharing) via
    mb_cache_entry_find_{first,next}().  There is no locking between the two
    methods, so between one mb_cache_entry_find_x and the next, a
    mb_cache_entry_get might come in, unhash the cache entry, and change the
    journaling state of the xattr buffer.  Subsequently, two things can happen:
    [a] the next mb_cache_entry_find_x may try to follow the mbcache hash chain
    starting from the entry that has become unhashed, which now is a stale
    pointer, [b] the block may have become deallocated, and then we try to
    reuse it.
    
    Fix this by converting the mbcache into a readers-writer style lock, and
    protect all block accesses in ext2/ext3 by the mbcache entry lock.  This
    ensures that destroying blocks is an exclusive operation that may not
    overlap xattr block reuse, while allowing multiple "re-users".  Write
    access to the xattr block's buffer is protected by the buffer lock.  
    Signed-off-by: Andreas Gruenbacher <agruen@suse.de>
    Signed-off-by: Andrew Morton <akpm@osdl.org>
    Signed-off-by: Linus Torvalds <torvalds@osdl.org>
mbcache.c 18.3 KB
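The locking discipline the commit message describes, as an added userspace model; this is not the kernel's fs/mbcache.c and not the authors' code. The model keeps the shape of the fix: a per-entry count where re-users (the find_first/find_next path) take shared holds and the disposer (the get path) takes an exclusive hold, so unhashing a block can never overlap a walk that still holds it, and find_next only ever follows the next pointer of an entry the caller still holds. The function names, the single hash chain and the choice to return -EBUSY where the kernel would sleep are assumptions made to keep the example single-threaded and deterministic; the two xattr blocks are constructed input.

```c
#include <stdlib.h>
#include <errno.h>

/* Added userspace model of the per-entry reader/writer discipline; not the
 * kernel's mbcache. "Refuse with -EBUSY instead of sleep" is an assumption. */
#define E_EXCLUSIVE (-1)

struct entry {
    unsigned long key;    /* content hash of the xattr block */
    unsigned long block;  /* block number on disk */
    int used;             /* >0: shared holders (re-users); E_EXCLUSIVE: disposer */
    int hashed;           /* still linked on the hash chain? */
    struct entry *next;   /* hash chain link */
};

struct cache { struct entry *head; };   /* one chain keeps the model small */

int cache_insert(struct cache *c, unsigned long key, unsigned long block)
{
    struct entry *e = calloc(1, sizeof *e);
    if (!e) return -ENOMEM;
    e->key = key; e->block = block; e->hashed = 1;
    e->next = c->head; c->head = e;
    return 0;
}

/* Walk from start; on a key match take a shared hold. Where the kernel would
 * sleep until the disposer is finished, this model returns -EBUSY. */
static int find_from(struct entry *start, unsigned long key, struct entry **out)
{
    *out = NULL;
    for (struct entry *e = start; e; e = e->next) {
        if (e->key != key) continue;
        if (e->used == E_EXCLUSIVE) return -EBUSY;  /* being disposed of */
        e->used++;
        *out = e;
        return 0;
    }
    return 0;   /* no further candidate */
}

int cache_find_first(struct cache *c, unsigned long key, struct entry **out)
{
    return find_from(c->head, key, out);
}

/* Continue after prev. The caller still holds prev, so nobody can have
 * unhashed it: prev->next is not a stale pointer. prev is released last. */
int cache_find_next(struct entry *prev, unsigned long key, struct entry **out)
{
    if (prev->used <= 0 || !prev->hashed) return -EINVAL;  /* not held/live */
    int rc = find_from(prev->next, key, out);
    prev->used--;
    return rc;
}

/* Disposal path: exclusive hold on the entry for a block. Refused while any
 * re-user holds it (the kernel waits here instead). */
int cache_entry_get(struct cache *c, unsigned long block, struct entry **out)
{
    *out = NULL;
    for (struct entry *e = c->head; e; e = e->next) {
        if (e->block != block) continue;
        if (e->used != 0) return -EBUSY;
        e->used = E_EXCLUSIVE;
        *out = e;
        return 0;
    }
    return -ENOENT;
}

void cache_entry_release(struct entry *e)
{
    e->used = (e->used == E_EXCLUSIVE) ? 0 : e->used - 1;
}

/* Unhash and free; only legal under the exclusive hold. */
int cache_entry_free(struct cache *c, struct entry *e)
{
    if (e->used != E_EXCLUSIVE) return -EPERM;
    for (struct entry **pp = &c->head; *pp; pp = &(*pp)->next)
        if (*pp == e) { *pp = e->next; break; }
    e->hashed = 0;
    free(e);
    return 0;
}

/* The interleaving from the commit message, step by step. Returns 0 when
 * every ordering constraint holds, otherwise the number of the failing step. */
int scenario_dispose_vs_reuse(void)
{
    struct cache c = { 0 };
    struct entry *r = NULL, *r2 = NULL, *n = NULL, *w = NULL;
    unsigned long key = 0xabc;   /* constructed: two sharable blocks, same hash */
    if (cache_insert(&c, key, 100) || cache_insert(&c, key, 101)) return 1;
    if (cache_find_first(&c, key, &r) || !r || r->block != 101) return 2;
    /* 3: disposer arrives for the block the re-user holds: refused, not freed */
    if (cache_entry_get(&c, r->block, &w) != -EBUSY) return 3;
    /* 4: a second re-user may share the same entry meanwhile */
    if (cache_find_first(&c, key, &r2) || r2 != r || r->used != 2) return 4;
    cache_entry_release(r2);
    /* 5: walking on takes the next entry before dropping prev */
    if (cache_find_next(r, key, &n) || !n || n->block != 100 || r->used != 0) return 5;
    /* 6: no holders left on block 101: disposal proceeds and is exclusive */
    if (cache_entry_get(&c, 101, &w) || !w || w->used != E_EXCLUSIVE) return 6;
    /* 7: a re-user arriving now is held off rather than handed a dying block */
    if (cache_find_first(&c, key, &r2) != -EBUSY) return 7;
    if (cache_entry_free(&c, w)) return 8;
    /* 9: after the free, the chain no longer yields the dead block */
    if (cache_find_first(&c, key, &r2) || r2 != n || n->used != 2) return 9;
    cache_entry_release(r2);
    cache_entry_release(n);
    /* 10: freeing without the exclusive hold is rejected */
    if (cache_entry_free(&c, n) != -EPERM) return 10;
    if (cache_entry_get(&c, 100, &w) || cache_entry_free(&c, w)) return 11;
    return 0;
}
```

Step 3 and step 7 are the two halves of the fix in the message: [b] cannot happen because disposal is refused while a re-user holds the block, and [a] cannot happen because a walker never releases prev before it has taken its successor, so prev->next is read from an entry that is still hashed. In the kernel the refusals are sleeps on a wait queue; the ordering constraints are the same.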