Commit b8bd6257 authored by Chengguang Xu's avatar Chengguang Xu Committed by Greg Kroah-Hartman

jbd2: fix potential double free

commit 0d52154b upstream.

When failing from creating cache jbd2_inode_cache, we will destroy the
previously created cache jbd2_handle_cache twice.  This patch fixes
this by moving each cache initialization/destruction to its own
separate, individual function.
Signed-off-by: default avatarChengguang Xu <cgxu519@gmail.com>
Signed-off-by: default avatarTheodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 8e9dbdd6
...@@ -2375,22 +2375,19 @@ static struct kmem_cache *jbd2_journal_head_cache; ...@@ -2375,22 +2375,19 @@ static struct kmem_cache *jbd2_journal_head_cache;
static atomic_t nr_journal_heads = ATOMIC_INIT(0); static atomic_t nr_journal_heads = ATOMIC_INIT(0);
#endif #endif
static int jbd2_journal_init_journal_head_cache(void) static int __init jbd2_journal_init_journal_head_cache(void)
{ {
int retval; J_ASSERT(!jbd2_journal_head_cache);
J_ASSERT(jbd2_journal_head_cache == NULL);
jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head", jbd2_journal_head_cache = kmem_cache_create("jbd2_journal_head",
sizeof(struct journal_head), sizeof(struct journal_head),
0, /* offset */ 0, /* offset */
SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU, SLAB_TEMPORARY | SLAB_TYPESAFE_BY_RCU,
NULL); /* ctor */ NULL); /* ctor */
retval = 0;
if (!jbd2_journal_head_cache) { if (!jbd2_journal_head_cache) {
retval = -ENOMEM;
printk(KERN_EMERG "JBD2: no memory for journal_head cache\n"); printk(KERN_EMERG "JBD2: no memory for journal_head cache\n");
return -ENOMEM;
} }
return retval; return 0;
} }
static void jbd2_journal_destroy_journal_head_cache(void) static void jbd2_journal_destroy_journal_head_cache(void)
...@@ -2636,28 +2633,38 @@ static void __exit jbd2_remove_jbd_stats_proc_entry(void) ...@@ -2636,28 +2633,38 @@ static void __exit jbd2_remove_jbd_stats_proc_entry(void)
struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache; struct kmem_cache *jbd2_handle_cache, *jbd2_inode_cache;
static int __init jbd2_journal_init_inode_cache(void)
{
J_ASSERT(!jbd2_inode_cache);
jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
if (!jbd2_inode_cache) {
pr_emerg("JBD2: failed to create inode cache\n");
return -ENOMEM;
}
return 0;
}
static int __init jbd2_journal_init_handle_cache(void) static int __init jbd2_journal_init_handle_cache(void)
{ {
J_ASSERT(!jbd2_handle_cache);
jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY); jbd2_handle_cache = KMEM_CACHE(jbd2_journal_handle, SLAB_TEMPORARY);
if (jbd2_handle_cache == NULL) { if (!jbd2_handle_cache) {
printk(KERN_EMERG "JBD2: failed to create handle cache\n"); printk(KERN_EMERG "JBD2: failed to create handle cache\n");
return -ENOMEM; return -ENOMEM;
} }
jbd2_inode_cache = KMEM_CACHE(jbd2_inode, 0);
if (jbd2_inode_cache == NULL) {
printk(KERN_EMERG "JBD2: failed to create inode cache\n");
kmem_cache_destroy(jbd2_handle_cache);
return -ENOMEM;
}
return 0; return 0;
} }
static void jbd2_journal_destroy_inode_cache(void)
{
kmem_cache_destroy(jbd2_inode_cache);
jbd2_inode_cache = NULL;
}
static void jbd2_journal_destroy_handle_cache(void) static void jbd2_journal_destroy_handle_cache(void)
{ {
kmem_cache_destroy(jbd2_handle_cache); kmem_cache_destroy(jbd2_handle_cache);
jbd2_handle_cache = NULL; jbd2_handle_cache = NULL;
kmem_cache_destroy(jbd2_inode_cache);
jbd2_inode_cache = NULL;
} }
/* /*
...@@ -2668,11 +2675,15 @@ static int __init journal_init_caches(void) ...@@ -2668,11 +2675,15 @@ static int __init journal_init_caches(void)
{ {
int ret; int ret;
ret = jbd2_journal_init_revoke_caches(); ret = jbd2_journal_init_revoke_record_cache();
if (ret == 0)
ret = jbd2_journal_init_revoke_table_cache();
if (ret == 0) if (ret == 0)
ret = jbd2_journal_init_journal_head_cache(); ret = jbd2_journal_init_journal_head_cache();
if (ret == 0) if (ret == 0)
ret = jbd2_journal_init_handle_cache(); ret = jbd2_journal_init_handle_cache();
if (ret == 0)
ret = jbd2_journal_init_inode_cache();
if (ret == 0) if (ret == 0)
ret = jbd2_journal_init_transaction_cache(); ret = jbd2_journal_init_transaction_cache();
return ret; return ret;
...@@ -2680,9 +2691,11 @@ static int __init journal_init_caches(void) ...@@ -2680,9 +2691,11 @@ static int __init journal_init_caches(void)
static void jbd2_journal_destroy_caches(void) static void jbd2_journal_destroy_caches(void)
{ {
jbd2_journal_destroy_revoke_caches(); jbd2_journal_destroy_revoke_record_cache();
jbd2_journal_destroy_revoke_table_cache();
jbd2_journal_destroy_journal_head_cache(); jbd2_journal_destroy_journal_head_cache();
jbd2_journal_destroy_handle_cache(); jbd2_journal_destroy_handle_cache();
jbd2_journal_destroy_inode_cache();
jbd2_journal_destroy_transaction_cache(); jbd2_journal_destroy_transaction_cache();
jbd2_journal_destroy_slabs(); jbd2_journal_destroy_slabs();
} }
......
...@@ -178,33 +178,41 @@ static struct jbd2_revoke_record_s *find_revoke_record(journal_t *journal, ...@@ -178,33 +178,41 @@ static struct jbd2_revoke_record_s *find_revoke_record(journal_t *journal,
return NULL; return NULL;
} }
void jbd2_journal_destroy_revoke_caches(void) void jbd2_journal_destroy_revoke_record_cache(void)
{ {
kmem_cache_destroy(jbd2_revoke_record_cache); kmem_cache_destroy(jbd2_revoke_record_cache);
jbd2_revoke_record_cache = NULL; jbd2_revoke_record_cache = NULL;
}
void jbd2_journal_destroy_revoke_table_cache(void)
{
kmem_cache_destroy(jbd2_revoke_table_cache); kmem_cache_destroy(jbd2_revoke_table_cache);
jbd2_revoke_table_cache = NULL; jbd2_revoke_table_cache = NULL;
} }
int __init jbd2_journal_init_revoke_caches(void) int __init jbd2_journal_init_revoke_record_cache(void)
{ {
J_ASSERT(!jbd2_revoke_record_cache); J_ASSERT(!jbd2_revoke_record_cache);
J_ASSERT(!jbd2_revoke_table_cache);
jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s, jbd2_revoke_record_cache = KMEM_CACHE(jbd2_revoke_record_s,
SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY); SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY);
if (!jbd2_revoke_record_cache)
goto record_cache_failure;
if (!jbd2_revoke_record_cache) {
pr_emerg("JBD2: failed to create revoke_record cache\n");
return -ENOMEM;
}
return 0;
}
int __init jbd2_journal_init_revoke_table_cache(void)
{
J_ASSERT(!jbd2_revoke_table_cache);
jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s, jbd2_revoke_table_cache = KMEM_CACHE(jbd2_revoke_table_s,
SLAB_TEMPORARY); SLAB_TEMPORARY);
if (!jbd2_revoke_table_cache) if (!jbd2_revoke_table_cache) {
goto table_cache_failure; pr_emerg("JBD2: failed to create revoke_table cache\n");
return 0;
table_cache_failure:
jbd2_journal_destroy_revoke_caches();
record_cache_failure:
return -ENOMEM; return -ENOMEM;
}
return 0;
} }
static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size) static struct jbd2_revoke_table_s *jbd2_journal_init_revoke_table(int hash_size)
......
...@@ -42,9 +42,11 @@ int __init jbd2_journal_init_transaction_cache(void) ...@@ -42,9 +42,11 @@ int __init jbd2_journal_init_transaction_cache(void)
0, 0,
SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY, SLAB_HWCACHE_ALIGN|SLAB_TEMPORARY,
NULL); NULL);
if (transaction_cache) if (!transaction_cache) {
return 0; pr_emerg("JBD2: failed to create transaction cache\n");
return -ENOMEM; return -ENOMEM;
}
return 0;
} }
void jbd2_journal_destroy_transaction_cache(void) void jbd2_journal_destroy_transaction_cache(void)
......
...@@ -1318,7 +1318,7 @@ extern void __wait_on_journal (journal_t *); ...@@ -1318,7 +1318,7 @@ extern void __wait_on_journal (journal_t *);
/* Transaction cache support */ /* Transaction cache support */
extern void jbd2_journal_destroy_transaction_cache(void); extern void jbd2_journal_destroy_transaction_cache(void);
extern int jbd2_journal_init_transaction_cache(void); extern int __init jbd2_journal_init_transaction_cache(void);
extern void jbd2_journal_free_transaction(transaction_t *); extern void jbd2_journal_free_transaction(transaction_t *);
/* /*
...@@ -1446,8 +1446,10 @@ static inline void jbd2_free_inode(struct jbd2_inode *jinode) ...@@ -1446,8 +1446,10 @@ static inline void jbd2_free_inode(struct jbd2_inode *jinode)
/* Primary revoke support */ /* Primary revoke support */
#define JOURNAL_REVOKE_DEFAULT_HASH 256 #define JOURNAL_REVOKE_DEFAULT_HASH 256
extern int jbd2_journal_init_revoke(journal_t *, int); extern int jbd2_journal_init_revoke(journal_t *, int);
extern void jbd2_journal_destroy_revoke_caches(void); extern void jbd2_journal_destroy_revoke_record_cache(void);
extern int jbd2_journal_init_revoke_caches(void); extern void jbd2_journal_destroy_revoke_table_cache(void);
extern int __init jbd2_journal_init_revoke_record_cache(void);
extern int __init jbd2_journal_init_revoke_table_cache(void);
extern void jbd2_journal_destroy_revoke(journal_t *); extern void jbd2_journal_destroy_revoke(journal_t *);
extern int jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *); extern int jbd2_journal_revoke (handle_t *, unsigned long long, struct buffer_head *);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment