iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/fs
History
Zheng Liu e94bd3490f ext4: fix a BUG when opening a file with O_TMPFILE flag 
When we try to open a file with O_TMPFILE flag, we will trigger a bug.
The root cause is that in ext4_orphan_add() we check ->i_nlink == 0 and
this check always fails because we set ->i_nlink = 1 in
inode_init_always().  We can use the following program to trigger it:

int main(int argc, char *argv[])
{
	int fd;

	fd = open(argv[1], O_TMPFILE, 0666);
	if (fd < 0) {
		perror("open ");
		return -1;
	}
	close(fd);
	return 0;
}

The oops message looks like this:

kernel BUG at fs/ext4/namei.c:2572!
invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
Modules linked in: dlci bridge stp hidp cmtp kernelcapi l2tp_ppp l2tp_netlink l2tp_core sctp libcrc32c rfcomm tun fuse nfnetli
nk can_raw ipt_ULOG can_bcm x25 scsi_transport_iscsi ipx p8023 p8022 appletalk phonet psnap vmw_vsock_vmci_transport af_key vmw_vmci rose vsock atm can netrom ax25 af_rxrpc ir
da pppoe pppox ppp_generic slhc bluetooth nfc rfkill rds caif_socket caif crc_ccitt af_802154 llc2 llc snd_hda_codec_realtek snd_hda_intel snd_hda_codec serio_raw snd_pcm pcsp
kr edac_core snd_page_alloc snd_timer snd soundcore r8169 mii sr_mod cdrom pata_atiixp radeon backlight drm_kms_helper ttm
CPU: 1 PID: 1812571 Comm: trinity-child2 Not tainted 3.11.0-rc1+ #12
Hardware name: Gigabyte Technology Co., Ltd. GA-MA78GM-S2H/GA-MA78GM-S2H, BIOS F12a 04/23/2010
task: ffff88007dfe69a0 ti: ffff88010f7b6000 task.ti: ffff88010f7b6000
RIP: 0010:[<ffffffff8125ce69>]  [<ffffffff8125ce69>] ext4_orphan_add+0x299/0x2b0
RSP: 0018:ffff88010f7b7cf8  EFLAGS: 00010202
RAX: 0000000000000000 RBX: ffff8800966d3020 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff88007dfe70b8 RDI: 0000000000000001
RBP: ffff88010f7b7d40 R08: ffff880126a3c4e0 R09: ffff88010f7b7ca0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801271fd668
R13: ffff8800966d2f78 R14: ffff88011d7089f0 R15: ffff88007dfe69a0
FS:  00007f70441a3740(0000) GS:ffff88012a800000(0000) knlGS:00000000f77c96c0
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000002834000 CR3: 0000000107964000 CR4: 00000000000007e0
DR0: 0000000000780000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
Stack:
 0000000000002000 00000020810b6dde 0000000000000000 ffff88011d46db00
 ffff8800966d3020 ffff88011d7089f0 ffff88009c7f4c10 ffff88010f7b7f2c
 ffff88007dfe69a0 ffff88010f7b7da8 ffffffff8125cfac ffff880100000004
Call Trace:
 [<ffffffff8125cfac>] ext4_tmpfile+0x12c/0x180
 [<ffffffff811cba78>] path_openat+0x238/0x700
 [<ffffffff8100afc4>] ? native_sched_clock+0x24/0x80
 [<ffffffff811cc647>] do_filp_open+0x47/0xa0
 [<ffffffff811db73f>] ? __alloc_fd+0xaf/0x200
 [<ffffffff811ba2e4>] do_sys_open+0x124/0x210
 [<ffffffff81010725>] ? syscall_trace_enter+0x25/0x290
 [<ffffffff811ba3ee>] SyS_open+0x1e/0x20
 [<ffffffff816ca8d4>] tracesys+0xdd/0xe2
 [<ffffffff81001001>] ? start_thread_common.constprop.6+0x1/0xa0
Code: 04 00 00 00 89 04 24 31 c0 e8 c4 77 04 00 e9 43 fe ff ff 66 25 00 d0 66 3d 00 80 0f 84 0e fe ff ff 83 7b 48 00 0f 84 04 fe ff ff <0f> 0b 49 8b 8c 24 50 07 00 00 e9 88 fe ff ff 0f 1f 84 00 00 00

Here we couldn't call clear_nlink() directly because in d_tmpfile() we
will call inode_dec_link_count() to decrease ->i_nlink.  So this commit
tries to call d_tmpfile() before ext4_orphan_add() to fix this problem.

Reported-by: Dave Jones <davej@redhat.com>
Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Tested-by: Darrick J. Wong <darrick.wong@oracle.com>
Tested-by: Dave Jones <davej@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
2013-07-20 21:58:38 -04:00
..
9p
Second round of 9p patches for the 3.11 merge window.
2013-07-11 10:21:23 -07:00
adfs
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
affs
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
afs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-07-03 09:10:19 -07:00
autofs4
helper for reading ->d_count
2013-07-05 18:59:33 +04:00
befs
[readdir] convert befs
2013-06-29 12:56:55 +04:00
bfs
[readdir] convert bfs
2013-06-29 12:56:33 +04:00
btrfs
Btrfs: fix wrong write offset when replacing a device
2013-07-19 15:07:26 -04:00
cachefiles
mm: remove lru parameter from __pagevec_lru_add and remove parts of pagevec API
2013-07-03 16:07:31 -07:00
ceph
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client
2013-07-09 12:39:10 -07:00
cifs
CIFS: Fix a deadlock when a file is reopened
2013-07-11 18:05:41 -05:00
coda
helper for reading ->d_count
2013-07-05 18:59:33 +04:00
configfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-07-14 11:42:26 -07:00
cramfs
[readdir] convert f2fs
2013-06-29 12:56:46 +04:00
debugfs
debugfs: write_file_bool() - ensure strtobool() operates on valid data
2013-06-03 13:55:02 -07:00
devpts
fs: Limit sys_mount to only request filesystem modules (Part 2).
2013-03-07 01:08:55 -08:00
dlm
dlm: Avoid LVB truncation
2013-06-26 11:38:02 -05:00
ecryptfs
Code cleanups and improved buffer handling during page crypto operations
2013-07-11 10:20:18 -07:00
efivarfs
efivarfs: we can use simple_lookup() now
2013-07-14 17:48:35 +04:00
efs
[readdir] convert efs
2013-06-29 12:56:31 +04:00
exofs
Lots of bug fixes, cleanups and optimizations. In the bug fixes
2013-07-02 09:39:34 -07:00
exportfs
[readdir] constify ->actor
2013-06-29 12:57:05 +04:00
ext2
[O_TMPFILE] it's still short a few helpers, but infrastructure should be OK now...
2013-06-29 12:57:10 +04:00
ext3
Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2013-07-09 12:08:43 -07:00
ext4
ext4: fix a BUG when opening a file with O_TMPFILE flag
2013-07-20 21:58:38 -04:00
f2fs
f2fs: fix readdir incorrectness
2013-07-08 13:35:48 +04:00
fat
fatfs: add FAT_IOCTL_GET_VOLUME_ID
2013-07-09 10:33:25 -07:00
freevxfs
[readdir] convert freevxfs
2013-06-29 12:56:53 +04:00
fscache
FS-Cache: Don't use spin_is_locked() in assertions
2013-06-19 14:16:47 +01:00
fuse
mm: use totalram_pages instead of num_physpages at runtime
2013-07-03 16:07:35 -07:00
gfs2
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-07-03 09:10:19 -07:00
hfs
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
hfsplus
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
hostfs
[readdir] convert hostfs
2013-06-29 12:56:59 +04:00
hpfs
Merge branch 'hpfs' from Mikulas Patocka
2013-07-04 11:22:55 -07:00
hppfs
clean up scary strncpy(dst, src, strlen(src)) uses
2013-07-03 16:07:41 -07:00
hugetlbfs
hugetlbfs: fix mmap failure in unaligned size request
2013-05-07 18:38:27 -07:00
isofs
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
jbd
jbd: change journal_invalidatepage() to accept length
2013-05-21 23:26:36 -04:00
jbd2
jbd2: invalidate handle if jbd2_journal_restart() fails
2013-07-01 08:12:41 -04:00
jffs2
[readdir] convert jffs2
2013-06-29 12:56:47 +04:00
jfs
A couple cleanups to JFS for 3.11
2013-07-11 10:19:34 -07:00
lockd
Merge branch 'for-3.11' of git://linux-nfs.org/~bfields/linux
2013-07-17 13:43:55 -07:00
logfs
Lots of bug fixes, cleanups and optimizations. In the bug fixes
2013-07-02 09:39:34 -07:00
minix
minix: bug widening a binary "not" operation
2013-06-29 12:57:35 +04:00
ncpfs
ncpfs: fix error return code in ncp_parse_options()
2013-07-09 10:33:25 -07:00
nfs
NFSv4: Fix a regression against the FreeBSD server
2013-07-17 16:54:46 -04:00
nfs_common
nfsd
Merge branch 'for-3.11' of git://linux-nfs.org/~bfields/linux
2013-07-17 13:43:55 -07:00
nilfs2
helper for reading ->d_count
2013-07-05 18:59:33 +04:00
nls
notify
fsnotify: update comments concerning locking scheme
2013-07-09 10:33:20 -07:00
ntfs
Lots of bug fixes, cleanups and optimizations. In the bug fixes
2013-07-02 09:39:34 -07:00
ocfs2
ocfs2: fix NULL pointer dereference when traversing o2hb_all_regions
2013-07-03 16:07:25 -07:00
omfs
[readdir] convert omfs
2013-06-29 12:56:37 +04:00
openpromfs
[readdir] convert openpromfs
2013-06-29 12:56:32 +04:00
proc
s390/kdump: Disable mmap for s390
2013-07-18 13:40:18 +02:00
pstore
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
2013-07-04 10:29:23 -07:00
qnx4
[readdir] convert qnx4
2013-06-29 12:56:38 +04:00
qnx6
[readdir] convert qnx6
2013-06-29 12:56:39 +04:00
quota
quota: Convert use of typedef ctl_table to struct ctl_table
2013-07-04 19:22:55 +02:00
ramfs
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-02-26 20:16:07 -08:00
reiserfs
Lots of bug fixes, cleanups and optimizations. In the bug fixes
2013-07-02 09:39:34 -07:00
romfs
[readdir] convert romfs
2013-06-29 12:56:29 +04:00
squashfs
[readdir] convert squashfs
2013-06-29 12:56:28 +04:00
sysfs
sysfs: prevent warning when only using binary attributes
2013-07-16 10:57:36 -07:00
sysv
Don't pass inode to ->d_hash() and ->d_compare()
2013-06-29 12:57:36 +04:00
ubifs
Only a single patch which fixes a message.
2013-07-05 12:08:47 -07:00
udf
udf: provide ->tmpfile()
2013-06-29 12:57:12 +04:00
ufs
[readdir] simple local unixlike: switch to ->iterate()
2013-06-29 12:46:47 +04:00
xfs
xfs: update (#2) for 3.11-rc1
2013-07-13 11:40:24 -07:00
aio.c
aio: fix wrong comment in aio_complete()
2013-07-03 16:08:06 -07:00
anon_inodes.c
get_empty_filp()/alloc_file() leave both ->f_pos and ->f_version zero
2013-02-26 02:46:11 -05:00
attr.c
bad_inode.c
[readdir] ->readdir() is gone
2013-06-29 12:57:04 +04:00
binfmt_aout.c
mm: remove free_area_cache
2013-07-10 18:11:34 -07:00
binfmt_elf_fdpic.c
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc
2013-05-02 10:16:16 -07:00
binfmt_elf.c
mm: remove free_area_cache
2013-07-10 18:11:34 -07:00
binfmt_em86.c
binfmt_flat.c
new helper: read_code()
2013-04-29 15:40:23 -04:00
binfmt_misc.c
binfmt_misc: reuse string_unescape_inplace()
2013-04-30 17:04:03 -07:00
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio-integrity: Add explicit field for owner of bip_buf
2013-03-23 14:26:34 -07:00
bio.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
block_dev.c
Merge branch 'for-3.11/core' of git://git.kernel.dk/linux-block
2013-07-11 13:03:24 -07:00
buffer.c
mm: vmscan: take page buffers dirty and locked state into account
2013-07-03 16:07:29 -07:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
compat.c: LOOP_CLR_FD is taken care of in loop.c itself...
2013-06-29 12:46:44 +04:00
compat.c
[readdir] constify ->actor
2013-06-29 12:57:05 +04:00
coredump.c
coredump: '% at the end' shouldn't bypass core_uses_pid logic
2013-07-03 16:08:02 -07:00
coredump.h
dcache.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-07-03 09:10:19 -07:00
dcookies.c
consolidate compat lookup_dcookie()
2013-03-03 23:00:23 -05:00
direct-io.c
Merge branch 'for-3.10/core' of git://git.kernel.dk/linux-block
2013-05-08 10:13:35 -07:00
drop_caches.c
eventfd.c
eventpoll.c
Merge branch 'akpm' (updates from Andrew Morton)
2013-07-03 17:12:13 -07:00
exec.c
fs/exec.c:de_thread: mt-exec should update ->real_start_time
2013-07-03 16:08:03 -07:00
fcntl.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
fhandle.c
file_table.c
fput: turn "list_head delayed_fput_list" into llist_head
2013-07-13 13:29:10 +04:00
file.c
don't bother with deferred freeing of fdtables
2013-05-01 17:31:42 -04:00
filesystems.c
fs: Limit sys_mount to only request filesystem modules.
2013-03-03 19:36:31 -08:00
fs_struct.c
constify path_get/path_put and fs_struct.c stuff
2013-03-01 23:51:07 -05:00
fs-writeback.c
mm/writeback: don't check force_wait to handle bdi->work_list
2013-07-09 10:33:22 -07:00
generic_acl.c
inode.c
allow the temp files created by open() to be linked to
2013-06-29 12:57:11 +04:00
internal.h
constify rw_verify_area()
2013-06-29 12:57:34 +04:00
ioctl.c
new helper: file_inode(file)
2013-02-22 23:31:31 -05:00
ioprio.c
Kconfig
efivarfs: Move to fs/efivarfs
2013-04-17 13:25:09 +01:00
Kconfig.binfmt
fs: make binfmt support for #! scripts modular and removable
2013-04-30 17:04:04 -07:00
libfs.c
make simple_lookup() usable for filesystems that set ->s_d_op
2013-07-14 17:43:25 +04:00
locks.c
locks: move file_lock_list to a set of percpu hlist_heads and convert file_lock_lock to an lglock
2013-07-08 13:36:42 +04:00
Makefile
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
mbcache.c
mount.h
get rid of full-hash scan on detaching vfsmounts
2013-04-09 14:12:52 -04:00
mpage.c
namei.c
Safer ABI for O_TMPFILE
2013-07-13 13:26:37 +04:00
namespace.c
create_mnt_ns: unidiomatic use of list_add()
2013-05-04 15:18:53 -04:00
no-block.c
open.c
allow O_TMPFILE to work with O_WRONLY
2013-07-20 03:11:32 +04:00
pipe.c
aio: don't include aio.h in sched.h
2013-05-07 20:16:25 -07:00
pnode.c
vfs: Fix invalid ida_remove() call
2013-05-31 15:16:33 -04:00
pnode.h
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-05-01 17:51:54 -07:00
posix_acl.c
proc_namespace.c
read_write.c
vfs: export lseek_execute() to modules
2013-07-03 16:23:27 +04:00
readdir.c
[readdir] constify ->actor
2013-06-29 12:57:05 +04:00
select.c
net: rename include/net/ll_poll.h to include/net/busy_poll.h
2013-07-10 17:08:27 -07:00
seq_file.c
seq_file: add seq_list_*_percpu helpers
2013-07-08 13:36:41 +04:00
signalfd.c
switch signalfd{,4}() to COMPAT_SYSCALL_DEFINE
2013-03-03 22:58:46 -05:00
splice.c
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2013-07-03 09:10:19 -07:00
stack.c
stat.c
switch vfs_getattr() to struct path
2013-02-26 02:46:08 -05:00
statfs.c
super.c
livelock avoidance in sget()
2013-07-20 04:58:58 +04:00
sync.c
teach SYSCALL_DEFINE<n> how to deal with long long/unsigned long long
2013-03-03 22:46:22 -05:00
timerfd.c
timerfd: Add alarm timers
2013-05-29 12:57:34 -07:00
utimes.c
xattr_acl.c
xattr.c