| author | Andrew Morton <akpm@digeo.com> | 2003-03-22 07:35:06 -0800 |
|---|---|---|
| committer | David S. Miller <davem@kernel.bkbits.net> | 2003-03-22 07:35:06 -0800 |
| commit | 7dbfb92c19aa738572a41870e3b3f1c15f88777b (patch) | |
| tree | a78ec414919b9245824243408e0c85ca84b2a8db /fs/ext3/xattr.c | |
| parent | 34f2047de1ac6c5a34791b782138cccfcce6cd2e (diff) | |
| download | history-7dbfb92c19aa738572a41870e3b3f1c15f88777b.tar.gz | |
[PATCH] ext3: fix use-after-free bug
ext3_writepage() calls ext3_journal_stop(), which dereferences the affected
inode.
It does this _after_ writing the page out, which is illegal. The IO can
complete, the page can be released from the inode and the inode can be freed
up.
It's a long-standing bug. It has been reported happening on preemptible
kernels, where the timing window is larger.
Fix that up by teaching ext3_journal_stop to locate the superblock via the
journal structure, not via the inode.
This means that ext3_journal_stop() does not need the inode argument at all.
Also uninline the affected functions. It saves 5.5 kbytes.
Also remove the setting of sb->s_dirt in ext3_journal_stop(). That was an
awkward way of telling sys_sync() that the filesystem needs a commit, and
with the ext3_sync_fs() that is no longer needed.
Diffstat (limited to 'fs/ext3/xattr.c')
-rw-r--r-- | fs/ext3/xattr.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/ext3/xattr.c b/fs/ext3/xattr.c index 2cb85fb47f0865..8eee2a4b010d81 100644 --- a/fs/ext3/xattr.c +++ b/fs/ext3/xattr.c @@ -855,7 +855,7 @@ ext3_xattr_set(struct inode *inode, int name_index, const char *name, else error = ext3_xattr_set_handle(handle, inode, name_index, name, value, value_len, flags); - error2 = ext3_journal_stop(handle, inode); + error2 = ext3_journal_stop(handle); unlock_kernel(); return error ? error : error2; |
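Review bot: the call-site change from `ext3_journal_stop(handle, inode)` to `ext3_journal_stop(handle)` only compiles together with the prototype change in the shared ext3 journal header, which is not in this view (the diffstat is limited to fs/ext3/xattr.c); the whole commit must be applied atomically, since this hunk alone leaves the tree unbuildable. On the surrounding unchanged lines, `return error ? error : error2;` silently discards a journal-stop failure whenever the set itself failed, which is pre-existing behaviour but worth a one-line comment so the precedence is clearly intentional.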