--- /dev/null
+From 1bb933fb1fa8e4cb337a0d5dfd2ff4c0dc2073e8 Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 20 May 2011 13:55:29 -0400
+Subject: ext4: fix possible use-after-free in
+ ext4_remove_li_request()
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 1bb933fb1fa8e4cb337a0d5dfd2ff4c0dc2073e8 upstream.
+
+We need to take reference to the s_li_request after we take a mutex,
+because it might be freed since then, hence result in accessing old
+already freed memory. Also we should protect the whole
+ext4_remove_li_request() because ext4_li_info might be in the process of
+being freed in ext4_lazyinit_thread().
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/super.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2730,14 +2730,16 @@ static void ext4_remove_li_request(struc
+
+ static void ext4_unregister_li_request(struct super_block *sb)
+ {
+- struct ext4_li_request *elr = EXT4_SB(sb)->s_li_request;
+-
+- if (!ext4_li_info)
++ mutex_lock(&ext4_li_mtx);
++ if (!ext4_li_info) {
++ mutex_unlock(&ext4_li_mtx);
+ return;
++ }
+
+ mutex_lock(&ext4_li_info->li_list_mtx);
+- ext4_remove_li_request(elr);
++ ext4_remove_li_request(EXT4_SB(sb)->s_li_request);
+ mutex_unlock(&ext4_li_info->li_list_mtx);
++ mutex_unlock(&ext4_li_mtx);
+ }
+
+ static struct task_struct *ext4_lazyinit_task;
--- /dev/null
+From 4ed5c033c11b33149d993734a6a8de1016e8f03f Mon Sep 17 00:00:00 2001
+From: Lukas Czerner <lczerner@redhat.com>
+Date: Fri, 20 May 2011 13:49:04 -0400
+Subject: ext4: Use schedule_timeout_interruptible() for waiting in
+ lazyinit thread
+
+From: Lukas Czerner <lczerner@redhat.com>
+
+commit 4ed5c033c11b33149d993734a6a8de1016e8f03f upstream.
+
+In order to make lazyinit eat approx. 10% of io bandwidth at max, we
+are sleeping between zeroing each single inode table. For that purpose
+we are using timer which wakes up thread when it expires. It is set
+via add_timer() and this may cause troubles in the case that thread
+has been woken up earlier and in next iteration we call add_timer() on
+still running timer hence hitting BUG_ON in add_timer(). We could fix
+that by using mod_timer() instead however we can use
+schedule_timeout_interruptible() for waiting and hence simplifying
+things a lot.
+
+This commit exchange the old "waiting mechanism" with simple
+schedule_timeout_interruptible(), setting the time to sleep. Hence we
+do not longer need li_wait_daemon waiting queue and others, so get rid
+of it.
+
+Addresses-Red-Hat-Bugzilla: #699708
+
+Signed-off-by: Lukas Czerner <lczerner@redhat.com>
+Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
+Reviewed-by: Eric Sandeen <sandeen@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/ext4/ext4.h | 4 ----
+ fs/ext4/super.c | 31 ++++++-------------------------
+ 2 files changed, 6 insertions(+), 29 deletions(-)
+
+--- a/fs/ext4/ext4.h
++++ b/fs/ext4/ext4.h
+@@ -1590,12 +1590,8 @@ void ext4_get_group_no_and_offset(struct
+ */
+ struct ext4_lazy_init {
+ unsigned long li_state;
+-
+- wait_queue_head_t li_wait_daemon;
+ wait_queue_head_t li_wait_task;
+- struct timer_list li_timer;
+ struct task_struct *li_task;
+-
+ struct list_head li_request_list;
+ struct mutex li_list_mtx;
+ };
+--- a/fs/ext4/super.c
++++ b/fs/ext4/super.c
+@@ -2659,12 +2659,6 @@ static void print_daily_error_info(unsig
+ mod_timer(&sbi->s_err_report, jiffies + 24*60*60*HZ); /* Once a day */
+ }
+
+-static void ext4_lazyinode_timeout(unsigned long data)
+-{
+- struct task_struct *p = (struct task_struct *)data;
+- wake_up_process(p);
+-}
+-
+ /* Find next suitable group and run ext4_init_inode_table */
+ static int ext4_run_li_request(struct ext4_li_request *elr)
+ {
+@@ -2712,7 +2706,7 @@ static int ext4_run_li_request(struct ex
+
+ /*
+ * Remove lr_request from the list_request and free the
+- * request tructure. Should be called with li_list_mtx held
++ * request structure. Should be called with li_list_mtx held
+ */
+ static void ext4_remove_li_request(struct ext4_li_request *elr)
+ {
+@@ -2758,14 +2752,10 @@ static int ext4_lazyinit_thread(void *ar
+ struct ext4_lazy_init *eli = (struct ext4_lazy_init *)arg;
+ struct list_head *pos, *n;
+ struct ext4_li_request *elr;
+- unsigned long next_wakeup;
+- DEFINE_WAIT(wait);
++ unsigned long next_wakeup, cur;
+
+ BUG_ON(NULL == eli);
+
+- eli->li_timer.data = (unsigned long)current;
+- eli->li_timer.function = ext4_lazyinode_timeout;
+-
+ eli->li_task = current;
+ wake_up(&eli->li_wait_task);
+
+@@ -2799,19 +2789,15 @@ cont_thread:
+ if (freezing(current))
+ refrigerator();
+
+- if ((time_after_eq(jiffies, next_wakeup)) ||
++ cur = jiffies;
++ if ((time_after_eq(cur, next_wakeup)) ||
+ (MAX_JIFFY_OFFSET == next_wakeup)) {
+ cond_resched();
+ continue;
+ }
+
+- eli->li_timer.expires = next_wakeup;
+- add_timer(&eli->li_timer);
+- prepare_to_wait(&eli->li_wait_daemon, &wait,
+- TASK_INTERRUPTIBLE);
+- if (time_before(jiffies, next_wakeup))
+- schedule();
+- finish_wait(&eli->li_wait_daemon, &wait);
++ schedule_timeout_interruptible(next_wakeup - cur);
++
+ if (kthread_should_stop()) {
+ ext4_clear_request_list();
+ goto exit_thread;
+@@ -2835,12 +2821,10 @@ exit_thread:
+ goto cont_thread;
+ }
+ mutex_unlock(&eli->li_list_mtx);
+- del_timer_sync(&ext4_li_info->li_timer);
+ eli->li_task = NULL;
+ wake_up(&eli->li_wait_task);
+
+ kfree(ext4_li_info);
+- ext4_lazyinit_task = NULL;
+ ext4_li_info = NULL;
+ mutex_unlock(&ext4_li_mtx);
+
+@@ -2868,7 +2852,6 @@ static int ext4_run_lazyinit_thread(void
+ if (IS_ERR(ext4_lazyinit_task)) {
+ int err = PTR_ERR(ext4_lazyinit_task);
+ ext4_clear_request_list();
+- del_timer_sync(&ext4_li_info->li_timer);
+ kfree(ext4_li_info);
+ ext4_li_info = NULL;
+ printk(KERN_CRIT "EXT4: error %d creating inode table "
+@@ -2917,9 +2900,7 @@ static int ext4_li_info_new(void)
+ INIT_LIST_HEAD(&eli->li_request_list);
+ mutex_init(&eli->li_list_mtx);
+
+- init_waitqueue_head(&eli->li_wait_daemon);
+ init_waitqueue_head(&eli->li_wait_task);
+- init_timer(&eli->li_timer);
+ eli->li_state |= EXT4_LAZYINIT_QUIT;
+
+ ext4_li_info = eli;
projects / thirdparty / kernel / stable-queue.git / commitdiff
