Revision - dda5690 - ext3: fix a BUG when opening a file with O_TMPFILE flag

Revision dda5690defe4af62ee120f055e98e40d97e4c760 authored by Zheng Liu on 21 July 2013, 02:03:20 UTC, committed by Theodore Ts'o on 21 July 2013, 02:03:20 UTC

ext3: fix a BUG when opening a file with O_TMPFILE flag

When we try to open a file with O_TMPFILE flag, we will trigger a bug.
The root cause is that in ext4_orphan_add() we check ->i_nlink == 0 and
this check always fails because we set ->i_nlink = 1 in
inode_init_always().  We can use the following program to trigger it:

int main(int argc, char *argv[])
{
	int fd;

	fd = open(argv[1], O_TMPFILE, 0666);
	if (fd < 0) {
		perror("open ");
		return -1;
	}
	close(fd);
	return 0;
}

The oops message looks like this:

kernel: kernel BUG at fs/ext3/namei.c:1992!
kernel: invalid opcode: 0000 [#1] SMP
kernel: Modules linked in: ext4 jbd2 crc16 cpufreq_ondemand ipv6 dm_mirror dm_region_hash dm_log dm_mod parport_pc parport serio_raw sg dcdbas pcspkr i2c_i801 ehci_pci ehci_hcd button acpi_cpufreq mperf e1000e ptp pps_core ttm drm_kms_helper drm hwmon i2c_algo_bit i2c_core ext3 jbd sd_mod ahci libahci libata scsi_mod uhci_hcd
kernel: CPU: 0 PID: 2882 Comm: tst_tmpfile Not tainted 3.11.0-rc1+ #4
kernel: Hardware name: Dell Inc. OptiPlex 780 /0V4W66, BIOS A05 08/11/2010
kernel: task: ffff880112d30050 ti: ffff8801124d4000 task.ti: ffff8801124d4000
kernel: RIP: 0010:[<ffffffffa00db5ae>] [<ffffffffa00db5ae>] ext3_orphan_add+0x6a/0x1eb [ext3]
kernel: RSP: 0018:ffff8801124d5cc8  EFLAGS: 00010202
kernel: RAX: 0000000000000000 RBX: ffff880111510128 RCX: ffff8801114683a0
kernel: RDX: 0000000000000000 RSI: ffff880111510128 RDI: ffff88010fcf65a8
kernel: RBP: ffff8801124d5d18 R08: 0080000000000000 R09: ffffffffa00d3b7f
kernel: R10: ffff8801114683a0 R11: ffff8801032a2558 R12: 0000000000000000
kernel: R13: ffff88010fcf6800 R14: ffff8801032a2558 R15: ffff8801115100d8
kernel: FS:  00007f5d172b5700(0000) GS:ffff880117c00000(0000) knlGS:0000000000000000
kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
kernel: CR2: 00007f5d16df15d0 CR3: 0000000110b1d000 CR4: 00000000000407f0
kernel: Stack:
kernel: 000000000000000c ffff8801048a7dc8 ffff8801114685a8 ffffffffa00b80d7
kernel: ffff8801124d5e38 ffff8801032a2558 ffff88010ce24d68 0000000000000000
kernel: ffff88011146b300 ffff8801124d5d44 ffff8801124d5d78 ffffffffa00db7e1
kernel: Call Trace:
kernel: [<ffffffffa00b80d7>] ? journal_start+0x8c/0xbd [jbd]
kernel: [<ffffffffa00db7e1>] ext3_tmpfile+0xb2/0x13b [ext3]
kernel: [<ffffffff821076f8>] path_openat+0x11f/0x5e7
kernel: [<ffffffff821c86b4>] ? list_del+0x11/0x30
kernel: [<ffffffff82065fa2>] ?  __dequeue_entity+0x33/0x38
kernel: [<ffffffff82107cd5>] do_filp_open+0x3f/0x8d
kernel: [<ffffffff82112532>] ? __alloc_fd+0x50/0x102
kernel: [<ffffffff820f9296>] do_sys_open+0x13b/0x1cd
kernel: [<ffffffff820f935c>] SyS_open+0x1e/0x20
kernel: [<ffffffff82398c02>] system_call_fastpath+0x16/0x1b
kernel: Code: 39 c7 0f 85 67 01 00 00 0f b7 03 25 00 f0 00 00 3d 00 40 00 00 74 18 3d 00 80 00 00 74 11 3d 00 a0 00 00 74 0a 83 7b 48 00 74 04 <0f> 0b eb fe 49 8b 85 50 03 00 00 4c 89 f6 48 c7 c7 c0 99 0e a0
kernel: RIP  [<ffffffffa00db5ae>] ext3_orphan_add+0x6a/0x1eb [ext3]
kernel: RSP <ffff8801124d5cc8>

Here we couldn't call clear_nlink() directly because in d_tmpfile() we
will call inode_dec_link_count() to decrease ->i_nlink.  So this commit
tries to call d_tmpfile() before ext4_orphan_add() to fix this problem.

Signed-off-by: Zheng Liu <wenqing.lz@taobao.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: Jan Kara <jack@suse.cz>
Cc: Al Viro <viro@zeniv.linux.org.uk>

1 parent e94bd34

Files
Changes

Permalinks

File	Mode	Size
cpu
debug
events
gcov
irq
power
sched
time
trace
.gitignore	-rw-r--r--	69 bytes
Kconfig.freezer	-rw-r--r--	52 bytes
Kconfig.hz	-rw-r--r--	1.7 KB
Kconfig.locks	-rw-r--r--	4.3 KB
Kconfig.preempt	-rw-r--r--	2.1 KB
Makefile	-rw-r--r--	7.0 KB
acct.c	-rw-r--r--	16.8 KB
async.c	-rw-r--r--	9.9 KB
audit.c	-rw-r--r--	44.8 KB
audit.h	-rw-r--r--	10.0 KB
audit_tree.c	-rw-r--r--	22.2 KB
audit_watch.c	-rw-r--r--	13.9 KB
auditfilter.c	-rw-r--r--	32.8 KB
auditsc.c	-rw-r--r--	63.8 KB
backtracetest.c	-rw-r--r--	2.1 KB
bounds.c	-rw-r--r--	600 bytes
capability.c	-rw-r--r--	12.3 KB
cgroup.c	-rw-r--r--	151.8 KB
cgroup_freezer.c	-rw-r--r--	12.9 KB
compat.c	-rw-r--r--	28.5 KB
configs.c	-rw-r--r--	2.8 KB
context_tracking.c	-rw-r--r--	5.5 KB
cpu.c	-rw-r--r--	17.1 KB
cpu_pm.c	-rw-r--r--	6.5 KB
cpuset.c	-rw-r--r--	77.6 KB
crash_dump.c	-rw-r--r--	1.2 KB
cred.c	-rw-r--r--	21.2 KB
delayacct.c	-rw-r--r--	5.1 KB
dma.c	-rw-r--r--	3.6 KB
elfcore.c	-rw-r--r--	459 bytes
exec_domain.c	-rw-r--r--	4.3 KB
exit.c	-rw-r--r--	42.6 KB
extable.c	-rw-r--r--	3.8 KB
fork.c	-rw-r--r--	45.7 KB
freezer.c	-rw-r--r--	4.4 KB
futex.c	-rw-r--r--	71.1 KB
futex_compat.c	-rw-r--r--	4.5 KB
groups.c	-rw-r--r--	6.0 KB
hrtimer.c	-rw-r--r--	47.7 KB
hung_task.c	-rw-r--r--	5.3 KB
irq_work.c	-rw-r--r--	4.5 KB
itimer.c	-rw-r--r--	7.3 KB
jump_label.c	-rw-r--r--	10.8 KB
kallsyms.c	-rw-r--r--	15.0 KB
kcmp.c	-rw-r--r--	4.3 KB
kexec.c	-rw-r--r--	42.3 KB
kmod.c	-rw-r--r--	19.3 KB
kprobes.c	-rw-r--r--	59.4 KB
ksysfs.c	-rw-r--r--	5.5 KB
kthread.c	-rw-r--r--	17.6 KB
latencytop.c	-rw-r--r--	7.6 KB
lglock.c	-rw-r--r--	1.9 KB
lockdep.c	-rw-r--r--	103.9 KB
lockdep_internals.h	-rw-r--r--	4.5 KB
lockdep_proc.c	-rw-r--r--	17.0 KB
lockdep_states.h	-rw-r--r--	233 bytes
modsign_certificate.S	-rw-r--r--	263 bytes
modsign_pubkey.c	-rw-r--r--	2.6 KB
module-internal.h	-rw-r--r--	495 bytes
module.c	-rw-r--r--	96.9 KB
module_signing.c	-rw-r--r--	5.9 KB
mutex-debug.c	-rw-r--r--	2.9 KB
mutex-debug.h	-rw-r--r--	1.7 KB
mutex.c	-rw-r--r--	24.5 KB
mutex.h	-rw-r--r--	1.3 KB
notifier.c	-rw-r--r--	16.0 KB
nsproxy.c	-rw-r--r--	6.2 KB
padata.c	-rw-r--r--	27.1 KB
panic.c	-rw-r--r--	11.1 KB
params.c	-rw-r--r--	21.9 KB
pid.c	-rw-r--r--	14.7 KB
pid_namespace.c	-rw-r--r--	8.9 KB
posix-cpu-timers.c	-rw-r--r--	39.5 KB
posix-timers.c	-rw-r--r--	30.2 KB
printk.c	-rw-r--r--	72.5 KB
profile.c	-rw-r--r--	16.1 KB
ptrace.c	-rw-r--r--	29.9 KB
range.c	-rw-r--r--	3.0 KB
rcu.h	-rw-r--r--	4.0 KB
rcupdate.c	-rw-r--r--	12.6 KB
rcutiny.c	-rw-r--r--	10.3 KB
rcutiny_plugin.h	-rw-r--r--	4.8 KB
rcutorture.c	-rw-r--r--	62.4 KB
rcutree.c	-rw-r--r--	100.9 KB
rcutree.h	-rw-r--r--	22.6 KB
rcutree_plugin.h	-rw-r--r--	68.5 KB
rcutree_trace.c	-rw-r--r--	12.9 KB
reboot.c	-rw-r--r--	9.2 KB
relay.c	-rw-r--r--	32.6 KB
res_counter.c	-rw-r--r--	4.3 KB
resource.c	-rw-r--r--	31.7 KB
rtmutex-debug.c	-rw-r--r--	4.7 KB
rtmutex-debug.h	-rw-r--r--	1.4 KB
rtmutex-tester.c	-rw-r--r--	8.7 KB
rtmutex.c	-rw-r--r--	26.9 KB
rtmutex.h	-rw-r--r--	1.1 KB
rtmutex_common.h	-rw-r--r--	3.3 KB
rwsem.c	-rw-r--r--	2.8 KB
seccomp.c	-rw-r--r--	13.9 KB
semaphore.c	-rw-r--r--	7.3 KB
signal.c	-rw-r--r--	95.0 KB
smp.c	-rw-r--r--	18.3 KB
smpboot.c	-rw-r--r--	6.9 KB
smpboot.h	-rw-r--r--	564 bytes
softirq.c	-rw-r--r--	21.0 KB
spinlock.c	-rw-r--r--	9.5 KB
srcu.c	-rw-r--r--	19.5 KB
stacktrace.c	-rw-r--r--	1.1 KB
stop_machine.c	-rw-r--r--	14.6 KB
sys.c	-rw-r--r--	50.1 KB
sys_ni.c	-rw-r--r--	6.0 KB
sysctl.c	-rw-r--r--	60.6 KB
sysctl_binary.c	-rw-r--r--	51.0 KB
task_work.c	-rw-r--r--	2.2 KB
taskstats.c	-rw-r--r--	16.4 KB
test_kprobes.c	-rw-r--r--	8.5 KB
time.c	-rw-r--r--	18.8 KB
timeconst.bc	-rw-r--r--	2.7 KB
timer.c	-rw-r--r--	46.5 KB
tracepoint.c	-rw-r--r--	19.8 KB
tsacct.c	-rw-r--r--	5.0 KB
uid16.c	-rw-r--r--	5.0 KB
up.c	-rw-r--r--	413 bytes
user-return-notifier.c	-rw-r--r--	1.3 KB
user.c	-rw-r--r--	5.2 KB
user_namespace.c	-rw-r--r--	22.7 KB
utsname.c	-rw-r--r--	2.9 KB
utsname_sysctl.c	-rw-r--r--	3.0 KB
wait.c	-rw-r--r--	10.7 KB
watchdog.c	-rw-r--r--	14.4 KB
workqueue.c	-rw-r--r--	138.5 KB
workqueue_internal.h	-rw-r--r--	2.1 KB

Showing with 0 additions and 0 deletions (0 / 0 diffs computed)

Computing file changes ...