Must ensure that all the entries on the pd_pendinghd list have been committed to disk before clearing them. More specifically, when free_newdirblk is called, we know that the inode claims the new directory block. However, if the associated pagedep is still linked onto the directory buffer dependency chain, then some of the entries on the pd_pendinghd list may not be committed to disk yet. In this case, we will simply note that the inode claims the block and let the pd_pendinghd list be processed when the pagedep is next written. If the pagedep is no longer on the buffer dependency chain, then all the entries on the pd_pending list are committed to disk and we can free them in free_newdirblk. This corrects a window of vulnerability introduced in the code added in version 1.95.
parent 2f1cb61572
commit dc01275be9
@ -2017,12 +2017,20 @@ free_newdirblk(newdirblk)
|
||||
panic("free_newdirblk: lock not held");
|
||||
#endif
|
||||
/*
|
||||
* Free any directory additions that have been committed.
|
||||
* If the pagedep is still linked onto the directory buffer
|
||||
* dependency chain, then some of the entries on the
|
||||
* pd_pendinghd list may not be committed to disk yet. In
|
||||
* this case, we will simply clear the NEWBLOCK flag and
|
||||
* let the pd_pendinghd list be processed when the pagedep
|
||||
* is next written. If the pagedep is no longer on the buffer
|
||||
* dependency chain, then all the entries on the pd_pending
|
||||
* list are committed to disk and we can free them here.
|
||||
*/
|
||||
pagedep = newdirblk->db_pagedep;
|
||||
pagedep->pd_state &= ~NEWBLOCK;
|
||||
while ((dap = LIST_FIRST(&pagedep->pd_pendinghd)) != NULL)
|
||||
free_diradd(dap);
|
||||
if ((pagedep->pd_state & ONWORKLIST) == 0)
|
||||
while ((dap = LIST_FIRST(&pagedep->pd_pendinghd)) != NULL)
|
||||
free_diradd(dap);
|
||||
/*
|
||||
* If no dependencies remain, the pagedep will be freed.
|
||||
*/
|
||||
|
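Review bot: the guard `if ((pagedep->pd_state & ONWORKLIST) == 0)` is the whole fix, yet the comment above it never names ONWORKLIST. It speaks only of the pagedep being "linked onto the directory buffer dependency chain", so a reader has to infer that this flag is what records chain membership. Please say so in the comment, and put braces around the `if` body, since an unbraced `while` nested under an unbraced `if` is easy to break in a later edit. Two smaller points in the same comment: it refers to the list as both pd_pendinghd and "pd_pending list", and it says the code will "clear the NEWBLOCK flag" where the commit message says it will "note that the inode claims the block"; pick one wording for each. Finally, the trailing comment "If no dependencies remain, the pagedep will be freed" is now reached with pd_pendinghd possibly left non-empty on purpose. The code that follows is outside this hunk, so it is worth confirming that it treats the remaining entries as live dependencies and does not free the pagedep in that case.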