[Cluster-devel] cluster/gfs-kernel/src/gfs ops_export.c ops_in ...

wcheng at sourceware.org
Tue Jun 5 18:43:53 UTC 2007


CVSROOT:	/cvs/cluster
Module name:	cluster
Branch: 	RHEL4
Changes by:	wcheng at sourceware.org	2007-06-05 18:43:53

Modified files:
	gfs-kernel/src/gfs: ops_export.c ops_inode.c 

Log message:
	Bugzilla 242720
	
	Fix a race between GFS lookup code and VM cache reclaim logic kicked off
	under memory pressure. At the end of the lookup, gfs releases the inode glock
	prematurely.  This creates a window inside the bottom portion of the logic
	that could make gfs_iget update the associated GFS inode memory that
	has been freed. Depending on who gets the new memory, unspecified corruptions
	occur.
	
	In the case where this bug was found (RHEL5 bugzilla 236565), it corrupts
	a TCP buffer head that ends up trashing the nfsd kernel stack.

Patches:
http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_export.c.diff?cvsroot=cluster&only_with_tag=RHEL4&r1=1.3.2.4&r2=1.3.2.5
http://sourceware.org/cgi-bin/cvsweb.cgi/cluster/gfs-kernel/src/gfs/ops_inode.c.diff?cvsroot=cluster&only_with_tag=RHEL4&r1=1.6.2.6&r2=1.6.2.7

--- cluster/gfs-kernel/src/gfs/ops_export.c	2007/02/13 05:40:59	1.3.2.4
+++ cluster/gfs-kernel/src/gfs/ops_export.c	2007/06/05 18:43:53	1.3.2.5
@@ -364,11 +364,11 @@
 		goto fail;
 
  out:
-	gfs_glock_dq_uninit(&i_gh);
-
 	inode = gfs_iget(ip, CREATE);
 	gfs_inode_put(ip);
 
+	gfs_glock_dq_uninit(&i_gh);
+
 	if (!inode)
 		return ERR_PTR(-ENOMEM);
 
--- cluster/gfs-kernel/src/gfs/ops_inode.c	2007/02/14 23:15:44	1.6.2.6
+++ cluster/gfs-kernel/src/gfs/ops_inode.c	2007/06/05 18:43:53	1.6.2.7
@@ -324,12 +324,12 @@
 	if (i_gh.gh_gl) {
 		ip = gl2ip(i_gh.gh_gl);
 
-		gfs_glock_dq_uninit(&d_gh);
-		gfs_glock_dq_uninit(&i_gh);
-
 		inode = gfs_iget(ip, CREATE);
 		gfs_inode_put(ip);
 
+		gfs_glock_dq_uninit(&d_gh);
+		gfs_glock_dq_uninit(&i_gh);
+
 		if (!inode)
 			return ERR_PTR(-ENOMEM);
 	} else
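Review bot: same fix as in ops_export.c, but here two holders (`d_gh` and `i_gh`) are moved below `gfs_iget`/`gfs_inode_put`, and the hunk ends at `} else` with the other branch outside the diff; confirm that the else branch still releases `d_gh` on its own, since after this change the `if (i_gh.gh_gl)` branch releases both holders itself and the two paths must remain balanced. As with the other file, a short comment explaining why `gfs_glock_dq_uninit(&i_gh)` must follow `gfs_inode_put(ip)` (the glock keeps the `ip` from `gl2ip` from being reclaimed) would document the ordering dependency the race fix relies on.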
