From: Nikita Danilov <Nikita@Namesys.COM>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15884.10772.44042.51586@laputa.namesys.com>
Date: Fri, 27 Dec 2002 13:23:16 +0300
To: Linus Torvalds <Torvalds@Transmeta.COM>,
       Linux Kernel Mailing List <Linux-Kernel@Vger.Kernel.ORG>
Subject: missed inode->i_hash cleanup in prune_icache()
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1093
Lines: 31

Hello,

fs/inode.c:prune_icache() does list_del(&inode->i_hash), and then calls
destroy_inode(). Inode is returned to the slab with ->i_hash still
containing dangling pointers. Probably this wasn't observed so far,
because prune_icache() is called during memory pressure and slab page
where inode is returned back into, is almost immediately released.

2.4 explicitly calls INIT_LIST_HEAD(&inode->i_hash) in prune_icache().

Following patch re-initializes ->i_hash.

Nikita.
===== fs/inode.c 1.84 vs edited =====
--- 1.84/fs/inode.c	Mon Dec 16 09:38:48 2002
+++ edited/fs/inode.c	Wed Dec 25 16:19:10 2002
@@ -248,7 +248,7 @@
 		struct inode *inode;
 
 		inode = list_entry(head->next, struct inode, i_list);
-		list_del(&inode->i_list);
+		list_del_init(&inode->i_list);
 
 		if (inode->i_data.nrpages)
 			truncate_inode_pages(&inode->i_data, 0);

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/