gfs2: clean up iopen glock mess in gfs2_create_inode
authorBob Peterson <rpeterso@redhat.com>
Tue, 19 Nov 2019 16:40:46 +0000 (11:40 -0500)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 1 Oct 2020 11:12:30 +0000 (13:12 +0200)
[ Upstream commit 2c47c1be51fbded1f7baa2ceaed90f97932f79be ]

Before this patch, gfs2_create_inode had a use-after-free for the
iopen glock in some error paths because it did this:

gfs2_glock_put(io_gl);
fail_gunlock2:
if (io_gl)
clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);

In some cases, the io_gl was used for create and only had one
reference, so the glock might be freed before the clear_bit().
This patch tries to straighten it out by only jumping to the
error paths where iopen is properly set, and moving the
gfs2_glock_put after the clear_bit.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
fs/gfs2/inode.c

index 6c6401084d3d8f72c20b3e3c208234b8f0a895b5..e893b1fbde98b9855f14e13b71f9ab828e504f06 100644 (file)
@@ -714,7 +714,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
        error = gfs2_trans_begin(sdp, blocks, 0);
        if (error)
-               goto fail_gunlock2;
+               goto fail_free_inode;
 
        if (blocks > 1) {
                ip->i_eattr = ip->i_no_addr + 1;
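Review bot: Retargeting this `goto` (and the one after gfs2_glock_get() in the next hunk) to fail_free_inode is what lets the last hunk drop the `if (io_gl)` guard at fail_gunlock2, so that label now silently assumes io_gl is non-NULL and already has GLF_INODE_CREATING set. Every error exit between gfs2_trans_begin() and a successful gfs2_glock_get() — the lines between these two hunks are not shown here — has to keep using fail_free_inode, and nothing at the label checks it. A comment on the label would pin the invariant for the next person adding an error path: `fail_gunlock2:	/* io_gl is held and GLF_INODE_CREATING is set from here on */`. gfs2_create_inode() starts before this hunk.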
@@ -725,7 +725,7 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
        error = gfs2_glock_get(sdp, ip->i_no_addr, &gfs2_iopen_glops, CREATE, &io_gl);
        if (error)
-               goto fail_gunlock2;
+               goto fail_free_inode;
 
        BUG_ON(test_and_set_bit(GLF_INODE_CREATING, &io_gl->gl_flags));
 
@@ -734,7 +734,6 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
                goto fail_gunlock2;
 
        glock_set_object(ip->i_iopen_gh.gh_gl, ip);
-       gfs2_glock_put(io_gl);
        gfs2_set_iop(inode);
        insert_inode_hash(inode);
 
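Review bot: Removing this gfs2_glock_put() means the reference taken by gfs2_glock_get() now outlives glock_set_object() and is only dropped at the common exit or at fail_gunlock2 in the last hunk, but nothing at this point says so, and a reader who sees io_gl go out of use here will expect the put. A one-line comment in its place would record the ownership: `/* Keep the gfs2_glock_get() ref on io_gl until GLF_INODE_CREATING is cleared at exit. */`. As I read it the holder in ip->i_iopen_gh carries its own reference, so the two are independent, but that is not visible in the hunk.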
@@ -767,6 +766,8 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
 
        mark_inode_dirty(inode);
        d_instantiate(dentry, inode);
+       /* After instantiate, errors should result in evict which will destroy
+        * both inode and iopen glocks properly. */
        if (file) {
                *opened |= FILE_CREATED;
                error = finish_open(file, dentry, gfs2_open_common, opened);
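Review bot: The new block comment puts text on the `/*` line, which the kernel coding style (and checkpatch) rejects for multi-line comments outside net/; open with `/*` on its own line and close with ` */` on its own line, with the two existing sentences as ` * ` lines in between. It would also help to say which errors are meant: the only one in view is finish_open() on the next lines, which as I read it falls through to the common exit below rather than jumping to fail_gunlock3.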
@@ -774,15 +775,15 @@ static int gfs2_create_inode(struct inode *dir, struct dentry *dentry,
        gfs2_glock_dq_uninit(ghs);
        gfs2_glock_dq_uninit(ghs + 1);
        clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+       gfs2_glock_put(io_gl);
        return error;
 
 fail_gunlock3:
        glock_clear_object(io_gl, ip);
        gfs2_glock_dq_uninit(&ip->i_iopen_gh);
-       gfs2_glock_put(io_gl);
 fail_gunlock2:
-       if (io_gl)
-               clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+       clear_bit(GLF_INODE_CREATING, &io_gl->gl_flags);
+       gfs2_glock_put(io_gl);
 fail_free_inode:
        if (ip->i_gl) {
                glock_clear_object(ip->i_gl, ip);
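Review bot: The fix depends on clear_bit() preceding gfs2_glock_put() in both the success path and at fail_gunlock2, because the put may drop the last reference to io_gl, but nothing in the code says the order matters, so a later cleanup could swap them back and reintroduce the use-after-free. A trailing comment on each put would guard it: `gfs2_glock_put(io_gl); /* may free io_gl: must follow clear_bit() */`. fail_gunlock3 now reaches the put only by falling through fail_gunlock2, which is correct as long as that fallthrough is kept; the function continues past the end of this hunk.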