Merge branch 'linux-next' of git://git.infradead.org/ubifs-2.6
authorLinus Torvalds <torvalds@linux-foundation.org>
Tue, 10 Jan 2012 22:57:19 +0000 (14:57 -0800)
committerLinus Torvalds <torvalds@linux-foundation.org>
Tue, 10 Jan 2012 22:57:19 +0000 (14:57 -0800)
* 'linux-next' of git://git.infradead.org/ubifs-2.6:
  UBI: fix use-after-free on error path
  UBI: fix missing scrub when there is a bit-flip
  UBIFS: Use kmemdup rather than duplicating its implementation

drivers/mtd/ubi/eba.c
drivers/mtd/ubi/ubi.h
drivers/mtd/ubi/wl.c
fs/ubifs/lpt.c
fs/ubifs/tnc.c
fs/ubifs/xattr.c

index fb7f19b62d91fabe2fdc785bf08aa1a32f523497..cd26da8ad225b882d918188e46c6c2d38cccc803 100644 (file)
@@ -1028,12 +1028,14 @@ int ubi_eba_copy_leb(struct ubi_device *ubi, int from, int to,
         * 'ubi_wl_put_peb()' function on the @ubi->move_mutex. In turn, we are
         * holding @ubi->move_mutex and go sleep on the LEB lock. So, if the
         * LEB is already locked, we just do not move it and return
-        * %MOVE_CANCEL_RACE, which means that UBI will re-try, but later.
+        * %MOVE_RETRY. Note, we do not return %MOVE_CANCEL_RACE here because
+        * we do not know the reasons of the contention - it may be just a
+        * normal I/O on this LEB, so we want to re-try.
         */
        err = leb_write_trylock(ubi, vol_id, lnum);
        if (err) {
                dbg_wl("contention on LEB %d:%d, cancel", vol_id, lnum);
-               return MOVE_CANCEL_RACE;
+               return MOVE_RETRY;
        }
 
        /*
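Review bot: The debug message on the contention path still says "cancel" although the function now returns `MOVE_RETRY`, so a trace of this path will read as a cancelled move rather than a deferred one. Updating it to match the new return value keeps wear-leveling logs unambiguous: `dbg_wl("contention on LEB %d:%d, retry", vol_id, lnum);`. ubi_eba_copy_leb's body starts and ends outside this hunk.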
index dc64c767fd2175e2503510bb1cea51d3ffb63f47..d51d75d344462c1ec3b0ae657b423594f5857517 100644 (file)
@@ -120,6 +120,7 @@ enum {
  *                     PEB
  * MOVE_CANCEL_BITFLIPS: canceled because a bit-flip was detected in the
  *                       target PEB
+ * MOVE_RETRY: retry scrubbing the PEB
  */
 enum {
        MOVE_CANCEL_RACE = 1,
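Review bot: The new description `MOVE_RETRY: retry scrubbing the PEB` does not say when the code is returned, and it is narrower than the use visible in eba.c, where it is returned whenever the LEB write lock is contended. A description in line with the neighbouring entries would be ` * MOVE_RETRY: the LEB is locked by someone else, the move was not done and should be re-tried later`. Whether every such move is a scrub cannot be seen from this page, so the word "scrubbing" should stay only if that holds for all callers.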
@@ -127,6 +128,7 @@ enum {
        MOVE_TARGET_RD_ERR,
        MOVE_TARGET_WR_ERR,
        MOVE_CANCEL_BITFLIPS,
+       MOVE_RETRY,
 };
 
 /**
index 42c684cf368815814614be19b0398d65fc99fcf0..0696e36b053939e878d0215aefe4f4598ba61ac3 100644 (file)
@@ -795,7 +795,10 @@ static int wear_leveling_worker(struct ubi_device *ubi, struct ubi_work *wrk,
                        protect = 1;
                        goto out_not_moved;
                }
-
+               if (err == MOVE_RETRY) {
+                       scrubbing = 1;
+                       goto out_not_moved;
+               }
                if (err == MOVE_CANCEL_BITFLIPS || err == MOVE_TARGET_WR_ERR ||
                    err == MOVE_TARGET_RD_ERR) {
                        /*
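Review bot: The `MOVE_RETRY` branch sets `scrubbing = 1` unconditionally and carries no comment explaining why. The code at `out_not_moved` is outside this hunk. If it uses `scrubbing` to decide which tree the source PEB is returned to, a PEB that was picked for ordinary wear-leveling and merely hit lock contention would be requeued as needing scrub. If that is intended, a comment such as `/* LEB lock contention: put the PEB back for scrubbing so the move is re-tried */` should say so; otherwise the assignment can be dropped so the flag keeps the value it had when the PEB was picked. wear_leveling_worker's body starts and ends outside the hunk.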
@@ -1049,7 +1052,6 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
 
        ubi_err("failed to erase PEB %d, error %d", pnum, err);
        kfree(wl_wrk);
-       kmem_cache_free(ubi_wl_entry_slab, e);
 
        if (err == -EINTR || err == -ENOMEM || err == -EAGAIN ||
            err == -EBUSY) {
@@ -1062,14 +1064,16 @@ static int erase_worker(struct ubi_device *ubi, struct ubi_work *wl_wrk,
                        goto out_ro;
                }
                return err;
-       } else if (err != -EIO) {
+       }
+
+       kmem_cache_free(ubi_wl_entry_slab, e);
+       if (err != -EIO)
                /*
                 * If this is not %-EIO, we have no idea what to do. Scheduling
                 * this physical eraseblock for erasure again would cause
                 * errors again and again. Well, lets switch to R/O mode.
                 */
                goto out_ro;
-       }
 
        /* It is %-EIO, the PEB went bad */
 
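Review bot: The `goto out_ro` at the top of this hunk now leaves the retry branch with `e` still allocated, because `kmem_cache_free(ubi_wl_entry_slab, e)` was moved below that branch. The statement that leads to this `goto` lies between the two hunks and is not visible; if it is the failure path of re-scheduling the erase, nothing owns `e` afterwards and the entry leaks each time, so that path wants its own `kmem_cache_free(ubi_wl_entry_slab, e);` before `goto out_ro;`. Separately, the body of `if (err != -EIO)` is now an unbraced multi-line comment followed by `goto`; keeping the braces would follow kernel style and guard against a statement later being added under the comment. erase_worker's body starts and ends outside the hunk.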
index 6189c74d97f03ef6ba3eafc19fc1a8924b42d4b9..66d59d0a14029ebc8b1fa3bb2d0ecfad38199e66 100644 (file)
@@ -1986,12 +1986,11 @@ again:
 
                                if (path[h].in_tree)
                                        continue;
-                               nnode = kmalloc(sz, GFP_NOFS);
+                               nnode = kmemdup(&path[h].nnode, sz, GFP_NOFS);
                                if (!nnode) {
                                        err = -ENOMEM;
                                        goto out;
                                }
-                               memcpy(nnode, &path[h].nnode, sz);
                                parent = nnode->parent;
                                parent->nbranch[nnode->iip].nnode = nnode;
                                path[h].ptr.nnode = nnode;
@@ -2004,12 +2003,11 @@ again:
                                const size_t sz = sizeof(struct ubifs_pnode);
                                struct ubifs_nnode *parent;
 
-                               pnode = kmalloc(sz, GFP_NOFS);
+                               pnode = kmemdup(&path[h].pnode, sz, GFP_NOFS);
                                if (!pnode) {
                                        err = -ENOMEM;
                                        goto out;
                                }
-                               memcpy(pnode, &path[h].pnode, sz);
                                parent = pnode->parent;
                                parent->nbranch[pnode->iip].pnode = pnode;
                                path[h].ptr.pnode = pnode;
index 066738647685ba8ad2d371060bfd226e12020e3b..e14ee53159db36b0ecade9b31ad6466678db6b74 100644 (file)
@@ -344,12 +344,11 @@ static int lnc_add(struct ubifs_info *c, struct ubifs_zbranch *zbr,
                return err;
        }
 
-       lnc_node = kmalloc(zbr->len, GFP_NOFS);
+       lnc_node = kmemdup(node, zbr->len, GFP_NOFS);
        if (!lnc_node)
                /* We don't have to have the cache, so no error */
                return 0;
 
-       memcpy(lnc_node, node, zbr->len);
        zbr->leaf = lnc_node;
        return 0;
 }
index bf18f7a04544b28bb0fd989e33065ee17bb7a95e..85b2722687545b0e3299d7bdc0275ebe9fb2d2e2 100644 (file)
@@ -138,12 +138,11 @@ static int create_xattr(struct ubifs_info *c, struct inode *host,
        ui = ubifs_inode(inode);
        ui->xattr = 1;
        ui->flags |= UBIFS_XATTR_FL;
-       ui->data = kmalloc(size, GFP_NOFS);
+       ui->data = kmemdup(value, size, GFP_NOFS);
        if (!ui->data) {
                err = -ENOMEM;
                goto out_free;
        }
-       memcpy(ui->data, value, size);
        inode->i_size = ui->ui_size = size;
        ui->data_len = size;
 
@@ -204,12 +203,11 @@ static int change_xattr(struct ubifs_info *c, struct inode *host,
                return err;
 
        kfree(ui->data);
-       ui->data = kmalloc(size, GFP_NOFS);
+       ui->data = kmemdup(value, size, GFP_NOFS);
        if (!ui->data) {
                err = -ENOMEM;
                goto out_free;
        }
-       memcpy(ui->data, value, size);
        inode->i_size = ui->ui_size = size;
        ui->data_len = size;