reiserfs: only call unlock_new_inode() if I_NEW

Message ID 20200628070057.820213-1-ebiggers@kernel.org
State New
Series
  • reiserfs: only call unlock_new_inode() if I_NEW

Commit Message

Eric Biggers June 28, 2020, 7 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

unlock_new_inode() is only meant to be called after a new inode has
already been inserted into the hash table.  But reiserfs_new_inode() can
call it even before it has inserted the inode, triggering the WARNING in
unlock_new_inode().  Fix this by only calling unlock_new_inode() if the
inode has the I_NEW flag set, indicating that it's in the table.

This addresses the syzbot report "WARNING in unlock_new_inode"
(https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7).

Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 fs/reiserfs/inode.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Eric Biggers July 27, 2020, 4:52 p.m. UTC | #1
On Sun, Jun 28, 2020 at 12:00:57AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> unlock_new_inode() is only meant to be called after a new inode has
> already been inserted into the hash table.  But reiserfs_new_inode() can
> call it even before it has inserted the inode, triggering the WARNING in
> unlock_new_inode().  Fix this by only calling unlock_new_inode() if the
> inode has the I_NEW flag set, indicating that it's in the table.
> 
> This addresses the syzbot report "WARNING in unlock_new_inode"
> (https://syzkaller.appspot.com/bug?extid=187510916eb6a14598f7).
> 
> Reported-by: syzbot+187510916eb6a14598f7@syzkaller.appspotmail.com
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Anyone interested in taking this patch?

- Eric

Patch

diff --git a/fs/reiserfs/inode.c b/fs/reiserfs/inode.c
index 1509775da040..e3af44c61524 100644
--- a/fs/reiserfs/inode.c
+++ b/fs/reiserfs/inode.c
@@ -2163,7 +2163,8 @@  int reiserfs_new_inode(struct reiserfs_transaction_handle *th,
 out_inserted_sd:
 	clear_nlink(inode);
 	th->t_trans_id = 0;	/* so the caller can't use this handle later */
-	unlock_new_inode(inode); /* OK to do even if we hadn't locked it */
+	if (inode->i_state & I_NEW)
+		unlock_new_inode(inode);
 	iput(inode);
 	return err;
 }
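Review bot: the new `if (inode->i_state & I_NEW)` guard drops the old comment ("OK to do even if we hadn't locked it"), which was wrong, but replaces it with nothing; a one-line comment saying that I_NEW is only set once the inode has been inserted into the hash table, and that this error path can be reached before that happens, would stop the next reader from "simplifying" it back to the unconditional call. The condition itself matches the I_NEW test that unlock_new_inode() warns on, so the guard and the WARNING agree. Testing i_state without taking i_lock is acceptable here only because the inode is still private to the creation path; that assumption is worth stating in the same comment.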