Kernel Bug-Vulnerability-Comment library

sisi8408

确如思一克大侠所言，得以解惑，鲜花和致敬奉上，还有￥6。

1. 
   
2. /*
   
3. * linux-2.6.20.7/fs/dcache.c
   
4. */
   
5. static void dentry_iput(struct dentry * dentry)
   
6. {
   
7.         struct inode * inode = dentry->d_inode;
   
8.        
   
9.         if (inode) {
   
10.                 dentry->d_inode = NULL;
    
11.                 list_del_init(&dentry->d_alias);
    
12.                 spin_unlock(&dentry->d_lock);
    
13.                 spin_unlock(&dcache_lock);
    
14. 
    
15.                 if (!inode->i_nlink)
    
16.                         fsnotify_inoderemove(inode);
    
17.                
    
18.                 if (dentry->d_op && dentry->d_op->d_iput)
    
19.                         dentry->d_op->d_iput(dentry, inode);
    
20.                 else
    
21.                         iput(inode);
    
22.         } else {
    
23.                 spin_unlock(&dentry->d_lock);
    
24.                 spin_unlock(&dcache_lock);
    
25.         }
    
26. }
    

复制代码

[ 本帖最后由 sisi8408 于 2007-8-27 16:22 编辑 ]

daemeon

偶也来贴一个

2.6.22

int tcp_set_allowed_congestion_control(char *val) {     struct tcp_congestion_ops *ca;     char *clone, *name;     int ret = 0;     clone = kstrdup(val, GFP_USER);     if (!clone)         return -ENOMEM;     spin_lock(&tcp_cong_list_lock);     /* pass 1 check for bad entries */     while ((name = strsep(&clone, " ")) && *name) {         ca = tcp_ca_find(name);         if (!ca) {             ret = -ENOENT;             goto out;         }     }     /* pass 2 clear old values */     list_for_each_entry_rcu(ca, &tcp_cong_list, list)         ca->flags &= ~TCP_CONG_NON_RESTRICTED;     /* pass 3 mark as allowed */     while ((name = strsep(&val, " ")) && *name) {         ca = tcp_ca_find(name);         WARN_ON(!ca);         if (ca)             ca->flags |= TCP_CONG_NON_RESTRICTED;     } out:     spin_unlock(&tcp_cong_list_lock);     return ret; }

[ 本帖最后由 daemeon 于 2007-8-25 16:21 编辑 ]

sisi8408

鲜花奉上，还有￥1。

另外，劳烦daemeon大哥注明kernel版本，方便大家查询比对。

clone not released?

[ 本帖最后由 sisi8408 于 2007-8-25 14:07 编辑 ]

sisi8408

1. 
   
2. int tcp_set_allowed_congestion_control(char *val)
   
3. {
   
4.      .............
   
5. 
   
6. out:
   
7.     spin_unlock(&tcp_cong_list_lock);
   
8.     if (clone)
   
9.             kfree(clone);
   
10.     return ret;
    
11. }
    
12. 
    
13. /*
    
14. * based upon linux/2.6.20.7/mm/utils.c
    
15. */
    
16. char * kstrdup(const char *s, gfp_t gfp)
    
17. {
    
18.         size_t len;
    
19.         char *buf;
    
20. 
    
21.         if (!s)
    
22.                 return NULL;
    
23. 
    
24.         len = strlen(s) + 1;
    
25.         buf = kmalloc_track_caller(len, gfp);
    
26.         if (buf)
    
27.                 memcpy(buf, s, len);
    
28.         return buf;
    
29. }
    

复制代码

daemeon

the variable 'clone' is modified by strsep. we need another variable to save original value.

sisi8408

try again

1. 
   
2. int tcp_set_allowed_congestion_control(char *val)
   
3. {
   
4.     struct tcp_congestion_ops *ca;
   
5.     char *clone, *name;
   
6. +    char *org;
   
7.     int ret = 0;
   
8. 
   
9.     clone = kstrdup(val, GFP_USER);
   
10.     if (!clone)
    
11.         return -ENOMEM;
    
12. +  org = clone;
    
13.     spin_lock(&tcp_cong_list_lock);
    
14.     /* pass 1 check for bad entries */
    
15.     while ((name = strsep(&clone, " ")) && *name) {
    
16.         ca = tcp_ca_find(name);
    
17.         if (!ca) {
    
18.             ret = -ENOENT;
    
19.             goto out;
    
20.         }
    
21.     }
    
22. 
    
23.     /* pass 2 clear old values */
    
24.     list_for_each_entry_rcu(ca, &tcp_cong_list, list)
    
25.         ca->flags &= ~TCP_CONG_NON_RESTRICTED;
    
26. 
    
27.     /* pass 3 mark as allowed */
    
28.     while ((name = strsep(&val, " ")) && *name) {
    
29.         ca = tcp_ca_find(name);
    
30.         WARN_ON(!ca);
    
31.         if (ca)
    
32.             ca->flags |= TCP_CONG_NON_RESTRICTED;
    
33.     }
    
34. out:
    
35.     spin_unlock(&tcp_cong_list_lock);
    
36. +  if (org)  kfree(org);
    
37.     return ret;
    
38. }
    

复制代码

sisi8408

1. 
   
2. static ssize_t dlmfs_file_read(struct file *filp,
   
3.                                char __user *buf, size_t count,
   
4.                                loff_t *ppos)
   
5. {
   
6.         int bytes_left;
   
7.         ssize_t readlen;
   
8.         char *lvb_buf;
   
9.         struct inode *inode = filp->f_path.dentry->d_inode;
   
10. 
    
11.         mlog(0, "inode %lu, count = %zu, *ppos = %llu\n",
    
12.                 inode->i_ino, count, *ppos);
    
13. 
    
14.         if (*ppos >= i_size_read(inode))
    
15.                 return 0;
    
16. 
    
17.         if (!count)
    
18.                 return 0;
    
19. 
    
20.         if (!access_ok(VERIFY_WRITE, buf, count))
    
21.                 return -EFAULT;
    
22. 
    
23.         /* don't read past the lvb */
    
24.         if ((count + *ppos) > i_size_read(inode))
    
25.                 readlen = i_size_read(inode) - *ppos;
    
26.         else
    
27. /*
    
28. * linux-2.6.22.5/fs/ocfs2/dlm/dlmfs.c
    
29. * ￥2
    
30. * what relation between count and ppos?
    
31. * readlen determined right?
    
32. * say, i_size_read(inode) = 8M bytes, count = 4096 bytes.
    
33. */
    
34.                 readlen = count - *ppos;
    
35. 
    
36.         lvb_buf = kmalloc(readlen, GFP_NOFS);
    
37.         if (!lvb_buf)
    
38.                 return -ENOMEM;
    
39. 
    
40.         user_dlm_read_lvb(inode, lvb_buf, readlen);
    
41.         bytes_left = __copy_to_user(buf, lvb_buf, readlen);
    
42.         readlen -= bytes_left;
    
43. 
    
44.         kfree(lvb_buf);
    
45. 
    
46.         *ppos = *ppos + readlen;
    
47. 
    
48.         mlog(0, "read %zd bytes\n", readlen);
    
49. 
    
50.         return readlen;
    
51. }
    

复制代码

sisi8408

1. 
   
2. static ssize_t dlmfs_file_write(struct file *filp,
   
3.                                 const char __user *buf, size_t count,
   
4.                                 loff_t *ppos)
   
5. {
   
6.         int bytes_left;
   
7.         ssize_t writelen;
   
8.         char *lvb_buf;
   
9.         struct inode *inode = filp->f_path.dentry->d_inode;
   
10. 
    
11.         mlog(0, "inode %lu, count = %zu, *ppos = %llu\n",
    
12.                 inode->i_ino, count, *ppos);
    
13. 
    
14.         if (*ppos >= i_size_read(inode))
    
15.                 return -ENOSPC;
    
16. 
    
17.         if (!count)
    
18.                 return 0;
    
19. 
    
20.         if (!access_ok(VERIFY_READ, buf, count))
    
21.                 return -EFAULT;
    
22. 
    
23.         /* don't write past the lvb */
    
24.         if ((count + *ppos) > i_size_read(inode))
    
25.                 writelen = i_size_read(inode) - *ppos;
    
26.         else
    
27. /*
    
28. * linux-2.6.22.5/fs/ocfs2/dlm/dlmfs.c
    
29. 
    
30. #!/bin/sh
    
31. if [ $# != 2 ]
    
32. then
    
33.         echo disasfun objectfile functionname
    
34.         exit 1
    
35. fi
    
36. OBJFILE=$1
    
37. FUNNAME=$2
    
38. ADDRSZ=`objdump -t $OBJFILE | gawk -- "{
    
39.         if (\\\$3 == \\"F\\" && \\\$6 == \\"$FUNNAME\\") {
    
40.                 printf(\\"%s %s\\", \\\$1, \\\$5)
    
41.         }
    
42. }"`
    
43. ADDR=`echo $ADDRSZ | gawk "{ printf(\\"%s\\",\\\$1)}"`
    
44. SIZE=`echo $ADDRSZ | gawk "{ printf(\\"%s\\",\\\$2)}"`
    
45. if [ -z "$ADDR" -o -z "$SIZE" ]
    
46. then
    
47.         echo Cannot find address or size of function $FUNNAME
    
48.         exit 2
    
49. fi
    
50. objdump -S $OBJFILE --start-address=0x$ADDR --stop-address=$((0x$ADDR + 0x$SIZE))
    
51. 
    
52. * writelen determined right?
    
53. */
    
54.                 writelen = count - *ppos;
    
55. 
    
56.         lvb_buf = kmalloc(writelen, GFP_NOFS);
    
57.         if (!lvb_buf)
    
58.                 return -ENOMEM;
    
59. 
    
60.         bytes_left = copy_from_user(lvb_buf, buf, writelen);
    
61.         writelen -= bytes_left;
    
62.         if (writelen)
    
63.                 user_dlm_write_lvb(inode, lvb_buf, writelen);
    
64. 
    
65.         kfree(lvb_buf);
    
66. 
    
67.         *ppos = *ppos + writelen;
    
68.         mlog(0, "wrote %zd bytes\n", writelen);
    
69.         return writelen;
    
70. }
    

复制代码

[ 本帖最后由 sisi8408 于 2008-3-1 10:19 编辑 ]

sisi8408

1. 
   
2. static int ocfs2_write_data_page(struct inode *inode, handle_t *handle,
   
3.                                  u64 *p_blkno, struct page *page,
   
4.                                  struct ocfs2_write_ctxt *wc, int new)
   
5. {
   
6.         int ret, copied = 0;
   
7.         unsigned int from = 0, to = 0;
   
8.         unsigned int cluster_start, cluster_end;
   
9.         unsigned int zero_from = 0, zero_to = 0;
   
10. 
    
11.         ocfs2_figure_cluster_boundaries(OCFS2_SB(inode->i_sb), wc->w_cpos,
    
12.                                         &cluster_start, &cluster_end);
    
13. 
    
14.         if ((wc->w_pos >> PAGE_CACHE_SHIFT) == page->index
    
15.             && !wc->w_finished_copy) {
    
16.                 wc->w_this_page = page;
    
17.                 wc->w_this_page_new = new;
    
18.                
    
19.                 ret = wc->w_write_data_page(inode, wc, p_blkno, &from, &to);
    
20. 
    
21.                 if (ret < 0) {
    
22.                         mlog_errno(ret);
    
23.                         goto out;
    
24.                 }
    
25.                 copied = ret;
    
26. 
    
27.                 zero_from = from;
    
28.                 zero_to = to;
    
29. 
    
30.                 if (new) {
    
31.                         from = cluster_start;
    
32.                         to = cluster_end;
    
33.                 }
    
34.         } else {
    
35.                 /*
    
36.                  * If we haven't allocated the new page yet, we
    
37.                  * shouldn't be writing it out without copying user
    
38.                  * data. This is likely a math error from the caller.
    
39.                  */
    
40.                 BUG_ON(!new);
    
41. 
    
42.                 from = cluster_start;
    
43.                 to = cluster_end;
    
44. 
    
45.                 ret = ocfs2_map_page_blocks(page, p_blkno, inode,
    
46.                                             cluster_start, cluster_end, 1);
    
47.                 if (ret) {
    
48.                         mlog_errno(ret);
    
49.                         goto out;
    
50.                 }
    
51.         }
    
52. 
    
53.         /*
    
54.          * Parts of newly allocated pages need to be zero'd.
    
55.          *
    
56.          * Above, we have also rewritten 'to' and 'from' - as far as
    
57.          * the rest of the function is concerned, the entire cluster
    
58.          * range inside of a page needs to be written.
    
59.          *
    
60.          * We can skip this if the page is uptodate - it's already
    
61.          * been zero'd from being read in as a hole.
    
62.          */
    
63.         if (new && !PageUptodate(page))
    
64.                 ocfs2_clear_page_regions(page, OCFS2_SB(inode->i_sb),
    
65.                                          wc->w_cpos, zero_from, zero_to);
    
66.         flush_dcache_page(page);
    
67. 
    
68.         if (ocfs2_should_order_data(inode)) {
    
69.                 ret = walk_page_buffers(handle,
    
70.                                         page_buffers(page),
    
71.                                         from, to, NULL,
    
72.                                         ocfs2_journal_dirty_data);
    
73.                 if (ret < 0)
    
74. /*
    
75. * linux-2.6.22.5/fs/ocfs2/aops.c
    
76. *
    
77. * how to & necessary to include this case on return?
    
78. * how to re-check in mlog?
    
79. */
    
80.                         mlog_errno(ret);
    
81.         }
    
82. 
    
83.         /*
    
84.          * We don't use generic_commit_write() because we need to
    
85.          * handle our own i_size update.
    
86.          */
    
87.         ret = block_commit_write(page, from, to);
    
88.         if (ret)
    
89.                 mlog_errno(ret);
    
90. out:
    
91.         return copied ? copied : ret;
    
92. }
    

复制代码

sisi8408

1. 
   
2. static int ocfs2_try_to_merge_extent_map(struct ocfs2_extent_map_item *emi,
   
3.                                          struct ocfs2_extent_map_item *ins)
   
4. {
   
5.         /*
   
6.          * Handle contiguousness
   
7.          */
   
8.         if (ins->ei_phys == (emi->ei_phys + emi->ei_clusters) &&
   
9.             ins->ei_cpos == (emi->ei_cpos + emi->ei_clusters) &&
   
10.             ins->ei_flags == emi->ei_flags) {
    
11.                 emi->ei_clusters += ins->ei_clusters;
    
12.                 return 1;
    
13.         } else if ((ins->ei_phys + ins->ei_clusters) == emi->ei_phys &&
    
14. /*
    
15. * linux-2.6.22.5/fs/ocfs2/extent_map.c
    
16. * why not
    
17. * (ins->ei_cpos + ins->ei_clusters) == emi->ei_cpos
    
18. * and more symmetric??
    
19. */
    
20.                    (ins->ei_cpos + ins->ei_clusters) == emi->ei_phys &&
    
21.                    ins->ei_flags == emi->ei_flags) {
    
22.                 emi->ei_phys = ins->ei_phys;
    
23.                 emi->ei_cpos = ins->ei_cpos;
    
24.                 emi->ei_clusters += ins->ei_clusters;
    
25.                 return 1;
    
26.         }
    
27. 
    
28.         /*
    
29.          * Overlapping extents - this shouldn't happen unless we've
    
30.          * split an extent to change it's flags. That is exceedingly
    
31.          * rare, so there's no sense in trying to optimize it yet.
    
32.          */
    
33.         if (ocfs2_ei_is_contained(emi, ins) ||
    
34.             ocfs2_ei_is_contained(ins, emi)) {
    
35. /*
    
36. * more care needed in em-cache, even a small/simple one.
    
37. */
    
38.                 ocfs2_copy_emi_fields(emi, ins);
    
39.                 return 1;
    
40.         }
    
41. 
    
42.         /* No merge was possible. */
    
43.         return 0;
    
44. }
    

复制代码

[ 本帖最后由 sisi8408 于 2007-8-30 13:51 编辑 ]