/* * alloc.h - persistent object (dat entry/disk inode) allocator/deallocator * * Copyright (C) 2006-2008 Nippon Telegraph and Telephone Corporation. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 2 of the License, or * (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * Originally written by Koji Sato. * Two allocators were unified by Ryusuke Konishi and Amagai Yoshiji. */ #ifndef _NILFS_ALLOC_H #define _NILFS_ALLOC_H #include #include #include /** * nilfs_palloc_entries_per_group - get the number of entries per group * @inode: inode of metadata file using this allocator * * The number of entries per group is defined by the number of bits * that a bitmap block can maintain. */ static inline unsigned long nilfs_palloc_entries_per_group(const struct inode *inode) { return 1UL << (inode->i_blkbits + 3 /* log2(8 = CHAR_BITS) */); } int nilfs_palloc_init_blockgroup(struct inode *, unsigned int); int nilfs_palloc_get_entry_block(struct inode *, __u64, int, struct buffer_head **); void *nilfs_palloc_block_get_entry(const struct inode *, __u64, const struct buffer_head *, void *); int nilfs_palloc_count_max_entries(struct inode *, u64, u64 *); /** * nilfs_palloc_req - persistent allocator request and reply * @pr_entry_nr: entry number (vblocknr or inode number) * @pr_desc_bh: buffer head of the buffer containing block group descriptors * @pr_bitmap_bh: buffer head of the buffer containing a block group bitmap * @pr_entry_bh: buffer head of the buffer containing translation entries */ struct nilfs_palloc_req { __u64 pr_entry_nr; struct buffer_head *pr_desc_bh; struct buffer_head *pr_bitmap_bh; struct buffer_head *pr_entry_bh; }; int nilfs_palloc_prepare_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_commit_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_abort_alloc_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_commit_free_entry(struct inode *, struct nilfs_palloc_req *); int nilfs_palloc_prepare_free_entry(struct inode *, struct nilfs_palloc_req *); void nilfs_palloc_abort_free_entry(struct inode *, struct nilfs_palloc_req *); int nilfs_palloc_freev(struct inode *, __u64 *, size_t); #define nilfs_set_bit_atomic ext2_set_bit_atomic #define nilfs_clear_bit_atomic ext2_clear_bit_atomic #define nilfs_find_next_zero_bit find_next_zero_bit_le #define nilfs_find_next_bit find_next_bit_le /** * struct nilfs_bh_assoc - block offset and buffer head association * @blkoff: block offset * @bh: buffer head */ struct nilfs_bh_assoc { unsigned long blkoff; struct buffer_head *bh; }; /** * struct nilfs_palloc_cache - persistent object allocator cache * @lock: cache protecting lock * @prev_desc: blockgroup descriptors cache * @prev_bitmap: blockgroup bitmap cache * @prev_entry: translation entries cache */ struct nilfs_palloc_cache { spinlock_t lock; struct nilfs_bh_assoc prev_desc; struct nilfs_bh_assoc prev_bitmap; struct nilfs_bh_assoc prev_entry; }; void nilfs_palloc_setup_cache(struct inode *inode, struct nilfs_palloc_cache *cache); void nilfs_palloc_clear_cache(struct inode *inode); void nilfs_palloc_destroy_cache(struct inode *inode); #endif /* _NILFS_ALLOC_H */ option value='20'>20space:mode:
authorPeter Zijlstra <peterz@infradead.org>2017-01-26 16:39:55 +0100
committerIngo Molnar <mingo@kernel.org>2017-01-30 11:41:25 +0100
commita76a82a3e38c8d3fb6499e3dfaeb0949241ab588 (patch)
treeb5bc906278fe1ac66d75de984d26bf59b43b3ed8 /sound/oss/trix.c
parent566cf877a1fcb6d6dc0126b076aad062054c2637 (diff)
perf/core: Fix use-after-free bug
Dmitry reported a KASAN use-after-free on event->group_leader. It turns out there's a hole in perf_remove_from_context() due to event_function_call() not calling its function when the task associated with the event is already dead. In this case the event will have been detached from the task, but the grouping will have been retained, such that group operations might still work properly while there are live child events etc. This does however mean that we can miss a perf_group_detach() call when the group decomposes, this in turn can then lead to use-after-free. Fix it by explicitly doing the group detach if its still required. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com> Cc: Arnaldo Carvalho de Melo <acme@kernel.org> Cc: Arnaldo Carvalho de Melo <acme@redhat.com> Cc: Jiri Olsa <jolsa@redhat.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: stable@vger.kernel.org # v4.5+ Cc: syzkaller <syzkaller@googlegroups.com> Fixes: 63b6da39bb38 ("perf: Fix perf_event_exit_task() race") Link: http://lkml.kernel.org/r/20170126153955.GD6515@twins.programming.kicks-ass.net Signed-off-by: Ingo Molnar <mingo@kernel.org>
Diffstat (limited to 'sound/oss/trix.c')