diff options
author | Jan Kara <jack@suse.cz> | 2011-12-09 20:30:48 -0500 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2012-01-09 07:52:08 -0500 |
commit | d2eb8c359309ec45d6bf5b147303ab8e13be86ea (patch) | |
tree | 4725da2f9f5728b41960cff7b628d0997812504c | |
parent | 7b0b0933a3ff6052addf4d49ea99f75ab27df2d0 (diff) |
udf: Fix deadlock when converting file from in-ICB one to normal one
During BKL removal in 2.6.38, conversion of files from in-ICB format to normal
format got broken. We call ->writepage with i_data_sem held but udf_get_block()
also acquires i_data_sem thus creating A-A deadlock.
We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().
CC: stable@kernel.org
Reported-by: Matthias Matiak <netzpython@mail-on.us>
Tested-by: Matthias Matiak <netzpython@mail-on.us>
Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
-rw-r--r-- | fs/udf/file.c | 6 | ||||
-rw-r--r-- | fs/udf/inode.c | 21 |
2 files changed, 21 insertions, 6 deletions
diff --git a/fs/udf/file.c b/fs/udf/file.c index d8ffa7cc661d..dca0c3881e82 100644 --- a/fs/udf/file.c +++ b/fs/udf/file.c | |||
@@ -125,7 +125,6 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, | |||
125 | err = udf_expand_file_adinicb(inode); | 125 | err = udf_expand_file_adinicb(inode); |
126 | if (err) { | 126 | if (err) { |
127 | udf_debug("udf_expand_adinicb: err=%d\n", err); | 127 | udf_debug("udf_expand_adinicb: err=%d\n", err); |
128 | up_write(&iinfo->i_data_sem); | ||
129 | return err; | 128 | return err; |
130 | } | 129 | } |
131 | } else { | 130 | } else { |
@@ -133,9 +132,10 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, | |||
133 | iinfo->i_lenAlloc = pos + count; | 132 | iinfo->i_lenAlloc = pos + count; |
134 | else | 133 | else |
135 | iinfo->i_lenAlloc = inode->i_size; | 134 | iinfo->i_lenAlloc = inode->i_size; |
135 | up_write(&iinfo->i_data_sem); | ||
136 | } | 136 | } |
137 | } | 137 | } else |
138 | up_write(&iinfo->i_data_sem); | 138 | up_write(&iinfo->i_data_sem); |
139 | 139 | ||
140 | retval = generic_file_aio_write(iocb, iov, nr_segs, ppos); | 140 | retval = generic_file_aio_write(iocb, iov, nr_segs, ppos); |
141 | if (retval > 0) | 141 | if (retval > 0) |
diff --git a/fs/udf/inode.c b/fs/udf/inode.c index 1bd2c42f3b48..4f7b1ffd9e37 100644 --- a/fs/udf/inode.c +++ b/fs/udf/inode.c | |||
@@ -150,6 +150,12 @@ const struct address_space_operations udf_aops = { | |||
150 | .bmap = udf_bmap, | 150 | .bmap = udf_bmap, |
151 | }; | 151 | }; |
152 | 152 | ||
153 | /* | ||
154 | * Expand file stored in ICB to a normal one-block-file | ||
155 | * | ||
156 | * This function requires i_data_sem for writing and releases it. | ||
157 | * This function requires i_mutex held | ||
158 | */ | ||
153 | int udf_expand_file_adinicb(struct inode *inode) | 159 | int udf_expand_file_adinicb(struct inode *inode) |
154 | { | 160 | { |
155 | struct page *page; | 161 | struct page *page; |
@@ -168,9 +174,15 @@ int udf_expand_file_adinicb(struct inode *inode) | |||
168 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; | 174 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; |
169 | /* from now on we have normal address_space methods */ | 175 | /* from now on we have normal address_space methods */ |
170 | inode->i_data.a_ops = &udf_aops; | 176 | inode->i_data.a_ops = &udf_aops; |
177 | up_write(&iinfo->i_data_sem); | ||
171 | mark_inode_dirty(inode); | 178 | mark_inode_dirty(inode); |
172 | return 0; | 179 | return 0; |
173 | } | 180 | } |
181 | /* | ||
182 | * Release i_data_sem so that we can lock a page - page lock ranks | ||
183 | * above i_data_sem. i_mutex still protects us against file changes. | ||
184 | */ | ||
185 | up_write(&iinfo->i_data_sem); | ||
174 | 186 | ||
175 | page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS); | 187 | page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS); |
176 | if (!page) | 188 | if (!page) |
@@ -186,6 +198,7 @@ int udf_expand_file_adinicb(struct inode *inode) | |||
186 | SetPageUptodate(page); | 198 | SetPageUptodate(page); |
187 | kunmap(page); | 199 | kunmap(page); |
188 | } | 200 | } |
201 | down_write(&iinfo->i_data_sem); | ||
189 | memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00, | 202 | memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00, |
190 | iinfo->i_lenAlloc); | 203 | iinfo->i_lenAlloc); |
191 | iinfo->i_lenAlloc = 0; | 204 | iinfo->i_lenAlloc = 0; |
@@ -195,17 +208,20 @@ int udf_expand_file_adinicb(struct inode *inode) | |||
195 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; | 208 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; |
196 | /* from now on we have normal address_space methods */ | 209 | /* from now on we have normal address_space methods */ |
197 | inode->i_data.a_ops = &udf_aops; | 210 | inode->i_data.a_ops = &udf_aops; |
211 | up_write(&iinfo->i_data_sem); | ||
198 | err = inode->i_data.a_ops->writepage(page, &udf_wbc); | 212 | err = inode->i_data.a_ops->writepage(page, &udf_wbc); |
199 | if (err) { | 213 | if (err) { |
200 | /* Restore everything back so that we don't lose data... */ | 214 | /* Restore everything back so that we don't lose data... */ |
201 | lock_page(page); | 215 | lock_page(page); |
202 | kaddr = kmap(page); | 216 | kaddr = kmap(page); |
217 | down_write(&iinfo->i_data_sem); | ||
203 | memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr, | 218 | memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr, |
204 | inode->i_size); | 219 | inode->i_size); |
205 | kunmap(page); | 220 | kunmap(page); |
206 | unlock_page(page); | 221 | unlock_page(page); |
207 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; | 222 | iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; |
208 | inode->i_data.a_ops = &udf_adinicb_aops; | 223 | inode->i_data.a_ops = &udf_adinicb_aops; |
224 | up_write(&iinfo->i_data_sem); | ||
209 | } | 225 | } |
210 | page_cache_release(page); | 226 | page_cache_release(page); |
211 | mark_inode_dirty(inode); | 227 | mark_inode_dirty(inode); |
@@ -1105,10 +1121,9 @@ int udf_setsize(struct inode *inode, loff_t newsize) | |||
1105 | if (bsize < | 1121 | if (bsize < |
1106 | (udf_file_entry_alloc_offset(inode) + newsize)) { | 1122 | (udf_file_entry_alloc_offset(inode) + newsize)) { |
1107 | err = udf_expand_file_adinicb(inode); | 1123 | err = udf_expand_file_adinicb(inode); |
1108 | if (err) { | 1124 | if (err) |
1109 | up_write(&iinfo->i_data_sem); | ||
1110 | return err; | 1125 | return err; |
1111 | } | 1126 | down_write(&iinfo->i_data_sem); |
1112 | } else | 1127 | } else |
1113 | iinfo->i_lenAlloc = newsize; | 1128 | iinfo->i_lenAlloc = newsize; |
1114 | } | 1129 | } |