UBI: Fastmap: Fix race after ubi_wl_get_peb()

ubi_wl_get_peb() returns a fresh PEB which can be used by user of UBI. Due to the pool logic fastmap will correctly map this PEB upon attach time because it will be scanned. If a new fastmap is written (due to heavy parallel io) while the before the fresh PEB is assigned to the EBA table it will not be scanned as it is no longer in the pool. So, the race window exists between ubi_wl_get_peb() and the EBA table assignment. We have to make sure that no new fastmap can be written while that. To ensure that ubi_wl_get_peb() will grab ubi->fm_sem in read mode and the user of ubi_wl_get_peb() has to release it after the PEB got assigned. Signed-off-by: Richard Weinberger <richard@nod.at>
author: Richard Weinberger <richard@nod.at> 2014-11-10 10:27:10 -0500
committer: Richard Weinberger <richard@nod.at> 2015-03-26 17:46:01 -0400
commit: 8fb2a514780eee48602424a86e3cd72d3f1bdfb2 (patch)
tree: 2c5c3bced155af20a7a27a2b368bc7c1df5586fa /drivers/mtd/ubi/eba.c
parent: ad3d6a05ee45eebf68ff08da0d3f86251b530a27 (diff)
1 files changed, 18 insertions, 6 deletions
diff --git a/drivers/mtd/ubi/eba.c b/drivers/mtd/ubi/eba.c
index e0a06e4b95a4..4757cef756f7 100644
--- a/drivers/mtd/ubi/eba.c
+++ b/drivers/mtd/ubi/eba.c
@@ -567,6 +567,7 @@ retry:
        new_pnum = ubi_wl_get_peb(ubi);
        if (new_pnum < 0) {
                ubi_free_vid_hdr(ubi, vid_hdr);
+                up_read(&ubi->fm_sem);
                return new_pnum;
        }
@@ -577,13 +578,16 @@ retry:
        if (err && err != UBI_IO_BITFLIPS) {
                if (err > 0)
                        err = -EIO;
+                up_read(&ubi->fm_sem);
                goto out_put;
        }
        vid_hdr->sqnum = cpu_to_be64(ubi_next_sqnum(ubi));
        err = ubi_io_write_vid_hdr(ubi, new_pnum, vid_hdr);
-        if (err)
+        if (err) {
+                up_read(&ubi->fm_sem);
                goto write_error;
+        }
        data_size = offset + len;
        mutex_lock(&ubi->buf_mutex);
@@ -592,8 +596,10 @@ retry:
        /* Read everything before the area where the write failure happened */
        if (offset > 0) {
                err = ubi_io_read_data(ubi, ubi->peb_buf, pnum, 0, offset);
-                if (err && err != UBI_IO_BITFLIPS)
+                if (err && err != UBI_IO_BITFLIPS) {
+                        up_read(&ubi->fm_sem);
                        goto out_unlock;
+                }
        }
        memcpy(ubi->peb_buf + offset, buf, len);
@@ -601,13 +607,13 @@ retry:
        err = ubi_io_write_data(ubi, ubi->peb_buf, new_pnum, 0, data_size);
        if (err) {
                mutex_unlock(&ubi->buf_mutex);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
        mutex_unlock(&ubi->buf_mutex);
        ubi_free_vid_hdr(ubi, vid_hdr);
-        down_read(&ubi->fm_sem);
        vol->eba_tbl[lnum] = new_pnum;
        up_read(&ubi->fm_sem);
        ubi_wl_put_peb(ubi, vol_id, lnum, pnum, 1);
@@ -704,6 +710,7 @@ retry:
        if (pnum < 0) {
                ubi_free_vid_hdr(ubi, vid_hdr);
                leb_write_unlock(ubi, vol_id, lnum);
+                up_read(&ubi->fm_sem);
                return pnum;
        }
@@ -714,6 +721,7 @@ retry:
        if (err) {
                ubi_warn(ubi, "failed to write VID header to LEB %d:%d, PEB %d",
                         vol_id, lnum, pnum);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
@@ -722,11 +730,11 @@ retry:
                if (err) {
                        ubi_warn(ubi, "failed to write %d bytes at offset %d of LEB %d:%d, PEB %d",
                                 len, offset, vol_id, lnum, pnum);
+                        up_read(&ubi->fm_sem);
                        goto write_error;
                }
        }
-        down_read(&ubi->fm_sem);
        vol->eba_tbl[lnum] = pnum;
        up_read(&ubi->fm_sem);
@@ -825,6 +833,7 @@ retry:
        if (pnum < 0) {
                ubi_free_vid_hdr(ubi, vid_hdr);
                leb_write_unlock(ubi, vol_id, lnum);
+                up_read(&ubi->fm_sem);
                return pnum;
        }
@@ -835,6 +844,7 @@ retry:
        if (err) {
                ubi_warn(ubi, "failed to write VID header to LEB %d:%d, PEB %d",
                         vol_id, lnum, pnum);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
@@ -842,11 +852,11 @@ retry:
        if (err) {
                ubi_warn(ubi, "failed to write %d bytes of data to PEB %d",
                         len, pnum);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
        ubi_assert(vol->eba_tbl[lnum] < 0);
-        down_read(&ubi->fm_sem);
        vol->eba_tbl[lnum] = pnum;
        up_read(&ubi->fm_sem);
@@ -943,6 +953,7 @@ retry:
        pnum = ubi_wl_get_peb(ubi);
        if (pnum < 0) {
                err = pnum;
+                up_read(&ubi->fm_sem);
                goto out_leb_unlock;
        }
@@ -953,6 +964,7 @@ retry:
        if (err) {
                ubi_warn(ubi, "failed to write VID header to LEB %d:%d, PEB %d",
                         vol_id, lnum, pnum);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
@@ -960,10 +972,10 @@ retry:
        if (err) {
                ubi_warn(ubi, "failed to write %d bytes of data to PEB %d",
                         len, pnum);
+                up_read(&ubi->fm_sem);
                goto write_error;
        }
-        down_read(&ubi->fm_sem);
        old_pnum = vol->eba_tbl[lnum];
        vol->eba_tbl[lnum] = pnum;
        up_read(&ubi->fm_sem);
author	Richard Weinberger <richard@nod.at>	2014-11-10 10:27:10 -0500
committer	Richard Weinberger <richard@nod.at>	2015-03-26 17:46:01 -0400
commit	8fb2a514780eee48602424a86e3cd72d3f1bdfb2 (patch)
tree	2c5c3bced155af20a7a27a2b368bc7c1df5586fa /drivers/mtd/ubi/eba.c
parent	ad3d6a05ee45eebf68ff08da0d3f86251b530a27 (diff)