tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

block: fix refcounting in BLKBSZSET

Adam Kovari and others reported that disconnecting an USB drive with
an ntfs-3g filesystem would cause "kernel BUG at fs/inode.c:1421!" to
be triggered.

The BUG could be traced back to ioctl(BLKBSZSET), which would
erroneously decrement the refcount on the bdev. This is because
blkdev_get() expects the refcount to be already incremented and either
returns success or decrements the refcount and returns an error.

The bug was introduced by e525fd89 (block: make blkdev_get/put()
handle exclusive access), which didn't take into account this behavior
of blkdev_get().

This fixes
https://bugzilla.kernel.org/show_bug.cgi?id=29202
(and likely 29792 too)

Reported-by: Adam Kovari <kovariadam@gmail.com>
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Miklos Szeredi and committed by Linus Torvalds 3c522ced dcace5ac

+5 -3
unified split
+5 -3
block/ioctl.c
··· 294 294 return -EINVAL; 295 295 if (get_user(n, (int __user *) arg)) 296 296 return -EFAULT; 297 - if (!(mode & FMODE_EXCL) && 298 - blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0) 299 - return -EBUSY; 297 + if (!(mode & FMODE_EXCL)) { 298 + bdgrab(bdev); 299 + if (blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0) 300 + return -EBUSY; 301 + } 300 302 ret = set_blocksize(bdev, n); 301 303 if (!(mode & FMODE_EXCL)) 302 304 blkdev_put(bdev, mode | FMODE_EXCL);