tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

udf: Fix deadlock when converting file from in-ICB one to normal one

During BKL removal in 2.6.38, conversion of files from in-ICB format to normal
format got broken. We call ->writepage with i_data_sem held but udf_get_block()
also acquires i_data_sem thus creating A-A deadlock.

We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().

CC: stable@kernel.org
Reported-by: Matthias Matiak <netzpython@mail-on.us>
Tested-by: Matthias Matiak <netzpython@mail-on.us>
Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>

Jan Kara d2eb8c35 7b0b0933

+21 -6
+3 -3
fs/udf/file.c
··· 125 125 err = udf_expand_file_adinicb(inode); 126 126 if (err) { 127 127 udf_debug("udf_expand_adinicb: err=%d\n", err); 128 - up_write(&iinfo->i_data_sem); 129 128 return err; 130 129 } 131 130 } else { ··· 132 133 iinfo->i_lenAlloc = pos + count; 133 134 else 134 135 iinfo->i_lenAlloc = inode->i_size; 136 + up_write(&iinfo->i_data_sem); 135 137 } 136 - } 137 - up_write(&iinfo->i_data_sem); 138 + } else 139 + up_write(&iinfo->i_data_sem); 138 140 139 141 retval = generic_file_aio_write(iocb, iov, nr_segs, ppos); 140 142 if (retval > 0)
+18 -3
fs/udf/inode.c
··· 150 150 .bmap = udf_bmap, 151 151 }; 152 152 153 + /* 154 + * Expand file stored in ICB to a normal one-block-file 155 + * 156 + * This function requires i_data_sem for writing and releases it. 157 + * This function requires i_mutex held 158 + */ 153 159 int udf_expand_file_adinicb(struct inode *inode) 154 160 { 155 161 struct page *page; ··· 174 168 iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; 175 169 /* from now on we have normal address_space methods */ 176 170 inode->i_data.a_ops = &udf_aops; 171 + up_write(&iinfo->i_data_sem); 177 172 mark_inode_dirty(inode); 178 173 return 0; 179 174 } 175 + /* 176 + * Release i_data_sem so that we can lock a page - page lock ranks 177 + * above i_data_sem. i_mutex still protects us against file changes. 178 + */ 179 + up_write(&iinfo->i_data_sem); 180 180 181 181 page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS); 182 182 if (!page) ··· 198 186 SetPageUptodate(page); 199 187 kunmap(page); 200 188 } 189 + down_write(&iinfo->i_data_sem); 201 190 memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00, 202 191 iinfo->i_lenAlloc); 203 192 iinfo->i_lenAlloc = 0; ··· 208 195 iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG; 209 196 /* from now on we have normal address_space methods */ 210 197 inode->i_data.a_ops = &udf_aops; 198 + up_write(&iinfo->i_data_sem); 211 199 err = inode->i_data.a_ops->writepage(page, &udf_wbc); 212 200 if (err) { 213 201 /* Restore everything back so that we don't lose data... */ 214 202 lock_page(page); 215 203 kaddr = kmap(page); 204 + down_write(&iinfo->i_data_sem); 216 205 memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr, 217 206 inode->i_size); 218 207 kunmap(page); 219 208 unlock_page(page); 220 209 iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB; 221 210 inode->i_data.a_ops = &udf_adinicb_aops; 211 + up_write(&iinfo->i_data_sem); 222 212 } 223 213 page_cache_release(page); 224 214 mark_inode_dirty(inode); ··· 1121 1105 if (bsize < 1122 1106 (udf_file_entry_alloc_offset(inode) + newsize)) { 1123 1107 err = udf_expand_file_adinicb(inode); 1124 - if (err) { 1125 - up_write(&iinfo->i_data_sem); 1108 + if (err) 1126 1109 return err; 1127 - } 1110 + down_write(&iinfo->i_data_sem); 1128 1111 } else 1129 1112 iinfo->i_lenAlloc = newsize; 1130 1113 }