tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

nilfs2: fix timing issue between rmcp and chcp ioctls

The checkpoint deletion ioctl (rmcp ioctl) has potential for breaking
snapshot because it is not fully exclusive with checkpoint mode change
ioctl (chcp ioctl).

The rmcp ioctl first tests if the specified checkpoint is a snapshot or
not within nilfs_cpfile_delete_checkpoint function, and then calls
nilfs_cpfile_delete_checkpoints function to actually invalidate the
checkpoint only if it's not a snapshot. However, the checkpoint can be
changed into a snapshot by the chcp ioctl between these two operations.
In that case, calling nilfs_cpfile_delete_checkpoints() wrongly
invalidates the snapshot, which leads to snapshot list corruption and
snapshot count mismatch.

This fixes the issue by changing nilfs_cpfile_delete_checkpoints() so
that it reconfirms the target checkpoints are snapshot or not.

This second check is exclusive with the chcp operation since it is
protected by an existing semaphore.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

Ryusuke Konishi and committed by
Linus Torvalds fe0627e7 278038ac

+7 -3
+7 -3
fs/nilfs2/cpfile.c
··· 286 286 __u64 cno; 287 287 void *kaddr; 288 288 unsigned long tnicps; 289 - int ret, ncps, nicps, count, i; 289 + int ret, ncps, nicps, nss, count, i; 290 290 291 291 if (unlikely(start == 0 || start > end)) { 292 292 printk(KERN_ERR "%s: invalid range of checkpoint numbers: " ··· 301 301 if (ret < 0) 302 302 goto out_sem; 303 303 tnicps = 0; 304 + nss = 0; 304 305 305 306 for (cno = start; cno < end; cno += ncps) { 306 307 ncps = nilfs_cpfile_checkpoints_in_block(cpfile, cno, end); ··· 319 318 cpfile, cno, cp_bh, kaddr); 320 319 nicps = 0; 321 320 for (i = 0; i < ncps; i++, cp = (void *)cp + cpsz) { 322 - WARN_ON(nilfs_checkpoint_snapshot(cp)); 323 - if (!nilfs_checkpoint_invalid(cp)) { 321 + if (nilfs_checkpoint_snapshot(cp)) { 322 + nss++; 323 + } else if (!nilfs_checkpoint_invalid(cp)) { 324 324 nilfs_checkpoint_set_invalid(cp); 325 325 nicps++; 326 326 } ··· 366 364 } 367 365 368 366 brelse(header_bh); 367 + if (nss > 0) 368 + ret = -EBUSY; 369 369 370 370 out_sem: 371 371 up_write(&NILFS_MDT(cpfile)->mi_sem);