From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Thomas Betker <thomas.betker@freenet.de>,
Thomas Betker <thomas.betker@rohde-schwarz.com>,
Joakim Tjernlund <Joakim.Tjernlund@transmode.se>,
Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
Subject: [ 51/89] jffs2: Fix lock acquisition order bug in jffs2_write_begin
Date: Mon, 03 Dec 2012 14:32:37 +0000 [thread overview]
Message-ID: <20121203143154.623890415@decadent.org.uk> (raw)
In-Reply-To: <20121203143146.549859007@decadent.org.uk>
3.2-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Betker <thomas.betker@freenet.de>
commit 5ffd3412ae5536a4c57469cb8ea31887121dcb2e upstream.
jffs2_write_begin() first acquires the page lock, then f->sem. This
causes an AB-BA deadlock with jffs2_garbage_collect_live(), which first
acquires f->sem, then the page lock:
jffs2_garbage_collect_live
mutex_lock(&f->sem) (A)
jffs2_garbage_collect_dnode
jffs2_gc_fetch_page
read_cache_page_async
do_read_cache_page
lock_page(page) (B)
jffs2_write_begin
grab_cache_page_write_begin
find_lock_page
lock_page(page) (B)
mutex_lock(&f->sem) (A)
We fix this by restructuring jffs2_write_begin() to take f->sem before
the page lock. However, we make sure that f->sem is not held when
calling jffs2_reserve_space(), as this is not permitted by the locking
rules.
The deadlock above was observed multiple times on an SoC with a dual
ARMv7 (Cortex-A9), running the long-term 3.4.11 kernel; it occurred
when using scp to copy files from a host system to the ARM target
system. The fix was heavily tested on the same target system.
Signed-off-by: Thomas Betker <thomas.betker@rohde-schwarz.com>
Acked-by: Joakim Tjernlund <Joakim.Tjernlund@transmode.se>
Signed-off-by: Artem Bityutskiy <artem.bityutskiy@linux.intel.com>
[bwh: Backported to 3.2:
- Adjust context
- Use D1(printk(KERN_DEBUG ...)) instead of jffs2_dbg(1, ...)]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
fs/jffs2/file.c | 39 +++++++++++++++++++++------------------
1 file changed, 21 insertions(+), 18 deletions(-)
--- a/fs/jffs2/file.c
+++ b/fs/jffs2/file.c
@@ -135,33 +135,39 @@ static int jffs2_write_begin(struct file
struct page *pg;
struct inode *inode = mapping->host;
struct jffs2_inode_info *f = JFFS2_INODE_INFO(inode);
+ struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
+ struct jffs2_raw_inode ri;
+ uint32_t alloc_len = 0;
pgoff_t index = pos >> PAGE_CACHE_SHIFT;
uint32_t pageofs = index << PAGE_CACHE_SHIFT;
int ret = 0;
+ D1(printk(KERN_DEBUG "%s()\n", __func__));
+
+ if (pageofs > inode->i_size) {
+ ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
+ ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
+ if (ret)
+ return ret;
+ }
+
+ mutex_lock(&f->sem);
pg = grab_cache_page_write_begin(mapping, index, flags);
- if (!pg)
+ if (!pg) {
+ if (alloc_len)
+ jffs2_complete_reservation(c);
+ mutex_unlock(&f->sem);
return -ENOMEM;
+ }
*pagep = pg;
- D1(printk(KERN_DEBUG "jffs2_write_begin()\n"));
-
- if (pageofs > inode->i_size) {
+ if (alloc_len) {
/* Make new hole frag from old EOF to new page */
- struct jffs2_sb_info *c = JFFS2_SB_INFO(inode->i_sb);
- struct jffs2_raw_inode ri;
struct jffs2_full_dnode *fn;
- uint32_t alloc_len;
D1(printk(KERN_DEBUG "Writing new hole frag 0x%x-0x%x between current EOF and new page\n",
(unsigned int)inode->i_size, pageofs));
- ret = jffs2_reserve_space(c, sizeof(ri), &alloc_len,
- ALLOC_NORMAL, JFFS2_SUMMARY_INODE_SIZE);
- if (ret)
- goto out_page;
-
- mutex_lock(&f->sem);
memset(&ri, 0, sizeof(ri));
ri.magic = cpu_to_je16(JFFS2_MAGIC_BITMASK);
@@ -188,7 +194,6 @@ static int jffs2_write_begin(struct file
if (IS_ERR(fn)) {
ret = PTR_ERR(fn);
jffs2_complete_reservation(c);
- mutex_unlock(&f->sem);
goto out_page;
}
ret = jffs2_add_full_dnode_to_inode(c, f, fn);
@@ -202,12 +207,10 @@ static int jffs2_write_begin(struct file
jffs2_mark_node_obsolete(c, fn->raw);
jffs2_free_full_dnode(fn);
jffs2_complete_reservation(c);
- mutex_unlock(&f->sem);
goto out_page;
}
jffs2_complete_reservation(c);
inode->i_size = pageofs;
- mutex_unlock(&f->sem);
}
/*
@@ -216,18 +219,18 @@ static int jffs2_write_begin(struct file
* case of a short-copy.
*/
if (!PageUptodate(pg)) {
- mutex_lock(&f->sem);
ret = jffs2_do_readpage_nolock(inode, pg);
- mutex_unlock(&f->sem);
if (ret)
goto out_page;
}
+ mutex_unlock(&f->sem);
D1(printk(KERN_DEBUG "end write_begin(). pg->flags %lx\n", pg->flags));
return ret;
out_page:
unlock_page(pg);
page_cache_release(pg);
+ mutex_unlock(&f->sem);
return ret;
}
next prev parent reply other threads:[~2012-12-03 14:36 UTC|newest]
Thread overview: 100+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-03 14:31 [ 00/89] 3.2.35-stable review Ben Hutchings
2012-12-03 14:31 ` [ 01/89] UBIFS: introduce categorized lprops counter Ben Hutchings
2012-12-03 14:31 ` [ 02/89] UBIFS: fix mounting problems after power cuts Ben Hutchings
2012-12-03 14:31 ` [ 03/89] futex: Handle futex_pi OWNER_DIED take over correctly Ben Hutchings
2012-12-03 14:31 ` [ 04/89] mac80211: sync acccess to tx_filtered/ps_tx_buf queues Ben Hutchings
2012-12-03 14:31 ` [ 05/89] ASoC: wm8978: pll incorrectly configured when codec is master Ben Hutchings
2012-12-03 14:31 ` [ 06/89] device_cgroup: fix RCU usage Ben Hutchings
2012-12-06 19:36 ` Herton Ronaldo Krzesinski
2012-12-07 1:41 ` Ben Hutchings
2012-12-03 14:31 ` [ 07/89] ASoC: dapm: Use card_list during DAPM shutdown Ben Hutchings
2012-12-03 14:31 ` [ 08/89] s390/signal: set correct address space control Ben Hutchings
2012-12-03 14:31 ` [ 09/89] wireless: allow 40 MHz on world roaming channels 12/13 Ben Hutchings
2012-12-03 14:31 ` [ 10/89] drm/i915/sdvo: clean up connectors on intel_sdvo_init() failures Ben Hutchings
2012-12-03 14:31 ` [ 11/89] s390/gup: add missing TASK_SIZE check to get_user_pages_fast() Ben Hutchings
2012-12-03 14:31 ` [ 12/89] USB: option: add Novatel E362 and Dell Wireless 5800 USB IDs Ben Hutchings
2012-12-03 14:31 ` [ 13/89] USB: option: add Alcatel X220/X500D " Ben Hutchings
2012-12-03 14:32 ` [ 14/89] drm/radeon: fix logic error in atombios_encoders.c Ben Hutchings
2012-12-03 14:32 ` [ 15/89] ttm: Clear the ttm page allocated from high memory zone correctly Ben Hutchings
2012-12-03 14:32 ` [ 16/89] memcg: oom: fix totalpages calculation for memory.swappiness==0 Ben Hutchings
2012-12-03 14:32 ` [ 17/89] tmpfs: change final i_blocks BUG to WARNING Ben Hutchings
2012-12-03 14:32 ` [ 18/89] x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping Ben Hutchings
2012-12-03 14:32 ` [ 19/89] x86, mm: Find_early_table_space based on ranges that are actually being mapped Ben Hutchings
2012-12-03 14:32 ` [ 20/89] x86, mm: Undo incorrect revert in arch/x86/mm/init.c Ben Hutchings
2012-12-03 14:32 ` [ 21/89] netfilter: Mark SYN/ACK packets as invalid from original direction Ben Hutchings
2012-12-03 14:32 ` [ 22/89] netfilter: Validate the sequence number of dataless ACK packets as well Ben Hutchings
2012-12-03 14:32 ` [ 23/89] netfilter: nf_nat: dont check for port change on ICMP tuples Ben Hutchings
2012-12-03 14:32 ` [ 24/89] ipv4: avoid undefined behavior in do_ip_setsockopt() Ben Hutchings
2012-12-03 14:32 ` [ 25/89] ipv6: setsockopt(IPIPPROTO_IPV6, IPV6_MINHOPCOUNT) forgot to set return value Ben Hutchings
2012-12-03 14:32 ` [ 26/89] net: correct check in dev_addr_del() Ben Hutchings
2012-12-03 14:32 ` [ 27/89] net-rps: Fix brokeness causing OOO packets Ben Hutchings
2012-12-03 14:32 ` [ 28/89] usb: use usb_serial_put in usb_serial_probe errors Ben Hutchings
2012-12-03 14:32 ` [ 29/89] PCI : Calculate right add_size Ben Hutchings
2012-12-03 14:32 ` [ 30/89] Input: i8042 - also perform controller reset when suspending Ben Hutchings
2012-12-03 14:32 ` [ 31/89] ixgbe: add support for new 82599 device id Ben Hutchings
2012-12-03 14:32 ` [ 32/89] ixgbe: add support for X540-AT1 Ben Hutchings
2012-12-03 14:32 ` [ 33/89] drm/i915: Check VBIOS value for determining LVDS dual channel mode, too Ben Hutchings
2012-12-03 14:32 ` [ 34/89] get_dvb_firmware: fix download site for tda10046 firmware Ben Hutchings
2012-12-03 14:32 ` [ 35/89] m68k: fix sigset_t accessor functions Ben Hutchings
2012-12-03 14:32 ` [ 36/89] HID: add quirk for Freescale i.MX28 ROM recovery Ben Hutchings
2012-12-03 14:32 ` [ 37/89] brcm80211: smac: only print block-ack timeout message at trace level Ben Hutchings
2012-12-03 14:32 ` [ 38/89] bas_gigaset: fix pre_reset handling Ben Hutchings
2012-12-03 14:32 ` [ 39/89] GFS2: Test bufdata with buffer locked and gfs2_log_lock held Ben Hutchings
2012-12-03 14:32 ` [ 40/89] ptp: update adjfreq callback description Ben Hutchings
2012-12-03 14:32 ` [ 41/89] watchdog: iTCO_wdt: add Intel Lynx Point DeviceIDs Ben Hutchings
2012-12-03 14:32 ` [ 42/89] acer-wmi: support for P key on TM8372 Ben Hutchings
2012-12-03 14:32 ` [ 43/89] xhci: Remove warnings about MSI and MSI-X capabilities Ben Hutchings
2012-12-03 14:32 ` [ 44/89] xhci: Remove scary warnings about transfer issues Ben Hutchings
2012-12-03 14:32 ` [ 45/89] x86, mce, therm_throt: Dont report power limit and package level thermal throttle events in mcelog Ben Hutchings
2012-12-03 14:32 ` [ 46/89] Input: bcm5974 - set BUTTONPAD property Ben Hutchings
2012-12-03 14:32 ` [ 47/89] watchdog: using u64 in get_sample_period() Ben Hutchings
2012-12-03 14:32 ` [ 48/89] x86, amd: Disable way access filter on Piledriver CPUs Ben Hutchings
2012-12-03 14:32 ` [ 49/89] mtd: ofpart: Fix incorrect NULL check in parse_ofoldpart_partitions() Ben Hutchings
2012-12-03 14:32 ` [ 50/89] mtd: slram: invalid checking of absolute end address Ben Hutchings
2012-12-03 14:32 ` Ben Hutchings [this message]
2012-12-03 14:32 ` [ 52/89] [SCSI] isci: copy fis 0x34 response into proper buffer Ben Hutchings
2012-12-03 14:32 ` [ 53/89] mac80211: deinitialize ibss-internals after emptiness check Ben Hutchings
2012-12-03 14:32 ` [ 54/89] [PARISC] fix virtual aliasing issue in get_shared_area() Ben Hutchings
2012-12-03 14:32 ` [ 55/89] rtlwifi: rtl8192cu: Add new USB ID Ben Hutchings
2012-12-03 14:32 ` [ 56/89] mwifiex: fix system hang issue in cmd timeout error case Ben Hutchings
2012-12-03 14:32 ` [ 57/89] mwifiex: report error to MMC core if we cannot suspend Ben Hutchings
2012-12-03 14:32 ` [ 58/89] xfs: drop buffer io reference when a bad bio is built Ben Hutchings
2012-12-03 14:32 ` [ 59/89] ALSA: ua101, usx2y: fix broken MIDI output Ben Hutchings
2012-12-03 14:32 ` [ 60/89] sparc64: not any error from do_sigaltstack() should fail rt_sigreturn() Ben Hutchings
2012-12-03 14:32 ` [ 61/89] reiserfs: Fix lock ordering during remount Ben Hutchings
2012-12-03 14:32 ` [ 62/89] reiserfs: Protect reiserfs_quota_on() with write lock Ben Hutchings
2012-12-03 14:32 ` [ 63/89] reiserfs: Protect reiserfs_quota_write() " Ben Hutchings
2012-12-03 14:32 ` [ 64/89] reiserfs: Move quota calls out of " Ben Hutchings
2012-12-03 14:32 ` [ 65/89] md: Reassigned the parameters if read_seqretry returned true in func md_is_badblock Ben Hutchings
2012-12-03 14:32 ` [ 66/89] md: Avoid write invalid address if read_seqretry returned true Ben Hutchings
2012-12-03 14:32 ` [ 67/89] drm/radeon: properly track the crtc not_enabled case evergreen_mc_stop() Ben Hutchings
2012-12-03 15:24 ` Josh Boyer
2012-12-03 15:35 ` Deucher, Alexander
2012-12-03 23:26 ` Josh Boyer
2012-12-03 23:40 ` Deucher, Alexander
2012-12-04 14:35 ` Josh Boyer
2012-12-06 18:14 ` Greg KH
2012-12-09 23:25 ` Ben Hutchings
2012-12-03 14:32 ` [ 68/89] radeon: add AGPMode 1 quirk for RV250 Ben Hutchings
2012-12-03 14:32 ` [ 69/89] x86-32: Fix invalid stack address while in softirq Ben Hutchings
2012-12-03 14:32 ` [ 70/89] x86-32: Export kernel_stack_pointer() for modules Ben Hutchings
2012-12-03 14:32 ` [ 71/89] x86, microcode, AMD: Add support for family 16h processors Ben Hutchings
2012-12-03 14:32 ` [ 72/89] ALSA: hda - Add new codec ALC283 ALC290 support Ben Hutchings
2012-12-03 14:32 ` [ 73/89] ALSA: hda - Add support for Realtek ALC292 Ben Hutchings
2012-12-03 14:33 ` [ 74/89] selinux: fix sel_netnode_insert() suspicious rcu dereference Ben Hutchings
2012-12-03 14:33 ` [ 75/89] Dove: Attempt to fix PMU/RTC interrupts Ben Hutchings
2012-12-03 14:33 ` [ 76/89] Dove: Fix irq_to_pmu() Ben Hutchings
2012-12-03 14:33 ` [ 77/89] ARM: Kirkwood: Update PCI-E fixup Ben Hutchings
2012-12-03 14:33 ` [ 78/89] [PARISC] fix user-triggerable panic on parisc Ben Hutchings
2012-12-03 14:33 ` [ 79/89] dm: fix deadlock with request based dm and queue request_fn recursion Ben Hutchings
2012-12-03 14:33 ` [ 80/89] block: Dont access request after it might be freed Ben Hutchings
2012-12-03 14:33 ` [ 81/89] jbd: Fix lock ordering bug in journal_unmap_buffer() Ben Hutchings
2012-12-03 14:33 ` [ 82/89] can: bcm: initialize ifindex for timeouts without previous frame reception Ben Hutchings
2012-12-03 14:33 ` [ 83/89] futex: avoid wake_futex() for a PI futex_q Ben Hutchings
2012-12-03 14:33 ` [ 84/89] mm/vmemmap: fix wrong use of virt_to_page Ben Hutchings
2012-12-03 14:33 ` [ 85/89] mm: vmscan: fix endless loop in kswapd balancing Ben Hutchings
2012-12-03 14:33 ` [ 86/89] mm: soft offline: split thp at the beginning of soft_offline_page() Ben Hutchings
2012-12-03 14:33 ` [ 87/89] workqueue: exit rescuer_thread() as TASK_RUNNING Ben Hutchings
2012-12-03 14:33 ` [ 88/89] intel_idle: initial IVB support Ben Hutchings
2012-12-03 14:33 ` [ 89/89] intel_idle: enable IVB Xeon support Ben Hutchings
2012-12-03 15:09 ` [ 00/89] 3.2.35-stable review Ben Hutchings
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121203143154.623890415@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=Joakim.Tjernlund@transmode.se \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=artem.bityutskiy@linux.intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=thomas.betker@freenet.de \
--cc=thomas.betker@rohde-schwarz.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).