Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d2eb8c35 authored by Jan Kara's avatar Jan Kara
Browse files

udf: Fix deadlock when converting file from in-ICB one to normal one 



During BKL removal in 2.6.38, conversion of files from in-ICB format to normal
format got broken. We call ->writepage with i_data_sem held but udf_get_block()
also acquires i_data_sem thus creating A-A deadlock.

We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().

CC: stable@kernel.org
Reported-by: default avatarMatthias Matiak <netzpython@mail-on.us>
Tested-by: default avatarMatthias Matiak <netzpython@mail-on.us>
Reviewed-by: default avatarNamjae Jeon <linkinjeon@gmail.com>
Signed-off-by: default avatarJan Kara <jack@suse.cz>
parent 7b0b0933

fs/udf/file.c

+3 −3
Original line number Diff line number Diff line
@@ -125,7 +125,6 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, 
			err = udf_expand_file_adinicb(inode);

			if (err) {

				udf_debug("udf_expand_adinicb: err=%d\n", err);

				up_write(&iinfo->i_data_sem);

				return err;

			}

		} else {
@@ -133,8 +132,9 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov, 
				iinfo->i_lenAlloc = pos + count;

			else

				iinfo->i_lenAlloc = inode->i_size;

			up_write(&iinfo->i_data_sem);

		}

	}

	} else

		up_write(&iinfo->i_data_sem);



	retval = generic_file_aio_write(iocb, iov, nr_segs, ppos);

fs/udf/inode.c

+18 −3
Original line number Diff line number Diff line
@@ -150,6 +150,12 @@ const struct address_space_operations udf_aops = { 
	.bmap		= udf_bmap,

};



/*

 * Expand file stored in ICB to a normal one-block-file

 *

 * This function requires i_data_sem for writing and releases it.

 * This function requires i_mutex held

 */

int udf_expand_file_adinicb(struct inode *inode)

{

	struct page *page;
@@ -168,9 +174,15 @@ int udf_expand_file_adinicb(struct inode *inode) 
			iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;

		/* from now on we have normal address_space methods */

		inode->i_data.a_ops = &udf_aops;

		up_write(&iinfo->i_data_sem);

		mark_inode_dirty(inode);

		return 0;

	}

	/*

	 * Release i_data_sem so that we can lock a page - page lock ranks

	 * above i_data_sem. i_mutex still protects us against file changes.

	 */

	up_write(&iinfo->i_data_sem);



	page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS);

	if (!page)
@@ -186,6 +198,7 @@ int udf_expand_file_adinicb(struct inode *inode) 
		SetPageUptodate(page);

		kunmap(page);

	}

	down_write(&iinfo->i_data_sem);

	memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00,

	       iinfo->i_lenAlloc);

	iinfo->i_lenAlloc = 0;
@@ -195,17 +208,20 @@ int udf_expand_file_adinicb(struct inode *inode) 
		iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;

	/* from now on we have normal address_space methods */

	inode->i_data.a_ops = &udf_aops;

	up_write(&iinfo->i_data_sem);

	err = inode->i_data.a_ops->writepage(page, &udf_wbc);

	if (err) {

		/* Restore everything back so that we don't lose data... */

		lock_page(page);

		kaddr = kmap(page);

		down_write(&iinfo->i_data_sem);

		memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr,

		       inode->i_size);

		kunmap(page);

		unlock_page(page);

		iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;

		inode->i_data.a_ops = &udf_adinicb_aops;

		up_write(&iinfo->i_data_sem);

	}

	page_cache_release(page);

	mark_inode_dirty(inode);
@@ -1105,10 +1121,9 @@ int udf_setsize(struct inode *inode, loff_t newsize) 
			if (bsize <

			    (udf_file_entry_alloc_offset(inode) + newsize)) {

				err = udf_expand_file_adinicb(inode);

				if (err) {

					up_write(&iinfo->i_data_sem);

				if (err)

					return err;

				}

				down_write(&iinfo->i_data_sem);

			} else

				iinfo->i_lenAlloc = newsize;

		}