Message ID | 158810566883.1168184.8679527126430822408.stgit@warthog.procyon.org.uk |
---|---|
State | New |
Series | Fix use after free in get_tree_bdev() |
On Tue, Apr 28, 2020 at 09:27:48PM +0100, David Howells wrote: > Commit 6fcf0c72e4b9, a fix to get_tree_bdev() put a missing blkdev_put() in > the wrong place, before a warnf() that displays the bdev under > consideration rather after it. > > This results in a silent lockup in printk("%pg") called via warnf() from > get_tree_bdev() under some circumstances when there's a race with the > blockdev being frozen. This can be caused by xfstests/tests/generic/085 in > combination with Lukas Czerner's ext4 mount API conversion patchset. It > looks like it ought to occur with other users of get_tree_bdev() such as > XFS, but apparently doesn't. > > Fix this by switching the order of the lines. This fixes the problem I was seeing. Thanks David. Reviewed-by: Lukas Czerner <lczerner@redhat.com> > > Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()") > Reported-by: Lukas Czerner <lczerner@redhat.com> > Signed-off-by: David Howells <dhowells@redhat.com> > cc: Ian Kent <raven@themaw.net> > cc: Al Viro <viro@zeniv.linux.org.uk> > --- > > fs/super.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/super.c b/fs/super.c > index cd352530eca9..a288cd60d2ae 100644 > --- a/fs/super.c > +++ b/fs/super.c > @@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc, > mutex_lock(&bdev->bd_fsfreeze_mutex); > if (bdev->bd_fsfreeze_count > 0) { > mutex_unlock(&bdev->bd_fsfreeze_mutex); > - blkdev_put(bdev, mode); > warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev); > + blkdev_put(bdev, mode); > return -EBUSY; > } > > >
On Tue, Apr 28, 2020 at 11:06 PM Lukas Czerner <lczerner@redhat.com> wrote:
>
> This fixes the problem I was seeing. Thanks David.
>
> Reviewed-by: Lukas Czerner <lczerner@redhat.com>

Well, it got applied as obvious before this, so the commit log won't show your testing.

Commit dd7bc8158b41 ("Fix use after free in get_tree_bdev()") in case anybody cares. Didn't make -rc3, but will be in -rc4.

Linus
diff --git a/fs/super.c b/fs/super.c index cd352530eca9..a288cd60d2ae 100644 --- a/fs/super.c +++ b/fs/super.c @@ -1302,8 +1302,8 @@ int get_tree_bdev(struct fs_context *fc, mutex_lock(&bdev->bd_fsfreeze_mutex); if (bdev->bd_fsfreeze_count > 0) { mutex_unlock(&bdev->bd_fsfreeze_mutex); - blkdev_put(bdev, mode); warnf(fc, "%pg: Can't mount, blockdev is frozen", bdev); + blkdev_put(bdev, mode); return -EBUSY; }
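Review bot: In the frozen-blockdev branch of get_tree_bdev(), nothing in the code records that the warnf() has to run before blkdev_put(), because "%pg" dereferences bdev while formatting the message. The earlier fix 6fcf0c72e4b9 put the blkdev_put() ahead of the warnf(), so a one-line comment above the warnf() saying that bdev must still be held while it is printed would guard against the same reordering in a later cleanup. The subject calls this a use after free while the description reports a silent lockup in printk("%pg"); stating in the log that the lockup is the observed symptom of touching bdev after its reference was dropped would connect the two for anyone triaging the fix for backport.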
Commit 6fcf0c72e4b9, a fix to get_tree_bdev() put a missing blkdev_put() in the wrong place, before a warnf() that displays the bdev under consideration rather than after it.

This results in a silent lockup in printk("%pg") called via warnf() from get_tree_bdev() under some circumstances when there's a race with the blockdev being frozen. This can be caused by xfstests/tests/generic/085 in combination with Lukas Czerner's ext4 mount API conversion patchset. It looks like it ought to occur with other users of get_tree_bdev() such as XFS, but apparently doesn't.

Fix this by switching the order of the lines.

Fixes: 6fcf0c72e4b9 ("vfs: add missing blkdev_put() in get_tree_bdev()")
Reported-by: Lukas Czerner <lczerner@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Ian Kent <raven@themaw.net>
cc: Al Viro <viro@zeniv.linux.org.uk>
---

 fs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)