[PATCH 1/2] fs/super.c: fix race between freeze_super() and thaw_super()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Oleg Nesterov <oleg@redhat.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dave Chinner <david@fromorbit.com>, Jan Kara <jack@suse.cz>,
	Nikolay Borisov <kernel@kyup.com>,
	"Paul E. McKenney" <paulmck@linux.vnet.ibm.com>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] fs/super.c: fix race between freeze_super() and thaw_super()
Date: Mon, 26 Sep 2016 18:07:48 +0200	[thread overview]
Message-ID: <20160926160748.GA6748@redhat.com> (raw)
In-Reply-To: <20160926160724.GA6739@redhat.com>

Change thaw_super() to check frozen != SB_FREEZE_COMPLETE rather than
frozen == SB_UNFROZEN, otherwise it can race with freeze_super() which
drops sb->s_umount after SB_FREEZE_WRITE to preserve the lock ordering.

In this case thaw_super() will wrongly call s_op->unfreeze_fs() before
it was actually frozen, and call sb_freeze_unlock() which leads to the
unbalanced percpu_up_write(). Unfortunately lockdep can't detect this,
so this triggers misc BUG_ON()'s in kernel/rcu/sync.c.

Reported-and-tested-by: Nikolay Borisov <kernel@kyup.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Cc: stable@vger.kernel.org
---
 fs/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/super.c b/fs/super.c
index d78b984..2549896c 100644
--- a/fs/super.c
+++ b/fs/super.c
@@ -1324,8 +1324,8 @@ int freeze_super(struct super_block *sb)
 		}
 	}
 	/*
-	 * This is just for debugging purposes so that fs can warn if it
-	 * sees write activity when frozen is set to SB_FREEZE_COMPLETE.
+	 * For debugging purposes so that fs can warn if it sees write activity
+	 * when frozen is set to SB_FREEZE_COMPLETE, and for thaw_super().
 	 */
 	sb->s_writers.frozen = SB_FREEZE_COMPLETE;
 	up_write(&sb->s_umount);
@@ -1344,7 +1344,7 @@ int thaw_super(struct super_block *sb)
 	int error;
 
 	down_write(&sb->s_umount);
-	if (sb->s_writers.frozen == SB_UNFROZEN) {
+	if (sb->s_writers.frozen != SB_FREEZE_COMPLETE) {
 		up_write(&sb->s_umount);
 		return -EINVAL;
 	}
-- 
2.5.0

next prev parent reply	other threads:[~2016-09-26 16:07 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2016-09-26 16:07 [PATCH 0/2] (Was: BUG_ON in rcu_sync_func triggered) Oleg Nesterov
2016-09-26 16:07 ` Oleg Nesterov [this message]
2016-09-26 16:11   ` [PATCH 1/2] fs/super.c: fix race between freeze_super() and thaw_super() Jan Kara
2016-09-26 16:08 ` [PATCH 2/2] fs/super.c: don't fool lockdep in freeze_super() and thaw_super() paths Oleg Nesterov
2016-09-26 16:18   ` Jan Kara
2016-09-26 16:55     ` [PATCH V2 " Oleg Nesterov
2016-09-27  6:51       ` Jan Kara
2016-09-27  7:14         ` Dave Chinner
2016-09-27 17:29         ` Oleg Nesterov
2016-09-30 17:14           ` Oleg Nesterov
2016-10-02 21:42             ` Dave Chinner
2016-10-03 16:44               ` Oleg Nesterov
2016-10-04 11:43                 ` Oleg Nesterov
2016-10-04 11:48                   ` Michal Hocko
2016-10-06 13:44                     ` Johannes Weiner
2016-10-07 16:52                       ` Oleg Nesterov
2016-10-04 16:58                   ` Oleg Nesterov
2016-10-04 20:03                     ` Dave Chinner
2016-10-05 16:33                       ` Oleg Nesterov
2016-10-04 19:44                   ` Dave Chinner
2016-10-05 16:44                     ` Oleg Nesterov
2016-10-06  7:27                       ` Jan Kara
2016-10-06 17:17                       ` Oleg Nesterov
2016-10-06 21:59                         ` Dave Chinner
2016-10-07 17:15                           ` Oleg Nesterov
2016-10-07 22:52                             ` Dave Chinner
2016-10-09 16:14                               ` Oleg Nesterov
2016-10-10  1:02                                 ` Dave Chinner
2016-10-13 16:58                                   ` Oleg Nesterov
2016-10-13 17:10 ` [PATCH 0/2] (Was: BUG_ON in rcu_sync_func triggered) Oleg Nesterov

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:d78b984 dfblob:2549896 )
 OR (
bs:"[PATCH 1/2] fs/super.c: fix race between freeze_super() and thaw_super()" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20160926160748.GA6748@redhat.com \
    --to=oleg@redhat.com \
    --cc=david@fromorbit.com \
    --cc=jack@suse.cz \
    --cc=kernel@kyup.com \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=paulmck@linux.vnet.ibm.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.