From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
Theodore Ts'o <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, Eric Sandeen <sandeen@redhat.com>,
linux-ext4@vger.kernel.org, Greg Kroah-Hartman <gregkh@suse.de>
Subject: [patch 41/60] ext4: fix bb_prealloc_list corruption due to wrong group locking
Date: Tue, 09 Jun 2009 17:14:09 -0700
Message-ID: <20090610002349.130372706@blue.kroah.org>
In-Reply-To: <20090610032135.GA19346@kroah.com>
[-- Attachment #1: ext4-fix-bb_prealloc_list-corruption-due-to-wrong-group-locking.patch --]
[-- Type: text/plain, Size: 2448 bytes --]
-stable review patch. If anyone has any objections, please let us know.
------------------
From: Eric Sandeen <sandeen@redhat.com>
(cherry-picked from commit d33a1976fbee1ee321d6f014333d8f03a39d526c)

This is for Red Hat bug 490026: EXT4 panic, list corruption in
ext4_mb_new_inode_pa

ext4_lock_group(sb, group) is supposed to protect this list for
each group, and a common code flow to remove an album is like
this:

	ext4_get_group_no_and_offset(sb, pa->pa_pstart, &grp, NULL);
	ext4_lock_group(sb, grp);
	list_del(&pa->pa_group_list);
	ext4_unlock_group(sb, grp);

so it's critical that we get the right group number back for
this prealloc context, to lock the right group (the one
associated with this pa) and prevent concurrent list manipulation.

however, ext4_mb_put_pa() passes in (pa->pa_pstart - 1) with a
comment, "-1 is to protect from crossing allocation group".

This makes sense for the group_pa, where pa_pstart is advanced
by the length which has been used (in ext4_mb_release_context()),
and when the entire length has been used, pa_pstart has been
advanced to the first block of the next group.

However, for inode_pa, pa_pstart is never advanced; it's just
set once to the first block in the group and not moved after
that. So in this case, if we subtract one in ext4_mb_put_pa(),
we are actually locking the *previous* group, and opening the
race with the other threads which do not subtract off the extra
block.

Signed-off-by: Eric Sandeen <sandeen@redhat.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
fs/ext4/mballoc.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3698,6 +3698,7 @@ static void ext4_mb_put_pa(struct ext4_a
struct super_block *sb, struct ext4_prealloc_space *pa)
{
unsigned long grp;
+ ext4_fsblk_t grp_blk;
if (!atomic_dec_and_test(&pa->pa_count) || pa->pa_free != 0)
return;
@@ -3712,8 +3713,12 @@ static void ext4_mb_put_pa(struct ext4_a
pa->pa_deleted = 1;
spin_unlock(&pa->pa_lock);
- /* -1 is to protect from crossing allocation group */
- ext4_get_group_no_and_offset(sb, pa->pa_pstart - 1, &grp, NULL);
+ grp_blk = pa->pa_pstart;
+ /* If linear, pa_pstart may be in the next group when pa is used up */
+ if (pa->pa_linear)
+ grp_blk--;
+
+ ext4_get_group_no_and_offset(sb, grp_blk, &grp, NULL);
/*
* possible race:
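Review bot: the new comment above `if (pa->pa_linear)` records only why the linear case steps back one block; it does not say why the other case must not, which is the actual bug being fixed. A short remark beside `grp_blk = pa->pa_pstart;` that an inode pa's pa_pstart is never advanced, and so already lies in the group whose lock protects its list entry, would keep the removed "-1 is to protect from crossing allocation group" reasoning from being reapplied to both kinds later. Separately, `pa->pa_pstart` and `pa->pa_linear` are now read after `spin_unlock(&pa->pa_lock)`; with `pa->pa_deleted = 1` already set this looks intentional, but a word in the comment confirming that neither field changes past that point would make the lockless read easier to audit.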