[PATCH] udf: Fix deadlock when converting file from in-ICB one to normal one

[PATCH] udf: Fix deadlock when converting file from in-ICB one to normal one

[Jan Kara]

During BKL removal, conversion of files from in-ICB format to normal format got
broken. We call ->writepage with i_data_sem held but udf_get_block() also
acquires i_data_sem thus creating A-A deadlock.

We fix the problem by dropping i_data_sem before calling ->writepage() which is
safe since i_mutex still protects us against any changes in the file. Also fix
pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
i_data_sem before calling find_or_create_page().

Reported-by: Matthias Matiak <netzpython@mail-on.us>
Signed-off-by: Jan Kara <jack@suse.cz>
---
 fs/udf/file.c  |    6 +++---
 fs/udf/inode.c |   20 +++++++++++++++++---
 2 files changed, 20 insertions(+), 6 deletions(-)

 I plan to merge this fix through my tree soon.

diff --git a/fs/udf/file.c b/fs/udf/file.c
index d8ffa7c..dca0c38 100644
--- a/fs/udf/file.c
+++ b/fs/udf/file.c
@@ -125,7 +125,6 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
 			err = udf_expand_file_adinicb(inode);
 			if (err) {
 				udf_debug("udf_expand_adinicb: err=%d\n", err);
-				up_write(&iinfo->i_data_sem);
 				return err;
 			}
 		} else {
@@ -133,9 +132,10 @@ static ssize_t udf_file_aio_write(struct kiocb *iocb, const struct iovec *iov,
 				iinfo->i_lenAlloc = pos + count;
 			else
 				iinfo->i_lenAlloc = inode->i_size;
+			up_write(&iinfo->i_data_sem);
 		}
-	}
-	up_write(&iinfo->i_data_sem);
+	} else
+		up_write(&iinfo->i_data_sem);
 
 	retval = generic_file_aio_write(iocb, iov, nr_segs, ppos);
 	if (retval > 0)
diff --git a/fs/udf/inode.c b/fs/udf/inode.c
index 1bd2c42..30086a8 100644
--- a/fs/udf/inode.c
+++ b/fs/udf/inode.c
@@ -150,6 +150,12 @@ const struct address_space_operations udf_aops = {
 	.bmap		= udf_bmap,
 };
 
+/*
+ * Expand file stored in ICB to a normal one-block-file
+ *
+ * This function requires i_data_sem for writing and releases it.
+ * This function requires i_mutex held
+ */
 int udf_expand_file_adinicb(struct inode *inode)
 {
 	struct page *page;
@@ -171,6 +177,11 @@ int udf_expand_file_adinicb(struct inode *inode)
 		mark_inode_dirty(inode);
 		return 0;
 	}
+	/*
+	 * Release i_data_sem so that we can lock a page - page lock ranks
+	 * above i_data_sem. i_mutex still protects us against file changes.
+	 */
+	up_write(&iinfo->i_data_sem);
 
 	page = find_or_create_page(inode->i_mapping, 0, GFP_NOFS);
 	if (!page)
@@ -186,6 +197,7 @@ int udf_expand_file_adinicb(struct inode *inode)
 		SetPageUptodate(page);
 		kunmap(page);
 	}
+	down_write(&iinfo->i_data_sem);
 	memset(iinfo->i_ext.i_data + iinfo->i_lenEAttr, 0x00,
 	       iinfo->i_lenAlloc);
 	iinfo->i_lenAlloc = 0;
@@ -195,17 +207,20 @@ int udf_expand_file_adinicb(struct inode *inode)
 		iinfo->i_alloc_type = ICBTAG_FLAG_AD_LONG;
 	/* from now on we have normal address_space methods */
 	inode->i_data.a_ops = &udf_aops;
+	up_write(&iinfo->i_data_sem);
 	err = inode->i_data.a_ops->writepage(page, &udf_wbc);
 	if (err) {
 		/* Restore everything back so that we don't lose data... */
 		lock_page(page);
 		kaddr = kmap(page);
+		down_write(&iinfo->i_data_sem);
 		memcpy(iinfo->i_ext.i_data + iinfo->i_lenEAttr, kaddr,
 		       inode->i_size);
 		kunmap(page);
 		unlock_page(page);
 		iinfo->i_alloc_type = ICBTAG_FLAG_AD_IN_ICB;
 		inode->i_data.a_ops = &udf_adinicb_aops;
+		up_write(&iinfo->i_data_sem);
 	}
 	page_cache_release(page);
 	mark_inode_dirty(inode);
@@ -1105,10 +1120,9 @@ int udf_setsize(struct inode *inode, loff_t newsize)
 			if (bsize <
 			    (udf_file_entry_alloc_offset(inode) + newsize)) {
 				err = udf_expand_file_adinicb(inode);
-				if (err) {
-					up_write(&iinfo->i_data_sem);
+				if (err)
 					return err;
-				}
+				down_write(&iinfo->i_data_sem);
 			} else
 				iinfo->i_lenAlloc = newsize;
 		}
-- 
1.7.1

Re: [PATCH] udf: Fix deadlock when converting file from in-ICB one to normal one

[Namjae Jeon]

2011/12/10 Jan Kara <jack@suse.cz>:
> During BKL removal, conversion of files from in-ICB format to normal format got
> broken. We call ->writepage with i_data_sem held but udf_get_block() also
> acquires i_data_sem thus creating A-A deadlock.
>
> We fix the problem by dropping i_data_sem before calling ->writepage() which is
> safe since i_mutex still protects us against any changes in the file. Also fix
> pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
> i_data_sem before calling find_or_create_page().
>
> Reported-by: Matthias Matiak <netzpython@mail-on.us>
> Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
> ---
>  fs/udf/file.c  |    6 +++---
>  fs/udf/inode.c |   20 +++++++++++++++++---
>  2 files changed, 20 insertions(+), 6 deletions(-)
>
>  I plan to merge this fix through my tree soon.
>
> +/*
> + * Expand file stored in ICB to a normal one-block-file
> + *
> + * This function requires i_data_sem for writing and releases it.
> + * This function requires i_mutex held
> + */
>  int udf_expand_file_adinicb(struct inode *inode)
>  {
>        struct page *page;
> @@ -171,6 +177,11 @@ int udf_expand_file_adinicb(struct inode *inode)
>                mark_inode_dirty(inode);
                  up_write(&iinfo->i_data_sem);
Hi Jan.
I do not know if that helps, Would it need here ?
Thanks.
>                return 0;
>        }
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] udf: Fix deadlock when converting file from in-ICB one to normal one

[Jan Kara]

On Sat 10-12-11 13:40:53, Namjae Jeon wrote:
> 2011/12/10 Jan Kara <jack@suse.cz>:
> > During BKL removal, conversion of files from in-ICB format to normal format got
> > broken. We call ->writepage with i_data_sem held but udf_get_block() also
> > acquires i_data_sem thus creating A-A deadlock.
> >
> > We fix the problem by dropping i_data_sem before calling ->writepage() which is
> > safe since i_mutex still protects us against any changes in the file. Also fix
> > pagelock - i_data_sem lock inversion in udf_expand_file_adinicb() by dropping
> > i_data_sem before calling find_or_create_page().
> >
> > Reported-by: Matthias Matiak <netzpython@mail-on.us>
> > Signed-off-by: Jan Kara <jack@suse.cz>
> Reviewed-by: Namjae Jeon <linkinjeon@gmail.com>
  Thanks.

> > ---
> >  fs/udf/file.c  |    6 +++---
> >  fs/udf/inode.c |   20 +++++++++++++++++---
> >  2 files changed, 20 insertions(+), 6 deletions(-)
> >
> >  I plan to merge this fix through my tree soon.
> >
> > +/*
> > + * Expand file stored in ICB to a normal one-block-file
> > + *
> > + * This function requires i_data_sem for writing and releases it.
> > + * This function requires i_mutex held
> > + */
> >  int udf_expand_file_adinicb(struct inode *inode)
> >  {
> >        struct page *page;
> > @@ -171,6 +177,11 @@ int udf_expand_file_adinicb(struct inode *inode)
> >                mark_inode_dirty(inode);
>                   up_write(&iinfo->i_data_sem);
> Hi Jan.
> I do not know if that helps, Would it need here ?
  Thanks for spotting this! Indeed it was a bug not to release i_data_sem
here! I have fixed it now.

								Honza
-- 
Jan Kara <jack@suse.cz>
SUSE Labs, CR
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html