From: "Kirill A. Shutemov"
Subject: [BUG] Rewriting backing_dev_info in MTD
Date: Tue, 13 Apr 2010 14:33:01 +0300
To: Alexander Viro, David Woodhouse
Cc: linux-fsdevel@vger.kernel.org, linux-mtd@lists.infradead.org, David Howells, Bernd Schmidt, Alexander Shishkin

I've got a NULL-pointer dereference in __mark_inode_dirty() on chmod() for an MTD device node. wb->bdi was NULL in this case.

During investigation I've found that the MTD subsystem rewrites file->f_mapping->backing_dev_info on opening to get mmap() to work on MMU-less systems. But in fact it rewrites inode->i_mapping->backing_dev_info too, since inode->i_mapping == file->f_mapping (see __dentry_open() in fs/open.c). It breaks writeback of inode changes.

I guess the right way to fix this is changing __dentry_open() to create a _copy_ of i_mapping to assign to f_mapping, since in the common case f_mapping != i_mapping. But I'm not sure where the copy should be freed.

What do you think?
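
The aliasing described in the report, as a userspace C model added here (not part of the original message and not kernel code). The structs are simplified stand-ins; `mtd_mmap_bdi`, `private_mapping` and the helper names are hypothetical, and embedding the copy in `struct file` is only this model's assumption about the ownership question the message leaves open.

```c
#include <stdio.h>

/* Simplified stand-ins for the kernel structures named in the report;
 * only the fields involved in the aliasing are modelled. */
struct backing_dev_info { const char *name; };
struct address_space { struct backing_dev_info *backing_dev_info; };
struct inode { struct address_space *i_mapping; struct address_space i_data; };
struct file {
    struct address_space *f_mapping;
    struct address_space private_mapping; /* hypothetical: per-file copy */
};

static struct backing_dev_info default_bdi = { "default" };
static struct backing_dev_info mtd_mmap_bdi = { "mtd-mmap" }; /* hypothetical */

/* use_copy == 0: file shares the inode's mapping (behaviour in the report).
 * use_copy == 1: file gets its own copy (the direction the report suggests). */
static void model_open(struct inode *ino, struct file *f, int use_copy)
{
    ino->i_data.backing_dev_info = &default_bdi;
    ino->i_mapping = &ino->i_data;
    if (use_copy) {
        f->private_mapping = *ino->i_mapping;
        f->f_mapping = &f->private_mapping;
    } else {
        f->f_mapping = ino->i_mapping;
    }
    /* Driver open: override the bdi through the file, as the report describes. */
    f->f_mapping->backing_dev_info = &mtd_mmap_bdi;
}

/* Returns 1 if the inode-side bdi survived the driver's override. */
int inode_bdi_intact(int use_copy)
{
    struct inode ino; struct file f;
    model_open(&ino, &f, use_copy);
    return ino.i_mapping->backing_dev_info == &default_bdi;
}

/* Returns 1 if the file-side mapping carries the driver's bdi. */
int file_bdi_overridden(int use_copy)
{
    struct inode ino; struct file f;
    model_open(&ino, &f, use_copy);
    return f.f_mapping->backing_dev_info == &mtd_mmap_bdi;
}

int main(void)
{
    printf("shared: inode bdi intact = %d\n", inode_bdi_intact(0));
    printf("copied: inode bdi intact = %d\n", inode_bdi_intact(1));
    return 0;
}
```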