linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg KH <gregkh@linuxfoundation.org>,
	torvalds@linux-foundation.org, akpm@linux-foundation.org,
	alan@lxorguk.ukuu.org.uk,
	Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>,
	Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Subject: [ 11/82] nilfs2: fix deadlock issue between chcp and thaw ioctls
Date: Mon, 13 Aug 2012 13:18:47 -0700
Message-ID: <20120813201747.417677768@linuxfoundation.org>
In-Reply-To: <20120813201746.448504360@linuxfoundation.org>

From: Greg KH <gregkh@linuxfoundation.org>

3.5-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>

commit 572d8b3945a31bee7c40d21556803e4807fd9141 upstream.

An fs-thaw ioctl causes deadlock with a chcp or mkcp -s command:

 chcp            D ffff88013870f3d0     0  1325   1324 0x00000004
 ...
 Call Trace:
   nilfs_transaction_begin+0x11c/0x1a0 [nilfs2]
   wake_up_bit+0x20/0x20
   copy_from_user+0x18/0x30 [nilfs2]
   nilfs_ioctl_change_cpmode+0x7d/0xcf [nilfs2]
   nilfs_ioctl+0x252/0x61a [nilfs2]
   do_page_fault+0x311/0x34c
   get_unmapped_area+0x132/0x14e
   do_vfs_ioctl+0x44b/0x490
   __set_task_blocked+0x5a/0x61
   vm_mmap_pgoff+0x76/0x87
   __set_current_blocked+0x30/0x4a
   sys_ioctl+0x4b/0x6f
   system_call_fastpath+0x16/0x1b
 thaw            D ffff88013870d890     0  1352   1351 0x00000004
 ...
 Call Trace:
   rwsem_down_failed_common+0xdb/0x10f
   call_rwsem_down_write_failed+0x13/0x20
   down_write+0x25/0x27
   thaw_super+0x13/0x9e
   do_vfs_ioctl+0x1f5/0x490
   vm_mmap_pgoff+0x76/0x87
   sys_ioctl+0x4b/0x6f
   filp_close+0x64/0x6c
   system_call_fastpath+0x16/0x1b

where the thaw ioctl deadlocked at thaw_super() when called while chcp was
waiting at nilfs_transaction_begin() called from
nilfs_ioctl_change_cpmode().  This deadlock is 100% reproducible.

This is because nilfs_ioctl_change_cpmode() first locks sb->s_umount in
read mode and then waits for unfreezing in nilfs_transaction_begin(),
whereas thaw_super() locks sb->s_umount in write mode.  The locking of
sb->s_umount here was intended to make snapshot mounts and the downgrade
of snapshots to checkpoints exclusive.

This fixes the deadlock issue by replacing the sb->s_umount usage in
nilfs_ioctl_change_cpmode() with a dedicated mutex which protects snapshot
mounts.

Signed-off-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Cc: Fernando Luis Vazquez Cao <fernando@oss.ntt.co.jp>
Tested-by: Ryusuke Konishi <konishi.ryusuke@lab.ntt.co.jp>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/nilfs2/ioctl.c     |    4 ++--
 fs/nilfs2/super.c     |    3 +++
 fs/nilfs2/the_nilfs.c |    1 +
 fs/nilfs2/the_nilfs.h |    2 ++
 4 files changed, 8 insertions(+), 2 deletions(-)

--- a/fs/nilfs2/ioctl.c
+++ b/fs/nilfs2/ioctl.c
@@ -182,7 +182,7 @@ static int nilfs_ioctl_change_cpmode(str
 	if (copy_from_user(&cpmode, argp, sizeof(cpmode)))
 		goto out;
 
-	down_read(&inode->i_sb->s_umount);
+	mutex_lock(&nilfs->ns_snapshot_mount_mutex);
 
 	nilfs_transaction_begin(inode->i_sb, &ti, 0);
 	ret = nilfs_cpfile_change_cpmode(
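
Review bot: mutex_lock(&nilfs->ns_snapshot_mount_mutex) is taken before nilfs_transaction_begin(), which per the changelog is where chcp sleeps while the filesystem is frozen, so the new mutex is held for the whole frozen period. thaw_super() no longer contends with it, but nilfs_attach_snapshot() takes the same mutex with an uninterruptible mutex_lock(), so a snapshot mount started while chcp is parked here will wait in D state until the thaw. If that is the intended behaviour, say so in a comment at this lock site; otherwise consider mutex_lock_interruptible() on the mount side.
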
@@ -192,7 +192,7 @@ static int nilfs_ioctl_change_cpmode(str
 	else
 		nilfs_transaction_commit(inode->i_sb); /* never fails */
 
-	up_read(&inode->i_sb->s_umount);
+	mutex_unlock(&nilfs->ns_snapshot_mount_mutex);
 out:
 	mnt_drop_write_file(filp);
 	return ret;
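
Review bot: mutex_unlock() sits above the out: label, which is correct only because the one visible goto out (the copy_from_user() failure) happens before the mutex is taken. In nilfs_attach_snapshot() the same patch puts the unlock below out:, so the two functions now use the label with opposite meanings. A separate label, or a one-line comment here that out: is reached with the mutex not held, would keep a later error path from jumping past the unlock.
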
--- a/fs/nilfs2/super.c
+++ b/fs/nilfs2/super.c
@@ -948,6 +948,8 @@ static int nilfs_attach_snapshot(struct
 	struct nilfs_root *root;
 	int ret;
 
+	mutex_lock(&nilfs->ns_snapshot_mount_mutex);
+
 	down_read(&nilfs->ns_segctor_sem);
 	ret = nilfs_cpfile_is_snapshot(nilfs->ns_cpfile, cno);
 	up_read(&nilfs->ns_segctor_sem);
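
Review bot: the mutex is taken at the top of nilfs_attach_snapshot() and ns_segctor_sem is then acquired for read inside it, so this hunk establishes the nesting ns_snapshot_mount_mutex outside ns_segctor_sem without recording it anywhere. Add a short comment on the ordering, here or next to the field in the_nilfs.h, so that later callers do not take the two in the opposite order.
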
@@ -972,6 +974,7 @@ static int nilfs_attach_snapshot(struct
 	ret = nilfs_get_root_dentry(s, root, root_dentry);
 	nilfs_put_root(root);
  out:
+	mutex_unlock(&nilfs->ns_snapshot_mount_mutex);
 	return ret;
 }
 
--- a/fs/nilfs2/the_nilfs.c
+++ b/fs/nilfs2/the_nilfs.c
@@ -76,6 +76,7 @@ struct the_nilfs *alloc_nilfs(struct blo
 	nilfs->ns_bdev = bdev;
 	atomic_set(&nilfs->ns_ndirtyblks, 0);
 	init_rwsem(&nilfs->ns_sem);
+	mutex_init(&nilfs->ns_snapshot_mount_mutex);
 	INIT_LIST_HEAD(&nilfs->ns_dirty_files);
 	INIT_LIST_HEAD(&nilfs->ns_gc_inodes);
 	spin_lock_init(&nilfs->ns_inode_lock);
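
Review bot: mutex_init() is added in alloc_nilfs(), but the diffstat shows a single added line in the_nilfs.c, so there is no matching mutex_destroy() on the teardown side. It is a no-op without CONFIG_DEBUG_MUTEXES, but adding it wherever struct the_nilfs is freed keeps the mutex debug checks useful.
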
--- a/fs/nilfs2/the_nilfs.h
+++ b/fs/nilfs2/the_nilfs.h
@@ -47,6 +47,7 @@ enum {
  * @ns_flags: flags
  * @ns_bdev: block device
  * @ns_sem: semaphore for shared states
+ * @ns_snapshot_mount_mutex: mutex to protect snapshot mounts
  * @ns_sbh: buffer heads of on-disk super blocks
  * @ns_sbp: pointers to super block data
  * @ns_sbwtime: previous write time of super block
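
Review bot: the kernel-doc line "mutex to protect snapshot mounts" names only one of the two users; per the ioctl.c hunk the same lock also serialises nilfs_ioctl_change_cpmode() against nilfs_attach_snapshot(). Suggest wording along the lines of "mutex to make snapshot mounts and checkpoint mode changes exclusive" so a reader of the header sees both.
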
@@ -99,6 +100,7 @@ struct the_nilfs {
 
 	struct block_device    *ns_bdev;
 	struct rw_semaphore	ns_sem;
+	struct mutex		ns_snapshot_mount_mutex;
 
 	/*
 	 * used for


