diff options
| author | Zhihao Cheng <chengzhihao1@huawei.com> | 2021-06-18 16:11:03 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2021-07-20 16:16:13 +0200 |
| commit | e6afff12ac74a5e5eef4b6656a07de24080b712a (patch) | |
| tree | 773d3a1b49a3ce4eeb2f181a0ff601affca77044 /fs | |
| parent | 0704f617040c397ae73c1f88f3956787ec5d6529 (diff) | |
| download | linux-stable-e6afff12ac74a5e5eef4b6656a07de24080b712a.tar.gz linux-stable-e6afff12ac74a5e5eef4b6656a07de24080b712a.tar.bz2 linux-stable-e6afff12ac74a5e5eef4b6656a07de24080b712a.zip | |
ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode
[ Upstream commit a801fcfeef96702fa3f9b22ad56c5eb1989d9221 ]
xfstests-generic/476 reports a warning message as below:
WARNING: CPU: 2 PID: 30347 at fs/inode.c:361 inc_nlink+0x52/0x70
Call Trace:
do_rename+0x502/0xd40 [ubifs]
ubifs_rename+0x8b/0x180 [ubifs]
vfs_rename+0x476/0x1080
do_renameat2+0x67c/0x7b0
__x64_sys_renameat2+0x6e/0x90
do_syscall_64+0x66/0xe0
entry_SYSCALL_64_after_hwframe+0x44/0xae
Following race case can cause this:
rename_whiteout(Thread 1) wb_workfn(Thread 2)
ubifs_rename
do_rename
__writeback_single_inode
spin_lock(&inode->i_lock)
whiteout->i_state |= I_LINKABLE
inode->i_state &= ~dirty;
---- How race happens on i_state:
(tmp = whiteout->i_state | I_LINKABLE)
(tmp = inode->i_state & ~dirty)
(whiteout->i_state = tmp)
(inode->i_state = tmp)
----
spin_unlock(&inode->i_lock)
inc_nlink(whiteout)
WARN_ON(!(inode->i_state & I_LINKABLE)) !!!
Fix to add i_lock to avoid i_state update race condition.
Fixes: 9e0a1fff8db56ea ("ubifs: Implement RENAME_WHITEOUT")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'fs')
| -rw-r--r-- | fs/ubifs/dir.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/fs/ubifs/dir.c b/fs/ubifs/dir.c index 8fe2ee5462a0..dbdf6a4230fb 100644 --- a/fs/ubifs/dir.c +++ b/fs/ubifs/dir.c @@ -1354,7 +1354,10 @@ static int do_rename(struct inode *old_dir, struct dentry *old_dentry, goto out_release; } + spin_lock(&whiteout->i_lock); whiteout->i_state |= I_LINKABLE; + spin_unlock(&whiteout->i_lock); + whiteout_ui = ubifs_inode(whiteout); whiteout_ui->data = dev; whiteout_ui->data_len = ubifs_encode_dev(dev, MKDEV(0, 0)); @@ -1447,7 +1450,11 @@ static int do_rename(struct inode *old_dir, struct dentry *old_dentry, inc_nlink(whiteout); mark_inode_dirty(whiteout); + + spin_lock(&whiteout->i_lock); whiteout->i_state &= ~I_LINKABLE; + spin_unlock(&whiteout->i_lock); + iput(whiteout); } |