linux/fs/ubifs
Zhihao Cheng 60eb3b9c9f ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work
'ui->dirty' is not protected by 'ui_mutex' in function do_tmpfile(), which
may race with ubifs_write_inode[wb_workfn] to access/update 'ui->dirty';
finally, dirty space is released twice.

    open(O_TMPFILE)                wb_workfn
do_tmpfile
  ubifs_budget_space(ino_req = { .dirtied_ino = 1})
  d_tmpfile // mark inode(tmpfile) dirty
  ubifs_jnl_update // without holding tmpfile's ui_mutex
    mark_inode_clean(ui)
      if (ui->dirty)
        ubifs_release_dirty_inode_budget(ui)  // release first time
                                   ubifs_write_inode
                                     mutex_lock(&ui->ui_mutex)
                                     ubifs_release_dirty_inode_budget(ui)
                                     // release second time
                                     mutex_unlock(&ui->ui_mutex)
      ui->dirty = 0

Running generic/476 can easily reproduce the following message
(see the reproducer in [Link]):

  UBIFS error (ubi0:0 pid 2578): ubifs_assert_failed [ubifs]: UBIFS assert
  failed: c->bi.dd_growth >= 0, in fs/ubifs/budget.c:554
  UBIFS warning (ubi0:0 pid 2578): ubifs_ro_mode [ubifs]: switched to
  read-only mode, error -22
  Workqueue: writeback wb_workfn (flush-ubifs_0_0)
  Call Trace:
    ubifs_ro_mode+0x54/0x60 [ubifs]
    ubifs_assert_failed+0x4b/0x80 [ubifs]
    ubifs_release_budget+0x468/0x5a0 [ubifs]
    ubifs_release_dirty_inode_budget+0x53/0x80 [ubifs]
    ubifs_write_inode+0x121/0x1f0 [ubifs]
    ...
    wb_workfn+0x283/0x7b0

Fix it by holding the tmpfile ubifs inode lock during ubifs_jnl_update().
A similar problem exists in whiteout renaming, but the previous fix ("ubifs:
Rename whiteout atomically") has solved the problem.

Fixes: 474b93704f ("ubifs: Implement O_TMPFILE")
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214765
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
2022-01-10 22:01:04 +01:00
..
auth.c ubifs: Fix memleak in ubifs_init_authentication 2021-02-12 21:53:22 +01:00
budget.c ubifs: Limit the number of pages in shrink_liability 2019-08-22 17:25:33 +02:00
commit.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
compress.c ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
crypto.c fscrypt: remove fscrypt_operations::max_namelen 2021-09-20 19:32:33 -07:00
debug.c ubifs: fix snprintf() checking 2021-06-18 22:04:47 +02:00
debug.h ubifs: ubifs_dump_sleb: Remove unused function 2020-12-13 22:12:38 +01:00
dir.c ubifs: Fix 'ui->dirty' race between do_tmpfile() and writeback work 2022-01-10 22:01:04 +01:00
file.c ubifs: report correct st_size for encrypted symlinks 2021-07-25 20:01:07 -07:00
find.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
gc.c ubifs: read-only if LEB may always be taken in ubifs_garbage_collect 2021-12-23 22:30:38 +01:00
io.c ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
ioctl.c ubifs: convert to fileattr 2021-04-12 15:04:30 +02:00
journal.c ubifs: Rename whiteout atomically 2022-01-10 21:58:37 +01:00
Kconfig fscrypt: Allow modular crypto algorithms 2019-12-31 10:33:51 -06:00
key.h ubifs: allow both hash and disk name to be provided in no-key names 2020-01-22 14:49:56 -08:00
log.c ubifs: remove unnecessary check in ubifs_log_start_commit 2019-07-08 19:43:51 +02:00
lprops.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
lpt_commit.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
lpt.c ubifs: Fix the printing type of c->big_lpt 2020-12-13 21:57:10 +01:00
Makefile ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
master.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
misc.c ubifs: Allow setting assert action as mount parameter 2018-08-15 00:25:21 +02:00
misc.h ubifs: misc.h: delete a duplicated word 2020-08-02 22:59:03 +02:00
orphan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
recovery.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
replay.c ubifs: Fix spelling mistakes 2021-12-23 20:23:40 +01:00
sb.c ubifs: Default to zstd compression 2021-04-15 22:00:26 +02:00
scan.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
shrinker.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 336 2019-06-05 17:37:07 +02:00
super.c ubifs: Export filesystem error counters 2021-12-23 20:23:42 +01:00
sysfs.c ubifs: fix snprintf() length check 2021-12-23 22:08:19 +01:00
tnc_commit.c ubifs: Fix spelling mistakes 2021-06-22 09:21:39 +02:00
tnc_misc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
tnc.c ubifs: Pass node length in all node dumping callers 2020-12-13 22:12:32 +01:00
ubifs-media.h ubifs: Add support for zstd compression. 2019-07-08 19:43:53 +02:00
ubifs.h ubifs: Fix wrong number of inodes locked by ui_mutex in ubifs_inode comment 2022-01-09 21:35:38 +01:00
xattr.c ubifs: Remove ui_mutex in ubifs_xattr_get and change_xattr 2021-06-18 22:04:47 +02:00