fs/super.c: fix race between freeze_super() and thaw_super()
Change thaw_super() to check frozen != SB_FREEZE_COMPLETE rather than frozen == SB_UNFROZEN, otherwise it can race with freeze_super() which drops sb->s_umount after SB_FREEZE_WRITE to preserve the lock ordering. In this case thaw_super() will wrongly call s_op->unfreeze_fs() before it was actually frozen, and call sb_freeze_unlock() which leads to the unbalanced percpu_up_write(). Unfortunately lockdep can't detect this, so this triggers misc BUG_ON()'s in kernel/rcu/sync.c. Reported-and-tested-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This commit is contained in:
parent
655042cc14
commit
89f39af129
|
@ -1379,8 +1379,8 @@ int freeze_super(struct super_block *sb)
|
|||
}
|
||||
}
|
||||
/*
|
||||
* This is just for debugging purposes so that fs can warn if it
|
||||
* sees write activity when frozen is set to SB_FREEZE_COMPLETE.
|
||||
* For debugging purposes so that fs can warn if it sees write activity
|
||||
* when frozen is set to SB_FREEZE_COMPLETE, and for thaw_super().
|
||||
*/
|
||||
sb->s_writers.frozen = SB_FREEZE_COMPLETE;
|
||||
up_write(&sb->s_umount);
|
||||
|
@ -1399,7 +1399,7 @@ int thaw_super(struct super_block *sb)
|
|||
int error;
|
||||
|
||||
down_write(&sb->s_umount);
|
||||
if (sb->s_writers.frozen == SB_UNFROZEN) {
|
||||
if (sb->s_writers.frozen != SB_FREEZE_COMPLETE) {
|
||||
up_write(&sb->s_umount);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
|
Loading…
Reference in New Issue