linux/fs
OGAWA Hirofumi 09d967c6f3 [PATCH] Fix a race condition between ->i_mapping and iput()
This race became a cause of an oops, and can be reproduced by the following.

    while true; do
	dd if=/dev/zero of=/dev/.static/dev/hdg1 bs=512 count=1000 & sync
    done

This race condition was between __sync_single_inode() and iput().

          cpu0 (fs's inode)                 cpu1 (bdev's inode)
          -----------------                 -------------------
                                       close("/dev/hda2")
                                       [...]
__sync_single_inode()
   /* copy the bdev's ->i_mapping */
   mapping = inode->i_mapping;

                                       generic_forget_inode()
                                          bdev_clear_inode()
                                             /* restore the fs's ->i_mapping */
                                             inode->i_mapping = &inode->i_data;
                                          /* bdev's inode was freed */
                                          destroy_inode(inode);

   if (wait) {
      /* dereference a freed bdev's mapping->host */
      filemap_fdatawait(mapping);  /* Oops */

Since __sync_single_inode() is only taking a ref-count of fs's inode,
another process can close() and free the bdev's inode while writing
fs's inode.  So, __sync_single_inode() accesses the freed ->i_mapping,
oops.

This patch takes a ref-count on the bdev's inode for the fs's inode before
setting a ->i_mapping, and the clear_inode() of the fs's inode does iput() on
the bdev's inode.  So if the fs's inode is still living, bdev's inode
shouldn't be freed.

Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-22 15:05:57 -07:00
..
9p [PATCH] v9fs: signal handling fixes 2006-05-15 11:20:56 -07:00
adfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
affs [PATCH] affs: possible null pointer dereference in affs_rename() 2006-05-26 11:55:46 -07:00
afs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
autofs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
autofs4 [PATCH] autofs4: NFY_NONE wait race fix 2006-05-15 11:20:54 -07:00
befs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
bfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
cifs [[CIFS] Pass truncate open flag through on file open in case setattr fails 2006-05-30 18:09:31 +00:00
coda [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
configfs configfs: configfs_mkdir() failed to cleanup linkage. 2006-05-17 14:38:51 -07:00
cramfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
debugfs [PATCH] debugfs inode leak 2006-06-08 15:14:24 -07:00
devfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
devpts
efs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
exportfs [PATCH] NFS server subtree_check returns dubious value 2006-05-21 12:59:16 -07:00
ext2 [PATCH] Introduce sys_splice() system call 2006-03-30 12:28:18 -08:00
ext3 Merge git://git.infradead.org/~dwmw2/rbtree-2.6 2006-06-20 14:51:22 -07:00
fat [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
freevxfs BUG_ON() Conversion in fs/freevxfs/ 2006-04-02 13:41:02 +02:00
fuse [fuse] fix race between checking and setting file->private_data 2006-04-26 10:49:16 +02:00
hfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hfsplus BUG_ON() Conversion in fs/hfsplus/ 2006-04-01 01:14:43 +02:00
hostfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hpfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
hppfs [PATCH] uml: __user annotations 2006-03-31 12:18:51 -08:00
hugetlbfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
isofs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
jbd
jffs [MTD] Remove silly MTD_WRITE/READ macros 2006-05-29 15:06:50 +02:00
jffs2 Merge git://git.infradead.org/~dwmw2/rbtree-2.6 2006-06-20 14:51:22 -07:00
jfs JFS: Fix multiple errors in metapage_releasepage 2006-05-24 07:43:38 -05:00
lockd NFS: make 2 functions static 2006-04-19 12:43:47 -04:00
minix [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
msdos [PATCH] fat: kill reserved names 2006-03-31 12:18:55 -08:00
ncpfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
nfs NFS: remove needless check in nfs_opendir() 2006-04-19 13:06:37 -04:00
nfs_common
nfsd [PATCH] knfsd: Fix two problems that can cause rmmod nfsd to die 2006-05-23 10:35:31 -07:00
nls
ntfs [PATCH] NTFS: Critical bug fix (affects MIPS and possibly others) 2006-06-22 15:05:55 -07:00
ocfs2 ocfs2: fix gfp mask in some file system paths 2006-05-17 14:38:49 -07:00
openpromfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
partitions [PATCH] Driver core: add generic "subsystem" link to all devices 2006-06-21 12:40:49 -07:00
proc [PATCH] proc_loginuid_write() uses simple_strtoul() on non-terminated array 2006-06-20 05:25:24 -04:00
qnx4 [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
ramfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
reiserfs [PATCH] Fix reiserfs deadlock 2006-04-22 09:19:53 -07:00
romfs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
smbfs [PATCH] smbfs: Fix slab corruption in samba error path 2006-05-15 11:20:56 -07:00
sysfs [PATCH] sysfs: Allow sysfs attribute files to be pollable 2006-04-14 11:41:24 -07:00
sysv BUG_ON() Conversion in fs/sysv/ 2006-04-02 13:39:21 +02:00
udf BUG_ON() Conversion in fs/udf/ 2006-04-02 13:40:13 +02:00
ufs [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
vfat [PATCH] fat: kill reserved names 2006-03-31 12:18:55 -08:00
xfs [XFS] Remove files from the build that are now unused. 2006-06-20 14:53:51 +10:00
aio.c
attr.c
bad_inode.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c
binfmt_em86.c
binfmt_flat.c [PATCH] binfmt_flat: don't check for EMFILE 2006-05-21 12:59:17 -07:00
binfmt_misc.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
binfmt_script.c
binfmt_som.c
bio.c [PATCH] Fix missing ret assignment in __bio_map_user() error path 2006-06-17 10:52:12 -07:00
block_dev.c [PATCH] Fix a race condition between ->i_mapping and iput() 2006-06-22 15:05:57 -07:00
buffer.c [PATCH] for_each_online_pgdat: renaming for_each_pgdat 2006-03-27 08:44:48 -08:00
char_dev.c [PATCH] Simplify proc/devices and fix early termination regression 2006-03-31 12:18:53 -08:00
compat_ioctl.c
compat.c [PATCH] NFS: fix error handling on access_ok in compat_sys_nfsservctl 2006-05-21 12:59:16 -07:00
dcache.c [PATCH] dcache: Add helper d_hash_and_lookup 2006-03-31 12:19:00 -08:00
dcookies.c
direct-io.c BUG_ON() Conversion in fs/direct-io.c 2006-04-01 01:10:13 +02:00
dnotify.c
dquot.c BUG_ON() Conversion in fs/dquot.c 2006-04-02 13:36:13 +02:00
drop_caches.c
eventpoll.c [RBTREE] Update eventpoll.c to use rb_parent() accessor macro. 2006-04-21 13:17:24 +01:00
exec.c [PATCH] execve argument logging 2006-06-20 05:25:21 -04:00
fcntl.c BUG_ON() Conversion in fs/fcntl.c 2006-04-02 13:37:19 +02:00
fifo.c [PATCH] pipe.c/fifo.c code cleanups 2006-04-11 13:53:33 +02:00
file_table.c
file.c [PATCH] for_each_possible_cpu: fixes for generic part 2006-03-28 09:16:05 -08:00
filesystems.c
fs-writeback.c
inode.c BUG_ON() Conversion in fs/inode.c 2006-04-02 13:38:18 +02:00
inotify_user.c [PATCH] inotify (3/5): add interfaces to kernel API 2006-06-20 05:25:18 -04:00
inotify.c [PATCH] inotify (4/5): allow watch removal from event handler 2006-06-20 05:25:19 -04:00
ioctl.c
ioprio.c
Kconfig Merge branch 'audit.b21' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current 2006-06-20 15:37:56 -07:00
Kconfig.binfmt
libfs.c [PATCH] Make most file operations structs in fs/ const 2006-03-28 09:16:06 -08:00
locks.c [PATCH] Return error in case flock_lock_file failure 2006-06-14 08:59:44 -07:00
Makefile [PATCH] inotify (1/5): split kernel API from userspace support 2006-06-20 05:25:17 -04:00
mbcache.c [PATCH] Typo fixes 2006-03-28 09:16:08 -08:00
mpage.c
namei.c [PATCH] log more info for directory entry change events 2006-06-20 05:25:28 -04:00
namespace.c [PATCH] revert "vfs: propagate mnt_flags into do_loopback/vfsmount" 2006-05-15 11:20:57 -07:00
nfsctl.c
open.c [PATCH] log more info for directory entry change events 2006-06-20 05:25:28 -04:00
pipe.c [PATCH] vmsplice: restrict stealing a little more 2006-05-02 15:29:57 +02:00
pnode.c
pnode.h
posix_acl.c
quota_v1.c
quota_v2.c
quota.c
read_write.c [PATCH] splice: unlikely() optimizations 2006-04-11 13:56:09 +02:00
readdir.c
select.c [PATCH] select: don't overflow if (SELECT_STACK_ALLOC % sizeof(long) != 0) 2006-04-11 06:18:41 -07:00
seq_file.c
splice.c [PATCH] splice: redo page lookup if add_to_page_cache() returns -EEXIST 2006-05-04 06:55:12 +02:00
stat.c [PATCH] powerpc: Wire up *at syscalls 2006-04-28 21:04:59 +10:00
super.c
sync.c [PATCH] sync_file_range(): use unsigned for flags 2006-04-11 06:18:40 -07:00
xattr_acl.c
xattr.c [PATCH] log more info for directory entry change events 2006-06-20 05:25:28 -04:00