fs/super.c: fix race between freeze_super() and thaw_super()

Change thaw_super() to check frozen != SB_FREEZE_COMPLETE rather than frozen == SB_UNFROZEN, otherwise it can race with freeze_super() which drops sb->s_umount after SB_FREEZE_WRITE to preserve the lock ordering. In this case thaw_super() will wrongly call s_op->unfreeze_fs() before it was actually frozen, and call sb_freeze_unlock() which leads to the unbalanced percpu_up_write(). Unfortunately lockdep can't detect this, so this triggers misc BUG_ON()'s in kernel/rcu/sync.c. Reported-and-tested-by: N Nikolay Borisov <kernel@kyup.com> Signed-off-by: N Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk>

fs/super.c: fix race between freeze_super() and thaw_super()
Change thaw_super() to check frozen != SB_FREEZE_COMPLETE rather than frozen == SB_UNFROZEN, otherwise it can race with freeze_super() which drops sb->s_umount after SB_FREEZE_WRITE to preserve the lock ordering. In this case thaw_super() will wrongly call s_op->unfreeze_fs() before it was actually frozen, and call sb_freeze_unlock() which leads to the unbalanced percpu_up_write(). Unfortunately lockdep can't detect this, so this triggers misc BUG_ON()'s in kernel/rcu/sync.c. Reported-and-tested-by: N Nikolay Borisov <kernel@kyup.com> Signed-off-by: N Oleg Nesterov <oleg@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: N Al Viro <viro@zeniv.linux.org.uk>
89f39af1 · Oleg Nesterov · Al Viro · 655042cc · 89f39af1
隐藏空白更改
内联并排

Showing with 3 addition and 3 deletion

fs/super.c fs/super.c +3 -3

未找到文件。
--- a/fs/super.c
+++ b/fs/super.c
@@ -1379,8 +1379,8 @@ int freeze_super(struct super_block *sb)
 		}
 	}
 	/*
-	 * This is just for debugging purposes so that fs can warn if it
-	 * sees write activity when frozen is set to SB_FREEZE_COMPLETE.
+	 * For debugging purposes so that fs can warn if it sees write activity
+	 * when frozen is set to SB_FREEZE_COMPLETE, and for thaw_super().
 	 */
 	sb->s_writers.frozen = SB_FREEZE_COMPLETE;
 	up_write(&sb->s_umount);
@@ -1399,7 +1399,7 @@ int thaw_super(struct super_block *sb)
 	int error;

 	down_write(&sb->s_umount);
-	if (sb->s_writers.frozen == SB_UNFROZEN) {
+	if (sb->s_writers.frozen != SB_FREEZE_COMPLETE) {
 		up_write(&sb->s_umount);
 		return -EINVAL;
 	}