[PATCH] fix deadlock in ext2

Fix a deadlock possible in the ext2 file system implementation. This deadlock occurs when a file is removed from an ext2 file system which was mounted with the "sync" mount option. The problem is that ext2_xattr_delete_inode() was invoking the routine, sync_dirty_buffer(), using a buffer head which was previously locked via lock_buffer(). The first thing that sync_dirty_buffer() does is to lock the buffer head that it was passed. It does this via lock_buffer(). Oops. The solution is to unlock the buffer head in ext2_xattr_delete_inode() before invoking sync_dirty_buffer(). This makes the code in ext2_xattr_delete_inode() obey the same locking rules as all other callers of sync_dirty_buffer() in the ext2 file system implementation. Signed-off-by: Peter Staubach <staubach@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] fix deadlock in ext2
Fix a deadlock possible in the ext2 file system implementation. This deadlock occurs when a file is removed from an ext2 file system which was mounted with the "sync" mount option. The problem is that ext2_xattr_delete_inode() was invoking the routine, sync_dirty_buffer(), using a buffer head which was previously locked via lock_buffer(). The first thing that sync_dirty_buffer() does is to lock the buffer head that it was passed. It does this via lock_buffer(). Oops. The solution is to unlock the buffer head in ext2_xattr_delete_inode() before invoking sync_dirty_buffer(). This makes the code in ext2_xattr_delete_inode() obey the same locking rules as all other callers of sync_dirty_buffer() in the ext2 file system implementation. Signed-off-by: Peter Staubach <staubach@redhat.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Peter Staubach · Linus Torvalds
1 parent 614f8f50ca
Showing 1 changed file with 4 additions and 2 deletions Side-by-side Diff
fs/ext2/xattr.c
@@ -792,18 +792,20 @@
 		ext2_free_blocks(inode, EXT2_I(inode)->i_file_acl, 1);
 		get_bh(bh);
 		bforget(bh);
+		unlock_buffer(bh);
 	} else {
 		HDR(bh)->h_refcount = cpu_to_le32(
 			le32_to_cpu(HDR(bh)->h_refcount) - 1);
 		if (ce)
 			mb_cache_entry_release(ce);
+		ea_bdebug(bh, "refcount now=%d",
+			le32_to_cpu(HDR(bh)->h_refcount));
+		unlock_buffer(bh);
 		mark_buffer_dirty(bh);
 		if (IS_SYNC(inode))
 			sync_dirty_buffer(bh);
 		DQUOT_FREE_BLOCK(inode, 1);
 	}
-	ea_bdebug(bh, "refcount now=%d", le32_to_cpu(HDR(bh)->h_refcount) - 1);
-	unlock_buffer(bh);
 	EXT2_I(inode)->i_file_acl = 0;
  
 cleanup:
...	...	@@ -792,18 +792,20 @@
792	792	ext2_free_blocks(inode, EXT2_I(inode)->i_file_acl, 1);
793	793	get_bh(bh);
794	794	bforget(bh);
	795	+ unlock_buffer(bh);
795	796	} else {
796	797	HDR(bh)->h_refcount = cpu_to_le32(
797	798	le32_to_cpu(HDR(bh)->h_refcount) - 1);
798	799	if (ce)
799	800	mb_cache_entry_release(ce);
	801	+ ea_bdebug(bh, "refcount now=%d",
	802	+ le32_to_cpu(HDR(bh)->h_refcount));
	803	+ unlock_buffer(bh);
800	804	mark_buffer_dirty(bh);
801	805	if (IS_SYNC(inode))
802	806	sync_dirty_buffer(bh);
803	807	DQUOT_FREE_BLOCK(inode, 1);
804	808	}
805		- ea_bdebug(bh, "refcount now=%d", le32_to_cpu(HDR(bh)->h_refcount) - 1);
806		- unlock_buffer(bh);
807	809	EXT2_I(inode)->i_file_acl = 0;
808	810
809	811	cleanup: