Commit 3c522cedb572bb8d2e4867f358bdaa7d0c53d88c
Committed by
Linus Torvalds
Linus Torvalds
1 parent
dcace5ac85
Exists in
master
and in
20 other branches
block: fix refcounting in BLKBSZSET
Adam Kovari and others reported that disconnecting an USB drive with an ntfs-3g filesystem would cause "kernel BUG at fs/inode.c:1421!" to be triggered. The BUG could be traced back to ioctl(BLKBSZSET), which would erroneously decrement the refcount on the bdev. This is because blkdev_get() expects the refcount to be already incremented and either returns success or decrements the refcount and returns an error. The bug was introduced by e525fd89 (block: make blkdev_get/put() handle exclusive access), which didn't take into account this behavior of blkdev_get(). This fixes https://bugzilla.kernel.org/show_bug.cgi?id=29202 (and likely 29792 too) Reported-by: Adam Kovari <kovariadam@gmail.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Showing 1 changed file with 5 additions and 3 deletions Side-by-side Diff
block/ioctl.c
| ... | ... | @@ -294,9 +294,11 @@ |
| 294 | 294 | return -EINVAL; |
| 295 | 295 | if (get_user(n, (int __user *) arg)) |
| 296 | 296 | return -EFAULT; |
| 297 | - if (!(mode & FMODE_EXCL) && | |
| 298 | - blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0) | |
| 299 | - return -EBUSY; | |
| 297 | + if (!(mode & FMODE_EXCL)) { | |
| 298 | + bdgrab(bdev); | |
| 299 | + if (blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0) | |
| 300 | + return -EBUSY; | |
| 301 | + } | |
| 300 | 302 | ret = set_blocksize(bdev, n); |
| 301 | 303 | if (!(mode & FMODE_EXCL)) |
| 302 | 304 | blkdev_put(bdev, mode | FMODE_EXCL); |