[PATCH] block: fix refcounting in BLKBSZSET

From: Miklos Szeredi
Date: Thu Feb 24 2011 - 09:49:17 EST

[and lkml cc-d too]

This fixes bug 29202 in the 2.6.38 regression list.

Please apply.


Subject: block: fix refcounting in BLKBSZSET

From: Miklos Szeredi <mszeredi@xxxxxxx>

Adam Kovari and others reported that disconnecting an USB drive with
an ntfs-3g filesystem would cause "kernel BUG at fs/inode.c:1421!" to
be triggered.

The BUG could be traced back to ioctl(BLKBSZSET), which would
erroneously decrement the refcount on the bdev. This is because
blkdev_get() expects the refcount to be already incremented and either
returns success or decrements the refcount and returns an error.

The bug was introduced by e525fd89 (block: make blkdev_get/put()
handle exclusive access), which didn't take into account this behavior
of blkdev_get().

Reported-by: Adam Kovari <kovariadam@xxxxxxxxx>
CC: Tejun Heo <tj@xxxxxxxxxx>
Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxx>
block/ioctl.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)

Index: linux.git/block/ioctl.c
--- linux.git.orig/block/ioctl.c 2011-01-18 09:02:44.000000000 +0100
+++ linux.git/block/ioctl.c 2011-02-24 14:23:56.000000000 +0100
@@ -294,9 +294,11 @@ int blkdev_ioctl(struct block_device *bd
return -EINVAL;
if (get_user(n, (int __user *) arg))
return -EFAULT;
- if (!(mode & FMODE_EXCL) &&
- blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0)
- return -EBUSY;
+ if (!(mode & FMODE_EXCL)) {
+ bdgrab(bdev);
+ if (blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0)
+ return -EBUSY;
+ }
ret = set_blocksize(bdev, n);
if (!(mode & FMODE_EXCL))
blkdev_put(bdev, mode | FMODE_EXCL);

To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/