aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMiklos Szeredi2011-02-24 08:45:41 -0600
committerLinus Torvalds2011-02-24 10:54:21 -0600
commit3c522cedb572bb8d2e4867f358bdaa7d0c53d88c (patch)
treeb348cabd2574638702f9abcccd0b8b711b136162 /block/ioctl.c
parentdcace5ac85c628af21878a1fa151e5e6403fb8eb (diff)
downloadkernel-common-3c522cedb572bb8d2e4867f358bdaa7d0c53d88c.tar.gz
kernel-common-3c522cedb572bb8d2e4867f358bdaa7d0c53d88c.tar.xz
kernel-common-3c522cedb572bb8d2e4867f358bdaa7d0c53d88c.zip
block: fix refcounting in BLKBSZSET
Adam Kovari and others reported that disconnecting an USB drive with an ntfs-3g filesystem would cause "kernel BUG at fs/inode.c:1421!" to be triggered. The BUG could be traced back to ioctl(BLKBSZSET), which would erroneously decrement the refcount on the bdev. This is because blkdev_get() expects the refcount to be already incremented and either returns success or decrements the refcount and returns an error. The bug was introduced by e525fd89 (block: make blkdev_get/put() handle exclusive access), which didn't take into account this behavior of blkdev_get(). This fixes https://bugzilla.kernel.org/show_bug.cgi?id=29202 (and likely 29792 too) Reported-by: Adam Kovari <kovariadam@gmail.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'block/ioctl.c')
-rw-r--r--block/ioctl.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/block/ioctl.c b/block/ioctl.c
index 9049d460fa8..1124cd29726 100644
--- a/block/ioctl.c
+++ b/block/ioctl.c
@@ -294,9 +294,11 @@ int blkdev_ioctl(struct block_device *bdev, fmode_t mode, unsigned cmd,
294 return -EINVAL; 294 return -EINVAL;
295 if (get_user(n, (int __user *) arg)) 295 if (get_user(n, (int __user *) arg))
296 return -EFAULT; 296 return -EFAULT;
297 if (!(mode & FMODE_EXCL) && 297 if (!(mode & FMODE_EXCL)) {
298 blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0) 298 bdgrab(bdev);
299 return -EBUSY; 299 if (blkdev_get(bdev, mode | FMODE_EXCL, &bdev) < 0)
300 return -EBUSY;
301 }
300 ret = set_blocksize(bdev, n); 302 ret = set_blocksize(bdev, n);
301 if (!(mode & FMODE_EXCL)) 303 if (!(mode & FMODE_EXCL))
302 blkdev_put(bdev, mode | FMODE_EXCL); 304 blkdev_put(bdev, mode | FMODE_EXCL);