Sophie

Sophie

distrib > Scientific%20Linux > 5x > x86_64 > by-pkgid > 27922b4260f65d317aabda37e42bbbff > files > 389

kernel-2.6.18-238.el5.src.rpm

From: Eric Sandeen <sandeen@redhat.com>
Subject: [RHEL5 PATCH] Fix NULL bio crash in loop worker thread
Date: Mon, 04 Jun 2007 14:36:16 -0500
Bugzilla: 236880
Message-Id: <466469B0.7070406@redhat.com>
Changelog: [block] Fix NULL bio crash in loop worker thread


For Bug 236880: [PATCH] Fix NULL bio crash in loop worker thread

Alexey found the problem, testcase, and patch, and I have verified
the problem & the fix using the steps he outlines below.

Description of problem:

After LOOP_SET_FD/LOOP_CLR_FD combo loop device's queue gets request
handler which is persistent.

After, say

        mount -t iso9660 /dev/loop0 /mnt        # sic, fails

this request handler is called directly with
a) ->lo_state being Lo_unbound
b) ->lo_pending being zero

Error path in loop_make_request() completes ->lo_bh_done completion
which is persistent as well.

Now, let's start worker thread as usual. It'll set ->lo_pending to 1,
don't wait for completion because it was already completed (brokenly),
and will not get out of infinite loop because of ->lo_pending. Loop
device doesn't have bios at this point and triggers BUG_ON.

So, don't complete ->lo_bh_done when loop device isn't setup fully.

How reproducible: always
Steps to Reproduce:

#!/bin/sh -x
ISO=1.iso
mount -o loop $ISO /mnt
umount /mnt
mount -t iso9660 /dev/loop0 /mnt        # sic
mount -o loop $ISO /mnt
  
Actual results: BUG_ON(!bio); in loop_thread triggers

Signed-off-by: Alexey Dobriyan <adobriyan@sw.ru>
---

Index: linux-2.6.18-20.EL/drivers/block/loop.c
===================================================================
--- linux-2.6.18-20.EL.orig/drivers/block/loop.c
+++ linux-2.6.18-20.EL/drivers/block/loop.c
@@ -519,7 +519,7 @@ static int loop_make_request(request_que
 
 	spin_lock_irq(&lo->lo_lock);
 	if (lo->lo_state != Lo_bound)
-		goto out;
+		goto out_not_bound;
 	if (unlikely(rw == WRITE && (lo->lo_flags & LO_FLAGS_READ_ONLY)))
 		goto out;
 	lo->lo_pending++;
@@ -531,6 +531,7 @@ static int loop_make_request(request_que
 out:
 	if (lo->lo_pending == 0)
 		complete(&lo->lo_bh_done);
+out_not_bound:
 	spin_unlock_irq(&lo->lo_lock);
 	bio_io_error(old_bio, old_bio->bi_size);
 	return 0;