[patch 07/20] spufs: fix deadlock in spu_create error path
Michael Ellerman
michael at ellerman.id.au
Tue Jun 20 11:16:52 EST 2006
On Mon, 2006-06-19 at 20:33 +0200, arnd at arndb.de wrote:
> plain text document attachment (spufs-rmdir-3.diff)
> From: Michael Ellerman <michael at ellerman.id.au>
>
> spufs_rmdir tries to acquire the spufs root
> i_mutex, which is already held by spufs_create_thread.
>
> This was tracked as Bug #H9512.
>
> Signed-off-by: Arnd Bergmann <arnd.bergmann at de.ibm.com>
I should have signed this off when I sent it .. but FWIW:
Signed-off-by: Michael Ellerman <michael at ellerman.id.au>
> ---
>
> Index: powerpc.git/arch/powerpc/platforms/cell/spufs/inode.c
> ===================================================================
> --- powerpc.git.orig/arch/powerpc/platforms/cell/spufs/inode.c
> +++ powerpc.git/arch/powerpc/platforms/cell/spufs/inode.c
> @@ -157,20 +157,12 @@ static void spufs_prune_dir(struct dentr
> mutex_unlock(&dir->d_inode->i_mutex);
> }
>
> +/* Caller must hold root->i_mutex */
> static int spufs_rmdir(struct inode *root, struct dentry *dir_dentry)
> {
> - struct spu_context *ctx;
> -
> /* remove all entries */
> - mutex_lock(&root->i_mutex);
> spufs_prune_dir(dir_dentry);
> - mutex_unlock(&root->i_mutex);
>
> - /* We have to give up the mm_struct */
> - ctx = SPUFS_I(dir_dentry->d_inode)->i_ctx;
> - spu_forget(ctx);
> -
> - /* XXX Do we need to hold i_mutex here ? */
> return simple_rmdir(root, dir_dentry);
> }
>
> @@ -199,16 +191,23 @@ out:
>
> static int spufs_dir_close(struct inode *inode, struct file *file)
> {
> + struct spu_context *ctx;
> struct inode *dir;
> struct dentry *dentry;
> int ret;
>
> dentry = file->f_dentry;
> dir = dentry->d_parent->d_inode;
> + ctx = SPUFS_I(dentry->d_inode)->i_ctx;
>
> + mutex_lock(&dir->i_mutex);
> ret = spufs_rmdir(dir, dentry);
> + mutex_unlock(&dir->i_mutex);
> WARN_ON(ret);
>
> + /* We have to give up the mm_struct */
> + spu_forget(ctx);
> +
> return dcache_dir_close(inode, file);
> }
>
> @@ -324,8 +323,13 @@ long spufs_create_thread(struct nameidat
> * in error path of *_open().
> */
> ret = spufs_context_open(dget(dentry), mntget(nd->mnt));
> - if (ret < 0)
> - spufs_rmdir(nd->dentry->d_inode, dentry);
> + if (ret < 0) {
> + WARN_ON(spufs_rmdir(nd->dentry->d_inode, dentry));
> + mutex_unlock(&nd->dentry->d_inode->i_mutex);
> + spu_forget(SPUFS_I(dentry->d_inode)->i_ctx);
> + dput(dentry);
> + goto out;
> + }
>
> out_dput:
> dput(dentry);
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 191 bytes
Desc: This is a digitally signed message part
URL: <http://lists.ozlabs.org/pipermail/linuxppc-dev/attachments/20060620/df51de4a/attachment.pgp>
More information about the Linuxppc-dev
mailing list