ubifs: Fix oops when remounting with no_bulk_read.

When remounting with the no_bulk_read option,
there is a problem accessing the "bulk_read buffer (bu.buf)"
which has already been freed.

If the bulk_read option is enabled,
ubifs_tnc_bulk_read uses the pre-allocated bu.buf.
While bu.buf is being used by ubifs_tnc_bulk_read,
remounting with no_bulk_read frees bu.buf.

So I added code to check the use of "bu.buf" to avoid this situation.
------

I tested as follows (kernel v3.18):

Use the script to repeat "no_bulk_read <-> bulk_read"

remount.sh
    #!/bin/sh
    while true; do
        mount -o remount,no_bulk_read ${MOUNT_POINT};
        sleep 1;
        mount -o remount,bulk_read ${MOUNT_POINT};
        sleep 1;
    done

Perform read operation
    cat ${MOUNT_POINT}/* > /dev/null

The problem is reproduced immediately.

[ 234.256845][kernel.0]Internal error: Oops: 17 [#1] PREEMPT ARM
[ 234.258557][kernel.0]CPU: 0 PID: 2752 Comm: cat Tainted: G W O 3.18.31+ #51
[ 234.259531][kernel.0]task: cbff8580 ti: cbd66000 task.ti: cbd66000
[ 234.260306][kernel.0]PC is at validate_data_node+0x10/0x264
[ 234.260994][kernel.0]LR is at ubifs_tnc_bulk_read+0x388/0x3ec
[ 234.261712][kernel.0]pc : [<c01d98fc>] lr : [<c01dc300>] psr: 80000013
[ 234.261712][kernel.0]sp : cbd67ba0 ip : 00000001 fp : 00000000
[ 234.263337][kernel.0]r10: cd3e0260 r9 : c0df2008 r8 : 00000000
[ 234.264087][kernel.0]r7 : cd3e0000 r6 : 00000000 r5 : cd3e0278 r4 : cd3e0000
[ 234.264999][kernel.0]r3 : 00000003 r2 : cd3e0280 r1 : 00000000 r0 : cd3e0000
[ 234.265910][kernel.0]Flags: Nzcv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user
[ 234.266896][kernel.0]Control: 10c53c7d Table: 8c40c059 DAC: 00000015
[ 234.267711][kernel.0]Process cat (pid: 2752, stack limit = 0xcbd66400)
[ 234.268525][kernel.0]Stack: (0xcbd67ba0 to 0xcbd68000)
[ 234.308292][kernel.0][<c01d98fc>] (validate_data_node) from [<c01dc300>] (ubifs_tnc_bulk_read+0x388/0x3ec)
[ 234.309493][kernel.0][<c01dc300>] (ubifs_tnc_bulk_read) from [<c01cec84>] (ubifs_readpage+0x1dc/0x46c)
[ 234.310656][kernel.0][<c01cec84>] (ubifs_readpage) from [<c0113c04>] (__generic_file_splice_read+0x29c/0x4cc)
[ 234.311890][kernel.0][<c0113c04>] (__generic_file_splice_read) from [<c0113ee4>] (generic_file_splice_read+0xb0/0xf4)
[ 234.313214][kernel.0][<c0113ee4>] (generic_file_splice_read) from [<c0112fd0>] (do_splice_to+0x68/0x7c)
[ 234.314386][kernel.0][<c0112fd0>] (do_splice_to) from [<c011308c>] (splice_direct_to_actor+0xa8/0x190)
[ 234.315544][kernel.0][<c011308c>] (splice_direct_to_actor) from [<c0113204>] (do_splice_direct+0x90/0xb8)
[ 234.316741][kernel.0][<c0113204>] (do_splice_direct) from [<c00ebba8>] (do_sendfile+0x17c/0x2b8)
[ 234.317838][kernel.0][<c00ebba8>] (do_sendfile) from [<c00ec678>] (SyS_sendfile64+0xc4/0xcc)
[ 234.318890][kernel.0][<c00ec678>] (SyS_sendfile64) from [<c000e780>] (ret_fast_syscall+0x0/0x38)
[ 234.319983][kernel.0]Code: e92d47f0 e24dd050 e59f9228 e1a04000 (e5d18014)
Signed-off-by: karam.lee <karam.lee@lge.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
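
An added example, not part of this commit or of the UBIFS source: a user-space C model of one way to close the race described above, in which the path that frees the bulk-read buffer and the path that reads through it take the same mutex, and the pointer is cleared when the buffer is freed. The patch itself is not shown on this page and may differ; bu_mutex, bu_buf, model_read, model_remount, reader, run_stress and the buffer size are names and values assumed for illustration.

```c
/* User-space model of the bu.buf race; every name here is hypothetical. */
#include <pthread.h>
#include <stdlib.h>

#define BU_LEN 4096
static pthread_mutex_t bu_mutex = PTHREAD_MUTEX_INITIALIZER; /* guards bu_buf */
static unsigned char *bu_buf;      /* NULL while bulk read is switched off */

static long model_read(void)       /* read path: buffer used only under lock */
{
    long sum = 0;                  /* stays 0 on the non-bulk fallback path */
    pthread_mutex_lock(&bu_mutex);
    for (int i = 0; bu_buf && i < BU_LEN; i++)   /* NULL: freed, so skip */
        sum += (bu_buf[i] = 0xA5);
    pthread_mutex_unlock(&bu_mutex);
    return sum;
}

static void model_remount(int bulk_read)   /* remount path: same lock */
{
    pthread_mutex_lock(&bu_mutex);
    if (!bulk_read) {
        free(bu_buf);
        bu_buf = NULL;             /* no stale address left for readers */
    } else if (!bu_buf) {
        bu_buf = malloc(BU_LEN);   /* on failure readers just fall back */
    }
    pthread_mutex_unlock(&bu_mutex);
}

static void *reader(void *unused)  /* counts reads that saw a torn buffer */
{
    long s, bad = 0;
    for (int i = 0; i < 5000; i++)
        bad += ((s = model_read()) != 0 && s != 0xA5L * BU_LEN);
    return (void *)bad;
}

static long run_stress(void)       /* remount.sh plus cat, in miniature */
{
    pthread_t t;
    void *bad = NULL;
    if (pthread_create(&t, NULL, reader, NULL))
        return -1;
    for (int i = 0; i < 2000; i++)
        model_remount((i & 1) == 0);
    pthread_join(t, &bad);
    return (long)bad;
}
```

Built with `-fsanitize=thread`, this version runs clean; taking the lock out of model_remount lets the sanitizer flag the unsynchronized free, which is the user-space counterpart of the oops in validate_data_node above.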