<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/mtd/mtd_blkdevs.c, branch linux-3.12.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>mtd: blkdevs: fix potential deadlock + lockdep warnings</title>
<updated>2016-11-28T21:22:56+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-10-26T17:20:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=727cf4032ef3da19c28dd0fb11f792ea4203d842'/>
<id>727cf4032ef3da19c28dd0fb11f792ea4203d842</id>
<content type='text'>
commit f3c63795e90f0c6238306883b6c72f14d5355721 upstream.

Commit 073db4a51ee4 ("mtd: fix: avoid race condition when accessing
mtd-&gt;usecount") fixed a race condition but due to poor ordering of the
mutex acquisition, introduced a potential deadlock.

The deadlock can occur, for example, when rmmod'ing the m25p80 module, which
will delete one or more MTDs, along with any corresponding mtdblock
devices. This could potentially race with an acquisition of the block
device as follows.

 -&gt; blktrans_open()
    -&gt;  mutex_lock(&amp;dev-&gt;lock);
    -&gt;  mutex_lock(&amp;mtd_table_mutex);

 -&gt; del_mtd_device()
    -&gt;  mutex_lock(&amp;mtd_table_mutex);
    -&gt;  blktrans_notify_remove() -&gt; del_mtd_blktrans_dev()
       -&gt;  mutex_lock(&amp;dev-&gt;lock);

This is a classic (potential) ABBA deadlock, which can be fixed by
making the A-&gt;B ordering consistent everywhere. There was no real
purpose to the ordering in the original patch, AFAIR, so this shouldn't
be a problem. This ordering was actually already present in
del_mtd_blktrans_dev(), for one, where the function tried to ensure that
its caller already held mtd_table_mutex before it acquired &amp;dev-&gt;lock:

        if (mutex_trylock(&amp;mtd_table_mutex)) {
                mutex_unlock(&amp;mtd_table_mutex);
                BUG();
        }

So, reverse the ordering of acquisition of &amp;dev-&gt;lock and &amp;mtd_table_mutex so
we always acquire mtd_table_mutex first.

Snippets of the lockdep output follow:

  # modprobe -r m25p80
  [   53.419251]
  [   53.420838] ======================================================
  [   53.427300] [ INFO: possible circular locking dependency detected ]
  [   53.433865] 4.3.0-rc6 #96 Not tainted
  [   53.437686] -------------------------------------------------------
  [   53.444220] modprobe/372 is trying to acquire lock:
  [   53.449320]  (&amp;new-&gt;lock){+.+...}, at: [&lt;c043fe4c&gt;] del_mtd_blktrans_dev+0x80/0xdc
  [   53.457271]
  [   53.457271] but task is already holding lock:
  [   53.463372]  (mtd_table_mutex){+.+.+.}, at: [&lt;c0439994&gt;] del_mtd_device+0x18/0x100
  [   53.471321]
  [   53.471321] which lock already depends on the new lock.
  [   53.471321]
  [   53.479856]
  [   53.479856] the existing dependency chain (in reverse order) is:
  [   53.487660]
  -&gt; #1 (mtd_table_mutex){+.+.+.}:
  [   53.492331]        [&lt;c043fc5c&gt;] blktrans_open+0x34/0x1a4
  [   53.497879]        [&lt;c01afce0&gt;] __blkdev_get+0xc4/0x3b0
  [   53.503364]        [&lt;c01b0bb8&gt;] blkdev_get+0x108/0x320
  [   53.508743]        [&lt;c01713c0&gt;] do_dentry_open+0x218/0x314
  [   53.514496]        [&lt;c0180454&gt;] path_openat+0x4c0/0xf9c
  [   53.519959]        [&lt;c0182044&gt;] do_filp_open+0x5c/0xc0
  [   53.525336]        [&lt;c0172758&gt;] do_sys_open+0xfc/0x1cc
  [   53.530716]        [&lt;c000f740&gt;] ret_fast_syscall+0x0/0x1c
  [   53.536375]
  -&gt; #0 (&amp;new-&gt;lock){+.+...}:
  [   53.540587]        [&lt;c063f124&gt;] mutex_lock_nested+0x38/0x3cc
  [   53.546504]        [&lt;c043fe4c&gt;] del_mtd_blktrans_dev+0x80/0xdc
  [   53.552606]        [&lt;c043f164&gt;] blktrans_notify_remove+0x7c/0x84
  [   53.558891]        [&lt;c04399f0&gt;] del_mtd_device+0x74/0x100
  [   53.564544]        [&lt;c043c670&gt;] del_mtd_partitions+0x80/0xc8
  [   53.570451]        [&lt;c0439aa0&gt;] mtd_device_unregister+0x24/0x48
  [   53.576637]        [&lt;c046ce6c&gt;] spi_drv_remove+0x1c/0x34
  [   53.582207]        [&lt;c03de0f0&gt;] __device_release_driver+0x88/0x114
  [   53.588663]        [&lt;c03de19c&gt;] device_release_driver+0x20/0x2c
  [   53.594843]        [&lt;c03dd9e8&gt;] bus_remove_device+0xd8/0x108
  [   53.600748]        [&lt;c03dacc0&gt;] device_del+0x10c/0x210
  [   53.606127]        [&lt;c03dadd0&gt;] device_unregister+0xc/0x20
  [   53.611849]        [&lt;c046d878&gt;] __unregister+0x10/0x20
  [   53.617211]        [&lt;c03da868&gt;] device_for_each_child+0x50/0x7c
  [   53.623387]        [&lt;c046eae8&gt;] spi_unregister_master+0x58/0x8c
  [   53.629578]        [&lt;c03e12f0&gt;] release_nodes+0x15c/0x1c8
  [   53.635223]        [&lt;c03de0f8&gt;] __device_release_driver+0x90/0x114
  [   53.641689]        [&lt;c03de900&gt;] driver_detach+0xb4/0xb8
  [   53.647147]        [&lt;c03ddc78&gt;] bus_remove_driver+0x4c/0xa0
  [   53.652970]        [&lt;c00cab50&gt;] SyS_delete_module+0x11c/0x1e4
  [   53.658976]        [&lt;c000f740&gt;] ret_fast_syscall+0x0/0x1c
  [   53.664621]
  [   53.664621] other info that might help us debug this:
  [   53.664621]
  [   53.672979]  Possible unsafe locking scenario:
  [   53.672979]
  [   53.679169]        CPU0                    CPU1
  [   53.683900]        ----                    ----
  [   53.688633]   lock(mtd_table_mutex);
  [   53.692383]                                lock(&amp;new-&gt;lock);
  [   53.698306]                                lock(mtd_table_mutex);
  [   53.704658]   lock(&amp;new-&gt;lock);
  [   53.707946]
  [   53.707946]  *** DEADLOCK ***

Fixes: 073db4a51ee4 ("mtd: fix: avoid race condition when accessing mtd-&gt;usecount")
Reported-by: Felipe Balbi &lt;balbi@ti.com&gt;
Tested-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f3c63795e90f0c6238306883b6c72f14d5355721 upstream.

Commit 073db4a51ee4 ("mtd: fix: avoid race condition when accessing
mtd-&gt;usecount") fixed a race condition but due to poor ordering of the
mutex acquisition, introduced a potential deadlock.

The deadlock can occur, for example, when rmmod'ing the m25p80 module, which
will delete one or more MTDs, along with any corresponding mtdblock
devices. This could potentially race with an acquisition of the block
device as follows.

 -&gt; blktrans_open()
    -&gt;  mutex_lock(&amp;dev-&gt;lock);
    -&gt;  mutex_lock(&amp;mtd_table_mutex);

 -&gt; del_mtd_device()
    -&gt;  mutex_lock(&amp;mtd_table_mutex);
    -&gt;  blktrans_notify_remove() -&gt; del_mtd_blktrans_dev()
       -&gt;  mutex_lock(&amp;dev-&gt;lock);

This is a classic (potential) ABBA deadlock, which can be fixed by
making the A-&gt;B ordering consistent everywhere. There was no real
purpose to the ordering in the original patch, AFAIR, so this shouldn't
be a problem. This ordering was actually already present in
del_mtd_blktrans_dev(), for one, where the function tried to ensure that
its caller already held mtd_table_mutex before it acquired &amp;dev-&gt;lock:

        if (mutex_trylock(&amp;mtd_table_mutex)) {
                mutex_unlock(&amp;mtd_table_mutex);
                BUG();
        }

So, reverse the ordering of acquisition of &amp;dev-&gt;lock and &amp;mtd_table_mutex so
we always acquire mtd_table_mutex first.

Snippets of the lockdep output follow:

  # modprobe -r m25p80
  [   53.419251]
  [   53.420838] ======================================================
  [   53.427300] [ INFO: possible circular locking dependency detected ]
  [   53.433865] 4.3.0-rc6 #96 Not tainted
  [   53.437686] -------------------------------------------------------
  [   53.444220] modprobe/372 is trying to acquire lock:
  [   53.449320]  (&amp;new-&gt;lock){+.+...}, at: [&lt;c043fe4c&gt;] del_mtd_blktrans_dev+0x80/0xdc
  [   53.457271]
  [   53.457271] but task is already holding lock:
  [   53.463372]  (mtd_table_mutex){+.+.+.}, at: [&lt;c0439994&gt;] del_mtd_device+0x18/0x100
  [   53.471321]
  [   53.471321] which lock already depends on the new lock.
  [   53.471321]
  [   53.479856]
  [   53.479856] the existing dependency chain (in reverse order) is:
  [   53.487660]
  -&gt; #1 (mtd_table_mutex){+.+.+.}:
  [   53.492331]        [&lt;c043fc5c&gt;] blktrans_open+0x34/0x1a4
  [   53.497879]        [&lt;c01afce0&gt;] __blkdev_get+0xc4/0x3b0
  [   53.503364]        [&lt;c01b0bb8&gt;] blkdev_get+0x108/0x320
  [   53.508743]        [&lt;c01713c0&gt;] do_dentry_open+0x218/0x314
  [   53.514496]        [&lt;c0180454&gt;] path_openat+0x4c0/0xf9c
  [   53.519959]        [&lt;c0182044&gt;] do_filp_open+0x5c/0xc0
  [   53.525336]        [&lt;c0172758&gt;] do_sys_open+0xfc/0x1cc
  [   53.530716]        [&lt;c000f740&gt;] ret_fast_syscall+0x0/0x1c
  [   53.536375]
  -&gt; #0 (&amp;new-&gt;lock){+.+...}:
  [   53.540587]        [&lt;c063f124&gt;] mutex_lock_nested+0x38/0x3cc
  [   53.546504]        [&lt;c043fe4c&gt;] del_mtd_blktrans_dev+0x80/0xdc
  [   53.552606]        [&lt;c043f164&gt;] blktrans_notify_remove+0x7c/0x84
  [   53.558891]        [&lt;c04399f0&gt;] del_mtd_device+0x74/0x100
  [   53.564544]        [&lt;c043c670&gt;] del_mtd_partitions+0x80/0xc8
  [   53.570451]        [&lt;c0439aa0&gt;] mtd_device_unregister+0x24/0x48
  [   53.576637]        [&lt;c046ce6c&gt;] spi_drv_remove+0x1c/0x34
  [   53.582207]        [&lt;c03de0f0&gt;] __device_release_driver+0x88/0x114
  [   53.588663]        [&lt;c03de19c&gt;] device_release_driver+0x20/0x2c
  [   53.594843]        [&lt;c03dd9e8&gt;] bus_remove_device+0xd8/0x108
  [   53.600748]        [&lt;c03dacc0&gt;] device_del+0x10c/0x210
  [   53.606127]        [&lt;c03dadd0&gt;] device_unregister+0xc/0x20
  [   53.611849]        [&lt;c046d878&gt;] __unregister+0x10/0x20
  [   53.617211]        [&lt;c03da868&gt;] device_for_each_child+0x50/0x7c
  [   53.623387]        [&lt;c046eae8&gt;] spi_unregister_master+0x58/0x8c
  [   53.629578]        [&lt;c03e12f0&gt;] release_nodes+0x15c/0x1c8
  [   53.635223]        [&lt;c03de0f8&gt;] __device_release_driver+0x90/0x114
  [   53.641689]        [&lt;c03de900&gt;] driver_detach+0xb4/0xb8
  [   53.647147]        [&lt;c03ddc78&gt;] bus_remove_driver+0x4c/0xa0
  [   53.652970]        [&lt;c00cab50&gt;] SyS_delete_module+0x11c/0x1e4
  [   53.658976]        [&lt;c000f740&gt;] ret_fast_syscall+0x0/0x1c
  [   53.664621]
  [   53.664621] other info that might help us debug this:
  [   53.664621]
  [   53.672979]  Possible unsafe locking scenario:
  [   53.672979]
  [   53.679169]        CPU0                    CPU1
  [   53.683900]        ----                    ----
  [   53.688633]   lock(mtd_table_mutex);
  [   53.692383]                                lock(&amp;new-&gt;lock);
  [   53.698306]                                lock(mtd_table_mutex);
  [   53.704658]   lock(&amp;new-&gt;lock);
  [   53.707946]
  [   53.707946]  *** DEADLOCK ***

Fixes: 073db4a51ee4 ("mtd: fix: avoid race condition when accessing mtd-&gt;usecount")
Reported-by: Felipe Balbi &lt;balbi@ti.com&gt;
Tested-by: Felipe Balbi &lt;balbi@ti.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: fix: avoid race condition when accessing mtd-&gt;usecount</title>
<updated>2015-07-30T12:10:52+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2015-05-08T00:55:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6be3211b6225d942b29e628f2e36ecff905a621a'/>
<id>6be3211b6225d942b29e628f2e36ecff905a621a</id>
<content type='text'>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.

On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd-&gt;usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [&lt;ffffffff80401818&gt;] __put_mtd_device+0x20/0x50
kernel: [&lt;ffffffff804086f4&gt;] blktrans_release+0x8c/0xd8
kernel: [&lt;ffffffff802577e0&gt;] __blkdev_put+0x1a8/0x200
kernel: [&lt;ffffffff802579a4&gt;] blkdev_close+0x1c/0x30
kernel: [&lt;ffffffff8022006c&gt;] __fput+0xac/0x250
kernel: [&lt;ffffffff80171208&gt;] task_work_run+0xd8/0x120
kernel: [&lt;ffffffff8012c23c&gt;] work_notifysig+0x10/0x18
kernel:
kernel:
        Code: 2442ffff  ac8202d8  000217fe &lt;00020336&gt; dc820128  10400003
               00000000  0040f809  00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---

Fixed by taking the mutex in blktrans_open and blktrans_release.

Note that this locking is already suggested in
include/linux/mtd/blktrans.h:

struct mtd_blktrans_ops {
...
	/* Called with mtd_table_mutex held; no race with add/remove */
	int (*open)(struct mtd_blktrans_dev *dev);
	void (*release)(struct mtd_blktrans_dev *dev);
...
};

But we weren't following it.

Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.

Reported-by: Zhang Xingcai &lt;zhangxingcai@huawei.com&gt;
Reported-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Tested-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Acked-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.

On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd-&gt;usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [&lt;ffffffff80401818&gt;] __put_mtd_device+0x20/0x50
kernel: [&lt;ffffffff804086f4&gt;] blktrans_release+0x8c/0xd8
kernel: [&lt;ffffffff802577e0&gt;] __blkdev_put+0x1a8/0x200
kernel: [&lt;ffffffff802579a4&gt;] blkdev_close+0x1c/0x30
kernel: [&lt;ffffffff8022006c&gt;] __fput+0xac/0x250
kernel: [&lt;ffffffff80171208&gt;] task_work_run+0xd8/0x120
kernel: [&lt;ffffffff8012c23c&gt;] work_notifysig+0x10/0x18
kernel:
kernel:
        Code: 2442ffff  ac8202d8  000217fe &lt;00020336&gt; dc820128  10400003
               00000000  0040f809  00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---

Fixed by taking the mutex in blktrans_open and blktrans_release.

Note that this locking is already suggested in
include/linux/mtd/blktrans.h:

struct mtd_blktrans_ops {
...
	/* Called with mtd_table_mutex held; no race with add/remove */
	int (*open)(struct mtd_blktrans_dev *dev);
	void (*release)(struct mtd_blktrans_dev *dev);
...
};

But we weren't following it.

Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.

Reported-by: Zhang Xingcai &lt;zhangxingcai@huawei.com&gt;
Reported-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Tested-by: Giuseppe Cantavenera &lt;giuseppe.cantavenera.ext@nokia.com&gt;
Acked-by: Alexander Sverdlin &lt;alexander.sverdlin@nokia.com&gt;
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>block_device_operations-&gt;release() should return void</title>
<updated>2013-05-07T06:16:21+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2013-05-06T01:52:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=db2a144bedd58b3dcf19950c2f476c58c9f39d18'/>
<id>db2a144bedd58b3dcf19950c2f476c58c9f39d18</id>
<content type='text'>
The value passed is 0 in all but "it can never happen" cases (and those
only in a couple of drivers) *and* it would've been lost on the way
out anyway, even if something tried to pass something meaningful.
Just don't bother.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The value passed is 0 in all but "it can never happen" cases (and those
only in a couple of drivers) *and* it would've been lost on the way
out anyway, even if something tried to pass something meaningful.
Just don't bother.

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd_blktrans_ops-&gt;release() should return void</title>
<updated>2013-05-06T01:31:22+00:00</updated>
<author>
<name>Al Viro</name>
<email>viro@zeniv.linux.org.uk</email>
</author>
<published>2013-05-06T01:31:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a8ca889ed9585894d53fd8919d80cbe8baff09e7'/>
<id>a8ca889ed9585894d53fd8919d80cbe8baff09e7</id>
<content type='text'>
Both existing instances always return 0 and even if they didn't,
the value would be lost on the way out.  Just don't bother...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Both existing instances always return 0 and even if they didn't,
the value would be lost on the way out.  Just don't bother...

Signed-off-by: Al Viro &lt;viro@zeniv.linux.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mtd_blkdevs: Replace request handler kthread with a workqueue</title>
<updated>2012-11-21T15:02:23+00:00</updated>
<author>
<name>Ezequiel Garcia</name>
<email>elezegarcia@gmail.com</email>
</author>
<published>2012-11-10T16:08:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=22a8578fca5a47e643bb4f70c232d0ec84db9e4e'/>
<id>22a8578fca5a47e643bb4f70c232d0ec84db9e4e</id>
<content type='text'>
By replacing a kthread with a workqueue, the code is now a bit clearer.
There's also a slight reduction of code size (numbers apply for x86):
Before:
   text	   data	    bss	    dec	    hex	filename
   3248	     36	      0	   3284	    cd4	drivers/mtd/mtd_blkdevs.o

After:
   text	   data	    bss	    dec	    hex	filename
   3150	     36	      0	   3186	    c72	drivers/mtd/mtd_blkdevs.o

Due to lack of real hardware, tests have been performed on an emulated
environment with mtdswap and mtdblock over nandsim devices.
Some real testing should be done, before merging this patch.

Signed-off-by: Ezequiel Garcia &lt;elezegarcia@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
By replacing a kthread with a workqueue, the code is now a bit clearer.
There's also a slight reduction of code size (numbers apply for x86):
Before:
   text	   data	    bss	    dec	    hex	filename
   3248	     36	      0	   3284	    cd4	drivers/mtd/mtd_blkdevs.o

After:
   text	   data	    bss	    dec	    hex	filename
   3150	     36	      0	   3186	    c72	drivers/mtd/mtd_blkdevs.o

Due to lack of real hardware, tests have been performed on an emulated
environment with mtdswap and mtdblock over nandsim devices.
Some real testing should be done, before merging this patch.

Signed-off-by: Ezequiel Garcia &lt;elezegarcia@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mtd_blkdev: Use a different name for block_device_operations variable</title>
<updated>2012-11-21T15:02:05+00:00</updated>
<author>
<name>Ezequiel Garcia</name>
<email>elezegarcia@gmail.com</email>
</author>
<published>2012-11-09T15:36:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=9329c5eb5b087d6e6af905bd7e4f7eee13f9f7e5'/>
<id>9329c5eb5b087d6e6af905bd7e4f7eee13f9f7e5</id>
<content type='text'>
struct mtd_blktrans_ops is a type, and mtd_blktrans_ops is a variable.
To improve code clarity it's better to not use the same names,
so we just change the latter.

Signed-off-by: Ezequiel Garcia &lt;elezegarcia@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
struct mtd_blktrans_ops is a type, and mtd_blktrans_ops is a variable.
To improve code clarity it's better to not use the same names,
so we just change the latter.

Signed-off-by: Ezequiel Garcia &lt;elezegarcia@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mtdblock: call mtd_sync() only if opened for write</title>
<updated>2012-03-26T23:11:11+00:00</updated>
<author>
<name>Alexander Stein</name>
<email>alexander.stein@systec-electronic.com</email>
</author>
<published>2012-01-10T12:26:58+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=70d5098a4b1551864dd7df43f67b7f606a1a6438'/>
<id>70d5098a4b1551864dd7df43f67b7f606a1a6438</id>
<content type='text'>
Because it is useless to call it if the device is opened in R/O mode, and also
harmful: on CFI NOR flash it may block for long time waiting for erase
operations to complete is another partition with a R/W file-system on this
chip.

Artem Bityutskiy: write commit message, amend the patch to match the latest
tree (we use mtd_sync(), not mtd-&gt;sync() nowadays).

Signed-off-by: Alexander Stein &lt;alexander.stein@systec-electronic.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Because it is useless to call it if the device is opened in R/O mode, and also
harmful: on CFI NOR flash it may block for long time waiting for erase
operations to complete is another partition with a R/W file-system on this
chip.

Artem Bityutskiy: write commit message, amend the patch to match the latest
tree (we use mtd_sync(), not mtd-&gt;sync() nowadays).

Signed-off-by: Alexander Stein &lt;alexander.stein@systec-electronic.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mtd_blkdevs: don't increase 'open' count on error path</title>
<updated>2012-01-09T18:04:01+00:00</updated>
<author>
<name>Brian Norris</name>
<email>computersforpeace@gmail.com</email>
</author>
<published>2011-11-07T23:51:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=342ff28f5a2e5aa3236617bd2bddf6c749677ef2'/>
<id>342ff28f5a2e5aa3236617bd2bddf6c749677ef2</id>
<content type='text'>
Some error paths in mtd_blkdevs were fixed in the following commit:

    commit 94735ec4044a6d318b83ad3c5794e931ed168d10
    mtd: mtd_blkdevs: fix error path in blktrans_open

But on these error paths, the block device's `dev-&gt;open' count is
already incremented before we check for errors. This meant that, while
the error path was handled correctly on the first time through
blktrans_open(), the device is erroneously considered already open on
the second time through.

This problem can be seen, for instance, when a UBI volume is
simultaneously mounted as a UBIFS partition and read through its
corresponding gluebi mtdblockX device. This results in blktrans_open()
passing its error checks (with `dev-&gt;open &gt; 0') without actually having
a handle on the device. Here's a summarized log of the actions and
results with nandsim:

    # modprobe nandsim
    # modprobe mtdblock
    # modprobe gluebi
    # modprobe ubifs
    # ubiattach /dev/ubi_ctrl -m 0
    ...
    # ubimkvol /dev/ubi0 -N test -s 16MiB
    ...
    # mount -t ubifs ubi0:test /mnt
    # ls /dev/mtdblock*
    /dev/mtdblock0  /dev/mtdblock1
    # cat /dev/mtdblock1 &gt; /dev/null
    cat: can't open '/dev/mtdblock4': Device or resource busy
    # cat /dev/mtdblock1 &gt; /dev/null

    CPU 0 Unable to handle kernel paging request at virtual address
    fffffff0, epc == 8031536c, ra == 8031f280
    Oops[#1]:
    ...
    Call Trace:
    [&lt;8031536c&gt;] ubi_leb_read+0x14/0x164
    [&lt;8031f280&gt;] gluebi_read+0xf0/0x148
    [&lt;802edba8&gt;] mtdblock_readsect+0x64/0x198
    [&lt;802ecfe4&gt;] mtd_blktrans_thread+0x330/0x3f4
    [&lt;8005be98&gt;] kthread+0x88/0x90
    [&lt;8000bc04&gt;] kernel_thread_helper+0x10/0x18

Cc: stable@kernel.org [3.0+]
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;Artem.Bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Some error paths in mtd_blkdevs were fixed in the following commit:

    commit 94735ec4044a6d318b83ad3c5794e931ed168d10
    mtd: mtd_blkdevs: fix error path in blktrans_open

But on these error paths, the block device's `dev-&gt;open' count is
already incremented before we check for errors. This meant that, while
the error path was handled correctly on the first time through
blktrans_open(), the device is erroneously considered already open on
the second time through.

This problem can be seen, for instance, when a UBI volume is
simultaneously mounted as a UBIFS partition and read through its
corresponding gluebi mtdblockX device. This results in blktrans_open()
passing its error checks (with `dev-&gt;open &gt; 0') without actually having
a handle on the device. Here's a summarized log of the actions and
results with nandsim:

    # modprobe nandsim
    # modprobe mtdblock
    # modprobe gluebi
    # modprobe ubifs
    # ubiattach /dev/ubi_ctrl -m 0
    ...
    # ubimkvol /dev/ubi0 -N test -s 16MiB
    ...
    # mount -t ubifs ubi0:test /mnt
    # ls /dev/mtdblock*
    /dev/mtdblock0  /dev/mtdblock1
    # cat /dev/mtdblock1 &gt; /dev/null
    cat: can't open '/dev/mtdblock4': Device or resource busy
    # cat /dev/mtdblock1 &gt; /dev/null

    CPU 0 Unable to handle kernel paging request at virtual address
    fffffff0, epc == 8031536c, ra == 8031f280
    Oops[#1]:
    ...
    Call Trace:
    [&lt;8031536c&gt;] ubi_leb_read+0x14/0x164
    [&lt;8031f280&gt;] gluebi_read+0xf0/0x148
    [&lt;802edba8&gt;] mtdblock_readsect+0x64/0x198
    [&lt;802ecfe4&gt;] mtd_blktrans_thread+0x330/0x3f4
    [&lt;8005be98&gt;] kthread+0x88/0x90
    [&lt;8000bc04&gt;] kernel_thread_helper+0x10/0x18

Cc: stable@kernel.org [3.0+]
Signed-off-by: Brian Norris &lt;computersforpeace@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;Artem.Bityutskiy@linux.intel.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mark block device queue as non-rotational</title>
<updated>2011-10-14T08:22:48+00:00</updated>
<author>
<name>Dan McGee</name>
<email>dpmcgee@gmail.com</email>
</author>
<published>2011-09-28T05:21:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=16f7eca5871ad09b8f6c44ba8cb4d8185833a1ee'/>
<id>16f7eca5871ad09b8f6c44ba8cb4d8185833a1ee</id>
<content type='text'>
This is similar to what the nbd driver does, among others.

Signed-off-by: Dan McGee &lt;dpmcgee@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This is similar to what the nbd driver does, among others.

Signed-off-by: Dan McGee &lt;dpmcgee@gmail.com&gt;
Signed-off-by: Artem Bityutskiy &lt;artem.bityutskiy@intel.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mtd: mtd_blkdevs: fix error path in blktrans_open</title>
<updated>2011-05-25T00:53:45+00:00</updated>
<author>
<name>Artem Bityutskiy</name>
<email>Artem.Bityutskiy@nokia.com</email>
</author>
<published>2011-04-18T04:50:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=94735ec4044a6d318b83ad3c5794e931ed168d10'/>
<id>94735ec4044a6d318b83ad3c5794e931ed168d10</id>
<content type='text'>
The 'blktrans_open()' does not handle possible '__get_mtd_device()' failures
because it does not check the error code. Moreover, the 'dev-&gt;tr-&gt;open()'
failures are not handled correctly because in this case the function just
goes ahead and gets the mtd device, then returns an error. But Instead, it
should _not_ try to get the mtd device, then it should put back the module
and the kref.

This patch fixes the issue. Note, I only compile-tested it. This patch was
inspired by a bug report about a similar issue in 2.6.34 kernels
sent by Mike Turner &lt;admin@islandsoftware.co.uk&gt; to the MTD mailing list:

http://lists.infradead.org/pipermail/linux-mtd/2011-April/034980.html

Signed-off-by: Artem Bityutskiy &lt;Artem.Bityutskiy@nokia.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The 'blktrans_open()' does not handle possible '__get_mtd_device()' failures
because it does not check the error code. Moreover, the 'dev-&gt;tr-&gt;open()'
failures are not handled correctly because in this case the function just
goes ahead and gets the mtd device, then returns an error. But Instead, it
should _not_ try to get the mtd device, then it should put back the module
and the kref.

This patch fixes the issue. Note, I only compile-tested it. This patch was
inspired by a bug report about a similar issue in 2.6.34 kernels
sent by Mike Turner &lt;admin@islandsoftware.co.uk&gt; to the MTD mailing list:

http://lists.infradead.org/pipermail/linux-mtd/2011-April/034980.html

Signed-off-by: Artem Bityutskiy &lt;Artem.Bityutskiy@nokia.com&gt;
Signed-off-by: David Woodhouse &lt;David.Woodhouse@intel.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
