From: Jerry
To: akpm@linux-foundation.org
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Jerry
Subject: [PATCH] mm: fix dead-loop bug
Date: Wed, 1 Jan 2025 21:21:48 +0800
Message-ID: <20250101132148.126393-1-jerrydeng079@163.com>

KERNEL-5.10.232. generic_perform_write()->balance_dirty_pages_ratelimited()->balance_dirty_pages()
At this point, if the block device is removed,
the process may be trapped in a dead loop, and the memory of the bdi
device has also been released.

Insert a USB flash and write directly to the device node.
Remove the USB flash while writing, and the writing process
may be trapped in a dead loop.

user code:
	#include <fcntl.h>
	#include <stdlib.h>
	#include <string.h>
	#include <unistd.h>

	int main(void)
	{
		int fd = open("/dev/sda", O_RDWR);
		char *p = malloc(0x1000000);
		if (fd < 0 || !p)
			return 1;
		memset(p, 0xa, 0x1000000);
		/* write 100 x 16 MiB directly to the device node */
		for (int i = 0; i < 100; i++)
			write(fd, p, 0x1000000);
		return 0;
	}

ISSUE 1: Dead loop may occur here.
CALL trace:
	schedule_timeout()
	io_schedule_timeout()
	balance_dirty_pages()
	balance_dirty_pages_ratelimited()
	balance_dirty_pages_ratelimited)

ISSUE 2: BDI&WB memory illegal.
	void balance_dirty_pages_ratelimited(struct address_space *mapping)
	{
		struct inode *inode = mapping->host;
		struct backing_dev_info *bdi = inode_to_bdi(inode);
		struct bdi_writeback *wb = NULL;
		int ratelimit;
		.....
	}

BDI&WB memory belongs to the SCSI device.
If the USB flash is removed,
the BDI&WB memory is released by the process below:
	bdi_unregister()
	del_gendisk()
	sd_remove()
	__device_release_driver()
	device_release_driver()
	bus_remove_device()
	device_del()
	__scsi_remove_device()
	scsi_forget_host()
	scsi_remove_host()
	usb_stor_disconnect()
	...
	usb_unbind_interface()
	usb_disable_device()
	usb_disconnect()

Signed-off-by: Jerry
--- mm/backing-dev.c | 1 + mm/filemap.c | 6 ++++- mm/page-writeback.c | 56 ++++++++++++++++++++++++++++++++++++++++----- 3 files changed, 56 insertions(+), 7 deletions(-) diff --git a/mm/backing-dev.c b/mm/backing-dev.c index dd08ab928..0b86bd980 100755 --- a/mm/backing-dev.c +++ b/mm/backing-dev.c @@ -878,6 +878,7 @@ void bdi_unregister(struct backing_dev_info *bdi) /* make sure nobody finds us on the bdi_list anymore */ bdi_remove_from_list(bdi); wb_shutdown(&bdi->wb); + wake_up(&(bdi->wb_waitq)); cgwb_bdi_unregister(bdi); =20 /* diff --git a/mm/filemap.c b/mm/filemap.c index 3b0d8c6dd..48424240f 100755 --- a/mm/filemap.c +++ b/mm/filemap.c @@ -3300,6 +3300,7 @@ ssize_t generic_perform_write(struct file *file, long status =3D 0; ssize_t written =3D 0; unsigned int flags =3D 0; + errseq_t err =3D 0; =20 do { struct page *page; @@ -3368,8 +3369,11 @@ ssize_t generic_perform_write(struct file *file, } pos +=3D copied; written +=3D copied; - + =09 balance_dirty_pages_ratelimited(mapping); + err =3D errseq_check(&mapping->wb_err, 0); + if (err) + return err; } while (iov_iter_count(i)); =20 return written ? written : status; diff --git a/mm/page-writeback.c b/mm/page-writeback.c index b2c916474..001dd0c5e 100755 --- a/mm/page-writeback.c +++ b/mm/page-writeback.c 
@@ -146,6 +146,13 @@ struct dirty_throttle_control { unsigned long pos_ratio; }; =20 +struct bdi_wq_callback_entry { + struct task_struct *tsk; + struct wait_queue_entry wq_entry; + int bdi_unregister; +}; + + /* * Length of period for aging writeout fractions of bdis. This is an * arbitrarily chosen number. The longer the period, the slower fractions = will @@ -1567,6 +1574,22 @@ static inline void wb_dirty_limits(struct dirty_thro= ttle_control *dtc) } } =20 + +static int wake_up_bdi_waitq(wait_queue_entry_t *wait, unsigned int mode, + int sync, void *key) +{ + + struct bdi_wq_callback_entry *bwce =3D + container_of(wait, struct bdi_wq_callback_entry, wq_entry); + + bwce->bdi_unregister =3D 1; + if (bwce->tsk) + wake_up_process(bwce->tsk); + + return 0; +} + + /* * balance_dirty_pages() must be called by processes which are generating = dirty * data. It looks at the number of dirty pages in the machine and will fo= rce @@ -1574,7 +1597,7 @@ static inline void wb_dirty_limits(struct dirty_throt= tle_control *dtc) * If we're over `background_thresh' then the writeback threads are woken = to * perform some writeout. */ -static void balance_dirty_pages(struct bdi_writeback *wb, +static int balance_dirty_pages(struct bdi_writeback *wb, unsigned long pages_dirtied) { struct dirty_throttle_control gdtc_stor =3D { GDTC_INIT(wb) }; @@ -1595,7 +1618,15 @@ static void balance_dirty_pages(struct bdi_writeback= *wb, struct backing_dev_info *bdi =3D wb->bdi; bool strictlimit =3D bdi->capabilities & BDI_CAP_STRICTLIMIT; unsigned long start_time =3D jiffies; + struct bdi_wq_callback_entry bwce =3D {NULL}; + int ret =3D 0; =20 + if (!test_bit(WB_registered, &wb->state)) + return -EIO; +=09 + init_waitqueue_func_entry(&(bwce.wq_entry), wake_up_bdi_waitq); + bwce.tsk =3D current; + add_wait_queue(&(bdi->wb_waitq), &(bwce.wq_entry)); for (;;) { unsigned long now =3D jiffies; unsigned long dirty, thresh, bg_thresh; 
@@ -1816,6 +1847,11 @@ static void balance_dirty_pages(struct bdi_writeback= *wb, wb->dirty_sleep =3D now; io_schedule_timeout(pause); =20 + /* bid is unregister NULL, all bdi memory is illegal */ + if (bwce.bdi_unregister) { + ret =3D -EIO; + break; + } current->dirty_paused_when =3D now + pause; current->nr_dirtied =3D 0; current->nr_dirtied_pause =3D nr_dirtied_pause; @@ -1844,11 +1880,14 @@ static void balance_dirty_pages(struct bdi_writebac= k *wb, break; } =20 + if (bwce.bdi_unregister =3D=3D 0) + remove_wait_queue(&(bdi->wb_waitq), &(bwce.wq_entry)); +=09 if (!dirty_exceeded && wb->dirty_exceeded) wb->dirty_exceeded =3D 0; =20 if (writeback_in_progress(wb)) - return; + return ret; =20 /* * In laptop mode, we wait until hitting the higher threshold before @@ -1859,10 +1898,12 @@ static void balance_dirty_pages(struct bdi_writebac= k *wb, * background_thresh, to keep the amount of dirty memory low. */ if (laptop_mode) - return; + return ret; =20 if (nr_reclaimable > gdtc->bg_thresh) wb_start_background_writeback(wb); + + return ret; } =20 static DEFINE_PER_CPU(int, bdp_ratelimits); @@ -1944,9 +1985,12 @@ void balance_dirty_pages_ratelimited(struct address_= space *mapping) } preempt_enable(); =20 - if (unlikely(current->nr_dirtied >=3D ratelimit)) - balance_dirty_pages(wb, current->nr_dirtied); - + if (unlikely(current->nr_dirtied >=3D ratelimit)) { +=09 + if (balance_dirty_pages(wb, current->nr_dirtied) < 0) + errseq_set(&(mapping->wb_err), -EIO); + } +=09 wb_put(wb); } EXPORT_SYMBOL(balance_dirty_pages_ratelimited); --=20 2.43.0
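
Review bot: the wake_up() added after wb_shutdown(&bdi->wb) in the mm/backing-dev.c hunk (@@ -878) is a one-shot notification with no comment saying who sleeps on bdi->wb_waitq, so a writer that queues itself after this line has run is never told the device is gone. Add a comment naming balance_dirty_pages() as the waiter, drop the redundant parentheses (wake_up(&bdi->wb_waitq);), and pair the wake-up with a state the waiter re-checks after it has queued itself.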
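
Review bot: errseq_t is the wrong type for err in the first mm/filemap.c hunk (@@ -3300): the variable only holds the int that errseq_check() returns and is then returned as a negative errno. Declare it int, or reuse the existing "long status" so no new local is needed.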
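
Review bot: the early "return err;" after errseq_check() in the second mm/filemap.c hunk (@@ -3368) discards the bytes already counted in written, while the function's own tail returns "written ? written : status"; set status = err and break so a partial write is still reported. Passing 0 as the since argument also makes errseq_check() report any error already recorded in mapping->wb_err, not only one raised by this call, so sample the value before the loop (errseq_sample()) and compare against that. The added "+ =09" line puts a tab-only line where the blank line was.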
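
Review bot: struct bdi_wq_callback_entry in the @@ -146 hunk of mm/page-writeback.c has no comment, and its bdi_unregister flag is written by the wake callback and read by the sleeping task as a plain int. Document that the entry lives on the throttled task's stack, make the flag a bool accessed with WRITE_ONCE()/READ_ONCE(), and drop the second blank line after the closing brace.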
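
Review bot: wake_up_bdi_waitq() in the @@ -1567 hunk ignores its mode, sync and key arguments and wakes the task with wake_up_process() through a private tsk pointer whose NULL check can never fail, because the only caller sets bwce.tsk = current before queuing the entry. Store current in wq_entry.private and call default_wake_function(wait, mode, sync, key) after setting the flag, which removes the tsk field; also remove the blank line after the opening brace and the doubled blank lines around the function.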
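
Review bot: the comment block above balance_dirty_pages() in the @@ -1574 hunk still describes a function with no return value. Now that the signature returns int, state there that 0 means throttling finished normally and -EIO means the bdi was unregistered while the task was waiting.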
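
Review bot: there is a window between the test_bit(WB_registered, &wb->state) check and add_wait_queue() in the @@ -1595 hunk: if bdi_unregister() issues its wake_up() in that gap, the task queues itself afterwards, never sees bwce.bdi_unregister set, and loops as before. Queue the entry first and test WB_registered after that, and again on each pass through the loop. "struct bdi_wq_callback_entry bwce = {NULL};" reads better with designated initializers, and the added "+=09" line is trailing whitespace.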
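
Review bot: breaking out of the loop when bwce.bdi_unregister is set (@@ -1816 hunk) does not keep the function away from the released object: after the loop the code still evaluates wb->dirty_exceeded and writeback_in_progress(wb), although the new comment says all bdi memory is illegal at this point. Return -EIO directly from here once the wait entry has been dealt with, and reword the comment ("bid is unregister NULL" should say that the bdi has been unregistered).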
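
Review bot: skipping remove_wait_queue() when bwce.bdi_unregister is set (@@ -1844 hunk) leaves bwce.wq_entry, which lives on this function's stack, linked on bdi->wb_waitq after the function returns, because wake_up_bdi_waitq() does not unlink it either. Make sure the entry is always off the list before returning, for example by unlinking it in the wake callback the way autoremove_wake_function() does. The "+=09" line after the new block is whitespace only.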
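
Review bot: in the @@ -1944 hunk the failure is reported only through errseq_set(&(mapping->wb_err), -EIO), so the code returned by balance_dirty_pages() is replaced with a hard-coded -EIO, and callers of this exported function other than the generic_perform_write() path patched above get no indication at all. Consider returning int from balance_dirty_pages_ratelimited() instead of marking the mapping. The new block also contains a tab-only line inside the braces and a second one in place of the blank line before wb_put(wb).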