Josef Bacik
2013-Jan-31 16:35 UTC
[PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2
I hit this error when reproducing a bug that would end in a transaction abort. We take the delayed ref head''s mutex to keep anybody from processing it while we''re destroying it, but we fail to drop the mutex before we carry on and free the damned thing. Fix this by doing the remove logic for the head ourselves and unlock the mutex, that way we can avoid use after free''s or hung tasks waiting on that mutex to come back so they know the delayed ref completed. Thanks, Signed-off-by: Josef Bacik <jbacik@fusionio.com> --- V1->V2: don''t duplicate the freeing stuff, just unlock if we have a head. fs/btrfs/disk-io.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c index 12ef591..42f83aa 100644 --- a/fs/btrfs/disk-io.c +++ b/fs/btrfs/disk-io.c @@ -3615,11 +3615,11 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, } while ((node = rb_first(&delayed_refs->root)) != NULL) { - ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node); + struct btrfs_delayed_ref_head *head = NULL; + ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node); atomic_set(&ref->refs, 1); if (btrfs_delayed_ref_is_head(ref)) { - struct btrfs_delayed_ref_head *head; head = btrfs_delayed_node_to_head(ref); if (!mutex_trylock(&head->mutex)) { @@ -3641,10 +3641,12 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans, delayed_refs->num_heads_ready--; list_del_init(&head->cluster); } + ref->in_tree = 0; rb_erase(&ref->rb_node, &delayed_refs->root); delayed_refs->num_entries--; - + if (head) + mutex_unlock(&head->mutex); spin_unlock(&delayed_refs->lock); btrfs_put_delayed_ref(ref); -- 1.7.7.6 -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Zach Brown
2013-Jan-31 20:23 UTC
Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2
> V1->V2: don''t duplicate the freeing stuff, just unlock if we have a head.Nice, that''s what I was picturing if we needed the freeing stuff to be covered by the mutex. Thanks for cleaning it up. - z -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Reasonably Related Threads
- [PATCH] Btrfs: make some functions return void
- [PATCH v0 00/18] btfs: Subvolume Quota Groups
- [PATCH 1/2] Btrfs: fix wrong handle at error path of create_snapshot() when the commit fails
- [PATCH] Btrfs: proper metadata -ENOSPC handling
- [patch 00/65] Error handling patchset v3