subject:"\[PATCH\] Btrfs\: fix freeing delayed ref head while still holding its mutex"

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

2013-01-31 Thread Josef Bacik

On Wed, Jan 30, 2013 at 03:16:35PM -0700, Zach Brown wrote:
 On Wed, Jan 30, 2013 at 04:06:18PM -0500, Josef Bacik wrote:
  I hit this error when reproducing a bug that would end in a transaction
  abort.  We take the delayed ref head's mutex to keep anybody from processing
  it while we're destroying it, but we fail to drop the mutex before we carry
  on and free the damned thing.  Fix this by doing the remove logic for the
  head ourselves and unlock the mutex, that way we can avoid use after free's
  or hung tasks waiting on that mutex to come back so they know the delayed
  ref completed.  Thanks,
  
 
  +   ref-in_tree = 0;
  +   rb_erase(ref-rb_node, delayed_refs-root);
  +   delayed_refs-num_entries--;
  +   mutex_unlock(head-mutex);
  +   } else {
  +   ref-in_tree = 0;
  +   rb_erase(ref-rb_node, delayed_refs-root);
  +   delayed_refs-num_entries--;
 
 Do you really need to duplicate the removal under the mutex?  Isn't all
 that protected by the delayed_refs-lock?
 
 Isn't it enough to just add the mutex_unlock()?
 

Yeah I could re-arrange I guess, either way it's not pretty but I guess not
duplicating stuff is better.  Thanks,

Josef
--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2

2013-01-31 Thread Josef Bacik

I hit this error when reproducing a bug that would end in a transaction
abort.  We take the delayed ref head's mutex to keep anybody from processing
it while we're destroying it, but we fail to drop the mutex before we carry
on and free the damned thing.  Fix this by doing the remove logic for the
head ourselves and unlock the mutex, that way we can avoid use after free's
or hung tasks waiting on that mutex to come back so they know the delayed
ref completed.  Thanks,

Signed-off-by: Josef Bacik jba...@fusionio.com
---
V1-V2: don't duplicate the freeing stuff, just unlock if we have a head.

 fs/btrfs/disk-io.c |8 +---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 12ef591..42f83aa 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3615,11 +3615,11 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction 
*trans,
}
 
while ((node = rb_first(delayed_refs-root)) != NULL) {
-   ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
+   struct btrfs_delayed_ref_head *head = NULL;
 
+   ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
atomic_set(ref-refs, 1);
if (btrfs_delayed_ref_is_head(ref)) {
-   struct btrfs_delayed_ref_head *head;
 
head = btrfs_delayed_node_to_head(ref);
if (!mutex_trylock(head-mutex)) {
@@ -3641,10 +3641,12 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction 
*trans,
delayed_refs-num_heads_ready--;
list_del_init(head-cluster);
}
+
ref-in_tree = 0;
rb_erase(ref-rb_node, delayed_refs-root);
delayed_refs-num_entries--;
-
+   if (head)
+   mutex_unlock(head-mutex);
spin_unlock(delayed_refs-lock);
btrfs_put_delayed_ref(ref);
 
-- 
1.7.7.6

--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2

2013-01-31 Thread Zach Brown

 V1-V2: don't duplicate the freeing stuff, just unlock if we have a head.

Nice, that's what I was picturing if we needed the freeing stuff to be
covered by the mutex.  Thanks for cleaning it up.

- z
--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

2013-01-30 Thread Josef Bacik

I hit this error when reproducing a bug that would end in a transaction
abort.  We take the delayed ref head's mutex to keep anybody from processing
it while we're destroying it, but we fail to drop the mutex before we carry
on and free the damned thing.  Fix this by doing the remove logic for the
head ourselves and unlock the mutex, that way we can avoid use after free's
or hung tasks waiting on that mutex to come back so they know the delayed
ref completed.  Thanks,

Signed-off-by: Josef Bacik jba...@fusionio.com
---
 fs/btrfs/disk-io.c |   11 ---
 1 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 12a9547..51bff86 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3640,10 +3640,15 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction 
*trans,
if (list_empty(head-cluster))
delayed_refs-num_heads_ready--;
list_del_init(head-cluster);
+   ref-in_tree = 0;
+   rb_erase(ref-rb_node, delayed_refs-root);
+   delayed_refs-num_entries--;
+   mutex_unlock(head-mutex);
+   } else {
+   ref-in_tree = 0;
+   rb_erase(ref-rb_node, delayed_refs-root);
+   delayed_refs-num_entries--;
}
-   ref-in_tree = 0;
-   rb_erase(ref-rb_node, delayed_refs-root);
-   delayed_refs-num_entries--;
 
spin_unlock(delayed_refs-lock);
btrfs_put_delayed_ref(ref);
-- 
1.7.7.6

--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

2013-01-30 Thread Zach Brown

On Wed, Jan 30, 2013 at 04:06:18PM -0500, Josef Bacik wrote:
 I hit this error when reproducing a bug that would end in a transaction
 abort.  We take the delayed ref head's mutex to keep anybody from processing
 it while we're destroying it, but we fail to drop the mutex before we carry
 on and free the damned thing.  Fix this by doing the remove logic for the
 head ourselves and unlock the mutex, that way we can avoid use after free's
 or hung tasks waiting on that mutex to come back so they know the delayed
 ref completed.  Thanks,
 

 + ref-in_tree = 0;
 + rb_erase(ref-rb_node, delayed_refs-root);
 + delayed_refs-num_entries--;
 + mutex_unlock(head-mutex);
 + } else {
 + ref-in_tree = 0;
 + rb_erase(ref-rb_node, delayed_refs-root);
 + delayed_refs-num_entries--;

Do you really need to duplicate the removal under the mutex?  Isn't all
that protected by the delayed_refs-lock?

Isn't it enough to just add the mutex_unlock()?

- z
--
To unsubscribe from this list: send the line unsubscribe linux-btrfs in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

[PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2

[PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex

5 matches

Site Navigation

Mail list logo

Footer information