Author: kib
Date: Tue Jan  9 10:51:44 2018
New Revision: 327723
URL: https://svnweb.freebsd.org/changeset/base/327723

Log:
  Generalize the fix from r322757 and apply it to several more places.
  
  The code accesses bp->b_dep without owning the ufs mount softdep lock,
  which makes it possible for the dereferenced workitem to be freed in
  parallel.  In particular, deallocate_dependencies(),
  softdep_disk_io_initiation() and softdep_disk_write_complete() are
  affected.
  
  Move the code to safely calculate ump from the buffer with
  dependencies into the helper softdep_bp_to_mp() and use it for all
  found cases.
  
  Tested by:    pho (as part of the bigger patch)
  Reviewed by:  mckusick (as part of the bigger patch)
  Sponsored by: The FreeBSD Foundation
  MFC after:    1 week

Modified:
  head/sys/ufs/ffs/ffs_softdep.c

Modified: head/sys/ufs/ffs/ffs_softdep.c
==============================================================================
--- head/sys/ufs/ffs/ffs_softdep.c      Tue Jan  9 10:44:17 2018        
(r327722)
+++ head/sys/ufs/ffs/ffs_softdep.c      Tue Jan  9 10:51:44 2018        
(r327723)
@@ -906,6 +906,7 @@ static      int request_cleanup(struct mount *, int);
 static int softdep_request_cleanup_flush(struct mount *, struct ufsmount *);
 static void schedule_cleanup(struct mount *);
 static void softdep_ast_cleanup_proc(struct thread *);
+static struct ufsmount *softdep_bp_to_mp(struct buf *bp);
 static int process_worklist_item(struct mount *, int, int);
 static void process_removes(struct vnode *);
 static void process_truncates(struct vnode *);
@@ -7249,9 +7250,9 @@ deallocate_dependencies(bp, freeblks, off)
        struct worklist *wk, *wkn;
        struct ufsmount *ump;
 
-       if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
+       ump = softdep_bp_to_mp(bp);
+       if (ump == NULL)
                goto done;
-       ump = VFSTOUFS(wk->wk_mp);
        ACQUIRE_LOCK(ump);
        LIST_FOREACH_SAFE(wk, &bp->b_dep, wk_list, wkn) {
                switch (wk->wk_type) {
@@ -9976,9 +9977,9 @@ softdep_disk_io_initiation(bp)
                panic("softdep_disk_io_initiation: Writing buffer with "
                    "background write in progress: %p", bp);
 
-       if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
+       ump = softdep_bp_to_mp(bp);
+       if (ump == NULL)
                return;
-       ump = VFSTOUFS(wk->wk_mp);
 
        marker.wk_type = D_LAST + 1;    /* Not a normal workitem */
        PHOLD(curproc);                 /* Don't swap out kernel stack */
@@ -10978,9 +10979,9 @@ softdep_disk_write_complete(bp)
        struct freeblks *freeblks;
        struct buf *sbp;
 
-       if ((wk = LIST_FIRST(&bp->b_dep)) == NULL)
+       ump = softdep_bp_to_mp(bp);
+       if (ump == NULL)
                return;
-       ump = VFSTOUFS(wk->wk_mp);
 
        /*
         * If an error occurred while doing the write, then the data
@@ -11020,8 +11021,9 @@ softdep_disk_write_complete(bp)
                return;
        }
        LIST_INIT(&reattach);
+
        /*
-        * This lock must not be released anywhere in this code segment.
+        * Ump SU lock must not be released anywhere in this code segment.
         */
        sbp = NULL;
        owk = NULL;
@@ -13895,6 +13897,39 @@ softdep_freework(wkhd)
        FREE_LOCK(ump);
 }
 
+static struct ufsmount *
+softdep_bp_to_mp(bp)
+       struct buf *bp;
+{
+       struct mount *mp;
+       struct vnode *vp;
+
+       if (LIST_EMPTY(&bp->b_dep))
+               return (NULL);
+       vp = bp->b_vp;
+
+       /*
+        * The ump mount point is stable after we get a correct
+        * pointer, since bp is locked and this prevents unmount from
+        * proceeding.  But to get to it, we cannot dereference bp->b_dep
+        * head wk_mp, because we do not yet own SU ump lock and
+        * workitem might be freed while dereferenced.
+        */
+retry:
+       if (vp->v_type == VCHR) {
+               VI_LOCK(vp);
+               mp = vp->v_type == VCHR ? vp->v_rdev->si_mountpt : NULL;
+               VI_UNLOCK(vp);
+               if (mp == NULL)
+                       goto retry;
+       } else if (vp->v_type == VREG || vp->v_type == VDIR) {
+               mp = vp->v_mount;
+       } else {
+               return (NULL);
+       }
+       return (VFSTOUFS(mp));
+}
+
 /*
  * Function to determine if the buffer has outstanding dependencies
  * that will cause a roll-back if the buffer is written. If wantcount
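Review bot: The final `else` in softdep_bp_to_mp() returns NULL for every vnode type other than VCHR, VREG and VDIR, even though b_dep was just found non-empty, and each converted caller treats NULL as "no dependencies". In deallocate_dependencies(), softdep_disk_io_initiation() and softdep_disk_write_complete() the old code went on to process any buffer that had a workitem, so a buffer on another vnode type (a symlink's, if such buffers can carry dependencies here) would now be skipped silently. I would make that branch visible, for example `panic("softdep_bp_to_mp: unexpected vnode type %d", vp->v_type);` under INVARIANTS, or enumerate the remaining types explicitly. `bp->b_vp` is also dereferenced without a check, so `KASSERT(vp != NULL, ("softdep_bp_to_mp: buffer with dependencies lacks vnode"));` after the assignment would document that assumption.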
@@ -13918,36 +13953,12 @@ softdep_count_dependencies(bp, wantcount)
        struct newblk *newblk;
        struct mkdir *mkdir;
        struct diradd *dap;
-       struct vnode *vp;
-       struct mount *mp;
        int i, retval;
 
-       retval = 0;
-       if (LIST_EMPTY(&bp->b_dep))
+       ump = softdep_bp_to_mp(bp);
+       if (ump == NULL)
                return (0);
-       vp = bp->b_vp;
-
-       /*
-        * The ump mount point is stable after we get a correct
-        * pointer, since bp is locked and this prevents unmount from
-        * proceed.  But to get to it, we cannot dereference bp->b_dep
-        * head wk_mp, because we do not yet own SU ump lock and
-        * workitem might be freed while dereferenced.
-        */
-retry:
-       if (vp->v_type == VCHR) {
-               VI_LOCK(vp);
-               mp = vp->v_type == VCHR ? vp->v_rdev->si_mountpt : NULL;
-               VI_UNLOCK(vp);
-               if (mp == NULL)
-                       goto retry;
-       } else if (vp->v_type == VREG) {
-               mp = vp->v_mount;
-       } else {
-               return (0);
-       }
-       ump = VFSTOUFS(mp);
-
+       retval = 0;
        ACQUIRE_LOCK(ump);
        LIST_FOREACH(wk, &bp->b_dep, wk_list) {
                switch (wk->wk_type) {
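Review bot: Routing softdep_count_dependencies() through the helper also changes which buffers it inspects. The removed inline code accepted only VCHR and VREG and returned 0 for everything else, while softdep_bp_to_mp() additionally accepts VDIR. Buffers on directory vnodes will now take the softdep lock and walk b_dep here, which can change the returned count, yet the log message describes only the locking fix. If that is intended, record it in the log or in a comment above the call, e.g. `/* VDIR buffers are now counted too; see softdep_bp_to_mp(). */`. The function body continues outside the hunk.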