From: Liu Bo <bo.li.liu@oracle.com>
To: Omar Sandoval <osandov@osandov.com>
Cc: Chris Mason <clm@fb.com>, Josef Bacik <jbacik@fb.com>,
	David Sterba <dsterba@suse.cz>,
	linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 2/3] btrfs: fix race on ENOMEM in alloc_extent_buffer
Date: Wed, 18 Mar 2015 22:21:33 +0800
Message-ID: <20150318142132.GA31530@localhost.localdomain>
In-Reply-To: <bb30d69d671243192fb08002b31375e55afe9644.1424773781.git.osandov@osandov.com>

On Tue, Feb 24, 2015 at 02:47:05AM -0800, Omar Sandoval wrote:
> Consider the following interleaving of overlapping calls to
> alloc_extent_buffer:
> 
> Call 1:
> 
> - Successfully allocates a few pages with find_or_create_page
> - find_or_create_page fails, goto free_eb
> - Unlocks the allocated pages
> 
> Call 2:
> - Calls find_or_create_page and gets a page in call 1's extent_buffer
> - Finds that the page is already associated with an extent_buffer
> - Grabs a reference to the half-written extent_buffer and calls
>   mark_extent_buffer_accessed on it
> 
> mark_extent_buffer_accessed will then try to call mark_page_accessed on
> a null page and panic.
> 
> The fix is to decrement the reference count on the half-written
> extent_buffer before unlocking the pages so call 2 won't use it. We
> should also set exists = NULL in the case that we don't use exists to
> avoid accidentally returning a freed extent_buffer in an error case.

Reviewed-by: Liu Bo <bo.li.liu@oracle.com>

> 
> Signed-off-by: Omar Sandoval <osandov@osandov.com>
> ---
>  fs/btrfs/extent_io.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
> index c7233ff..7ecfae0 100644
> --- a/fs/btrfs/extent_io.c
> +++ b/fs/btrfs/extent_io.c
> @@ -4867,6 +4867,7 @@ struct extent_buffer *alloc_extent_buffer(struct btrfs_fs_info *fs_info,
>  				mark_extent_buffer_accessed(exists, p);
>  				goto free_eb;
>  			}
> +			exists = NULL;
>  
>  			/*
>  			 * Do this so attach doesn't complain and we need to
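Review bot: The added `exists = NULL;` after the closing brace carries no comment, so the reason for the reset is only recoverable from the commit message. Because every later `goto free_eb` ends in `return exists;`, a one-line comment here saying that the reference was not taken and the pointer must not be returned would keep a future cleanup from dropping the assignment as redundant.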
> @@ -4930,12 +4931,12 @@ again:
>  	return eb;
>  
>  free_eb:
> +	WARN_ON(!atomic_dec_and_test(&eb->refs));
>  	for (i = 0; i < num_pages; i++) {
>  		if (eb->pages[i])
>  			unlock_page(eb->pages[i]);
>  	}
>  
> -	WARN_ON(!atomic_dec_and_test(&eb->refs));
>  	btrfs_release_extent_buffer(eb);
>  	return exists;
>  }
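Review bot: The ordering at `free_eb:` is now load-bearing but undocumented: `WARN_ON(!atomic_dec_and_test(&eb->refs));` has to run before the `unlock_page()` loop, and nothing in the code says so. Suggest a short comment above it stating that the count must drop before the pages are unlocked so a concurrent caller cannot take a reference to the half-built buffer. Since the decrement is a side effect inside `WARN_ON()`, it is also easy to misread as a pure assertion; pulling the `atomic_dec_and_test()` result into a local and warning on that would make the state change explicit.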
> -- 
> 2.3.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
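
A minimal user-space model of the interleaving described in the commit message, added here as an illustration; it is not code from the patch or from btrfs. The names `eb_model`, `page_model`, `call2_lookup` and `run_error_path` are hypothetical, and the model assumes the lookup path takes its reference only while the count is non-zero.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define NUM_PAGES 4

struct eb_model;
struct page_model { struct eb_model *private; };   /* models page->private */
struct eb_model {
    atomic_int refs;
    struct page_model *pages[NUM_PAGES];           /* NULL = never allocated */
};

/* Take a reference only while the count is non-zero (assumed lookup rule). */
static bool ref_get_not_zero(atomic_int *refs)
{
    int old = atomic_load(refs);
    while (old != 0)
        if (atomic_compare_exchange_weak(refs, &old, old + 1))
            return true;
    return false;
}

/* Call 2: got a page that already points at call 1's buffer. */
static struct eb_model *call2_lookup(struct page_model *p)
{
    struct eb_model *exists = p->private;
    return (exists && ref_get_not_zero(&exists->refs)) ? exists : NULL;
}

/*
 * Call 1 got page 0, failed on page 1, and runs its error path. Call 2 is
 * modelled as running at the instant the pages are unlocked. Returns the
 * buffer call 2 ends up holding, or NULL if it correctly refused it.
 */
static struct eb_model *run_error_path(struct eb_model *eb,
                                       struct page_model *pg,
                                       bool drop_ref_before_unlock)
{
    atomic_init(&eb->refs, 1);
    for (size_t i = 0; i < NUM_PAGES; i++)
        eb->pages[i] = NULL;
    eb->pages[0] = pg;                    /* constructed state: one page only */
    pg->private = eb;

    if (drop_ref_before_unlock)
        atomic_fetch_sub(&eb->refs, 1);   /* patched order: 1 -> 0 first */
    return call2_lookup(pg);              /* pages unlocked: call 2 runs */
}
```

With the old order the second caller holds a buffer whose `pages[1]` is NULL; with the patched order the lookup refuses the buffer because its count has already reached zero.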

Thread overview: 12+ messages
2015-02-24 10:47 [PATCH v2 0/3] btrfs: ENOMEM bugfixes Omar Sandoval
2015-02-24 10:47 ` [PATCH v2 1/3] btrfs: handle ENOMEM in btrfs_alloc_tree_block Omar Sandoval
2015-03-13 13:34   ` David Sterba
2015-02-24 10:47 ` [PATCH v2 2/3] btrfs: fix race on ENOMEM in alloc_extent_buffer Omar Sandoval
2015-03-13 13:31   ` David Sterba
2015-03-18 14:21   ` Liu Bo [this message]
2015-02-24 10:47 ` [PATCH v2 3/3] btrfs: check io_ctl_prepare_pages return in __btrfs_write_out_cache Omar Sandoval
2015-03-12  4:40 ` [PATCH v2 0/3] btrfs: ENOMEM bugfixes Omar Sandoval
2015-03-13 11:04   ` David Sterba
2015-03-13 19:43     ` Omar Sandoval
2015-03-27 21:06       ` Omar Sandoval
2015-04-13 21:32         ` Omar Sandoval
