From: piaojun <piaojun@huawei.com>
To: ocfs2-devel@oss.oracle.com
Subject: [Ocfs2-devel] [PATCH] ocfs2: don't use iocb when EIOCBQUEUED returns
Date: Wed, 11 Apr 2018 08:51:51 +0800
Message-ID: <5ACD5C27.4080205@huawei.com>
In-Reply-To: <1523361653-14439-1-git-send-email-ge.changwei@h3c.com>

Hi Changwei,

It looks like a code bug, and 'iocb' should not be freed at this place.
Could this BUG be reproduced easily?

thanks,
Jun

On 2018/4/10 20:00, Changwei Ge wrote:
> When -EIOCBQUEUED returns, it means that aio_complete() will be called
> from dio_complete(), which is an asynchronous process against write_iter.
> Generally, IO is a very slow process compared with executing instructions, but we
> still can't take the risk to access a freed iocb.
> 
> And we do face a BUG crash issue.
> From crash tool, iocb is obviously freed already.
> crash> struct -x kiocb ffff881a350f5900
> struct kiocb {
>   ki_filp = 0xffff881a350f5a80,
>   ki_pos = 0x0,
>   ki_complete = 0x0,
>   private = 0x0,
>   ki_flags = 0x0
> }
> 
> And the backtrace shows:
> ocfs2_file_write_iter+0xcaa/0xd00 [ocfs2]
> ? ocfs2_check_range_for_refcount+0x150/0x150 [ocfs2]
> aio_run_iocb+0x229/0x2f0
> ? try_to_wake_up+0x380/0x380
> do_io_submit+0x291/0x540
> ? syscall_trace_leave+0xad/0x130
> SyS_io_submit+0x10/0x20
> system_call_fastpath+0x16/0x75
> 
> Signed-off-by: Changwei Ge <ge.changwei@h3c.com>
> ---
>  fs/ocfs2/file.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> index 5d1784a..1393ff2 100644
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -2343,7 +2343,7 @@ static ssize_t ocfs2_file_write_iter(struct kiocb *iocb,
>  
>  	written = __generic_file_write_iter(iocb, from);
>  	/* buffered aio wouldn't have proper lock coverage today */
> -	BUG_ON(written == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
> +	BUG_ON(written == -EIOCBQUEUED && !direct_io);
>  
>  	/*
>  	 * deep in g_f_a_w_n()->ocfs2_direct_IO we pass in a ocfs2_dio_end_io
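Review bot: the `-EIOCBQUEUED` branch of this BUG_ON no longer dereferences `iocb`, which is the right direction, but the hunk does not show where `direct_io` is assigned; confirm it is captured from `iocb->ki_flags & IOCB_DIRECT` before `__generic_file_write_iter()` is called, otherwise the assertion changes meaning rather than just moving the read earlier. The commit message should also state the ownership rule this relies on: once `-EIOCBQUEUED` comes back, the kiocb belongs to the dio completion path and may already be freed, so every later use of `iocb` in this function on that path, including the `ocfs2_dio_end_io` handling that starts right after the visible context, needs the same treatment.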
> @@ -2463,7 +2463,7 @@ static ssize_t ocfs2_file_read_iter(struct kiocb *iocb,
>  	trace_generic_file_aio_read_ret(ret);
>  
>  	/* buffered aio wouldn't have proper lock coverage today */
> -	BUG_ON(ret == -EIOCBQUEUED && !(iocb->ki_flags & IOCB_DIRECT));
> +	BUG_ON(ret == -EIOCBQUEUED && !direct_io);
>  
>  	/* see ocfs2_file_write_iter */
>  	if (ret == -EIOCBQUEUED || !ocfs2_iocb_is_rw_locked(iocb)) {
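Review bot: this mirrors the write-side change, and the `if (ret == -EIOCBQUEUED || !ocfs2_iocb_is_rw_locked(iocb))` test below it only stays safe because of operand order, since `||` short-circuits and `ocfs2_iocb_is_rw_locked(iocb)` is never evaluated when the request was queued; that ordering is load-bearing and deserves a comment next to it, or a line in the commit message, so a future cleanup does not swap the operands and reintroduce the read of a possibly freed kiocb. As on the write side, `direct_io` is defined outside the visible context and must be computed before the read is submitted.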
> 

Thread overview: 9+ messages
2018-04-10 12:00 [Ocfs2-devel] [PATCH] ocfs2: don't use iocb when EIOCBQUEUED returns Changwei Ge
2018-04-11  0:51 ` piaojun [this message]
2018-04-11  1:07   ` Changwei Ge
2018-04-11  1:51     ` piaojun
2018-04-11  2:01       ` Changwei Ge
2018-04-11  2:51     ` Gang He
2018-05-08 15:23       ` Changwei Ge
2018-05-09  1:41         ` Joseph Qi
2018-05-09  2:14           ` Changwei Ge
