Re: [PATCH] Btrfs: fix scrub race leading to use-after-free

linux-btrfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Chris Mason <clm@fb.com>
To: Filipe Manana <fdmanana@suse.com>
Cc: <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH] Btrfs: fix scrub race leading to use-after-free
Date: Mon, 9 Feb 2015 14:07:12 -0500	[thread overview]
Message-ID: <1423508832.26622.2@mail.thefacebook.com> (raw)
In-Reply-To: <1422375078-6916-1-git-send-email-fdmanana@suse.com>



On Tue, Jan 27, 2015 at 11:11 AM, Filipe Manana <fdmanana@suse.com> 
wrote:
> While running a scrub on a kernel with CONFIG_DEBUG_PAGEALLOC=y, I got
> the following trace:

This actually trades one bug for another:

[ 1928.950319] BUG: sleeping function called from invalid context at 
kernel/locking/mutex.c:621^M
[ 1928.967334] in_atomic(): 1, irqs_disabled(): 0, pid: 149670, name: 
fsstress^M
[ 1928.981324] INFO: lockdep is turned off.^M
[ 1928.989244] CPU: 24 PID: 149670 Comm: fsstress Tainted: G        W   
   3.19.0-rc7-mason+ #41^M
[ 1929.006418] Hardware name: ZTSYSTEMS Echo Ridge T4  /A9DRPF-10D, 
BIOS 1.07 05/10/2012^M
[ 1929.022207]  ffffffff81a22cf8 ffff881076e03b78 ffffffff816b8dd9 
ffff881076e03b78^M
[ 1929.037267]  ffff880d8e828710 ffff881076e03ba8 ffffffff810856c4 
ffff881076e03bc8^M
[ 1929.052315]  0000000000000000 000000000000026d ffffffff81a22cf8 
ffff881076e03bd8^M
[ 1929.067381] Call Trace:^M
[ 1929.072344]  <IRQ>  [<ffffffff816b8dd9>] dump_stack+0x4f/0x6e^M
[ 1929.083968]  [<ffffffff810856c4>] ___might_sleep+0x174/0x230^M
[ 1929.095352]  [<ffffffff810857d2>] __might_sleep+0x52/0x90^M
[ 1929.106223]  [<ffffffff816bb68f>] mutex_lock_nested+0x2f/0x3b0^M
[ 1929.117951]  [<ffffffff810ab37d>] ? trace_hardirqs_on+0xd/0x10^M
[ 1929.129708]  [<ffffffffa05dc838>] scrub_pending_bio_dec+0x38/0x70 
[btrfs]^M
[ 1929.143370]  [<ffffffffa05dd0e0>] scrub_parity_bio_endio+0x50/0x70 
[btrfs]^M
[ 1929.157191]  [<ffffffff812fa603>] bio_endio+0x53/0xa0^M
[ 1929.167382]  [<ffffffffa05f96bc>] rbio_orig_end_io+0x7c/0xa0 
[btrfs]^M
[ 1929.180161]  [<ffffffffa05f97ba>] raid_write_parity_end_io+0x5a/0x80 
[btrfs]^M
[ 1929.194318]  [<ffffffff812fa603>] bio_endio+0x53/0xa0^M
[ 1929.204496]  [<ffffffff8130401b>] blk_update_request+0x1eb/0x450^M
[ 1929.216569]  [<ffffffff81096e58>] ? trigger_load_balance+0x78/0x500^M
[ 1929.229176]  [<ffffffff8144c74d>] scsi_end_request+0x3d/0x1f0^M
[ 1929.240740]  [<ffffffff8144ccac>] scsi_io_completion+0xac/0x5b0^M
[ 1929.252654]  [<ffffffff81441c50>] scsi_finish_command+0xf0/0x150^M
[ 1929.264725]  [<ffffffff8144d317>] scsi_softirq_done+0x147/0x170^M
[ 1929.276635]  [<ffffffff8130ace6>] blk_done_softirq+0x86/0xa0^M
[ 1929.288014]  [<ffffffff8105d92e>] __do_softirq+0xde/0x600^M
[ 1929.298885]  [<ffffffff8105df6d>] irq_exit+0xbd/0xd0^M
[ 1929.308879]  [<ffffffff81034ea5>] 
smp_call_function_single_interrupt+0x35/0x40^M
[ 1929.323455]  [<ffffffff816c126f>] 
call_function_single_interrupt+0x6f/0x80^M
[ 1929.337270]  <EOI>  [<ffffffff811fc745>] ? 
sync_inodes_sb+0x1b5/0x2a0^M
[ 1929.350261]  [<ffffffff811fc728>] ? sync_inodes_sb+0x198/0x2a0^M
[ 1929.361991]  [<ffffffff816badcf>] ? wait_for_completion+0xef/0x120^M
[ 1929.374423]  [<ffffffff812028d0>] ? fdatawrite_one_bdev+0x20/0x20^M
[ 1929.386671]  [<ffffffff812028d0>] ? fdatawrite_one_bdev+0x20/0x20^M
[ 1929.398930]  [<ffffffff812028ed>] sync_inodes_one_sb+0x1d/0x30^M
[ 1929.410668]  [<ffffffff811cf4c6>] iterate_supers+0xb6/0xf0^M
[ 1929.421712]  [<ffffffff81202935>] sys_sync+0x35/0x90^M
[ 1929.431704]  [<ffffffff816bfed2>] system_call_fastpath+0x12/0x17^M

So we'll have to either put in a refcount or a spinlock instead.

-chris

     prev parent reply	other threads:[~2015-02-09 19:07 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2015-01-27 16:11 [PATCH] Btrfs: fix scrub race leading to use-after-free Filipe Manana
2015-01-27 23:06 ` [PATCH v2] " Filipe Manana
2015-02-09 19:07 ` Chris Mason [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1423508832.26622.2@mail.thefacebook.com \
    --to=clm@fb.com \
    --cc=fdmanana@suse.com \
    --cc=linux-btrfs@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).