* [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2
@ 2013-01-31 16:35 Josef Bacik
From: Josef Bacik @ 2013-01-31 16:35 UTC
To: linux-btrfs
I hit this error when reproducing a bug that would end in a transaction
abort. We take the delayed ref head's mutex to keep anybody from processing
it while we're destroying it, but we fail to drop the mutex before we carry
on and free the damned thing. Fix this by doing the remove logic for the
head ourselves and unlock the mutex, that way we can avoid use-after-frees
or hung tasks waiting on that mutex to come back so they know the delayed
ref completed. Thanks,
Signed-off-by: Josef Bacik <jbacik@fusionio.com>
---
V1->V2: don't duplicate the freeing stuff, just unlock if we have a head.
fs/btrfs/disk-io.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 12ef591..42f83aa 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3615,11 +3615,11 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
}
while ((node = rb_first(&delayed_refs->root)) != NULL) {
- ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
+ struct btrfs_delayed_ref_head *head = NULL;
+ ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
atomic_set(&ref->refs, 1);
if (btrfs_delayed_ref_is_head(ref)) {
- struct btrfs_delayed_ref_head *head;
head = btrfs_delayed_node_to_head(ref);
if (!mutex_trylock(&head->mutex)) {
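Review bot: The new declaration `struct btrfs_delayed_ref_head *head = NULL;` at the top of the loop body runs straight into `ref = rb_entry(...)` with no blank line after it, which kernel style asks for and checkpatch warns about. It is also worth a short comment there that the NULL initialisation on every iteration is load-bearing: the `if (head)` test further down relies on it to tell a head ref, whose mutex was taken, from a plain ref that never touched a mutex, so hoisting the declaration out of the loop later would leave a stale pointer from a previous iteration.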
@@ -3641,10 +3641,12 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
delayed_refs->num_heads_ready--;
list_del_init(&head->cluster);
}
+
ref->in_tree = 0;
rb_erase(&ref->rb_node, &delayed_refs->root);
delayed_refs->num_entries--;
-
+ if (head)
+ mutex_unlock(&head->mutex);
spin_unlock(&delayed_refs->lock);
btrfs_put_delayed_ref(ref);
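Review bot: The `mutex_unlock(&head->mutex)` added here is followed two lines later by `btrfs_put_delayed_ref(ref)`, and the loop has already forced the count to one with `atomic_set(&ref->refs, 1)`, so that put drops what is now the only counted reference. Any task that was sleeping on head->mutex is woken by the unlock and will then take a mutex embedded in an object that this path is about to free, which moves the use-after-free window to the waiter instead of closing it, unless waiters are kept safe by something not visible in this hunk. Please say in the commit message what keeps the head alive for them. A one-line comment above the unlock stating that it must stay before the put, and after `rb_erase()` so nobody can find the head in the tree once the mutex is released, would also stop a later cleanup from reordering these lines.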
--
1.7.7.6
* Re: [PATCH] Btrfs: fix freeing delayed ref head while still holding its mutex V2
From: Zach Brown @ 2013-01-31 20:23 UTC
To: Josef Bacik; +Cc: linux-btrfs
> V1->V2: don't duplicate the freeing stuff, just unlock if we have a head.
Nice, that's what I was picturing if we needed the freeing stuff to be
covered by the mutex. Thanks for cleaning it up.
- z