[PATCH 0/2] ext4: Fix some crashes on umount

linux-ext4.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH 0/2] ext4: Fix some crashes on umount
@ 2012-05-29 23:36 Salman Qazi
  2012-05-29 23:36 ` [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path Salman Qazi
  2012-05-29 23:36 ` [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache Salman Qazi
  0 siblings, 2 replies; 5+ messages in thread
From: Salman Qazi @ 2012-05-29 23:36 UTC (permalink / raw)
  To: Ted Ts'o, linux-ext4

The following series fixes two potential ways to get crashes
during umount;  The crash signature is:

[  189.910292] RIP: 0010:[<ffffffff8118a490>]  [<ffffffff8118a490>] clear_inode+0x60/0x70
.
.
.
[  189.910292]  [<ffffffff812342fe>] ext4_clear_inode+0x1e/0x80
[  189.910292]  [<ffffffff8121944e>] ext4_evict_inode+0x7e/0x4a0
[  189.910292]  [<ffffffff8118af5f>] evict+0xaf/0x1b0
[  189.910292]  [<ffffffff8118b163>] iput+0x103/0x210
[  189.910292]  [<ffffffff81248ddb>] ext4_mb_release+0x26b/0x3c0
[  189.910292]  [<ffffffff815479bd>] ? wait_for_completion+0x1d/0x20
[  189.910292]  [<ffffffff81233abb>] ext4_put_super+0x9b/0x350
[  189.910292]  [<ffffffff8118bc8f>] ? evict_inodes+0xbf/0x120
[  189.910292]  [<ffffffff81173f12>] generic_shutdown_super+0x62/0xf0
[  189.910292]  [<ffffffff81173fd0>] kill_block_super+0x30/0x80
[  189.910292]  [<ffffffff811741e5>] deactivate_locked_super+0x45/0x70
[  189.910292]  [<ffffffff8117444e>] deactivate_super+0x4e/0x70
[  189.910292]  [<ffffffff8118efa1>] mntput_no_expire+0xf1/0x140
[  189.910292]  [<ffffffff8118fd4e>] sys_umount+0x6e/0x380
[  189.910292]  [<ffffffff810750da>] ? sys32_stat64+0x1a/0x40
[  189.910292]  [<ffffffff81190070>] sys_oldumount+0x10/0x20
[  189.910292]  [<ffffffff81551edf>] sysenter_dispatch+0x7/0x1a

and happens because the buddy cache inode still has pages at the
time of umount.  One way for this to happen is for pages to leak
in an error path.  The second way, which we reproduced involves
a race with reading the mb_groups proc file.


---

Salman Qazi (2):
      ext4: Add ext4_mb_unload_buddy in the error path
      ext4: remove mb_groups before tearing buddy_cache


 fs/ext4/mballoc.c |    6 ++++--
 1 files changed, 4 insertions(+), 2 deletions(-)

-- 
Salman Qazi

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path
  2012-05-29 23:36 [PATCH 0/2] ext4: Fix some crashes on umount Salman Qazi
@ 2012-05-29 23:36 ` Salman Qazi
  2012-06-01  4:09   ` Ted Ts'o
  2012-05-29 23:36 ` [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache Salman Qazi
  1 sibling, 1 reply; 5+ messages in thread
From: Salman Qazi @ 2012-05-29 23:36 UTC (permalink / raw)
  To: Ted Ts'o, linux-ext4

ext4_free_blocks fails to pair an ext4_mb_load_buddy with a matching
ext4_mb_unload_buddy when it fails a memory allocation.

Signed-off-by: Salman Qazi <sqazi@google.com>
---
 fs/ext4/mballoc.c |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 99ab428..5c315ab 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -4636,6 +4636,7 @@ do_more:
 		 */
 		new_entry = kmem_cache_alloc(ext4_free_data_cachep, GFP_NOFS);
 		if (!new_entry) {
+			ext4_mb_unload_buddy(&e4b);
 			err = -ENOMEM;
 			goto error_return;
 		}


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path
  2012-05-29 23:36 ` [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path Salman Qazi
@ 2012-06-01  4:09   ` Ted Ts'o
  0 siblings, 0 replies; 5+ messages in thread
From: Ted Ts'o @ 2012-06-01  4:09 UTC (permalink / raw)
  To: Salman Qazi; +Cc: Ted Ts'o, linux-ext4

On Tue, May 29, 2012 at 04:36:09PM -0700, Salman Qazi wrote:
> ext4_free_blocks fails to pair an ext4_mb_load_buddy with a matching
> ext4_mb_unload_buddy when it fails a memory allocation.
> 
> Signed-off-by: Salman Qazi <sqazi@google.com>

Applied, thanks.

					- Ted

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache
  2012-05-29 23:36 [PATCH 0/2] ext4: Fix some crashes on umount Salman Qazi
  2012-05-29 23:36 ` [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path Salman Qazi
@ 2012-05-29 23:36 ` Salman Qazi
  2012-06-01  4:09   ` Ted Ts'o
  1 sibling, 1 reply; 5+ messages in thread
From: Salman Qazi @ 2012-05-29 23:36 UTC (permalink / raw)
  To: Ted Ts'o, linux-ext4

We can't have references held on pages in the s_buddy_cache while we are
trying to truncate its pages and put the inode.  All the pages must be
gone before we reach clear_inode.  This can only be gauranteed if we
can prevent new users from grabbing references to s_buddy_cache's pages.

The original bug can be reproduced and the bug fix can be verified by:

while true; do mount -t ext4 /dev/ram0 /export/hda3/ram0; \
	umount /export/hda3/ram0; done &

while true; do cat /proc/fs/ext4/ram0/mb_groups; done

Signed-off-by: Salman Qazi <sqazi@google.com>
---
 fs/ext4/mballoc.c |    5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 5c315ab..6b0a57e 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2517,6 +2517,9 @@ int ext4_mb_release(struct super_block *sb)
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	struct kmem_cache *cachep = get_groupinfo_cache(sb->s_blocksize_bits);
 
+	if (sbi->s_proc)
+		remove_proc_entry("mb_groups", sbi->s_proc);
+
 	if (sbi->s_group_info) {
 		for (i = 0; i < ngroups; i++) {
 			grinfo = ext4_get_group_info(sb, i);
@@ -2564,8 +2567,6 @@ int ext4_mb_release(struct super_block *sb)
 	}
 
 	free_percpu(sbi->s_locality_groups);
-	if (sbi->s_proc)
-		remove_proc_entry("mb_groups", sbi->s_proc);
 
 	return 0;
 }


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache
  2012-05-29 23:36 ` [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache Salman Qazi
@ 2012-06-01  4:09   ` Ted Ts'o
  0 siblings, 0 replies; 5+ messages in thread
From: Ted Ts'o @ 2012-06-01  4:09 UTC (permalink / raw)
  To: Salman Qazi; +Cc: Ted Ts'o, linux-ext4

On Tue, May 29, 2012 at 04:36:14PM -0700, Salman Qazi wrote:
> We can't have references held on pages in the s_buddy_cache while we are
> trying to truncate its pages and put the inode.  All the pages must be
> gone before we reach clear_inode.  This can only be gauranteed if we
> can prevent new users from grabbing references to s_buddy_cache's pages.
> 
> The original bug can be reproduced and the bug fix can be verified by:
> 
> while true; do mount -t ext4 /dev/ram0 /export/hda3/ram0; \
> 	umount /export/hda3/ram0; done &
> 
> while true; do cat /proc/fs/ext4/ram0/mb_groups; done
> 
> Signed-off-by: Salman Qazi <sqazi@google.com>

Applied, thanks.

						- Ted

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2012-06-01  4:09 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2012-05-29 23:36 [PATCH 0/2] ext4: Fix some crashes on umount Salman Qazi
2012-05-29 23:36 ` [PATCH 1/2] ext4: Add ext4_mb_unload_buddy in the error path Salman Qazi
2012-06-01  4:09   ` Ted Ts'o
2012-05-29 23:36 ` [PATCH 2/2] ext4: remove mb_groups before tearing buddy_cache Salman Qazi
2012-06-01  4:09   ` Ted Ts'o

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).