From mboxrd@z Thu Jan  1 00:00:00 1970
From: Chris Mason <mason@suse.com>
Subject: [patch 1/6] reiserfs v3 patches
Date: Sun, 15 Jan 2006 19:50:03 -0500
Message-ID: <20060116005310.656215000@watt.suse.com>
References: <20060116005002.398989000@watt.suse.com>
Return-path: <linux-fsdevel-owner@vger.kernel.org>
Received: from cantor2.suse.de ([195.135.220.15]:12241 "EHLO mx2.suse.de")
	by vger.kernel.org with ESMTP id S932108AbWAPAxN (ORCPT
	<rfc822;linux-fsdevel@vger.kernel.org>);
	Sun, 15 Jan 2006 19:53:13 -0500
To: akpm@osdl.org, linux-fsdevel@vger.kernel.org,
	reiserfs-list@namesys.com
Content-Disposition: inline; filename=reiserfs_invalidatepage-race-fix
From: Chris Mason <mason@suse.com>
Subject: [patch 1/6] fix reiserfs_invalidatepage race against data=ordered
Sender: linux-fsdevel-owner@vger.kernel.org
List-Id: linux-fsdevel.vger.kernel.org

After a transaction has closed but before it has finished commit, there
is a window where data=ordered mode requires invalidatepage to pin pages
instead of freeing them.  This patch fixes a race between the
invalidatepage checks and data=ordered writeback, and it also adds a
check to the reiserfs write_ordered_buffers routines to write any
anonymous buffers that were dirtied after its first writeback loop.

That bug works like this:

proc1: transaction closes and a new one starts
proc1: write_ordered_buffers starts processing data=ordered list
proc1: buffer A is cleaned and written
proc2: buffer A is dirtied by another process
proc2: File is truncated to zero, page A goes through invalidatepage
proc2: reiserfs_invalidatepage sees dirty buffer A with reiserfs
       journal head, pins it
proc1: write_ordered_buffers frees the journal head on buffer A

At this point, buffer A stays dirty forever

diff -r 21be96fa294a fs/reiserfs/inode.c
--- a/fs/reiserfs/inode.c	Fri Jan 13 13:48:03 2006 -0500
+++ b/fs/reiserfs/inode.c	Fri Jan 13 13:50:37 2006 -0500
@@ -2743,6 +2743,7 @@ static int invalidatepage_can_drop(struc
 	int ret = 1;
 	struct reiserfs_journal *j = SB_JOURNAL(inode->i_sb);
 
+	lock_buffer(bh);
 	spin_lock(&j->j_dirty_buffers_lock);
 	if (!buffer_mapped(bh)) {
 		goto free_jh;
@@ -2758,7 +2759,7 @@ static int invalidatepage_can_drop(struc
 		if (buffer_journaled(bh) || buffer_journal_dirty(bh)) {
 			ret = 0;
 		}
-	} else if (buffer_dirty(bh) || buffer_locked(bh)) {
+	} else  if (buffer_dirty(bh)) {
 		struct reiserfs_journal_list *jl;
 		struct reiserfs_jh *jh = bh->b_private;
 
@@ -2784,6 +2785,7 @@ static int invalidatepage_can_drop(struc
 		reiserfs_free_jh(bh);
 	}
 	spin_unlock(&j->j_dirty_buffers_lock);
+	unlock_buffer(bh);
 	return ret;
 }
 
diff -r 21be96fa294a fs/reiserfs/journal.c
--- a/fs/reiserfs/journal.c	Fri Jan 13 13:48:03 2006 -0500
+++ b/fs/reiserfs/journal.c	Fri Jan 13 13:50:37 2006 -0500
@@ -878,6 +878,19 @@ static int write_ordered_buffers(spinloc
 		}
 		if (!buffer_uptodate(bh)) {
 			ret = -EIO;
+		}
+		/* ugly interaction with invalidatepage here.
+		 * reiserfs_invalidate_page will pin any buffer that has a valid
+		 * journal head from an older transaction.  If someone else sets
+		 * our buffer dirty after we write it in the first loop, and
+		 * then someone truncates the page away, nobody will ever write
+		 * the buffer. We're safe if we write the page one last time
+		 * after freeing the journal header.
+		 */
+		if (buffer_dirty(bh) && unlikely(bh->b_page->mapping == NULL)) {
+			spin_unlock(lock);
+			ll_rw_block(WRITE, 1, &bh);
+			spin_lock(lock);
 		}
 		put_bh(bh);
 		cond_resched_lock(lock);

--