btrfs: fix crash when tracepoint arguments are freed by wq callbacks

commit ac0c7cf8be00f269f82964cf7b144ca3edc5dbc4 upstream. Enabling btrfs tracepoints leads to instant crash, as reported. The wq callbacks could free the memory and the tracepoints started to dereference the members to get to fs_info. The proposed fix https://marc.info/?l=linux-btrfs&m=148172436722606&w=2 removed the tracepoints but we could preserve them by passing only the required data in a safe way. Fixes: bc074524e123 ("btrfs: prefix fsid to all trace events") Reported-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Reviewed-by: Qu Wenruo <quwenruo@cn.fujitsu.com> Signed-off-by: David Sterba <dsterba@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
author: David Sterba <dsterba@suse.com> 2017-01-06 08:12:51 -0500
committer: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2017-01-19 14:18:02 -0500
commit: 28dad9aa9b367b81f99a36a06d16e89e649133ce (patch)
tree: bd7f2e951fd7cabc7d8989dbc639daf829b8473e /fs
parent: 4d0f302bf56a03b8023f06a27b811c1a4625c20d (diff)
1 files changed, 11 insertions, 4 deletions
diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
index 63d197724519..ff0b0be92d61 100644
--- a/fs/btrfs/async-thread.c
+++ b/fs/btrfs/async-thread.c
@@ -273,6 +273,8 @@ static void run_ordered_work(struct __btrfs_workqueue *wq)
        unsigned long flags;
        while (1) {
+                void *wtag;
                spin_lock_irqsave(lock, flags);
                if (list_empty(list))
                        break;
@@ -299,11 +301,13 @@ static void run_ordered_work(struct __btrfs_workqueue *wq)
                spin_unlock_irqrestore(lock, flags);
                /*
-                 * we don't want to call the ordered free functions
+                 * We don't want to call the ordered free functions with the
-                 * with the lock held though
+                 * lock held though. Save the work as tag for the trace event,
+                 * because the callback could free the structure.
                 */
+                wtag = work;
                work->ordered_free(work);
-                trace_btrfs_all_work_done(work);
+                trace_btrfs_all_work_done(wq->fs_info, wtag);
        }
        spin_unlock_irqrestore(lock, flags);
 }
@@ -311,6 +315,7 @@ static void run_ordered_work(struct __btrfs_workqueue *wq)
 static void normal_work_helper(struct btrfs_work *work)
 {
        struct __btrfs_workqueue *wq;
+        void *wtag;
        int need_order = 0;
        /*
@@ -324,6 +329,8 @@ static void normal_work_helper(struct btrfs_work *work)
        if (work->ordered_func)
                need_order = 1;
        wq = work->wq;
+        /* Safe for tracepoints in case work gets freed by the callback */
+        wtag = work;
        trace_btrfs_work_sched(work);
        thresh_exec_hook(wq);
@@ -333,7 +340,7 @@ static void normal_work_helper(struct btrfs_work *work)
                run_ordered_work(wq);
        }
        if (!need_order)
-                trace_btrfs_all_work_done(work);
+                trace_btrfs_all_work_done(wq->fs_info, wtag);
 }
 void btrfs_init_work(struct btrfs_work *work, btrfs_work_func_t uniq_func,
author	David Sterba <dsterba@suse.com>	2017-01-06 08:12:51 -0500
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-01-19 14:18:02 -0500
commit	28dad9aa9b367b81f99a36a06d16e89e649133ce (patch)
tree	bd7f2e951fd7cabc7d8989dbc639daf829b8473e /fs
parent	4d0f302bf56a03b8023f06a27b811c1a4625c20d (diff)