diff options
| author | Filipe Manana <fdmanana@suse.com> | 2014-12-02 13:07:30 -0500 |
|---|---|---|
| committer | Chris Mason <clm@fb.com> | 2014-12-02 21:35:10 -0500 |
| commit | 495e64f4fe0363bc79fa0dfb41c271787e01b5c3 (patch) | |
| tree | b316fdc48d547db5fb20112f45183a527fa21e9a | |
| parent | 946ddbe805cba88755fcea733597a287f9a18bce (diff) | |
Btrfs: fix fs mapping extent map leak
On chunk allocation error (label "error_del_extent"), after adding the
extent map to the tree and to the pending chunks list, we would leave
decrementing the extent map's refcount by 2 instead of 3 (our allocation
+ tree reference + list reference).
Also, on chunk/block group removal, if the block group was on the list
pending_chunks we weren't decrementing the respective list reference.
Detected by 'rmmod btrfs':
[20770.105881] kmem_cache_destroy btrfs_extent_map: Slab cache still has objects
[20770.106127] CPU: 2 PID: 11093 Comm: rmmod Tainted: G W L 3.17.0-rc5-btrfs-next-1+ #1
[20770.106128] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.7.5-0-ge51488c-20140602_164612-nilsson.home.kraxel.org 04/01/2014
[20770.106130] 0000000000000000 ffff8800ba867eb8 ffffffff813e7a13 ffff8800a2e11040
[20770.106132] ffff8800ba867ed0 ffffffff81105d0c 0000000000000000 ffff8800ba867ee0
[20770.106134] ffffffffa035d65e ffff8800ba867ef0 ffffffffa03b0654 ffff8800ba867f78
[20770.106136] Call Trace:
[20770.106142] [<ffffffff813e7a13>] dump_stack+0x45/0x56
[20770.106145] [<ffffffff81105d0c>] kmem_cache_destroy+0x4b/0x90
[20770.106164] [<ffffffffa035d65e>] extent_map_exit+0x1a/0x1c [btrfs]
[20770.106176] [<ffffffffa03b0654>] exit_btrfs_fs+0x27/0x9d3 [btrfs]
[20770.106179] [<ffffffff8109dc97>] SyS_delete_module+0x153/0x1c4
[20770.106182] [<ffffffff8121261b>] ? trace_hardirqs_on_thunk+0x3a/0x3c
[20770.106184] [<ffffffff813ebf52>] system_call_fastpath+0x16/0x1b
This applies on top (depends on) of my previous patch titled:
"Btrfs: fix race between fs trimming and block group remove/allocation"
But the issue in fact was already present before that change, it only
became easier to hit after Josef's 3.18 patch that added automatic
removal of empty block groups.
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: Chris Mason <clm@fb.com>
| -rw-r--r-- | fs/btrfs/extent-tree.c | 4 | ||||
| -rw-r--r-- | fs/btrfs/volumes.c | 2 |
2 files changed, 6 insertions, 0 deletions
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c index 1b85cf503aec..ba7042e2390b 100644 --- a/fs/btrfs/extent-tree.c +++ b/fs/btrfs/extent-tree.c | |||
| @@ -9469,6 +9469,10 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, | |||
| 9469 | memcpy(&key, &block_group->key, sizeof(key)); | 9469 | memcpy(&key, &block_group->key, sizeof(key)); |
| 9470 | 9470 | ||
| 9471 | lock_chunks(root); | 9471 | lock_chunks(root); |
| 9472 | if (!list_empty(&em->list)) { | ||
| 9473 | /* We're in the transaction->pending_chunks list. */ | ||
| 9474 | free_extent_map(em); | ||
| 9475 | } | ||
| 9472 | spin_lock(&block_group->lock); | 9476 | spin_lock(&block_group->lock); |
| 9473 | block_group->removed = 1; | 9477 | block_group->removed = 1; |
| 9474 | /* | 9478 | /* |
diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c index 588f37e0a564..ff2b35114972 100644 --- a/fs/btrfs/volumes.c +++ b/fs/btrfs/volumes.c | |||
| @@ -4501,6 +4501,8 @@ error_del_extent: | |||
| 4501 | free_extent_map(em); | 4501 | free_extent_map(em); |
| 4502 | /* One for the tree reference */ | 4502 | /* One for the tree reference */ |
| 4503 | free_extent_map(em); | 4503 | free_extent_map(em); |
| 4504 | /* One for the pending_chunks list reference */ | ||
| 4505 | free_extent_map(em); | ||
| 4504 | error: | 4506 | error: |
| 4505 | kfree(devices_info); | 4507 | kfree(devices_info); |
| 4506 | return ret; | 4508 | return ret; |