Btrfs: fix use-after-free in the finishing procedure of the device replace

During device replace test, we hit a null pointer deference (It was very easy
to reproduce it by running xfstests' btrfs/011 on the devices with the virtio
scsi driver). There were two bugs that caused this problem:
- We might allocate new chunks on the replaced device after we updated
  the mapping tree. And we forgot to replace the source device in those
  mapping of the new chunks.
- We might get the mapping information which including the source device
  before the mapping information update. And then submit the bio which was
  based on that mapping information after we freed the source device.

For the first bug, we can fix it by doing mapping tree update and source
device remove in the same context of the chunk mutex. The chunk mutex is
used to protect the allocable device list, the above method can avoid
the new chunk allocation, and after we remove the source device, all
the new chunks will be allocated on the new device. So it can fix
the first bug.

For the second bug, we need make sure all flighting bios are finished and
no new bios are produced during we are removing the source device. To fix
this problem, we introduced a global @bio_counter, we not only inc/dec
@bio_counter outsize of map_blocks, but also inc it before submitting bio
and dec @bio_counter when ending bios.

Since Raid56 is a little different and device replace dosen't support raid56
yet, it is not addressed in the patch and I add comments to make sure we will
fix it in the future.

Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>

1 files changed, 67 insertions, 7 deletions

diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c
index b20d59e5e5dd..ec1c3f3a775d 100644
--- a/fs/btrfs/dev-replace.c
+++ b/fs/btrfs/dev-replace.c
@@ -431,6 +431,35 @@ leave_no_lock:
         return ret;
 }
 
+/*
+ * blocked until all flighting bios are finished.
+ */
+static void btrfs_rm_dev_replace_blocked(struct btrfs_fs_info *fs_info)
+{
+        s64 writers;
+        DEFINE_WAIT(wait);
+
+        set_bit(BTRFS_FS_STATE_DEV_REPLACING, &fs_info->fs_state);
+        do {
+                prepare_to_wait(&fs_info->replace_wait, &wait,
+                                TASK_UNINTERRUPTIBLE);
+                writers = percpu_counter_sum(&fs_info->bio_counter);
+                if (writers)
+                        schedule();
+                finish_wait(&fs_info->replace_wait, &wait);
+        } while (writers);
+}
+
+/*
+ * we have removed target device, it is safe to allow new bios request.
+ */
+static void btrfs_rm_dev_replace_unblocked(struct btrfs_fs_info *fs_info)
+{
+        clear_bit(BTRFS_FS_STATE_DEV_REPLACING, &fs_info->fs_state);
+        if (waitqueue_active(&fs_info->replace_wait))
+                wake_up(&fs_info->replace_wait);
+}
+
 static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info,
                                        int scrub_ret)
 {
@@ -458,12 +487,6 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info,
         src_device = dev_replace->srcdev;
         btrfs_dev_replace_unlock(dev_replace);
 
-        /* replace old device with new one in mapping tree */
-        if (!scrub_ret)
-                btrfs_dev_replace_update_device_in_mapping_tree(fs_info,
-                                                                src_device,
-                                                                tgt_device);
-
         /*
          * flush all outstanding I/O and inode extent mappings before the
          * copy operation is declared as being finished
@@ -495,7 +518,12 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info,
         dev_replace->time_stopped = get_seconds();
         dev_replace->item_needs_writeback = 1;
 
-        if (scrub_ret) {
+        /* replace old device with new one in mapping tree */
+        if (!scrub_ret) {
+                btrfs_dev_replace_update_device_in_mapping_tree(fs_info,
+                                                                src_device,
+                                                                tgt_device);
+        } else {
                 printk_in_rcu(KERN_ERR
                               "BTRFS: btrfs_scrub_dev(%s, %llu, %s) failed %d\n",
                               src_device->missing ? "<missing disk>" :
@@ -534,8 +562,12 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info,
                 fs_info->fs_devices->latest_bdev = tgt_device->bdev;
         list_add(&tgt_device->dev_alloc_list, &fs_info->fs_devices->alloc_list);
 
+        btrfs_rm_dev_replace_blocked(fs_info);
+
         btrfs_rm_dev_replace_srcdev(fs_info, src_device);
 
+        btrfs_rm_dev_replace_unblocked(fs_info);
+
         /*
          * this is again a consistent state where no dev_replace procedure
          * is running, the target device is part of the filesystem, the
@@ -865,3 +897,31 @@ void btrfs_dev_replace_unlock(struct btrfs_dev_replace *dev_replace)
                 mutex_unlock(&dev_replace->lock_management_lock);
         }
 }
+
+void btrfs_bio_counter_inc_noblocked(struct btrfs_fs_info *fs_info)
+{
+        percpu_counter_inc(&fs_info->bio_counter);
+}
+
+void btrfs_bio_counter_dec(struct btrfs_fs_info *fs_info)
+{
+        percpu_counter_dec(&fs_info->bio_counter);
+
+        if (waitqueue_active(&fs_info->replace_wait))
+                wake_up(&fs_info->replace_wait);
+}
+
+void btrfs_bio_counter_inc_blocked(struct btrfs_fs_info *fs_info)
+{
+        DEFINE_WAIT(wait);
+again:
+        percpu_counter_inc(&fs_info->bio_counter);
+        if (test_bit(BTRFS_FS_STATE_DEV_REPLACING, &fs_info->fs_state)) {
+                btrfs_bio_counter_dec(fs_info);
+                wait_event(fs_info->replace_wait,
+                           !test_bit(BTRFS_FS_STATE_DEV_REPLACING,
+                                     &fs_info->fs_state));
+                goto again;
+        }
+
+}