diff options
Diffstat (limited to 'fs/xfs/xfs_buf_item.c')
| -rw-r--r-- | fs/xfs/xfs_buf_item.c | 28 |
1 files changed, 21 insertions, 7 deletions
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index 12d8455bfbb2..010db5f8fb00 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c | |||
| @@ -1233,9 +1233,23 @@ xfs_buf_iodone( | |||
| 1233 | } | 1233 | } |
| 1234 | 1234 | ||
| 1235 | /* | 1235 | /* |
| 1236 | * Requeue a failed buffer for writeback | 1236 | * Requeue a failed buffer for writeback. |
| 1237 | * | 1237 | * |
| 1238 | * Return true if the buffer has been re-queued properly, false otherwise | 1238 | * We clear the log item failed state here as well, but we have to be careful |
| 1239 | * about reference counts because the only active reference counts on the buffer | ||
| 1240 | * may be the failed log items. Hence if we clear the log item failed state | ||
| 1241 | * before queuing the buffer for IO we can release all active references to | ||
| 1242 | * the buffer and free it, leading to use after free problems in | ||
| 1243 | * xfs_buf_delwri_queue. It makes no difference to the buffer or log items which | ||
| 1244 | * order we process them in - the buffer is locked, and we own the buffer list | ||
| 1245 | * so nothing on them is going to change while we are performing this action. | ||
| 1246 | * | ||
| 1247 | * Hence we can safely queue the buffer for IO before we clear the failed log | ||
| 1248 | * item state, therefore always having an active reference to the buffer and | ||
| 1249 | * avoiding the transient zero-reference state that leads to use-after-free. | ||
| 1250 | * | ||
| 1251 | * Return true if the buffer was added to the buffer list, false if it was | ||
| 1252 | * already on the buffer list. | ||
| 1239 | */ | 1253 | */ |
| 1240 | bool | 1254 | bool |
| 1241 | xfs_buf_resubmit_failed_buffers( | 1255 | xfs_buf_resubmit_failed_buffers( |
| @@ -1243,16 +1257,16 @@ xfs_buf_resubmit_failed_buffers( | |||
| 1243 | struct list_head *buffer_list) | 1257 | struct list_head *buffer_list) |
| 1244 | { | 1258 | { |
| 1245 | struct xfs_log_item *lip; | 1259 | struct xfs_log_item *lip; |
| 1260 | bool ret; | ||
| 1261 | |||
| 1262 | ret = xfs_buf_delwri_queue(bp, buffer_list); | ||
| 1246 | 1263 | ||
| 1247 | /* | 1264 | /* |
| 1248 | * Clear XFS_LI_FAILED flag from all items before resubmit | 1265 | * XFS_LI_FAILED set/clear is protected by ail_lock, caller of this |
| 1249 | * | ||
| 1250 | * XFS_LI_FAILED set/clear is protected by ail_lock, caller this | ||
| 1251 | * function already have it acquired | 1266 | * function already have it acquired |
| 1252 | */ | 1267 | */ |
| 1253 | list_for_each_entry(lip, &bp->b_li_list, li_bio_list) | 1268 | list_for_each_entry(lip, &bp->b_li_list, li_bio_list) |
| 1254 | xfs_clear_li_failed(lip); | 1269 | xfs_clear_li_failed(lip); |
| 1255 | 1270 | ||
| 1256 | /* Add this buffer back to the delayed write list */ | 1271 | return ret; |
| 1257 | return xfs_buf_delwri_queue(bp, buffer_list); | ||
| 1258 | } | 1272 | } |