ext4: fix race between unwritten extent conversion and truncate

The following comment in ext4_end_io_dio caught my attention: /* XXX: probably should move into the real I/O completion handler */ inode_dio_done(inode); The truncate code takes i_mutex, then calls inode_dio_wait. Because the ext4 code path above will end up dropping the mutex before it is reacquired by the worker thread that does the extent conversion, it seems to me that the truncate can happen out of order. Jan Kara mentioned that this might result in error messages in the system logs, but that should be the extent of the "damage." The fix is pretty straight-forward: don't call inode_dio_done until the extent conversion is complete. Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> Cc: stable@vger.kernel.org
author: Jeff Moyer <jmoyer@redhat.com> 2012-02-20 17:59:24 -0500
committer: Theodore Ts'o <tytso@mit.edu> 2012-02-20 17:59:24 -0500
commit: 266991b13890049ee1a6bb95b9817f06339ee3d7 (patch)
tree: 55c4f0e3c0b978e563ced079002bcf7ea60d9767
parent: d4dc462f556afe510d58d3b12b3d66c2cabff539 (diff)
3 files changed, 8 insertions, 5 deletions
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index c2314dcbe4fb..4076746d721d 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -184,6 +184,7 @@ struct mpage_da_data {
 #define EXT4_IO_END_UNWRITTEN   0x0001
 #define EXT4_IO_END_ERROR       0x0002
 #define EXT4_IO_END_QUEUED      0x0004
+#define EXT4_IO_END_DIRECT      0x0008
 struct ext4_io_page {
        struct page     *p_page;
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index a58812ef5ea3..aafc626d64ac 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2796,9 +2796,6 @@ out:
        /* queue the work to convert unwritten extents to written */
        queue_work(wq, &io_end->work);
-        /* XXX: probably should move into the real I/O completion handler */
-        inode_dio_done(inode);
 }
 static void ext4_end_io_buffer_write(struct buffer_head *bh, int uptodate)
@@ -2922,9 +2919,12 @@ static ssize_t ext4_ext_direct_IO(int rw, struct kiocb *iocb,
                iocb->private = NULL;
                EXT4_I(inode)->cur_aio_dio = NULL;
                if (!is_sync_kiocb(iocb)) {
-                        iocb->private = ext4_init_io_end(inode, GFP_NOFS);
+                        ext4_io_end_t *io_end =
-                        if (!iocb->private)
+                                ext4_init_io_end(inode, GFP_NOFS);
+                        if (!io_end)
                                return -ENOMEM;
+                        io_end->flag |= EXT4_IO_END_DIRECT;
+                        iocb->private = io_end;
                        /*
                         * we save the io structure for current async
                         * direct IO, so that later ext4_map_blocks()
diff --git a/fs/ext4/page-io.c b/fs/ext4/page-io.c
index 475851896518..9e1b8eb1e7ac 100644
--- a/fs/ext4/page-io.c
+++ b/fs/ext4/page-io.c
@@ -110,6 +110,8 @@ int ext4_end_io_nolock(ext4_io_end_t *io)
        if (io->iocb)
                aio_complete(io->iocb, io->result, 0);
+        if (io->flag & EXT4_IO_END_DIRECT)
+                inode_dio_done(inode);
        /* Wake up anyone waiting on unwritten extent conversion */
        if (atomic_dec_and_test(&EXT4_I(inode)->i_aiodio_unwritten))
                wake_up_all(ext4_ioend_wq(io->inode));
author	Jeff Moyer <jmoyer@redhat.com>	2012-02-20 17:59:24 -0500
committer	Theodore Ts'o <tytso@mit.edu>	2012-02-20 17:59:24 -0500
commit	266991b13890049ee1a6bb95b9817f06339ee3d7 (patch)
tree	55c4f0e3c0b978e563ced079002bcf7ea60d9767
parent	d4dc462f556afe510d58d3b12b3d66c2cabff539 (diff)