diff options
author | Nathaniel W. Turner <nate@houseofnate.net> | 2009-11-16 14:51:48 -0500 |
---|---|---|
committer | Alex Elder <aelder@sgi.com> | 2009-11-17 11:26:49 -0500 |
commit | 6c06f072c2d797ddbb2270363de97c53ebbe0385 (patch) | |
tree | 03654fd6af68f5ba0004f9e7c2b6945504de53f3 | |
parent | 8ec6dba2581754e375be66f7bedd708d856d8b30 (diff) |
xfs: copy li_lsn before dropping AIL lock
Access to log items on the AIL is generally protected by m_ail_lock;
this is particularly needed when we're getting or setting the 64-bit
li_lsn on a 32-bit platform. This patch fixes a couple places where we
were accessing the log item after dropping the AIL lock on 32-bit
machines.
This can result in a partially-zeroed log->l_tail_lsn if
xfs_trans_ail_delete is racing with xfs_trans_ail_update, and in at
least some cases, this can leave the l_tail_lsn with a zero cycle
number, which means xlog_space_left will think the log is full (unless
CONFIG_XFS_DEBUG is set, in which case we'll trip an ASSERT), leading to
processes stuck forever in xlog_grant_log_space.
Thanks to Adrian VanderSpek for first spotting the race potential and to
Dave Chinner for debug assistance.
Signed-off-by: Nathaniel W. Turner <nate@houseofnate.net>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Alex Elder <aelder@sgi.com>
-rw-r--r-- | fs/xfs/xfs_trans_ail.c | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/fs/xfs/xfs_trans_ail.c b/fs/xfs/xfs_trans_ail.c index f31271c30de9..2ffc570679be 100644 --- a/fs/xfs/xfs_trans_ail.c +++ b/fs/xfs/xfs_trans_ail.c | |||
@@ -467,6 +467,7 @@ xfs_trans_ail_update( | |||
467 | { | 467 | { |
468 | xfs_log_item_t *dlip = NULL; | 468 | xfs_log_item_t *dlip = NULL; |
469 | xfs_log_item_t *mlip; /* ptr to minimum lip */ | 469 | xfs_log_item_t *mlip; /* ptr to minimum lip */ |
470 | xfs_lsn_t tail_lsn; | ||
470 | 471 | ||
471 | mlip = xfs_ail_min(ailp); | 472 | mlip = xfs_ail_min(ailp); |
472 | 473 | ||
@@ -483,8 +484,16 @@ xfs_trans_ail_update( | |||
483 | 484 | ||
484 | if (mlip == dlip) { | 485 | if (mlip == dlip) { |
485 | mlip = xfs_ail_min(ailp); | 486 | mlip = xfs_ail_min(ailp); |
487 | /* | ||
488 | * It is not safe to access mlip after the AIL lock is | ||
489 | * dropped, so we must get a copy of li_lsn before we do | ||
490 | * so. This is especially important on 32-bit platforms | ||
491 | * where accessing and updating 64-bit values like li_lsn | ||
492 | * is not atomic. | ||
493 | */ | ||
494 | tail_lsn = mlip->li_lsn; | ||
486 | spin_unlock(&ailp->xa_lock); | 495 | spin_unlock(&ailp->xa_lock); |
487 | xfs_log_move_tail(ailp->xa_mount, mlip->li_lsn); | 496 | xfs_log_move_tail(ailp->xa_mount, tail_lsn); |
488 | } else { | 497 | } else { |
489 | spin_unlock(&ailp->xa_lock); | 498 | spin_unlock(&ailp->xa_lock); |
490 | } | 499 | } |
@@ -514,6 +523,7 @@ xfs_trans_ail_delete( | |||
514 | { | 523 | { |
515 | xfs_log_item_t *dlip; | 524 | xfs_log_item_t *dlip; |
516 | xfs_log_item_t *mlip; | 525 | xfs_log_item_t *mlip; |
526 | xfs_lsn_t tail_lsn; | ||
517 | 527 | ||
518 | if (lip->li_flags & XFS_LI_IN_AIL) { | 528 | if (lip->li_flags & XFS_LI_IN_AIL) { |
519 | mlip = xfs_ail_min(ailp); | 529 | mlip = xfs_ail_min(ailp); |
@@ -527,9 +537,16 @@ xfs_trans_ail_delete( | |||
527 | 537 | ||
528 | if (mlip == dlip) { | 538 | if (mlip == dlip) { |
529 | mlip = xfs_ail_min(ailp); | 539 | mlip = xfs_ail_min(ailp); |
540 | /* | ||
541 | * It is not safe to access mlip after the AIL lock | ||
542 | * is dropped, so we must get a copy of li_lsn | ||
543 | * before we do so. This is especially important | ||
544 | * on 32-bit platforms where accessing and updating | ||
545 | * 64-bit values like li_lsn is not atomic. | ||
546 | */ | ||
547 | tail_lsn = mlip ? mlip->li_lsn : 0; | ||
530 | spin_unlock(&ailp->xa_lock); | 548 | spin_unlock(&ailp->xa_lock); |
531 | xfs_log_move_tail(ailp->xa_mount, | 549 | xfs_log_move_tail(ailp->xa_mount, tail_lsn); |
532 | (mlip ? mlip->li_lsn : 0)); | ||
533 | } else { | 550 | } else { |
534 | spin_unlock(&ailp->xa_lock); | 551 | spin_unlock(&ailp->xa_lock); |
535 | } | 552 | } |