diff options
| author | Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> | 2009-01-05 21:38:26 -0500 |
|---|---|---|
| committer | Theodore Ts'o <tytso@mit.edu> | 2009-01-05 21:38:26 -0500 |
| commit | e8134b27e351e813414da3b95aa8eac6d3908088 (patch) | |
| tree | c2d9939f92cc326b4ecfc3903a489fb753cb344c | |
| parent | 5d1b1b3f492f8696ea18950a454a141381b0f926 (diff) | |
ext4: Fix race between read_block_bitmap() and mark_diskspace_used()
We need to make sure we update the block bitmap and clear
EXT4_BG_BLOCK_UNINIT flag with sb_bgl_lock held, since
ext4_read_block_bitmap() looks at EXT4_BG_BLOCK_UNINIT to decide
whether to initialize the block bitmap each time it is called
(introduced by commit c806e68f), and this can race with block
allocations in ext4_mb_mark_diskspace_used().
ext4_read_block_bitmap does:
spin_lock(sb_bgl_lock(EXT4_SB(sb), block_group));
if (desc->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
ext4_init_block_bitmap(sb, bh, block_group, desc);
Now on the block allocation side we do
mb_set_bits(sb_bgl_lock(sbi, ac->ac_b_ex.fe_group), bitmap_bh->b_data,
ac->ac_b_ex.fe_start, ac->ac_b_ex.fe_len);
....
spin_lock(sb_bgl_lock(sbi, ac->ac_b_ex.fe_group));
if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) {
gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT);
ie on allocation we update the bitmap then we take the sb_bgl_lock
and clear the EXT4_BG_BLOCK_UNINIT flag. What can happen is a
parallel ext4_read_block_bitmap can zero out the bitmap in between
the above mb_set_bits and spin_lock(sb_bg_lock..)
The race results in below user visible errors
EXT4-fs error (device sdb1): ext4_mb_release_inode_pa: free 100, pa_free 105
EXT4-fs error (device sdb1): mb_free_blocks: double-free of inode 0's block ..
Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@kernel.org
| -rw-r--r-- | fs/ext4/mballoc.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index cda69632eea3..d559a03f3eb2 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c | |||
| @@ -1070,7 +1070,10 @@ static void mb_clear_bits(spinlock_t *lock, void *bm, int cur, int len) | |||
| 1070 | cur += 32; | 1070 | cur += 32; |
| 1071 | continue; | 1071 | continue; |
| 1072 | } | 1072 | } |
| 1073 | mb_clear_bit_atomic(lock, cur, bm); | 1073 | if (lock) |
| 1074 | mb_clear_bit_atomic(lock, cur, bm); | ||
| 1075 | else | ||
| 1076 | mb_clear_bit(cur, bm); | ||
| 1074 | cur++; | 1077 | cur++; |
| 1075 | } | 1078 | } |
| 1076 | } | 1079 | } |
| @@ -1088,7 +1091,10 @@ static void mb_set_bits(spinlock_t *lock, void *bm, int cur, int len) | |||
| 1088 | cur += 32; | 1091 | cur += 32; |
| 1089 | continue; | 1092 | continue; |
| 1090 | } | 1093 | } |
| 1091 | mb_set_bit_atomic(lock, cur, bm); | 1094 | if (lock) |
| 1095 | mb_set_bit_atomic(lock, cur, bm); | ||
| 1096 | else | ||
| 1097 | mb_set_bit(cur, bm); | ||
| 1092 | cur++; | 1098 | cur++; |
| 1093 | } | 1099 | } |
| 1094 | } | 1100 | } |
| @@ -3035,10 +3041,9 @@ ext4_mb_mark_diskspace_used(struct ext4_allocation_context *ac, | |||
| 3035 | } | 3041 | } |
| 3036 | } | 3042 | } |
| 3037 | #endif | 3043 | #endif |
| 3038 | mb_set_bits(sb_bgl_lock(sbi, ac->ac_b_ex.fe_group), bitmap_bh->b_data, | ||
| 3039 | ac->ac_b_ex.fe_start, ac->ac_b_ex.fe_len); | ||
| 3040 | |||
| 3041 | spin_lock(sb_bgl_lock(sbi, ac->ac_b_ex.fe_group)); | 3044 | spin_lock(sb_bgl_lock(sbi, ac->ac_b_ex.fe_group)); |
| 3045 | mb_set_bits(NULL, bitmap_bh->b_data, | ||
| 3046 | ac->ac_b_ex.fe_start, ac->ac_b_ex.fe_len); | ||
| 3042 | if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { | 3047 | if (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)) { |
| 3043 | gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); | 3048 | gdp->bg_flags &= cpu_to_le16(~EXT4_BG_BLOCK_UNINIT); |
| 3044 | gdp->bg_free_blocks_count = | 3049 | gdp->bg_free_blocks_count = |