Btrfs: fix unlock after free on rewinded tree blocks

When tree_mod_log_rewind decides to make a copy of the current tree buffer for its modifications, it subsequently freed the buffer before unlocking it. Obviously, those operations are required in reverse order. Signed-off-by: Jan Schmidt <list.btrfs@jan-o-sch.net> Signed-off-by: Josef Bacik <jbacik@fusionio.com>
author: Jan Schmidt <list.btrfs@jan-o-sch.net> 2013-04-13 09:19:55 -0400
committer: Josef Bacik <jbacik@fusionio.com> 2013-05-06 15:54:48 -0400
commit: 47fb091fb787420cd195e66f162737401cce023f (patch)
tree: 0214d77b462613aa605d3107633bec7445d53d57 /fs/btrfs/ctree.c
parent: 30b0463a9394d9e41596e96def5461fe33222f13 (diff)
1 files changed, 11 insertions, 7 deletions
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index d7e0576038fb..c3c3d37f9c58 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -1191,6 +1191,13 @@ __tree_mod_log_rewind(struct extent_buffer *eb, u64 time_seq,
        btrfs_set_header_nritems(eb, n);
 }
+/*
+ * Called with eb read locked. If the buffer cannot be rewinded, the same buffer
+ * is returned. If rewind operations happen, a fresh buffer is returned. The
+ * returned buffer is always read-locked. If the returned buffer is not the
+ * input buffer, the lock on the input buffer is released and the input buffer
+ * is freed (its refcount is decremented).
+ */
 static struct extent_buffer *
 tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct extent_buffer *eb,
                    u64 time_seq)
@@ -1224,8 +1231,11 @@ tree_mod_log_rewind(struct btrfs_fs_info *fs_info, struct extent_buffer *eb,
        }
        extent_buffer_get(eb_rewin);
+        btrfs_tree_read_unlock(eb);
        free_extent_buffer(eb);
+        extent_buffer_get(eb_rewin);
+        btrfs_tree_read_lock(eb_rewin);
        __tree_mod_log_rewind(eb_rewin, time_seq, tm);
        WARN_ON(btrfs_header_nritems(eb_rewin) >
                BTRFS_NODEPTRS_PER_BLOCK(fs_info->tree_root));
@@ -2794,15 +2804,9 @@ again:
                                btrfs_clear_path_blocking(p, b,
                                                          BTRFS_READ_LOCK);
                        }
+                        b = tree_mod_log_rewind(root->fs_info, b, time_seq);
                        p->locks[level] = BTRFS_READ_LOCK;
                        p->nodes[level] = b;
-                        b = tree_mod_log_rewind(root->fs_info, b, time_seq);
-                        if (b != p->nodes[level]) {
-                                btrfs_tree_unlock_rw(p->nodes[level],
-                                                     p->locks[level]);
-                                p->locks[level] = 0;
-                                p->nodes[level] = b;
-                        }
                } else {
                        p->slots[level] = slot;
                        unlock_up(p, level, lowest_unlock, 0, NULL);
author	Jan Schmidt <list.btrfs@jan-o-sch.net>	2013-04-13 09:19:55 -0400
committer	Josef Bacik <jbacik@fusionio.com>	2013-05-06 15:54:48 -0400
commit	47fb091fb787420cd195e66f162737401cce023f (patch)
tree	0214d77b462613aa605d3107633bec7445d53d57 /fs/btrfs/ctree.c
parent	30b0463a9394d9e41596e96def5461fe33222f13 (diff)