diff options
| author | Miao Xie <miaox@cn.fujitsu.com> | 2014-09-03 09:35:43 -0400 |
|---|---|---|
| committer | Chris Mason <clm@fb.com> | 2014-09-17 16:38:44 -0400 |
| commit | 67a2c45ee7f4f250458279a2e1244679c5d9735c (patch) | |
| tree | 0f1806d2aead6af9629bb701101b75b28863b986 /fs/btrfs/dev-replace.c | |
| parent | adbbb8631beda8e4e5d2c964b8b47e04cfa0a2ae (diff) | |
Btrfs: fix use-after-free problem of the device during device replace
The problem is:
Task0(device scan task) Task1(device replace task)
scan_one_device()
mutex_lock(&uuid_mutex)
device = find_device()
mutex_lock(&device_list_mutex)
lock_chunk()
rm_and_free_source_device
unlock_chunk()
mutex_unlock(&device_list_mutex)
check device
Destroying the target device if device replace fails also has the same problem.
We fix this problem by locking uuid_mutex during destroying source device or
target device, just like the device remove operation.
It is a temporary solution, we can fix this problem and make the code more
clear by atomic counter in the future.
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs/btrfs/dev-replace.c')
| -rw-r--r-- | fs/btrfs/dev-replace.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/fs/btrfs/dev-replace.c b/fs/btrfs/dev-replace.c index aa4c82863c73..e9cbbdb72978 100644 --- a/fs/btrfs/dev-replace.c +++ b/fs/btrfs/dev-replace.c | |||
| @@ -509,6 +509,7 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info, | |||
| 509 | ret = btrfs_commit_transaction(trans, root); | 509 | ret = btrfs_commit_transaction(trans, root); |
| 510 | WARN_ON(ret); | 510 | WARN_ON(ret); |
| 511 | 511 | ||
| 512 | mutex_lock(&uuid_mutex); | ||
| 512 | /* keep away write_all_supers() during the finishing procedure */ | 513 | /* keep away write_all_supers() during the finishing procedure */ |
| 513 | mutex_lock(&root->fs_info->fs_devices->device_list_mutex); | 514 | mutex_lock(&root->fs_info->fs_devices->device_list_mutex); |
| 514 | mutex_lock(&root->fs_info->chunk_mutex); | 515 | mutex_lock(&root->fs_info->chunk_mutex); |
| @@ -536,6 +537,7 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info, | |||
| 536 | btrfs_dev_replace_unlock(dev_replace); | 537 | btrfs_dev_replace_unlock(dev_replace); |
| 537 | mutex_unlock(&root->fs_info->chunk_mutex); | 538 | mutex_unlock(&root->fs_info->chunk_mutex); |
| 538 | mutex_unlock(&root->fs_info->fs_devices->device_list_mutex); | 539 | mutex_unlock(&root->fs_info->fs_devices->device_list_mutex); |
| 540 | mutex_unlock(&uuid_mutex); | ||
| 539 | if (tgt_device) | 541 | if (tgt_device) |
| 540 | btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device); | 542 | btrfs_destroy_dev_replace_tgtdev(fs_info, tgt_device); |
| 541 | mutex_unlock(&dev_replace->lock_finishing_cancel_unmount); | 543 | mutex_unlock(&dev_replace->lock_finishing_cancel_unmount); |
| @@ -591,6 +593,7 @@ static int btrfs_dev_replace_finishing(struct btrfs_fs_info *fs_info, | |||
| 591 | */ | 593 | */ |
| 592 | mutex_unlock(&root->fs_info->chunk_mutex); | 594 | mutex_unlock(&root->fs_info->chunk_mutex); |
| 593 | mutex_unlock(&root->fs_info->fs_devices->device_list_mutex); | 595 | mutex_unlock(&root->fs_info->fs_devices->device_list_mutex); |
| 596 | mutex_unlock(&uuid_mutex); | ||
| 594 | 597 | ||
| 595 | /* write back the superblocks */ | 598 | /* write back the superblocks */ |
| 596 | trans = btrfs_start_transaction(root, 0); | 599 | trans = btrfs_start_transaction(root, 0); |