Btrfs: only use the existing eb if it's count isn't 0

We can run into a problem where we find an eb for our existing page already on the radix tree but it has a ref count of 0. It hasn't yet been removed by RCU yet so this can cause issues where we will use the EB after free. So do atomic_inc_not_zero on the exists->refs and if it is zero just do synchronize_rcu() and try again. We won't have to worry about new allocators coming in since they will block on the page lock at this point. Thanks, Signed-off-by: Josef Bacik <josef@redhat.com>
author: Josef Bacik <josef@redhat.com> 2012-03-09 09:51:43 -0500
committer: Chris Mason <chris.mason@oracle.com> 2012-03-26 16:51:08 -0400
commit: 115391d2315239164e400a8259b26392afccf3bd (patch)
tree: 83f6bd7698b5bfddbe3be57d6411a120eced2399 /fs/btrfs/extent_io.c
parent: 4f2de97acee6532b36dd6e995b858343771ad126 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c
index 0381b6007ae4..0f74262911be 100644
--- a/fs/btrfs/extent_io.c
+++ b/fs/btrfs/extent_io.c
@@ -3750,7 +3750,7 @@ struct extent_buffer *alloc_extent_buffer(struct extent_io_tree *tree,
        }
        if (uptodate)
                set_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
+again:
        ret = radix_tree_preload(GFP_NOFS & ~__GFP_HIGHMEM);
        if (ret)
                goto free_eb;
@@ -3760,7 +3760,13 @@ struct extent_buffer *alloc_extent_buffer(struct extent_io_tree *tree,
        if (ret == -EEXIST) {
                exists = radix_tree_lookup(&tree->buffer,
                                                start >> PAGE_CACHE_SHIFT);
-                atomic_inc(&exists->refs);
+                if (!atomic_inc_not_zero(&exists->refs)) {
+                        spin_unlock(&tree->buffer_lock);
+                        radix_tree_preload_end();
+                        synchronize_rcu();
+                        exists = NULL;
+                        goto again;
+                }
                spin_unlock(&tree->buffer_lock);
                radix_tree_preload_end();
                goto free_eb;
author	Josef Bacik <josef@redhat.com>	2012-03-09 09:51:43 -0500
committer	Chris Mason <chris.mason@oracle.com>	2012-03-26 16:51:08 -0400
commit	115391d2315239164e400a8259b26392afccf3bd (patch)
tree	83f6bd7698b5bfddbe3be57d6411a120eced2399 /fs/btrfs/extent_io.c
parent	4f2de97acee6532b36dd6e995b858343771ad126 (diff)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 0381b6007ae4..0f74262911be 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c
@@ -3750,7 +3750,7 @@ struct extent_buffer alloc_extent_buffer(struct extent_io_tree tree,
3750	}	3750	}
3751	if (uptodate)	3751	if (uptodate)
3752	set_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);	3752	set_bit(EXTENT_BUFFER_UPTODATE, &eb->bflags);
3753		3753	again:
3754	ret = radix_tree_preload(GFP_NOFS & ~__GFP_HIGHMEM);	3754	ret = radix_tree_preload(GFP_NOFS & ~__GFP_HIGHMEM);
3755	if (ret)	3755	if (ret)
3756	goto free_eb;	3756	goto free_eb;
@@ -3760,7 +3760,13 @@ struct extent_buffer alloc_extent_buffer(struct extent_io_tree tree,
3760	if (ret == -EEXIST) {	3760	if (ret == -EEXIST) {
3761	exists = radix_tree_lookup(&tree->buffer,	3761	exists = radix_tree_lookup(&tree->buffer,
3762	start >> PAGE_CACHE_SHIFT);	3762	start >> PAGE_CACHE_SHIFT);
3763	atomic_inc(&exists->refs);	3763	if (!atomic_inc_not_zero(&exists->refs)) {
		3764	spin_unlock(&tree->buffer_lock);
		3765	radix_tree_preload_end();
		3766	synchronize_rcu();
		3767	exists = NULL;
		3768	goto again;
		3769	}
3764	spin_unlock(&tree->buffer_lock);	3770	spin_unlock(&tree->buffer_lock);
3765	radix_tree_preload_end();	3771	radix_tree_preload_end();
3766	goto free_eb;	3772	goto free_eb;