Btrfs: fix race between snapshot deletion and getting inode

While running snapshot testscript created by Mitch and David, the race between autodefrag and snapshot deletion can lead to corruption of dead_root list so that we can get crash on btrfs_clean_old_snapshots(). And besides autodefrag, scrub also does the same thing, ie. read root first and get inode. Here is the story(take autodefrag as an example): (1) when we delete a snapshot or subvolume, it will set its root's refs to zero and do a iput() on its own inode, and if this inode happens to be the only active in-meory one in root's inode rbtree, it will add itself to the global dead_roots list for later cleanup. (2) after (1), the autodefrag thread may read another inode for defrag and the inode is just in the deleted snapshot/subvolume, but all of these are without checking if the root is still valid(refs > 0). So the end up result is adding the deleted snapshot/subvolume's root to the global dead_roots list AGAIN. Fortunately, we already have a srcu lock to avoid the race, ie. subvol_srcu. So all we need to do is to take the lock to protect 'read root and get inode', since we synchronize to wait for the rcu grace period before adding something to the global dead_roots list. Reported-by: Mitch Harder <mitch.harder@sabayonlinux.org> Signed-off-by: Liu Bo <bo.li.liu@oracle.com> Signed-off-by: Josef Bacik <jbacik@fusionio.com>
author: Liu Bo <bo.li.liu@oracle.com> 2013-01-28 22:22:10 -0500
committer: Josef Bacik <jbacik@fusionio.com> 2013-02-05 16:09:13 -0500
commit: 6f1c36055f96e80031c7fdda3fd5be826b8d7782 (patch)
tree: a7417741e5f6680981dc64dabaffe7d0c1a02f53 /fs/btrfs/file.c
parent: 843fcf35733164076a77ad833c72c32da8228ad0 (diff)
1 files changed, 18 insertions, 4 deletions
diff --git a/fs/btrfs/file.c b/fs/btrfs/file.c
index a902faab7161..b06d289f998f 100644
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -293,15 +293,24 @@ static int __btrfs_run_defrag_inode(struct btrfs_fs_info *fs_info,
        struct btrfs_key key;
        struct btrfs_ioctl_defrag_range_args range;
        int num_defrag;
+        int index;
+        int ret;
        /* get the inode */
        key.objectid = defrag->root;
        btrfs_set_key_type(&key, BTRFS_ROOT_ITEM_KEY);
        key.offset = (u64)-1;
+        index = srcu_read_lock(&fs_info->subvol_srcu);
        inode_root = btrfs_read_fs_root_no_name(fs_info, &key);
        if (IS_ERR(inode_root)) {
-                kmem_cache_free(btrfs_inode_defrag_cachep, defrag);
+                ret = PTR_ERR(inode_root);
-                return PTR_ERR(inode_root);
+                goto cleanup;
+        }
+        if (btrfs_root_refs(&inode_root->root_item) == 0) {
+                ret = -ENOENT;
+                goto cleanup;
        }
        key.objectid = defrag->ino;
@@ -309,9 +318,10 @@ static int __btrfs_run_defrag_inode(struct btrfs_fs_info *fs_info,
        key.offset = 0;
        inode = btrfs_iget(fs_info->sb, &key, inode_root, NULL);
        if (IS_ERR(inode)) {
-                kmem_cache_free(btrfs_inode_defrag_cachep, defrag);
+                ret = PTR_ERR(inode);
-                return PTR_ERR(inode);
+                goto cleanup;
        }
+        srcu_read_unlock(&fs_info->subvol_srcu, index);
        /* do a chunk of defrag */
        clear_bit(BTRFS_INODE_IN_DEFRAG, &BTRFS_I(inode)->runtime_flags);
@@ -346,6 +356,10 @@ static int __btrfs_run_defrag_inode(struct btrfs_fs_info *fs_info,
        iput(inode);
        return 0;
+cleanup:
+        srcu_read_unlock(&fs_info->subvol_srcu, index);
+        kmem_cache_free(btrfs_inode_defrag_cachep, defrag);
+        return ret;
 }
 /*
author	Liu Bo <bo.li.liu@oracle.com>	2013-01-28 22:22:10 -0500
committer	Josef Bacik <jbacik@fusionio.com>	2013-02-05 16:09:13 -0500
commit	6f1c36055f96e80031c7fdda3fd5be826b8d7782 (patch)
tree	a7417741e5f6680981dc64dabaffe7d0c1a02f53 /fs/btrfs/file.c
parent	843fcf35733164076a77ad833c72c32da8228ad0 (diff)