Btrfs: fix NULL pointer after aborting a transaction

While doing cleanup work on an aborted transaction, we've set
the global running transaction pointer to NULL _before_ waiting all
other transaction handles to finish, so others'd hit NULL pointer
crash when referencing the global running transaction pointer.

This first sets a hint to avoid new transaction handle joining, then
waits other existing handles to abort or finish so that we can safely
set the above global pointer to NULL.

Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Signed-off-by: Josef Bacik <jbacik@fusionio.com>

1 files changed, 7 insertions, 1 deletions

diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
index 4330433b7b4f..3733c4939a27 100644
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -1447,6 +1447,7 @@ static void cleanup_transaction(struct btrfs_trans_handle *trans,
                                 struct btrfs_root *root, int err)
 {
         struct btrfs_transaction *cur_trans = trans->transaction;
+        DEFINE_WAIT(wait);
 
         WARN_ON(trans->use_count > 1);
 
@@ -1455,8 +1456,13 @@ static void cleanup_transaction(struct btrfs_trans_handle *trans,
         spin_lock(&root->fs_info->trans_lock);
         list_del_init(&cur_trans->list);
         if (cur_trans == root->fs_info->running_transaction) {
+                root->fs_info->trans_no_join = 1;
+                spin_unlock(&root->fs_info->trans_lock);
+                wait_event(cur_trans->writer_wait,
+                           atomic_read(&cur_trans->num_writers) == 1);
+
+                spin_lock(&root->fs_info->trans_lock);
                 root->fs_info->running_transaction = NULL;
-                root->fs_info->trans_no_join = 0;
         }
         spin_unlock(&root->fs_info->trans_lock);