[XFS] Fix double free of log tickets

When an I/O error occurs during an intermediate commit on a rolling transaction, xfs_trans_commit() will free the transaction structure and the related ticket. However, the duplicate transaction that gets used as the transaction continues still contains a pointer to the ticket. Hence when the duplicate transaction is cancelled and freed, we free the ticket a second time. Add reference counting to the ticket so that we hold an extra reference to the ticket over the transaction commit. We drop the extra reference once we have checked that the transaction commit did not return an error, thus avoiding a double free on commit error. Credit to Nick Piggin for tripping over the problem. SGI-PV: 989741 Signed-off-by: Dave Chinner <david@fromorbit.com> Reviewed-by: Christoph Hellwig <hch@lst.de> Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
author: Dave Chinner <david@fromorbit.com> 2008-11-17 01:37:10 -0500
committer: Lachlan McIlroy <lachlan@redback.melbourne.sgi.com> 2008-11-17 01:37:10 -0500
commit: cc09c0dc57de7f7d2ed89d480b5653e5f6a32f2c (patch)
tree: 3c6145ccb00f603c47e020cfa45f159ab76cf9bf /fs/xfs/xfs_log.c
parent: 6307091fe69ae74747298bdcaf43119ad67bda3a (diff)
1 files changed, 25 insertions, 14 deletions
diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c
index 92c20a8d9e69..4bf44aef644c 100644
--- a/fs/xfs/xfs_log.c
+++ b/fs/xfs/xfs_log.c
@@ -100,12 +100,11 @@ STATIC void xlog_ungrant_log_space(xlog_t	 *log,
 /* local ticket functions */
-STATIC xlog_ticket_t    *xlog_ticket_get(xlog_t *log,
+STATIC xlog_ticket_t    *xlog_ticket_alloc(xlog_t *log,
                                         int    unit_bytes,
                                         int    count,
                                         char   clientid,
                                         uint   flags);
-STATIC void             xlog_ticket_put(xlog_t *log, xlog_ticket_t *ticket);
 #if defined(DEBUG)
 STATIC void     xlog_verify_dest_ptr(xlog_t *log, __psint_t ptr);
@@ -360,7 +359,7 @@ xfs_log_done(xfs_mount_t	*mp,
                 */
                xlog_trace_loggrant(log, ticket, "xfs_log_done: (non-permanent)");
                xlog_ungrant_log_space(log, ticket);
-                xlog_ticket_put(log, ticket);
+                xfs_log_ticket_put(ticket);
        } else {
                xlog_trace_loggrant(log, ticket, "xfs_log_done: (permanent)");
                xlog_regrant_reserve_log_space(log, ticket);
@@ -514,7 +513,7 @@ xfs_log_reserve(xfs_mount_t	 *mp,
                retval = xlog_regrant_write_log_space(log, internal_ticket);
        } else {
                /* may sleep if need to allocate more tickets */
-                internal_ticket = xlog_ticket_get(log, unit_bytes, cnt,
+                internal_ticket = xlog_ticket_alloc(log, unit_bytes, cnt,
                                                  client, flags);
                if (!internal_ticket)
                        return XFS_ERROR(ENOMEM);
@@ -749,7 +748,7 @@ xfs_log_unmount_write(xfs_mount_t *mp)
                if (tic) {
                        xlog_trace_loggrant(log, tic, "unmount rec");
                        xlog_ungrant_log_space(log, tic);
-                        xlog_ticket_put(log, tic);
+                        xfs_log_ticket_put(tic);
                }
        } else {
                /*
@@ -3222,22 +3221,33 @@ xlog_state_want_sync(xlog_t *log, xlog_in_core_t *iclog)
 */
 /*
- * Free a used ticket.
+ * Free a used ticket when it's refcount falls to zero.
 */
-STATIC void
+void
-xlog_ticket_put(xlog_t          *log,
+xfs_log_ticket_put(
-                xlog_ticket_t   *ticket)
+        xlog_ticket_t   *ticket)
 {
-        sv_destroy(&ticket->t_wait);
+        ASSERT(atomic_read(&ticket->t_ref) > 0);
-        kmem_zone_free(xfs_log_ticket_zone, ticket);
+        if (atomic_dec_and_test(&ticket->t_ref)) {
-}       /* xlog_ticket_put */
+                sv_destroy(&ticket->t_wait);
+                kmem_zone_free(xfs_log_ticket_zone, ticket);
+        }
+}
+xlog_ticket_t *
+xfs_log_ticket_get(
+        xlog_ticket_t   *ticket)
+{
+        ASSERT(atomic_read(&ticket->t_ref) > 0);
+        atomic_inc(&ticket->t_ref);
+        return ticket;
+}
 /*
 * Allocate and initialise a new log ticket.
 */
 STATIC xlog_ticket_t *
-xlog_ticket_get(xlog_t          *log,
+xlog_ticket_alloc(xlog_t                *log,
                int             unit_bytes,
                int             cnt,
                char            client,
@@ -3308,6 +3318,7 @@ xlog_ticket_get(xlog_t		*log,
                unit_bytes += 2*BBSIZE;
        }
+        atomic_set(&tic->t_ref, 1);
        tic->t_unit_res         = unit_bytes;
        tic->t_curr_res         = unit_bytes;
        tic->t_cnt              = cnt;
@@ -3323,7 +3334,7 @@ xlog_ticket_get(xlog_t		*log,
        xlog_tic_reset_res(tic);
        return tic;
-}       /* xlog_ticket_get */
+}
 /******************************************************************************
author	Dave Chinner <david@fromorbit.com>	2008-11-17 01:37:10 -0500
committer	Lachlan McIlroy <lachlan@redback.melbourne.sgi.com>	2008-11-17 01:37:10 -0500
commit	cc09c0dc57de7f7d2ed89d480b5653e5f6a32f2c (patch)
tree	3c6145ccb00f603c47e020cfa45f159ab76cf9bf /fs/xfs/xfs_log.c
parent	6307091fe69ae74747298bdcaf43119ad67bda3a (diff)