Btrfs: fix freeing delayed ref head while still holding its mutex

I hit this error when reproducing a bug that would end in a transaction
abort.  We take the delayed ref head's mutex to keep anybody from processing
it while we're destroying it, but we fail to drop the mutex before we carry
on and free the damned thing.  Fix this by doing the remove logic for the
head ourselves and unlock the mutex, that way we can avoid use after free's
or hung tasks waiting on that mutex to come back so they know the delayed
ref completed.  Thanks,

Signed-off-by: Josef Bacik <jbacik@fusionio.com>

1 files changed, 5 insertions, 3 deletions

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index bd48bf21118e..8140cb01951f 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -3615,11 +3615,11 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
         }
 
         while ((node = rb_first(&delayed_refs->root)) != NULL) {
-                ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
+                struct btrfs_delayed_ref_head *head = NULL;
 
+                ref = rb_entry(node, struct btrfs_delayed_ref_node, rb_node);
                 atomic_set(&ref->refs, 1);
                 if (btrfs_delayed_ref_is_head(ref)) {
-                        struct btrfs_delayed_ref_head *head;
 
                         head = btrfs_delayed_node_to_head(ref);
                         if (!mutex_trylock(&head->mutex)) {
@@ -3641,10 +3641,12 @@ int btrfs_destroy_delayed_refs(struct btrfs_transaction *trans,
                                 delayed_refs->num_heads_ready--;
                         list_del_init(&head->cluster);
                 }
+
                 ref->in_tree = 0;
                 rb_erase(&ref->rb_node, &delayed_refs->root);
                 delayed_refs->num_entries--;
-
+                if (head)
+                        mutex_unlock(&head->mutex);
                 spin_unlock(&delayed_refs->lock);
                 btrfs_put_delayed_ref(ref);