diff options
author | Jan Kara <jack@suse.cz> | 2011-06-24 17:11:59 -0400 |
---|---|---|
committer | Jan Kara <jack@suse.cz> | 2011-06-27 05:44:37 -0400 |
commit | bb189247f35688a3353545902c56290fb7d7754a (patch) | |
tree | 02f93da7f642f3e59050d1c2837a7a8a8e61b3aa /include/linux | |
parent | 2c2ea9451fc2a12ee57c8346f0da26969d07ee7f (diff) |
jbd: Fix oops in journal_remove_journal_head()
journal_remove_journal_head() can oops when trying to access journal_head
returned by bh2jh(). This is caused for example by the following race:
TASK1 TASK2
journal_commit_transaction()
...
processing t_forget list
__journal_refile_buffer(jh);
if (!jh->b_transaction) {
jbd_unlock_bh_state(bh);
journal_try_to_free_buffers()
journal_grab_journal_head(bh)
jbd_lock_bh_state(bh)
__journal_try_to_free_buffer()
journal_put_journal_head(jh)
journal_remove_journal_head(bh);
journal_put_journal_head() in TASK2 sees that b_jcount == 0 and buffer is not
part of any transaction and thus frees journal_head before TASK1 gets to doing
so. Note that even buffer_head can be released by try_to_free_buffers() after
journal_put_journal_head() which adds even larger opportunity for oops (but I
didn't see this happen in reality).
Fix the problem by making transactions hold their own journal_head reference
(in b_jcount). That way we don't have to remove journal_head explicitely via
journal_remove_journal_head() and instead just remove journal_head when
b_jcount drops to zero. The result of this is that [__]journal_refile_buffer(),
[__]journal_unfile_buffer(), and __journal_remove_checkpoint() can free
journal_head which needs modification of a few callers. Also we have to be
careful because once journal_head is removed, buffer_head might be freed as
well. So we have to get our own buffer_head reference where it matters.
Signed-off-by: Jan Kara <jack@suse.cz>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/jbd.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/include/linux/jbd.h b/include/linux/jbd.h index e06965081ba5..e6a5e34bed4f 100644 --- a/include/linux/jbd.h +++ b/include/linux/jbd.h | |||
@@ -940,7 +940,6 @@ extern int journal_force_commit(journal_t *); | |||
940 | */ | 940 | */ |
941 | struct journal_head *journal_add_journal_head(struct buffer_head *bh); | 941 | struct journal_head *journal_add_journal_head(struct buffer_head *bh); |
942 | struct journal_head *journal_grab_journal_head(struct buffer_head *bh); | 942 | struct journal_head *journal_grab_journal_head(struct buffer_head *bh); |
943 | void journal_remove_journal_head(struct buffer_head *bh); | ||
944 | void journal_put_journal_head(struct journal_head *jh); | 943 | void journal_put_journal_head(struct journal_head *jh); |
945 | 944 | ||
946 | /* | 945 | /* |