From: Qu Wenruo <quwenruo@cn.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
Subject: [PATCH 4/5] btrfs: raid56: Don't keep rbio for later steal
Date: Fri, 3 Feb 2017 16:20:22 +0800 [thread overview]
Message-ID: <20170203082023.3577-5-quwenruo@cn.fujitsu.com> (raw)
In-Reply-To: <20170203082023.3577-1-quwenruo@cn.fujitsu.com>
Before this patch, btrfs raid56 will keep raid56 rbio even all its IO is
done.
This may save some time allocating rbio, but it can cause deadly
use-after-free bug, for the following case:
Original fs: 4 devices RAID5
Process A | Process B
--------------------------------------------------------------------------
| Start device replace
| Now the fs has 5 devices
| devid 0: replace device
| devid 1~4: old devices
btrfs_map_bio() |
|- __btrfs_map_block() |
| bbio has 5 stripes |
| including devid 0 |
|- raid56_parity_write() |
|
raid_write_end_io() |
|- rbio_orig_end_io() |
|- unlock_stripe() |
Keeps the old rbio for |
later steal, which has |
stripe for devid 0 |
| Cancel device replace
| Now the fs has 4 devices
| devid 0 is freed
Some IO happens |
raid_write_end_io() |
|- rbio_orig_end_io() |
|- unlock_stripe() |
|- steal_rbio() |
Use old rbio, whose |
bbio has freed devid 0|
stripe |
Any access to rbio->bbio will |
cause general protection or NULL |
pointer dereference |
Such bug can already be triggered by fstests btrfs/069 for RAID5/6
profiles.
Fix it by not keeping old rbio in unlock_stripe(), so we just free the
finished rbio and rbio->bbio, so above problem wont' happen.
Signed-off-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
---
fs/btrfs/raid56.c | 18 +-----------------
1 file changed, 1 insertion(+), 17 deletions(-)
diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c
index 453eefdcb591..aba82b95ec73 100644
--- a/fs/btrfs/raid56.c
+++ b/fs/btrfs/raid56.c
@@ -776,7 +776,6 @@ static noinline void unlock_stripe(struct btrfs_raid_bio *rbio)
int bucket;
struct btrfs_stripe_hash *h;
unsigned long flags;
- int keep_cache = 0;
bucket = rbio_bucket(rbio);
h = rbio->fs_info->stripe_hash_table->table + bucket;
@@ -788,19 +787,6 @@ static noinline void unlock_stripe(struct btrfs_raid_bio *rbio)
spin_lock(&rbio->bio_list_lock);
if (!list_empty(&rbio->hash_list)) {
- /*
- * if we're still cached and there is no other IO
- * to perform, just leave this rbio here for others
- * to steal from later
- */
- if (list_empty(&rbio->plug_list) &&
- test_bit(RBIO_CACHE_BIT, &rbio->flags)) {
- keep_cache = 1;
- clear_bit(RBIO_RMW_LOCKED_BIT, &rbio->flags);
- BUG_ON(!bio_list_empty(&rbio->bio_list));
- goto done;
- }
-
list_del_init(&rbio->hash_list);
atomic_dec(&rbio->refs);
@@ -848,13 +834,11 @@ static noinline void unlock_stripe(struct btrfs_raid_bio *rbio)
goto done_nolock;
}
}
-done:
spin_unlock(&rbio->bio_list_lock);
spin_unlock_irqrestore(&h->lock, flags);
done_nolock:
- if (!keep_cache)
- remove_rbio_from_cache(rbio);
+ remove_rbio_from_cache(rbio);
}
static void __free_raid_bio(struct btrfs_raid_bio *rbio)
--
2.11.0
next prev parent reply other threads:[~2017-02-03 8:21 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-03 8:20 [PATCH 0/5] raid56: variant bug fixes Qu Wenruo
2017-02-03 8:20 ` [PATCH 1/5] btrfs: scrub: Introduce full stripe lock for RAID56 Qu Wenruo
2017-02-03 8:20 ` [PATCH 2/5] btrfs: scrub: Fix RAID56 recovery race condition Qu Wenruo
2017-02-03 8:20 ` [PATCH 3/5] btrfs: raid56: Use correct stolen pages to calculate P/Q Qu Wenruo
2017-03-16 5:36 ` Liu Bo
2017-03-16 8:30 ` Qu Wenruo
2017-03-17 6:31 ` Qu Wenruo
2017-03-17 22:19 ` Liu Bo
2017-03-20 4:33 ` Qu Wenruo
2017-02-03 8:20 ` Qu Wenruo [this message]
2017-03-17 4:44 ` [PATCH 4/5] btrfs: raid56: Don't keep rbio for later steal Liu Bo
2017-03-17 5:28 ` Qu Wenruo
2017-03-18 2:03 ` Liu Bo
2017-03-20 6:21 ` Qu Wenruo
2017-03-20 20:23 ` Liu Bo
2017-03-21 0:44 ` Qu Wenruo
2017-03-21 2:08 ` Liu Bo
2017-03-21 2:23 ` Qu Wenruo
2017-03-21 5:45 ` Liu Bo
2017-03-21 7:00 ` Qu Wenruo
2017-02-03 8:20 ` [PATCH 5/5] btrfs: replace: Use ref counts to avoid destroying target device when canceled Qu Wenruo
2017-03-18 2:12 ` Liu Bo
2017-03-20 6:30 ` Qu Wenruo
2017-03-20 19:31 ` Liu Bo
2017-03-07 3:48 ` [PATCH 0/5] raid56: variant bug fixes Qu Wenruo
2017-03-14 13:47 ` David Sterba
2017-03-14 21:30 ` Goffredo Baroncelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170203082023.3577-5-quwenruo@cn.fujitsu.com \
--to=quwenruo@cn.fujitsu.com \
--cc=linux-btrfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.