diff options
author | Naohiro Aota <naota@elisp.net> | 2015-01-05 17:01:03 +0100 |
---|---|---|
committer | Chris Mason <clm@fb.com> | 2015-02-03 04:24:51 +0100 |
commit | 289454ad26a2d752e04b07234a175feda9ec0f4e (patch) | |
tree | ebb643f38213a77d2e6349ed159dec71aee396f6 /fs | |
parent | Btrfs: fix scrub race leading to use-after-free (diff) | |
download | linux-289454ad26a2d752e04b07234a175feda9ec0f4e.tar.xz linux-289454ad26a2d752e04b07234a175feda9ec0f4e.zip |
btrfs: clear bio reference after submit_one_bio()
After submit_one_bio(), `bio' can go away. However submit_extent_page()
leave `bio' referable if submit_one_bio() failed (e.g. -ENOMEM on OOM).
It will cause invalid paging request when submit_extent_page() is called
next time.
I reproduced ENOMEM case with the following script (need
CONFIG_FAIL_PAGE_ALLOC, and CONFIG_FAULT_INJECTION_DEBUG_FS).
#!/bin/bash
dmesgout=dmesg.txt
start=100000
end=300000
step=1000
# btrfs options
device=/dev/vdb1
directory=/mnt/btrfs
# fault-injection options
percent=100
times=3
mkdir -p $directory || exit 1
mount -o compress $device $directory || exit 1
rm -f $directory/file || exit 1
dd if=/dev/zero of=$directory/file bs=1M count=512 || exit 1
for interval in `seq $start $step $end`; do
dmesg -C
echo 1 > /proc/sys/vm/drop_caches
sync
export FAILCMD_TYPE=fail_page_alloc
./failcmd.sh -p $percent -t $times -i $interval \
--ignore-gfp-highmem=N --ignore-gfp-wait=N --min-order=0 \
-- \
cat $directory/file > /dev/null
dmesg > ${dmesgout}
if grep -q BUG: ${dmesgout}; then
cat ${dmesgout}
exit 1
fi
done
umount $directory
exit 0
Signed-off-by: Naohiro Aota <naota@elisp.net>
Tested-by: Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/btrfs/extent_io.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index dab8af4450e1..a7f66009519a 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -2817,8 +2817,10 @@ static int submit_extent_page(int rw, struct extent_io_tree *tree, bio_add_page(bio, page, page_size, offset) < page_size) { ret = submit_one_bio(rw, bio, mirror_num, prev_bio_flags); - if (ret < 0) + if (ret < 0) { + *bio_ret = NULL; return ret; + } bio = NULL; } else { return 0; |