 298a8f9cf1
			
		
	
	
	298a8f9cf1
	
	
	
		
			
While running balance, scrub and fsstress concurrently, we hit the following kernel crash:

[56561.448845] BTRFS info (device sde): relocating block group 11005853696 flags 132
[56561.524077] BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
[56561.524237] IP: [<ffffffffa038956d>] scrub_chunk.isra.12+0xdd/0x130 [btrfs]
[56561.524297] PGD 9be28067 PUD 7f3dd067 PMD 0
[56561.524325] Oops: 0000 [#1] SMP
[....]
[56561.527237] Call Trace:
[56561.527309] [<ffffffffa038980e>] scrub_enumerate_chunks+0x24e/0x490 [btrfs]
[56561.527392] [<ffffffff810abe00>] ? abort_exclusive_wait+0x50/0xb0
[56561.527476] [<ffffffffa038add4>] btrfs_scrub_dev+0x1a4/0x530 [btrfs]
[56561.527561] [<ffffffffa0368107>] btrfs_ioctl+0x13f7/0x2a90 [btrfs]
[56561.527639] [<ffffffff811c82f0>] do_vfs_ioctl+0x2e0/0x4c0
[56561.527712] [<ffffffff8109c384>] ? vtime_account_user+0x54/0x60
[56561.527788] [<ffffffff810f768c>] ? __audit_syscall_entry+0x9c/0xf0
[56561.527870] [<ffffffff811c8551>] SyS_ioctl+0x81/0xa0
[56561.527941] [<ffffffff815707f7>] tracesys+0xdd/0xe2
[...]
[56561.528304] RIP [<ffffffffa038956d>] scrub_chunk.isra.12+0xdd/0x130 [btrfs]
[56561.528395] RSP <ffff88004c0f5be8>
[56561.528454] CR2: 0000000000000078

This happens because btrfs_relocate_chunk() frees @bdev directly while scrub may still hold a reference to the extent mapping, so scrub may access freed memory.

Fix this by moving the freeing of @bdev into free_extent_map(), which is reference counted.

Reported-by: Qu Wenruo <quwenruo@cn.fujitsu.com>
Signed-off-by: Wang Shilong <wangsl.fnst@cn.fujitsu.com>
Signed-off-by: Miao Xie <miaox@cn.fujitsu.com>
Signed-off-by: Chris Mason <clm@fb.com>
		
			
				
	
	
		
| #ifndef __EXTENTMAP__
 | |
| #define __EXTENTMAP__
 | |
| 
 | |
| #include <linux/rbtree.h>
 | |
| 
 | |
/*
 * Sentinel values taken from the very top of the u64 range
 * ((u64)-4 .. (u64)-1).
 *
 * NOTE(review): presumably these are stored where a real byte offset would
 * otherwise go; code that compares or does arithmetic on such a field should
 * test for the sentinels first. Confirm which field carries them.
 */
#define EXTENT_MAP_LAST_BYTE ((u64)-4)
#define EXTENT_MAP_HOLE ((u64)-3)
#define EXTENT_MAP_INLINE ((u64)-2)
#define EXTENT_MAP_DELALLOC ((u64)-1)
 | |
| 
 | |
/*
 * bits for the flags field
 *
 * The values are consecutive bit numbers (0..6), not masks.
 * NOTE(review): presumably used with the kernel bitops (set_bit/test_bit)
 * on extent_map.flags; confirm in the callers.
 */
#define EXTENT_FLAG_PINNED 0 /* this entry not yet on disk, don't free it */
#define EXTENT_FLAG_COMPRESSED 1
#define EXTENT_FLAG_VACANCY 2 /* no file extent item found */
#define EXTENT_FLAG_PREALLOC 3 /* pre-allocated extent */
#define EXTENT_FLAG_LOGGING 4 /* Logging this extent */
#define EXTENT_FLAG_FILLING 5 /* Filling in a preallocated extent */
/*
 * NOTE(review): the commit description for this revision moves the freeing
 * of @bdev into free_extent_map(); this flag presumably marks the mappings
 * whose bdev pointer must be released there. Confirm in extent_map.c.
 */
#define EXTENT_FLAG_FS_MAPPING 6 /* filesystem extent mapping type */
 | |
| 
 | |
/*
 * One extent mapping. It embeds an rb_node (see extent_map_in_tree()) and a
 * list_head, and carries a reference count in refs.
 *
 * NOTE(review): the commit description for this revision reports a crash in
 * scrub caused by btrfs_relocate_chunk() freeing @bdev directly while scrub
 * still held the mapping. Per that description the release of @bdev now
 * happens inside free_extent_map(), which is reference counted, so holders
 * should drop a mapping only through free_extent_map() and never free bdev
 * themselves. Confirm the exact release condition in extent_map.c.
 */
struct extent_map {
	/* tree linkage; extent_map_in_tree() tests whether this node is empty */
	struct rb_node rb_node;

	/* all of these are in bytes */
	u64 start;
	u64 len;
	u64 mod_start;
	u64 mod_len;
	u64 orig_start;
	u64 orig_block_len;
	u64 ram_bytes;
	u64 block_start;
	u64 block_len;
	u64 generation;
	/* holds the EXTENT_FLAG_* bits defined above */
	unsigned long flags;
	/* see the struct comment: released via free_extent_map(), not directly */
	struct block_device *bdev;
	/* reference count of this mapping */
	atomic_t refs;
	unsigned int compress_type;
	/* presumably links into extent_map_tree.modified_extents - TODO confirm */
	struct list_head list;
};
 | |
| 
 | |
/*
 * Container for extent mappings: an rb-tree root, a list of modified
 * extents and a reader/writer lock.
 */
struct extent_map_tree {
	struct rb_root map;
	struct list_head modified_extents;
	/* presumably guards map and modified_extents - TODO confirm in callers */
	rwlock_t lock;
};
 | |
| 
 | |
/*
 * Report whether @em is currently linked into an rb-tree.
 *
 * Returns 1 when em->rb_node is not an empty node, 0 otherwise.
 */
static inline int extent_map_in_tree(const struct extent_map *em)
{
	const struct rb_node *node = &em->rb_node;

	if (RB_EMPTY_NODE(node))
		return 0;
	return 1;
}
 | |
| 
 | |
/*
 * Return the first byte past the range described by @em (start + len).
 *
 * If the unsigned addition wraps around, the result is clamped to (u64)-1
 * instead of returning a small, wrapped value.
 */
static inline u64 extent_map_end(struct extent_map *em)
{
	u64 end = em->start + em->len;

	/* a sum below the first operand means the u64 addition overflowed */
	return end < em->start ? (u64)-1 : end;
}
 | |
| 
 | |
/*
 * Return the first byte past the block range of @em
 * (block_start + block_len).
 *
 * If the unsigned addition wraps around, the result is clamped to (u64)-1
 * instead of returning a small, wrapped value.
 */
static inline u64 extent_map_block_end(struct extent_map *em)
{
	u64 end = em->block_start + em->block_len;

	/* a sum below the first operand means the u64 addition overflowed */
	return end < em->block_start ? (u64)-1 : end;
}
 | |
| 
 | |
/*
 * Extent map API; the definitions are not part of this header.
 *
 * NOTE(review): the functions returning struct extent_map * presumably hand
 * back a mapping with a reference held, which the caller must drop with
 * free_extent_map(). Confirm against the implementation.
 */
void extent_map_tree_init(struct extent_map_tree *tree);
struct extent_map *lookup_extent_mapping(struct extent_map_tree *tree,
					 u64 start, u64 len);
int add_extent_mapping(struct extent_map_tree *tree,
		       struct extent_map *em, int modified);
int remove_extent_mapping(struct extent_map_tree *tree, struct extent_map *em);
void replace_extent_mapping(struct extent_map_tree *tree,
			    struct extent_map *cur,
			    struct extent_map *new,
			    int modified);

struct extent_map *alloc_extent_map(void);
/*
 * Per the commit description for this revision, free_extent_map() is
 * reference-count based and is now also where @bdev is freed, so a mapping
 * still held by another user (e.g. scrub) keeps its bdev pointer valid.
 */
void free_extent_map(struct extent_map *em);
int __init extent_map_init(void);
void extent_map_exit(void);
int unpin_extent_cache(struct extent_map_tree *tree, u64 start, u64 len, u64 gen);
void clear_em_logging(struct extent_map_tree *tree, struct extent_map *em);
struct extent_map *search_extent_mapping(struct extent_map_tree *tree,
					 u64 start, u64 len);
 | |
| #endif
 |