From patchwork Tue Feb 17 10:51:08 2015
X-Patchwork-Submitter: Omar Sandoval
X-Patchwork-Id: 5838331
From: Omar Sandoval
To: Chris Mason, Josef Bacik, David Sterba
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Omar Sandoval
Subject: [PATCH 2/3] btrfs: handle race on ENOMEM in alloc_extent_buffer
Date: Tue, 17 Feb 2015 02:51:08 -0800
Message-Id: <4fcdbbd7d6dc95598323b46dcf5db4356cb7dee8.1424168589.git.osandov@osandov.com>

Consider the following interleaving of overlapping calls to
alloc_extent_buffer:

Call 1:

- Successfully allocates a few pages with find_or_create_page
- find_or_create_page fails, goto free_eb
- Unlocks the allocated pages

Call 2:

- Calls find_or_create_page and gets a page in call 1's extent_buffer
- Finds that the page is already associated with an extent_buffer
- Grabs a reference to the half-written extent_buffer and calls
  mark_extent_buffer_accessed on it

mark_extent_buffer_accessed will then try to call mark_page_accessed on a
null page and panic.

The fix is to clear page->private of the half-written extent_buffer's
pages all at once while holding mapping->private_lock.

Signed-off-by: Omar Sandoval
---
 fs/btrfs/extent_io.c | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index c73df6a..6024db9 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -4850,6 +4850,7 @@ struct extent_buffer *alloc_extent_buffer(struct btrfs_fs_info *fs_info, mark_extent_buffer_accessed(exists, p); goto free_eb; } + exists = NULL; /* * Do this so attach doesn't complain and we need to @@ -4913,13 +4914,24 @@ again: return eb; free_eb: + spin_lock(&mapping->private_lock); for (i = 0; i < num_pages; i++) { - if (eb->pages[i]) - unlock_page(eb->pages[i]); - } + struct page *page = eb->pages[i]; + if (page) { + unlock_page(page); + ClearPagePrivate(page); + set_page_private(page, 0); + /* One for the page private */ + page_cache_release(page); + /* One for when we alloced the page */ + page_cache_release(page); + } + } + spin_unlock(&mapping->private_lock); WARN_ON(!atomic_dec_and_test(&eb->refs)); - btrfs_release_extent_buffer(eb); + __free_extent_buffer(eb); + return exists; }
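
Review bot: in the hunk at @@ -4850, the added "exists = NULL;" after the goto free_eb block has no comment, and the changelog does not mention it either. Since the free_eb path ends in "return exists;", the reset appears to be what keeps a later goto free_eb from handing the caller a stale pointer; please say so in a one-line comment above the assignment, and confirm that every other path into free_eb leaves exists either NULL or pointing at a buffer the caller holds a reference on.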
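
Review bot: in the hunk at @@ -4913, the new free_eb loop clears page private and drops two references for every non-NULL eb->pages[i], but nothing in the loop checks that the page was actually attached to this eb. If a slot can be populated before the page is attached, the release marked "One for the page private" drops a reference that was never taken; a WARN_ON(page->private != (unsigned long)eb) ahead of ClearPagePrivate(page) would catch that, or the changelog should state why it cannot happen. The changelog should also explain why btrfs_release_extent_buffer(eb) becomes __free_extent_buffer(eb), presumably because the pages are now released in this loop, and kernel style wants a blank line after the "struct page *page = eb->pages[i];" declaration.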