f2fs: fix ref of discard command

Message ID 20170612030449.79290-1-jaegeuk@kernel.org (mailing list archive)
State New, archived

Commit Message

Jaegeuk Kim June 12, 2017, 3:04 a.m. UTC
This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on

  f2fs: add f2fs_bug_on in __remove_discard_cmd

Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
 fs/f2fs/segment.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Chao Yu June 12, 2017, 11:17 a.m. UTC | #1
Hi Jaegeuk,

On 2017/6/12 11:04, Jaegeuk Kim wrote:
> This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
> 
>   f2fs: add f2fs_bug_on in __remove_discard_cmd
> 
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/segment.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> index 86a0c1095939..a6d77388a806 100644
> --- a/fs/f2fs/segment.c
> +++ b/fs/f2fs/segment.c
> @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
>  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
>  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
>  			wait_for_completion_io(&dc->wait);
> +			if (dc->state == D_DONE && dc->ref)
> +				dc->ref--;

Should set dc->ref to 0 to avoid panic once we add other referrers?

Thanks,

>  			__remove_discard_cmd(sbi, dc);
>  		} else {
>  			dc->ref++;
>
Jaegeuk Kim June 14, 2017, 2:26 p.m. UTC | #2
On 06/12, Chao Yu wrote:
> Hi Jaegeuk,
> 
> On 2017/6/12 11:04, Jaegeuk Kim wrote:
> > This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
> > 
> >   f2fs: add f2fs_bug_on in __remove_discard_cmd
> > 
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/segment.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> > index 86a0c1095939..a6d77388a806 100644
> > --- a/fs/f2fs/segment.c
> > +++ b/fs/f2fs/segment.c
> > @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
> >  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
> >  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
> >  			wait_for_completion_io(&dc->wait);
> > +			if (dc->state == D_DONE && dc->ref)
> > +				dc->ref--;
> 
> Should set dc->ref to 0 to avoid panic once we add other referrers?

Sorry, could you please explain this in more detail?

Thanks,

> 
> Thanks,
> 
> >  			__remove_discard_cmd(sbi, dc);
> >  		} else {
> >  			dc->ref++;
> >
Chao Yu June 14, 2017, 2:58 p.m. UTC | #3
On 2017/6/14 22:26, Jaegeuk Kim wrote:
> On 06/12, Chao Yu wrote:
>> Hi Jaegeuk,
>>
>> On 2017/6/12 11:04, Jaegeuk Kim wrote:
>>> This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
>>>
>>>   f2fs: add f2fs_bug_on in __remove_discard_cmd
>>>
>>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>>> ---
>>>  fs/f2fs/segment.c | 2 ++
>>>  1 file changed, 2 insertions(+)
>>>
>>> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
>>> index 86a0c1095939..a6d77388a806 100644
>>> --- a/fs/f2fs/segment.c
>>> +++ b/fs/f2fs/segment.c
>>> @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
>>>  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
>>>  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
>>>  			wait_for_completion_io(&dc->wait);
>>> +			if (dc->state == D_DONE && dc->ref)
>>> +				dc->ref--;
>>
>> Should set dc->ref to 0 to avoid panic once we add other referrers?
> 
> Sorry, could you please explain this in more detail?

Oh, I just assume later we may add another referrer for some reason
which will make dc->ref = 2, so dc->ref-- is not enough to avoid the
bug_on in __remove_discard_cmd. I think resetting dc->ref is safer
here, what do you think?

Thanks,

> 
> Thanks,
> 
>>
>> Thanks,
>>
>>>  			__remove_discard_cmd(sbi, dc);
>>>  		} else {
>>>  			dc->ref++;
>>>
> 
Jaegeuk Kim June 14, 2017, 3:20 p.m. UTC | #4
On 06/14, Chao Yu wrote:
> On 2017/6/14 22:26, Jaegeuk Kim wrote:
> > On 06/12, Chao Yu wrote:
> >> Hi Jaegeuk,
> >>
> >> On 2017/6/12 11:04, Jaegeuk Kim wrote:
> >>> This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
> >>>
> >>>   f2fs: add f2fs_bug_on in __remove_discard_cmd
> >>>
> >>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> >>> ---
> >>>  fs/f2fs/segment.c | 2 ++
> >>>  1 file changed, 2 insertions(+)
> >>>
> >>> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> >>> index 86a0c1095939..a6d77388a806 100644
> >>> --- a/fs/f2fs/segment.c
> >>> +++ b/fs/f2fs/segment.c
> >>> @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
> >>>  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
> >>>  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
> >>>  			wait_for_completion_io(&dc->wait);
> >>> +			if (dc->state == D_DONE && dc->ref)
> >>> +				dc->ref--;
> >>
> >> Should set dc->ref to 0 to avoid panic once we add other referrers?
> > 
> > Sorry, could you please explain this in more detail?
> 
> Oh, I just assume later we may add another referrer for some reason
> which will make dc->ref = 2, so dc->ref-- is not enough to avoid the
> bug_on in __remove_discard_cmd. I think resetting dc->ref is safer
> here, what do you think?

Well, for now, it makes more sense to do it like this when considering the ref flow,
IIUC. What will make dc->ref = 2 later? Even in that case, why not make it zero
by adding dc->ref-- appropriately?

Thanks,

> 
> Thanks,
> 
> > 
> > Thanks,
> > 
> >>
> >> Thanks,
> >>
> >>>  			__remove_discard_cmd(sbi, dc);
> >>>  		} else {
> >>>  			dc->ref++;
> >>>
> > 
Chao Yu June 14, 2017, 3:40 p.m. UTC | #5
On 2017/6/14 23:20, Jaegeuk Kim wrote:
> On 06/14, Chao Yu wrote:
>> On 2017/6/14 22:26, Jaegeuk Kim wrote:
>>> On 06/12, Chao Yu wrote:
>>>> Hi Jaegeuk,
>>>>
>>>> On 2017/6/12 11:04, Jaegeuk Kim wrote:
>>>>> This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
>>>>>
>>>>>   f2fs: add f2fs_bug_on in __remove_discard_cmd
>>>>>
>>>>> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>>>>> ---
>>>>>  fs/f2fs/segment.c | 2 ++
>>>>>  1 file changed, 2 insertions(+)
>>>>>
>>>>> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
>>>>> index 86a0c1095939..a6d77388a806 100644
>>>>> --- a/fs/f2fs/segment.c
>>>>> +++ b/fs/f2fs/segment.c
>>>>> @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
>>>>>  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
>>>>>  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
>>>>>  			wait_for_completion_io(&dc->wait);
>>>>> +			if (dc->state == D_DONE && dc->ref)
>>>>> +				dc->ref--;
>>>>
>>>> Should set dc->ref to 0 to avoid panic once we add other referrers?
>>>
>>> Sorry, could you please explain this in more detail?
>>
>> Oh, I just assume later we may add another referrer for some reason
>> which will make dc->ref = 2, so dc->ref-- is not enough to avoid the
>> bug_on in __remove_discard_cmd. I think resetting dc->ref is safer
>> here, what do you think?
> 
> Well, for now, it makes more sense to do it like this when considering the ref flow,
> IIUC. What will make dc->ref = 2 later? Even in that case, why not make it zero

It's just an assumption; till now, I do not have it in my mind ;)

> by adding dc->ref-- appropriately?

You mean as below?

dc->ref--;
if (dc->ref > 0)
	dc->ref--;

Thanks,

> 
> Thanks,
> 
>>
>> Thanks,
>>
>>>
>>> Thanks,
>>>
>>>>
>>>> Thanks,
>>>>
>>>>>  			__remove_discard_cmd(sbi, dc);
>>>>>  		} else {
>>>>>  			dc->ref++;
>>>>>
>>>
Chao Yu June 23, 2017, 8:16 a.m. UTC | #6
Hi Jaegeuk,

On 2017/6/12 11:04, Jaegeuk Kim wrote:
> This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
> 
>   f2fs: add f2fs_bug_on in __remove_discard_cmd
> 
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> ---
>  fs/f2fs/segment.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> index 86a0c1095939..a6d77388a806 100644
> --- a/fs/f2fs/segment.c
> +++ b/fs/f2fs/segment.c
> @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
>  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
>  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
>  			wait_for_completion_io(&dc->wait);
> +			if (dc->state == D_DONE && dc->ref)
> +				dc->ref--;

How about using ("f2fs: stop discard thread in prior during umount") instead of
this one? As dereference of dc here will lead to use-after-free of the real referrer.

Thanks,

>  			__remove_discard_cmd(sbi, dc);
>  		} else {
>  			dc->ref++;
>
Jaegeuk Kim June 24, 2017, 4:26 p.m. UTC | #7
On 06/23, Chao Yu wrote:
> Hi Jaegeuk,
> 
> On 2017/6/12 11:04, Jaegeuk Kim wrote:
> > This patch resolves kernel panic for xfstests/081, caused by recent f2fs_bug_on
> > 
> >   f2fs: add f2fs_bug_on in __remove_discard_cmd
> > 
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
> > ---
> >  fs/f2fs/segment.c | 2 ++
> >  1 file changed, 2 insertions(+)
> > 
> > diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
> > index 86a0c1095939..a6d77388a806 100644
> > --- a/fs/f2fs/segment.c
> > +++ b/fs/f2fs/segment.c
> > @@ -1025,6 +1025,8 @@ static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
> >  	list_for_each_entry_safe(dc, tmp, wait_list, list) {
> >  		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
> >  			wait_for_completion_io(&dc->wait);
> > +			if (dc->state == D_DONE && dc->ref)
> > +				dc->ref--;
> 
> How about using ("f2fs: stop discard thread in prior during umount") instead of
> this one? As dereference of dc here will lead to use-after-free of the real referrer.

Yup, I'll also verify that.
Thank you. :)

> 
> Thanks,
> 
> >  			__remove_discard_cmd(sbi, dc);
> >  		} else {
> >  			dc->ref++;
> >

Patch

diff --git a/fs/f2fs/segment.c b/fs/f2fs/segment.c
index 86a0c1095939..a6d77388a806 100644
--- a/fs/f2fs/segment.c
+++ b/fs/f2fs/segment.c
@@ -1025,6 +1025,8 @@  static void __wait_discard_cmd(struct f2fs_sb_info *sbi, bool wait_cond)
 	list_for_each_entry_safe(dc, tmp, wait_list, list) {
 		if (!wait_cond || (dc->state == D_DONE && !dc->ref)) {
 			wait_for_completion_io(&dc->wait);
+			if (dc->state == D_DONE && dc->ref)
+				dc->ref--;
 			__remove_discard_cmd(sbi, dc);
 		} else {
 			dc->ref++;
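
Review bot: The added `dc->ref--` just before `__remove_discard_cmd(sbi, dc)` releases a reference that this branch never took. The only increment visible in the hunk is `dc->ref++` in the else branch, and when `wait_cond` is set the branch is entered only with `dc->ref` already zero, so the decrement can fire only on the `!wait_cond` path while some other holder still counts on the command. Removing the command immediately after clearing that holder's count leaves the holder with a pointer to a removed entry, which satisfies the f2fs_bug_on check without making the removal safe. Suggest ensuring the other holder has finished and dropped its own reference before this path runs (the thread proposes stopping the discard thread earlier during umount), or at minimum adding a comment that states whose reference is released here and why no one can still use `dc`. The commit message should also say why `dc->ref` is nonzero at this point in xfstests/081, since the hunk alone does not show it.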