From: Darrick J. Wong <djwong@xxxxxxxxxx>
When we're servicing an INUMBERS or BULKSTAT request, grab an empty
transaction so that we don't hit an ABBA buffer deadlock if the inode
btree contains a cycle.
Found by fuzzing an inode btree pointer to introduce a cycle into the
tree (xfs/365).
Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx>
---
fs/xfs/xfs_itable.c | 46 ++++++++++++++++++++++++++++++++++++++++++----
1 file changed, 42 insertions(+), 4 deletions(-)
diff --git a/fs/xfs/xfs_itable.c b/fs/xfs/xfs_itable.c
index ca310a125d1e..2339a1874efa 100644
--- a/fs/xfs/xfs_itable.c
+++ b/fs/xfs/xfs_itable.c
@@ -19,6 +19,7 @@
#include "xfs_error.h"
#include "xfs_icache.h"
#include "xfs_health.h"
+#include "xfs_trans.h"
/*
* Bulk Stat
@@ -166,6 +167,7 @@ xfs_bulkstat_one(
.formatter = formatter,
.breq = breq,
};
+ struct xfs_trans *tp;
int error;
ASSERT(breq->icount == 1);
@@ -175,9 +177,20 @@ xfs_bulkstat_one(
if (!bc.buf)
return -ENOMEM;
+ /*
+ * Grab freeze protection and allocate an empty transaction so that
+ * we avoid deadlocking if the inobt is corrupt.
+ */
+ sb_start_write(breq->mp->m_super);
+ error = xfs_trans_alloc_empty(breq->mp, &tp);
+ if (error)
+ goto out;
+
error = xfs_bulkstat_one_int(breq->mp, breq->mnt_userns, NULL,
breq->startino, &bc);
-
+ xfs_trans_cancel(tp);
+out:
+ sb_end_write(breq->mp->m_super);
kmem_free(bc.buf);
/*
@@ -241,6 +254,7 @@ xfs_bulkstat(
.formatter = formatter,
.breq = breq,
};
+ struct xfs_trans *tp;
int error;
if (breq->mnt_userns != &init_user_ns) {
@@ -256,9 +270,20 @@ xfs_bulkstat(
if (!bc.buf)
return -ENOMEM;
- error = xfs_iwalk(breq->mp, NULL, breq->startino, breq->flags,
+ /*
+ * Grab freeze protection and allocate an empty transaction so that
+ * we avoid deadlocking if the inobt is corrupt.
+ */
+ sb_start_write(breq->mp->m_super);
+ error = xfs_trans_alloc_empty(breq->mp, &tp);
+ if (error)
+ goto out;
+
+ error = xfs_iwalk(breq->mp, tp, breq->startino, breq->flags,
xfs_bulkstat_iwalk, breq->icount, &bc);
-
+ xfs_trans_cancel(tp);
+out:
+ sb_end_write(breq->mp->m_super);
kmem_free(bc.buf);
/*
@@ -371,13 +396,26 @@ xfs_inumbers(
.formatter = formatter,
.breq = breq,
};
+ struct xfs_trans *tp;
int error = 0;
if (xfs_bulkstat_already_done(breq->mp, breq->startino))
return 0;
- error = xfs_inobt_walk(breq->mp, NULL, breq->startino, breq->flags,
+ /*
+ * Grab freeze protection and allocate an empty transaction so that
+ * we avoid deadlocking if the inobt is corrupt.
+ */
+ sb_start_write(breq->mp->m_super);
+ error = xfs_trans_alloc_empty(breq->mp, &tp);
+ if (error)
+ goto out;
+
+ error = xfs_inobt_walk(breq->mp, tp, breq->startino, breq->flags,
xfs_inumbers_walk, breq->icount, &ic);
+ xfs_trans_cancel(tp);
+out:
+ sb_end_write(breq->mp->m_super);
/*
* We found some inode groups, so clear the error status and return
