Re: xfs_vm_releasepage() causing BUG at free_buffer_head()

Hi,

First off, I didn't mean to imply that this is exactly the same problem,
merely a related symptom due to buffer shrinking crashing your party.

On 07/19/16 10:43, Alex Lyakas wrote:
> Thank you for your response. I see that xfs_finish_page_writeback()
> has been added very recently and is called from xfs_destroy_ioend().
> In my kernel (3.18.19), the xfs_destroy_ioend() is [1]. I think it
> doesn't suffer from the problem of xfs_finish_page_writeback().
> Looking at other usage of "b_this_page" in my kernel, they all seem
> valid, and similar to what Linus's tree has.

Unwinding this a bit, all I superficially understand is that

  e10de3723c "don't chain ioends during writepage submission"

made the window for bh corruption smaller, and then both

  bb18782aa4 "build bios directly in xfs_add_to_ioend" and
  37992c18bb "don't release bios on completion immediately"

changed that to track page state instead, presumably because
the bh traversing was indeed racy. That was still incomplete, as
Calvin found.

So I don't see why your current version of xfs_submit_ioend() wouldn't
suffer from the same problem(s). You just walked into the bh BUG later,
instead of a use-after-free as it can happen now.

> Looking at b_private usage to link buffer heads, the only suspicious
> code is in xfs_submit_ioend():
> 
>        for (bh = ioend->io_buffer_head; bh; bh = bh->b_private) {
> 
>            if (!bio) {
> retry:
>                bio = xfs_alloc_ioend_bio(bh);
>            } else if (bh->b_blocknr != lastblock + 1) {
>                xfs_submit_ioend_bio(wbc, ioend, bio);
>                goto retry;
>            }
> 
>            if (xfs_bio_add_buffer(bio, bh) != bh->b_size) {
>                xfs_submit_ioend_bio(wbc, ioend, bio);
>                goto retry;
>            }
> 
>            lastblock = bh->b_blocknr;
>        }
>
> Can it happen that when the for loop does "bh = bh->b_private", the
> bh has already been completed and freed? With this in mind, the "goto
> retry" also seems suspicious for the same reason.
> 
> What do you think?

I think all this is dark and full of terrors. As for what you could
do - other than backport half of mainline XFS - I guess only Dave can
make a realistic suggestion.

-h
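To make the hazard Alex describes concrete, here is a constructed simulation (added here, not XFS code and not from anyone in this thread): a chain of nodes linked the way buffer heads are linked through b_private, a submit() that models the worst case where completion releases the node synchronously, and the quoted loop shape next to the safe shape that reads the link before submitting. The arena, node, walk_result and read_next names are all assumptions of this model.

```c
#include <stdbool.h>
#include <stddef.h>

/* Stand-in for a buffer_head: ->next plays the role of b_private. */
struct node { bool in_use; struct node *next; };
struct walk_result { int submitted; int stale_reads; };

/* Fixed arena, not malloc/free: a stale read is observable, not UB. */
static struct node arena[4];

static void reset_chain(void) {
    for (int i = 0; i < 4; i++) {
        arena[i].in_use = true;
        arena[i].next = (i + 1 < 4) ? &arena[i + 1] : NULL;
    }
}

/* Worst case: synchronous completion releases the node and poisons its link. */
static void submit(struct node *n) {
    n->in_use = false;
    n->next = NULL;
}

/* All reads of ->next go through here so stale reads can be counted. */
static struct node *read_next(const struct node *n, struct walk_result *r) {
    if (!n->in_use)
        r->stale_reads++;
    return n->next;
}

/* Shape of the quoted loop: ->next is read after the node may be gone. */
static struct walk_result walk_unsafe(struct node *head) {
    struct walk_result r = {0, 0};
    for (struct node *n = head; n; n = read_next(n, &r)) {
        submit(n);
        r.submitted++;
    }
    return r;
}

/* Safe shape (list_for_each_safe idiom): take ->next before releasing n. */
static struct walk_result walk_safe(struct node *head) {
    struct walk_result r = {0, 0};
    for (struct node *n = head, *next; n; n = next) {
        next = read_next(n, &r);
        submit(n);
        r.submitted++;
    }
    return r;
}
```

With the poisoned link the unsafe walk stops after the first node and silently drops the rest of the chain; with real freed memory the same read would be the use-after-free, and either symptom is what a KASAN build or a later free_buffer_head() BUG would surface.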

_______________________________________________
xfs mailing list
xfs@xxxxxxxxxxx
http://oss.sgi.com/mailman/listinfo/xfs