ext4: fix warning in ext4_evict_inode()
authorJan Kara <jack@suse.cz>
Thu, 11 Jul 2013 01:31:04 +0000 (21:31 -0400)
committerTheodore Ts'o <tytso@mit.edu>
Thu, 11 Jul 2013 01:31:04 +0000 (21:31 -0400)
commit822dbba33458cd6ad0e715f3f4a57ebc99d54d1b
treec1fdc94004905dba9fd3ad72d7611d10b6f7c308
parent960fd856fdc3b08b3638f3f9b6b4bfceb77660c7
ext4: fix warning in ext4_evict_inode()

The following race can lead to ext4_evict_inode() seeing i_ioend_count
> 0 and thus triggering a sanity check warning:

        CPU1                                    CPU2
ext4_end_bio()                          ext4_evict_inode()
  ext4_finish_bio()
    end_page_writeback();
                                          truncate_inode_pages()
                                            evict page
                                        WARN_ON(i_ioend_count > 0);
  ext4_put_io_end_defer()
    ext4_release_io_end()
      dec i_ioend_count

This is possible use-after-free bug since we decrement i_ioend_count in
possibly released inode.

Since i_ioend_count is used only for sanity checks one possible solution
would be to just remove it but for now I'd like to keep those sanity
checks to help debugging the new ext4 writeback code.

This patch changes ext4_end_bio() to call ext4_put_io_end_defer() before
ext4_finish_bio() in the shortcut case when unwritten extent conversion
isn't needed.  In that case we don't need the io_end so we are safe to
drop it early.

Reported-by: Guenter Roeck <linux@roeck-us.net>
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
fs/ext4/page-io.c