btrfs: fix crash in remount(thread_pool=) case

Message ID	1396857346-24877-1-git-send-email-slyich@gmail.com (mailing list archive)
State	Accepted
Headers	show Return-Path: <linux-btrfs-owner@kernel.org> sender: slyfox) by smtp.gentoo.org (Postfix) with ESMTPSA id BDC3D33FD21; Mon, 7 Apr 2014 07:56:02 +0000 (UTC) From: Sergei Trofimovich <slyich@gmail.com> To: Qu Wenruo <quwenruo@cn.fujitsu.com> Cc: Sergei Trofimovich <slyfox@gentoo.org>, Chris Mason <clm@fb.com>, Josef Bacik <jbacik@fb.com>, linux-btrfs@vger.kernel.org Subject: [PATCH] btrfs: fix crash in remount(thread_pool=) case Date: Mon, 7 Apr 2014 10:55:46 +0300 Message-Id: <1396857346-24877-1-git-send-email-slyich@gmail.com> Sender: linux-btrfs-owner@vger.kernel.org Precedence: bulk

Message ID

1396857346-24877-1-git-send-email-slyich@gmail.com (mailing list archive)

State

Accepted

Headers

From: Sergei Trofimovich <slyich@gmail.com>
To: Qu Wenruo <quwenruo@cn.fujitsu.com>
Cc: Sergei Trofimovich <slyfox@gentoo.org>, Chris Mason <clm@fb.com>,
	Josef Bacik <jbacik@fb.com>, linux-btrfs@vger.kernel.org
Subject: [PATCH] btrfs: fix crash in remount(thread_pool=) case
Date: Mon,  7 Apr 2014 10:55:46 +0300
Message-Id: <1396857346-24877-1-git-send-email-slyich@gmail.com>
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk

Commit Message

Sergei Trofimovich April 7, 2014, 7:55 a.m. UTC

From: Sergei Trofimovich <slyfox@gentoo.org>

Reproducer:
    mount /dev/ubda /mnt
    mount -oremount,thread_pool=42 /mnt

Gives a crash:
    ? btrfs_workqueue_set_max+0x0/0x70
    btrfs_resize_thread_pool+0xe3/0xf0
    ? sync_filesystem+0x0/0xc0
    ? btrfs_resize_thread_pool+0x0/0xf0
    btrfs_remount+0x1d2/0x570
    ? kern_path+0x0/0x80
    do_remount_sb+0xd9/0x1c0
    do_mount+0x26a/0xbf0
    ? kfree+0x0/0x1b0
    SyS_mount+0xc4/0x110

It's a call
    btrfs_workqueue_set_max(fs_info->scrub_wr_completion_workers, new_pool_size);
with
    fs_info->scrub_wr_completion_workers = NULL;

as scrub wqs get created only on user's demand.

Patch skips not-created-yet workqueues.

Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
CC: Qu Wenruo <quwenruo@cn.fujitsu.com>
CC: Chris Mason <clm@fb.com>
CC: Josef Bacik <jbacik@fb.com>
CC: linux-btrfs@vger.kernel.org

---
 fs/btrfs/async-thread.c | 2 ++
 1 file changed, 2 insertions(+)

Comments

Qu Wenruo April 8, 2014, 1:28 a.m. UTC | #1

? 2014?04?07? 15:55, Sergei Trofimovich ??:
> From: Sergei Trofimovich <slyfox@gentoo.org>
>
> Reproducer:
>      mount /dev/ubda /mnt
>      mount -oremount,thread_pool=42 /mnt
>
> Gives a crash:
>      ? btrfs_workqueue_set_max+0x0/0x70
>      btrfs_resize_thread_pool+0xe3/0xf0
>      ? sync_filesystem+0x0/0xc0
>      ? btrfs_resize_thread_pool+0x0/0xf0
>      btrfs_remount+0x1d2/0x570
>      ? kern_path+0x0/0x80
>      do_remount_sb+0xd9/0x1c0
>      do_mount+0x26a/0xbf0
>      ? kfree+0x0/0x1b0
>      SyS_mount+0xc4/0x110
>
> It's a call
>      btrfs_workqueue_set_max(fs_info->scrub_wr_completion_workers, new_pool_size);
> with
>      fs_info->scrub_wr_completion_workers = NULL;
>
> as scrub wqs get created only on user's demand.
>
> Patch skips not-created-yet workqueues.
>
> Signed-off-by: Sergei Trofimovich <slyfox@gentoo.org>
> CC: Qu Wenruo <quwenruo@cn.fujitsu.com>
> CC: Chris Mason <clm@fb.com>
> CC: Josef Bacik <jbacik@fb.com>
> CC: linux-btrfs@vger.kernel.org
>
> ---
>   fs/btrfs/async-thread.c | 2 ++
>   1 file changed, 2 insertions(+)
>
> diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
> index ecb5832..5a201d8 100644
> --- a/fs/btrfs/async-thread.c
> +++ b/fs/btrfs/async-thread.c
> @@ -323,6 +323,8 @@ void btrfs_destroy_workqueue(struct btrfs_workqueue *wq)
>   
>   void btrfs_workqueue_set_max(struct btrfs_workqueue *wq, int max)
>   {
> +	if (!wq)
> +		return;
>   	wq->normal->max_active = max;
>   	if (wq->high)
>   		wq->high->max_active = max;
Oh, that's my fault. You got me.

Thanks for the patch.
Qu.
--
To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/fs/btrfs/async-thread.c b/fs/btrfs/async-thread.c
index ecb5832..5a201d8 100644
--- a/fs/btrfs/async-thread.c
+++ b/fs/btrfs/async-thread.c
@@ -323,6 +323,8 @@  void btrfs_destroy_workqueue(struct btrfs_workqueue *wq)
 
 void btrfs_workqueue_set_max(struct btrfs_workqueue *wq, int max)
 {
+	if (!wq)
+		return;
 	wq->normal->max_active = max;
 	if (wq->high)
 		wq->high->max_active = max;