Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge tag 'for-4.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux
Pull btrfs fixes from David Sterba:
"We have a few assorted fixes, some of them show up during fstests so I
gave them more testing"
* tag 'for-4.16-rc1-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
Btrfs: fix null pointer dereference when replacing missing device
btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
btrfs: Ignore errors from btrfs_qgroup_trace_extent_post
Btrfs: fix unexpected -EEXIST when creating new inode
Btrfs: fix use-after-free on root->orphan_block_rsv
Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly
Btrfs: fix extent state leak from tree log
Btrfs: fix crash due to not cleaning up tree log block's dirty bits
Btrfs: fix deadlock in run_delalloc_nocow
+81
-22
+10
-1
fs/btrfs/backref.c
+10
-1
fs/btrfs/backref.c
···
1264
1264
while (node) {
1265
1265
ref = rb_entry(node, struct prelim_ref, rbnode);
1266
1266
node = rb_next(&ref->rbnode);
1267
-
WARN_ON(ref->count < 0);
1267
+
/*
1268
+
* ref->count < 0 can happen here if there are delayed
1269
+
* refs with a node->action of BTRFS_DROP_DELAYED_REF.
1270
+
* prelim_ref_insert() relies on this when merging
1271
+
* identical refs to keep the overall count correct.
1272
+
* prelim_ref_insert() will merge only those refs
1273
+
* which compare identically. Any refs having
1274
+
* e.g. different offsets would not be merged,
1275
+
* and would retain their original ref->count < 0.
1276
+
*/
1268
1277
if (roots && ref->count && ref->root_id && ref->parent == 0) {
1269
1278
if (sc && sc->root_objectid &&
1270
1279
ref->root_id != sc->root_objectid) {
+2
-1
fs/btrfs/delayed-ref.c
+2
-1
fs/btrfs/delayed-ref.c
+4
fs/btrfs/extent-tree.c
+4
fs/btrfs/extent-tree.c
+27
-16
fs/btrfs/inode.c
+27
-16
fs/btrfs/inode.c
···
1335
1335
leaf = path->nodes[0];
1336
1336
if (path->slots[0] >= btrfs_header_nritems(leaf)) {
1337
1337
ret = btrfs_next_leaf(root, path);
1338
-
if (ret < 0)
1338
+
if (ret < 0) {
1339
+
if (cow_start != (u64)-1)
1340
+
cur_offset = cow_start;
1339
1341
goto error;
1342
+
}
1340
1343
if (ret > 0)
1341
1344
break;
1342
1345
leaf = path->nodes[0];
···
3388
3385
ret = btrfs_orphan_reserve_metadata(trans, inode);
3389
3386
ASSERT(!ret);
3390
3387
if (ret) {
3388
+
/*
3389
+
* dec doesn't need spin_lock as ->orphan_block_rsv
3390
+
* would be released only if ->orphan_inodes is
3391
+
* zero.
3392
+
*/
3391
3393
atomic_dec(&root->orphan_inodes);
3392
3394
clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
3393
3395
&inode->runtime_flags);
···
3407
3399
if (insert >= 1) {
3408
3400
ret = btrfs_insert_orphan_item(trans, root, btrfs_ino(inode));
3409
3401
if (ret) {
3410
-
atomic_dec(&root->orphan_inodes);
3411
3402
if (reserve) {
3412
3403
clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
3413
3404
&inode->runtime_flags);
3414
3405
btrfs_orphan_release_metadata(inode);
3415
3406
}
3407
+
/*
3408
+
* btrfs_orphan_commit_root may race with us and set
3409
+
* ->orphan_block_rsv to zero, in order to avoid that,
3410
+
* decrease ->orphan_inodes after everything is done.
3411
+
*/
3412
+
atomic_dec(&root->orphan_inodes);
3416
3413
if (ret != -EEXIST) {
3417
3414
clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
3418
3415
&inode->runtime_flags);
···
3449
3436
{
3450
3437
struct btrfs_root *root = inode->root;
3451
3438
int delete_item = 0;
3452
-
int release_rsv = 0;
3453
3439
int ret = 0;
3454
3440
3455
-
spin_lock(&root->orphan_lock);
3456
3441
if (test_and_clear_bit(BTRFS_INODE_HAS_ORPHAN_ITEM,
3457
3442
&inode->runtime_flags))
3458
3443
delete_item = 1;
3459
3444
3445
+
if (delete_item && trans)
3446
+
ret = btrfs_del_orphan_item(trans, root, btrfs_ino(inode));
3447
+
3460
3448
if (test_and_clear_bit(BTRFS_INODE_ORPHAN_META_RESERVED,
3461
3449
&inode->runtime_flags))
3462
-
release_rsv = 1;
3463
-
spin_unlock(&root->orphan_lock);
3464
-
3465
-
if (delete_item) {
3466
-
atomic_dec(&root->orphan_inodes);
3467
-
if (trans)
3468
-
ret = btrfs_del_orphan_item(trans, root,
3469
-
btrfs_ino(inode));
3470
-
}
3471
-
3472
-
if (release_rsv)
3473
3450
btrfs_orphan_release_metadata(inode);
3451
+
3452
+
/*
3453
+
* btrfs_orphan_commit_root may race with us and set ->orphan_block_rsv
3454
+
* to zero, in order to avoid that, decrease ->orphan_inodes after
3455
+
* everything is done.
3456
+
*/
3457
+
if (delete_item)
3458
+
atomic_dec(&root->orphan_inodes);
3474
3459
3475
3460
return ret;
3476
3461
}
···
5292
5281
trace_btrfs_inode_evict(inode);
5293
5282
5294
5283
if (!root) {
5295
-
kmem_cache_free(btrfs_inode_cachep, BTRFS_I(inode));
5284
+
clear_inode(inode);
5296
5285
return;
5297
5286
}
5298
5287
+7
-2
fs/btrfs/qgroup.c
+7
-2
fs/btrfs/qgroup.c
···
1442
1442
int ret;
1443
1443
1444
1444
ret = btrfs_find_all_roots(NULL, fs_info, bytenr, 0, &old_root, false);
1445
-
if (ret < 0)
1446
-
return ret;
1445
+
if (ret < 0) {
1446
+
fs_info->qgroup_flags |= BTRFS_QGROUP_STATUS_FLAG_INCONSISTENT;
1447
+
btrfs_warn(fs_info,
1448
+
"error accounting new delayed refs extent (err code: %d), quota inconsistent",
1449
+
ret);
1450
+
return 0;
1451
+
}
1447
1452
1448
1453
/*
1449
1454
* Here we don't need to get the lock of
+30
-2
fs/btrfs/tree-log.c
+30
-2
fs/btrfs/tree-log.c
···
29
29
#include "hash.h"
30
30
#include "compression.h"
31
31
#include "qgroup.h"
32
+
#include "inode-map.h"
32
33
33
34
/* magic values for the inode_only field in btrfs_log_inode:
34
35
*
···
2473
2472
clean_tree_block(fs_info, next);
2474
2473
btrfs_wait_tree_block_writeback(next);
2475
2474
btrfs_tree_unlock(next);
2475
+
} else {
2476
+
if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
2477
+
clear_extent_buffer_dirty(next);
2476
2478
}
2477
2479
2478
2480
WARN_ON(root_owner !=
···
2556
2552
clean_tree_block(fs_info, next);
2557
2553
btrfs_wait_tree_block_writeback(next);
2558
2554
btrfs_tree_unlock(next);
2555
+
} else {
2556
+
if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
2557
+
clear_extent_buffer_dirty(next);
2559
2558
}
2560
2559
2561
2560
WARN_ON(root_owner != BTRFS_TREE_LOG_OBJECTID);
···
2637
2630
clean_tree_block(fs_info, next);
2638
2631
btrfs_wait_tree_block_writeback(next);
2639
2632
btrfs_tree_unlock(next);
2633
+
} else {
2634
+
if (test_and_clear_bit(EXTENT_BUFFER_DIRTY, &next->bflags))
2635
+
clear_extent_buffer_dirty(next);
2640
2636
}
2641
2637
2642
2638
WARN_ON(log->root_key.objectid !=
···
3028
3018
3029
3019
while (1) {
3030
3020
ret = find_first_extent_bit(&log->dirty_log_pages,
3031
-
0, &start, &end, EXTENT_DIRTY | EXTENT_NEW,
3021
+
0, &start, &end,
3022
+
EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT,
3032
3023
NULL);
3033
3024
if (ret)
3034
3025
break;
3035
3026
3036
3027
clear_extent_bits(&log->dirty_log_pages, start, end,
3037
-
EXTENT_DIRTY | EXTENT_NEW);
3028
+
EXTENT_DIRTY | EXTENT_NEW | EXTENT_NEED_WAIT);
3038
3029
}
3039
3030
3040
3031
/*
···
5686
5675
if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
5687
5676
ret = fixup_inode_link_counts(trans, wc.replay_dest,
5688
5677
path);
5678
+
}
5679
+
5680
+
if (!ret && wc.stage == LOG_WALK_REPLAY_ALL) {
5681
+
struct btrfs_root *root = wc.replay_dest;
5682
+
5683
+
btrfs_release_path(path);
5684
+
5685
+
/*
5686
+
* We have just replayed everything, and the highest
5687
+
* objectid of fs roots probably has changed in case
5688
+
* some inode_item's got replayed.
5689
+
*
5690
+
* root->objectid_mutex is not acquired as log replay
5691
+
* could only happen during mount.
5692
+
*/
5693
+
ret = btrfs_find_highest_objectid(root,
5694
+
&root->highest_objectid);
5689
5695
}
5690
5696
5691
5697
key.offset = found_key.offset - 1;