Commit ad576e63 authored by Nick Piggin's avatar Nick Piggin Committed by Linus Torvalds

[PATCH] __block_write_full_page race fix

When running
	fsstress -v -d $DIR/tmp -n 1000 -p 1000 -l 2
on an ext2 filesystem with 1024 byte block size, on SMP i386 with 4096 byte
page size over loopback to an image file on a tmpfs filesystem, I would
very quickly hit
	BUG_ON(!buffer_async_write(bh));
in fs/buffer.c:end_buffer_async_write

It seems that more than one request would be submitted for a given bh
at a time.

What would happen is the following:
2 threads doing __mpage_writepages on the same page.
Thread 1 - lock the page first, and enter __block_write_full_page.
Thread 1 - (eg.) mark_buffer_async_write on the first 2 buffers.
Thread 1 - set page writeback, unlock page.
Thread 2 - lock page, wait on page writeback
Thread 1 - submit_bh on the first 2 buffers.
=> both requests complete, none of the page buffers are async_write,
   end_page_writeback is called.
Thread 2 - wakes up. enters __block_write_full_page.
Thread 2 - mark_buffer_async_write on (eg.) the last buffer
Thread 1 - finds the last buffer has async_write set, submit_bh on that.
Thread 2 - submit_bh on the last buffer.
=> oops.

So change __block_write_full_page to explicitly keep track of the last bh
we need to issue, so we don't touch anything after issuing the last
request.
Signed-off-by: default avatarNick Piggin <nickpiggin@yahoo.com.au>
Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
parent f3ddbdc6
...@@ -1751,7 +1751,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page, ...@@ -1751,7 +1751,7 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
int err; int err;
sector_t block; sector_t block;
sector_t last_block; sector_t last_block;
struct buffer_head *bh, *head; struct buffer_head *bh, *head, *last_bh = NULL;
int nr_underway = 0; int nr_underway = 0;
BUG_ON(!PageLocked(page)); BUG_ON(!PageLocked(page));
...@@ -1809,7 +1809,6 @@ static int __block_write_full_page(struct inode *inode, struct page *page, ...@@ -1809,7 +1809,6 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
} while (bh != head); } while (bh != head);
do { do {
get_bh(bh);
if (!buffer_mapped(bh)) if (!buffer_mapped(bh))
continue; continue;
/* /*
...@@ -1827,6 +1826,8 @@ static int __block_write_full_page(struct inode *inode, struct page *page, ...@@ -1827,6 +1826,8 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
} }
if (test_clear_buffer_dirty(bh)) { if (test_clear_buffer_dirty(bh)) {
mark_buffer_async_write(bh); mark_buffer_async_write(bh);
get_bh(bh);
last_bh = bh;
} else { } else {
unlock_buffer(bh); unlock_buffer(bh);
} }
...@@ -1845,10 +1846,13 @@ static int __block_write_full_page(struct inode *inode, struct page *page, ...@@ -1845,10 +1846,13 @@ static int __block_write_full_page(struct inode *inode, struct page *page,
if (buffer_async_write(bh)) { if (buffer_async_write(bh)) {
submit_bh(WRITE, bh); submit_bh(WRITE, bh);
nr_underway++; nr_underway++;
}
put_bh(bh); put_bh(bh);
if (bh == last_bh)
break;
}
bh = next; bh = next;
} while (bh != head); } while (bh != head);
bh = head;
err = 0; err = 0;
done: done:
...@@ -1887,10 +1891,11 @@ recover: ...@@ -1887,10 +1891,11 @@ recover:
bh = head; bh = head;
/* Recovery: lock and submit the mapped buffers */ /* Recovery: lock and submit the mapped buffers */
do { do {
get_bh(bh);
if (buffer_mapped(bh) && buffer_dirty(bh)) { if (buffer_mapped(bh) && buffer_dirty(bh)) {
lock_buffer(bh); lock_buffer(bh);
mark_buffer_async_write(bh); mark_buffer_async_write(bh);
get_bh(bh);
last_bh = bh;
} else { } else {
/* /*
* The buffer may have been set dirty during * The buffer may have been set dirty during
...@@ -1909,10 +1914,13 @@ recover: ...@@ -1909,10 +1914,13 @@ recover:
clear_buffer_dirty(bh); clear_buffer_dirty(bh);
submit_bh(WRITE, bh); submit_bh(WRITE, bh);
nr_underway++; nr_underway++;
}
put_bh(bh); put_bh(bh);
if (bh == last_bh)
break;
}
bh = next; bh = next;
} while (bh != head); } while (bh != head);
bh = head;
goto done; goto done;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment