Message ID | 20190401125440.29962-2-andrea.righi@canonical.com |
---|---|
State | New |
Headers | show |
Series | btrfs: raid56: fix page unmapping bug | expand |
On 4/1/19 2:54 PM, Andrea Righi wrote: > Buglink: https://bugs.launchpad.net/bugs/1812845 > > Parity page is incorrectly unmapped in finish_parity_scrub(), triggering > a reference counter bug on i386, i.e.: > > [ 157.662401] kernel BUG at mm/highmem.c:349! > [ 157.666725] invalid opcode: 0000 [#1] SMP PTI > > The reason is that kunmap(p_page) was completely left out, so we never > did an unmap for the p_page and the loop unmapping the rbio page was > iterating over the wrong number of stripes: unmapping should be done > with nr_data instead of rbio->real_stripes. > > Test case to reproduce the bug: > > - create a raid5 btrfs filesystem: > # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde > > - mount it: > # mount /dev/sdb /mnt > > - run btrfs scrub in a loop: > # while :; do btrfs scrub start -BR /mnt; done > > BugLink: https://bugs.launchpad.net/bugs/1812845 > Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56") > CC: stable@vger.kernel.org # 4.4+ > Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> > Reviewed-by: David Sterba <dsterba@suse.com> > Signed-off-by: David Sterba <dsterba@suse.com> > (cherry picked from commit 3897b6f0a859288c22fb793fad11ec2327e60fcd) > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> Same patch already ack'ed for B/C. Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> > --- > fs/btrfs/raid56.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c > index e74455eb42f9..6976e2280771 100644 > --- a/fs/btrfs/raid56.c > +++ b/fs/btrfs/raid56.c > @@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio, > bitmap_clear(rbio->dbitmap, pagenr, 1); > kunmap(p); > > - for (stripe = 0; stripe < rbio->real_stripes; stripe++) > + for (stripe = 0; stripe < nr_data; stripe++) > kunmap(page_in_rbio(rbio, stripe, pagenr, 0)); > + kunmap(p_page); > } > > __free_page(p_page);
Clean cherry-pick, nice SRU.
Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Applied to disco master-next branch. Thanks. Cascardo.
On 4/1/19 2:54 PM, Andrea Righi wrote: > Buglink: https://bugs.launchpad.net/bugs/1812845 > > Parity page is incorrectly unmapped in finish_parity_scrub(), triggering > a reference counter bug on i386, i.e.: > > [ 157.662401] kernel BUG at mm/highmem.c:349! > [ 157.666725] invalid opcode: 0000 [#1] SMP PTI > > The reason is that kunmap(p_page) was completely left out, so we never > did an unmap for the p_page and the loop unmapping the rbio page was > iterating over the wrong number of stripes: unmapping should be done > with nr_data instead of rbio->real_stripes. > > Test case to reproduce the bug: > > - create a raid5 btrfs filesystem: > # mkfs.btrfs -m raid5 -d raid5 /dev/sdb /dev/sdc /dev/sdd /dev/sde > > - mount it: > # mount /dev/sdb /mnt > > - run btrfs scrub in a loop: > # while :; do btrfs scrub start -BR /mnt; done > > BugLink: https://bugs.launchpad.net/bugs/1812845 > Fixes: 5a6ac9eacb49 ("Btrfs, raid56: support parity scrub on raid56") > CC: stable@vger.kernel.org # 4.4+ > Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de> > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> > Reviewed-by: David Sterba <dsterba@suse.com> > Signed-off-by: David Sterba <dsterba@suse.com> > (cherry picked from commit 3897b6f0a859288c22fb793fad11ec2327e60fcd) > Signed-off-by: Andrea Righi <andrea.righi@canonical.com> > --- > fs/btrfs/raid56.c | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c > index e74455eb42f9..6976e2280771 100644 > --- a/fs/btrfs/raid56.c > +++ b/fs/btrfs/raid56.c > @@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio, > bitmap_clear(rbio->dbitmap, pagenr, 1); > kunmap(p); > > - for (stripe = 0; stripe < rbio->real_stripes; stripe++) > + for (stripe = 0; stripe < nr_data; stripe++) > kunmap(page_in_rbio(rbio, stripe, pagenr, 0)); > + kunmap(p_page); > } > > __free_page(p_page); > Applied to xenial/master-next branch. Thanks, Kleber
diff --git a/fs/btrfs/raid56.c b/fs/btrfs/raid56.c index e74455eb42f9..6976e2280771 100644 --- a/fs/btrfs/raid56.c +++ b/fs/btrfs/raid56.c @@ -2429,8 +2429,9 @@ static noinline void finish_parity_scrub(struct btrfs_raid_bio *rbio, bitmap_clear(rbio->dbitmap, pagenr, 1); kunmap(p); - for (stripe = 0; stripe < rbio->real_stripes; stripe++) + for (stripe = 0; stripe < nr_data; stripe++) kunmap(page_in_rbio(rbio, stripe, pagenr, 0)); + kunmap(p_page); } __free_page(p_page);