The reference count of inode is incremented by ihold. It should be
dropped if not used. However, the reference count is not dropped if
error occurs during updating the inode or deleting orphan items. This
patch fixes the bug.
Signed-off-by: Pan Bian <[email protected]>
---
V2: move ihold just before device_initialize to make code clearer
---
fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
1 file changed, 25 insertions(+), 29 deletions(-)
diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 82fdda8..d6630df 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
u64 index;
int err;
- int drop_inode = 0;
+ int log_mode;
/* do not allow sys_link's with other subvols of the same device */
if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
@@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
1, index);
- if (err) {
- drop_inode = 1;
- } else {
- struct dentry *parent = dentry->d_parent;
- int ret;
+ if (err)
+ goto err_link;
- err = btrfs_update_inode(trans, root, inode);
+ err = btrfs_update_inode(trans, root, inode);
+ if (err)
+ goto err_link;
+ if (inode->i_nlink == 1) {
+ /*
+ * If new hard link count is 1, it's a file created
+ * with open(2) O_TMPFILE flag.
+ */
+ err = btrfs_orphan_del(trans, BTRFS_I(inode));
if (err)
- goto fail;
- if (inode->i_nlink == 1) {
- /*
- * If new hard link count is 1, it's a file created
- * with open(2) O_TMPFILE flag.
- */
- err = btrfs_orphan_del(trans, BTRFS_I(inode));
- if (err)
- goto fail;
- }
- BTRFS_I(inode)->last_link_trans = trans->transid;
- d_instantiate(dentry, inode);
- ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
- true, NULL);
- if (ret == BTRFS_NEED_TRANS_COMMIT) {
- err = btrfs_commit_transaction(trans);
- trans = NULL;
- }
+ goto err_link;
+ }
+ BTRFS_I(inode)->last_link_trans = trans->transid;
+ ihold(inode);
+ d_instantiate(dentry, inode);
+ log_mode = btrfs_log_new_name(trans, BTRFS_I(inode), NULL,
+ dentry->d_parent, true, NULL);
+ if (log_mode == BTRFS_NEED_TRANS_COMMIT) {
+ err = btrfs_commit_transaction(trans);
+ trans = NULL;
}
+err_link:
+ if (err)
+ inode_dec_link_count(inode);
fail:
if (trans)
btrfs_end_transaction(trans);
- if (drop_inode) {
- inode_dec_link_count(inode);
- iput(inode);
- }
btrfs_btree_balance_dirty(fs_info);
return err;
}
--
2.7.4
On 18.04.19 г. 14:06 ч., Pan Bian wrote:
> The reference count of inode is incremented by ihold. It should be
> dropped if not used. However, the reference count is not dropped if
> error occurs during updating the inode or deleting orphan items. This
> patch fixes the bug.
>
> Signed-off-by: Pan Bian <[email protected]>
> ---
> V2: move ihold just before device_initialize to make code clearer
> ---
> fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
> 1 file changed, 25 insertions(+), 29 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index 82fdda8..d6630df 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
> u64 index;
> int err;
> - int drop_inode = 0;
> + int log_mode;
>
> /* do not allow sys_link's with other subvols of the same device */
> if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
> @@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
> 1, index);
>
> - if (err) {
> - drop_inode = 1;
> - } else {
> - struct dentry *parent = dentry->d_parent;
> - int ret;
> + if (err)
> + goto err_link;
>
> - err = btrfs_update_inode(trans, root, inode);
> + err = btrfs_update_inode(trans, root, inode);
> + if (err)
> + goto err_link;
> + if (inode->i_nlink == 1) {
> + /*
> + * If new hard link count is 1, it's a file created
> + * with open(2) O_TMPFILE flag.
> + */
> + err = btrfs_orphan_del(trans, BTRFS_I(inode));
> if (err)
> - goto fail;
> - if (inode->i_nlink == 1) {
> - /*
> - * If new hard link count is 1, it's a file created
> - * with open(2) O_TMPFILE flag.
> - */
> - err = btrfs_orphan_del(trans, BTRFS_I(inode));
> - if (err)
> - goto fail;
> - }
> - BTRFS_I(inode)->last_link_trans = trans->transid;
> - d_instantiate(dentry, inode);
> - ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
> - true, NULL);
> - if (ret == BTRFS_NEED_TRANS_COMMIT) {
> - err = btrfs_commit_transaction(trans);
> - trans = NULL;
> - }
> + goto err_link;
> + }
> + BTRFS_I(inode)->last_link_trans = trans->transid;
> + ihold(inode);
> + d_instantiate(dentry, inode);
> + log_mode = btrfs_log_new_name(trans, BTRFS_I(inode), NULL,
> + dentry->d_parent, true, NULL);
> + if (log_mode == BTRFS_NEED_TRANS_COMMIT) {
> + err = btrfs_commit_transaction(trans);
> + trans = NULL;
> }
>
> +err_link:
> + if (err)
> + inode_dec_link_count(inode);
Any particular reason why you moved this before ending the transaction?
It potentially has an effect during tyransaction commit since doing
inode_dec_link_count does mark_inode_dirty which moves the inode on the
dirty list. Have you explicitly thought about that ? Note, I'm not
saying it's wrong but I want the rationale for the code move.
> fail:
> if (trans)
> btrfs_end_transaction(trans);
> - if (drop_inode) {
> - inode_dec_link_count(inode);
> - iput(inode);
> - }
> btrfs_btree_balance_dirty(fs_info);
> return err;
> }
>
On Thu, Apr 18, 2019 at 03:50:00PM +0300, Nikolay Borisov wrote:
>
>
> On 18.04.19 г. 14:06 ч., Pan Bian wrote:
> > The reference count of inode is incremented by ihold. It should be
> > dropped if not used. However, the reference count is not dropped if
> > error occurs during updating the inode or deleting orphan items. This
> > patch fixes the bug.
> >
> > Signed-off-by: Pan Bian <[email protected]>
> > ---
> > V2: move ihold just before device_initialize to make code clearer
> > ---
> > fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
> > 1 file changed, 25 insertions(+), 29 deletions(-)
> >
> > diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> > index 82fdda8..d6630df 100644
> > --- a/fs/btrfs/inode.c
> > +++ b/fs/btrfs/inode.c
> > @@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> > struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
> > u64 index;
> > int err;
> > - int drop_inode = 0;
> > + int log_mode;
> >
> > /* do not allow sys_link's with other subvols of the same device */
> > if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
> > @@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> > err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
> > 1, index);
> >
> > - if (err) {
> > - drop_inode = 1;
> > - } else {
> > - struct dentry *parent = dentry->d_parent;
> > - int ret;
> > + if (err)
> > + goto err_link;
> >
> > - err = btrfs_update_inode(trans, root, inode);
> > + err = btrfs_update_inode(trans, root, inode);
> > + if (err)
> > + goto err_link;
> > + if (inode->i_nlink == 1) {
> > + /*
> > + * If new hard link count is 1, it's a file created
> > + * with open(2) O_TMPFILE flag.
> > + */
> > + err = btrfs_orphan_del(trans, BTRFS_I(inode));
> > if (err)
> > - goto fail;
> > - if (inode->i_nlink == 1) {
> > - /*
> > - * If new hard link count is 1, it's a file created
> > - * with open(2) O_TMPFILE flag.
> > - */
> > - err = btrfs_orphan_del(trans, BTRFS_I(inode));
> > - if (err)
> > - goto fail;
> > - }
> > - BTRFS_I(inode)->last_link_trans = trans->transid;
> > - d_instantiate(dentry, inode);
> > - ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
> > - true, NULL);
> > - if (ret == BTRFS_NEED_TRANS_COMMIT) {
> > - err = btrfs_commit_transaction(trans);
> > - trans = NULL;
> > - }
> > + goto err_link;
> > + }
> > + BTRFS_I(inode)->last_link_trans = trans->transid;
> > + ihold(inode);
Where is the iput for this ihold?
Josef
On 18.04.19 г. 17:07 ч., Josef Bacik wrote:
> On Thu, Apr 18, 2019 at 03:50:00PM +0300, Nikolay Borisov wrote:
>>
>>
>> On 18.04.19 г. 14:06 ч., Pan Bian wrote:
>>> The reference count of inode is incremented by ihold. It should be
>>> dropped if not used. However, the reference count is not dropped if
>>> error occurs during updating the inode or deleting orphan items. This
>>> patch fixes the bug.
>>>
>>> Signed-off-by: Pan Bian <[email protected]>
>>> ---
>>> V2: move ihold just before device_initialize to make code clearer
>>> ---
>>> fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
>>> 1 file changed, 25 insertions(+), 29 deletions(-)
>>>
>>> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
>>> index 82fdda8..d6630df 100644
>>> --- a/fs/btrfs/inode.c
>>> +++ b/fs/btrfs/inode.c
>>> @@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
>>> struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
>>> u64 index;
>>> int err;
>>> - int drop_inode = 0;
>>> + int log_mode;
>>>
>>> /* do not allow sys_link's with other subvols of the same device */
>>> if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
>>> @@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
>>> err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
>>> 1, index);
>>>
>>> - if (err) {
>>> - drop_inode = 1;
>>> - } else {
>>> - struct dentry *parent = dentry->d_parent;
>>> - int ret;
>>> + if (err)
>>> + goto err_link;
>>>
>>> - err = btrfs_update_inode(trans, root, inode);
>>> + err = btrfs_update_inode(trans, root, inode);
>>> + if (err)
>>> + goto err_link;
>>> + if (inode->i_nlink == 1) {
>>> + /*
>>> + * If new hard link count is 1, it's a file created
>>> + * with open(2) O_TMPFILE flag.
>>> + */
>>> + err = btrfs_orphan_del(trans, BTRFS_I(inode));
>>> if (err)
>>> - goto fail;
>>> - if (inode->i_nlink == 1) {
>>> - /*
>>> - * If new hard link count is 1, it's a file created
>>> - * with open(2) O_TMPFILE flag.
>>> - */
>>> - err = btrfs_orphan_del(trans, BTRFS_I(inode));
>>> - if (err)
>>> - goto fail;
>>> - }
>>> - BTRFS_I(inode)->last_link_trans = trans->transid;
>>> - d_instantiate(dentry, inode);
>>> - ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
>>> - true, NULL);
>>> - if (ret == BTRFS_NEED_TRANS_COMMIT) {
>>> - err = btrfs_commit_transaction(trans);
>>> - trans = NULL;
>>> - }
>>> + goto err_link;
>>> + }
>>> + BTRFS_I(inode)->last_link_trans = trans->transid;
>>> + ihold(inode);
>
> Where is the iput for this ihold?
This ihold is sort of "given" to the d_instantiate. I.e the iput happens
when the respective dentry is unhashed/removed.
>
> Josef
>
On Thu, Apr 18, 2019 at 05:09:44PM +0300, Nikolay Borisov wrote:
>
>
> On 18.04.19 г. 17:07 ч., Josef Bacik wrote:
> > On Thu, Apr 18, 2019 at 03:50:00PM +0300, Nikolay Borisov wrote:
> >>
> >>
> >> On 18.04.19 г. 14:06 ч., Pan Bian wrote:
> >>> The reference count of inode is incremented by ihold. It should be
> >>> dropped if not used. However, the reference count is not dropped if
> >>> error occurs during updating the inode or deleting orphan items. This
> >>> patch fixes the bug.
> >>>
> >>> Signed-off-by: Pan Bian <[email protected]>
> >>> ---
> >>> V2: move ihold just before device_initialize to make code clearer
> >>> ---
> >>> fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
> >>> 1 file changed, 25 insertions(+), 29 deletions(-)
> >>>
> >>> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> >>> index 82fdda8..d6630df 100644
> >>> --- a/fs/btrfs/inode.c
> >>> +++ b/fs/btrfs/inode.c
> >>> @@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> >>> struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
> >>> u64 index;
> >>> int err;
> >>> - int drop_inode = 0;
> >>> + int log_mode;
> >>>
> >>> /* do not allow sys_link's with other subvols of the same device */
> >>> if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
> >>> @@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> >>> err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
> >>> 1, index);
> >>>
> >>> - if (err) {
> >>> - drop_inode = 1;
> >>> - } else {
> >>> - struct dentry *parent = dentry->d_parent;
> >>> - int ret;
> >>> + if (err)
> >>> + goto err_link;
> >>>
> >>> - err = btrfs_update_inode(trans, root, inode);
> >>> + err = btrfs_update_inode(trans, root, inode);
> >>> + if (err)
> >>> + goto err_link;
> >>> + if (inode->i_nlink == 1) {
> >>> + /*
> >>> + * If new hard link count is 1, it's a file created
> >>> + * with open(2) O_TMPFILE flag.
> >>> + */
> >>> + err = btrfs_orphan_del(trans, BTRFS_I(inode));
> >>> if (err)
> >>> - goto fail;
> >>> - if (inode->i_nlink == 1) {
> >>> - /*
> >>> - * If new hard link count is 1, it's a file created
> >>> - * with open(2) O_TMPFILE flag.
> >>> - */
> >>> - err = btrfs_orphan_del(trans, BTRFS_I(inode));
> >>> - if (err)
> >>> - goto fail;
> >>> - }
> >>> - BTRFS_I(inode)->last_link_trans = trans->transid;
> >>> - d_instantiate(dentry, inode);
> >>> - ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
> >>> - true, NULL);
> >>> - if (ret == BTRFS_NEED_TRANS_COMMIT) {
> >>> - err = btrfs_commit_transaction(trans);
> >>> - trans = NULL;
> >>> - }
> >>> + goto err_link;
> >>> + }
> >>> + BTRFS_I(inode)->last_link_trans = trans->transid;
> >>> + ihold(inode);
> >
> > Where is the iput for this ihold?
>
> This ihold is sort of "given" to the d_instantiate. I.e the iput happens
> when the respective dentry is unhashed/removed.
Ah that's what I was missing, thanks,
Josef
On Thu, Apr 18, 2019 at 07:06:16PM +0800, Pan Bian wrote:
> The reference count of inode is incremented by ihold. It should be
> dropped if not used. However, the reference count is not dropped if
> error occurs during updating the inode or deleting orphan items. This
> patch fixes the bug.
>
> Signed-off-by: Pan Bian <[email protected]>
> ---
> V2: move ihold just before device_initialize to make code clearer
There's nothing like device_initialize, what does this refer to?
> ---
> fs/btrfs/inode.c | 54 +++++++++++++++++++++++++-----------------------------
> 1 file changed, 25 insertions(+), 29 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index 82fdda8..d6630df 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -6579,7 +6579,7 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
> u64 index;
> int err;
> - int drop_inode = 0;
> + int log_mode;
>
> /* do not allow sys_link's with other subvols of the same device */
> if (root->root_key.objectid != BTRFS_I(inode)->root->root_key.objectid)
> @@ -6616,41 +6616,37 @@ static int btrfs_link(struct dentry *old_dentry, struct inode *dir,
> err = btrfs_add_nondir(trans, BTRFS_I(dir), dentry, BTRFS_I(inode),
> 1, index);
>
> - if (err) {
> - drop_inode = 1;
> - } else {
> - struct dentry *parent = dentry->d_parent;
> - int ret;
> + if (err)
> + goto err_link;
>
> - err = btrfs_update_inode(trans, root, inode);
> + err = btrfs_update_inode(trans, root, inode);
> + if (err)
> + goto err_link;
> + if (inode->i_nlink == 1) {
> + /*
> + * If new hard link count is 1, it's a file created
> + * with open(2) O_TMPFILE flag.
> + */
> + err = btrfs_orphan_del(trans, BTRFS_I(inode));
> if (err)
> - goto fail;
> - if (inode->i_nlink == 1) {
> - /*
> - * If new hard link count is 1, it's a file created
> - * with open(2) O_TMPFILE flag.
> - */
> - err = btrfs_orphan_del(trans, BTRFS_I(inode));
> - if (err)
> - goto fail;
> - }
> - BTRFS_I(inode)->last_link_trans = trans->transid;
> - d_instantiate(dentry, inode);
> - ret = btrfs_log_new_name(trans, BTRFS_I(inode), NULL, parent,
> - true, NULL);
> - if (ret == BTRFS_NEED_TRANS_COMMIT) {
> - err = btrfs_commit_transaction(trans);
> - trans = NULL;
> - }
> + goto err_link;
> + }
> + BTRFS_I(inode)->last_link_trans = trans->transid;
> + ihold(inode);
> + d_instantiate(dentry, inode);
So this ihold pairs with d_instantiate, and there's another ihold in the
function, before call to btrfs_add_nondir. Isn't this leaking the
references? In normal case it's 2x ihold, in error case 1x.
6645 /* There are several dir indexes for this inode, clear the cache. */
6646 BTRFS_I(inode)->dir_index = 0ULL;
6647 inc_nlink(inode);
6648 inode_inc_iversion(inode);
6649 inode->i_ctime = current_time(inode);
6650 ihold(inode);
6651 set_bit(BTRFS_INODE_COPY_EVERYTHING, &BTRFS_I(inode)->runtime_flags);
> + log_mode = btrfs_log_new_name(trans, BTRFS_I(inode), NULL,
> + dentry->d_parent, true, NULL);
> + if (log_mode == BTRFS_NEED_TRANS_COMMIT) {
> + err = btrfs_commit_transaction(trans);
> + trans = NULL;
> }
>
> +err_link:
> + if (err)
> + inode_dec_link_count(inode);
> fail:
> if (trans)
> btrfs_end_transaction(trans);
> - if (drop_inode) {
> - inode_dec_link_count(inode);
> - iput(inode);
Ie. this iput does not have any replacement in the new code.
> - }
> btrfs_btree_balance_dirty(fs_info);
> return err;
> }
> --
> 2.7.4
>