gfs2: keep bios separate for each journal

The recovery func can recover multiple journals, but they were all using
the same bio. This resulted in use-after-free related to sdp->sd_log_bio.
This patch moves the variable to the journal descriptor, jd, so that
every recovery can operate on its own bio. And hopefully we never run out.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>

diff --git a/fs/gfs2/incore.h b/fs/gfs2/incore.h
index 8e1ab8e..9933af0 100644 (file)
--- a/fs/gfs2/incore.h
+++ b/fs/gfs2/incore.h
@@ -531,6 +531,7 @@ struct gfs2_jdesc {
        unsigned int nr_extents;
        struct work_struct jd_work;
        struct inode *jd_inode;
+       struct bio *jd_log_bio;
        unsigned long jd_flags;
 #define JDF_RECOVERY 1
        unsigned int jd_jid;
@@ -844,7 +845,6 @@ struct gfs2_sbd {
 
        struct rw_semaphore sd_log_flush_lock;
        atomic_t sd_log_in_flight;
-       struct bio *sd_log_bio;
        wait_queue_head_t sd_log_flush_wait;
        int sd_log_error; /* First log error */
        wait_queue_head_t sd_withdraw_wait;

diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 41d13f1..d3fa14e 100644 (file)
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -822,8 +822,8 @@ void gfs2_write_log_header(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd,
                     sb->s_blocksize - LH_V1_SIZE - 4);
        lh->lh_crc = cpu_to_be32(crc);
 
-       gfs2_log_write(sdp, page, sb->s_blocksize, 0, dblock);
-       gfs2_log_submit_bio(&sdp->sd_log_bio, REQ_OP_WRITE | op_flags);
+       gfs2_log_write(sdp, jd, page, sb->s_blocksize, 0, dblock);
+       gfs2_log_submit_bio(&jd->jd_log_bio, REQ_OP_WRITE | op_flags);
 out:
        log_flush_wait(sdp);
 }
@@ -999,7 +999,7 @@ void gfs2_log_flush(struct gfs2_sbd *sdp, struct gfs2_glock *gl, u32 flags)
        lops_before_commit(sdp, tr);
        if (gfs2_withdrawn(sdp))
                goto out_withdraw;
-       gfs2_log_submit_bio(&sdp->sd_log_bio, REQ_OP_WRITE);
+       gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
        if (gfs2_withdrawn(sdp))
                goto out_withdraw;
 

diff --git a/fs/gfs2/lops.c b/fs/gfs2/lops.c
index 9e9dd48..921e156 100644 (file)
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -322,17 +322,18 @@ static struct bio *gfs2_log_get_bio(struct gfs2_sbd *sdp, u64 blkno,
  * then add the page segment to that.
  */
 
-void gfs2_log_write(struct gfs2_sbd *sdp, struct page *page,
-                   unsigned size, unsigned offset, u64 blkno)
+void gfs2_log_write(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd,
+                   struct page *page, unsigned size, unsigned offset,
+                   u64 blkno)
 {
        struct bio *bio;
        int ret;
 
-       bio = gfs2_log_get_bio(sdp, blkno, &sdp->sd_log_bio, REQ_OP_WRITE,
+       bio = gfs2_log_get_bio(sdp, blkno, &jd->jd_log_bio, REQ_OP_WRITE,
                               gfs2_end_log_write, false);
        ret = bio_add_page(bio, page, size, offset);
        if (ret == 0) {
-               bio = gfs2_log_get_bio(sdp, blkno, &sdp->sd_log_bio,
+               bio = gfs2_log_get_bio(sdp, blkno, &jd->jd_log_bio,
                                       REQ_OP_WRITE, gfs2_end_log_write, true);
                ret = bio_add_page(bio, page, size, offset);
                WARN_ON(ret == 0);
@@ -355,7 +356,8 @@ static void gfs2_log_write_bh(struct gfs2_sbd *sdp, struct buffer_head *bh)
 
        dblock = gfs2_log_bmap(sdp->sd_jdesc, sdp->sd_log_flush_head);
        gfs2_log_incr_head(sdp);
-       gfs2_log_write(sdp, bh->b_page, bh->b_size, bh_offset(bh), dblock);
+       gfs2_log_write(sdp, sdp->sd_jdesc, bh->b_page, bh->b_size,
+                      bh_offset(bh), dblock);
 }
 
 /**
@@ -376,7 +378,7 @@ static void gfs2_log_write_page(struct gfs2_sbd *sdp, struct page *page)
 
        dblock = gfs2_log_bmap(sdp->sd_jdesc, sdp->sd_log_flush_head);
        gfs2_log_incr_head(sdp);
-       gfs2_log_write(sdp, page, sb->s_blocksize, 0, dblock);
+       gfs2_log_write(sdp, sdp->sd_jdesc, page, sb->s_blocksize, 0, dblock);
 }
 
 /**

diff --git a/fs/gfs2/lops.h b/fs/gfs2/lops.h
index 2280f68..9a85b9d 100644 (file)
--- a/fs/gfs2/lops.h
+++ b/fs/gfs2/lops.h
@@ -20,8 +20,9 @@
 extern const struct gfs2_log_operations *gfs2_log_ops[];
 extern void gfs2_log_incr_head(struct gfs2_sbd *sdp);
 extern u64 gfs2_log_bmap(struct gfs2_jdesc *jd, unsigned int lbn);
-extern void gfs2_log_write(struct gfs2_sbd *sdp, struct page *page,
-                          unsigned size, unsigned offset, u64 blkno);
+extern void gfs2_log_write(struct gfs2_sbd *sdp, struct gfs2_jdesc *jd,
+                          struct page *page, unsigned size, unsigned offset,
+                          u64 blkno);
 extern void gfs2_log_submit_bio(struct bio **biop, int opf);
 extern void gfs2_pin(struct gfs2_sbd *sdp, struct buffer_head *bh);
 extern int gfs2_find_jhead(struct gfs2_jdesc *jd,

diff --git a/fs/gfs2/recovery.c b/fs/gfs2/recovery.c
index 74ab1fc..cff8b9a 100644 (file)
--- a/fs/gfs2/recovery.c
+++ b/fs/gfs2/recovery.c
@@ -505,7 +505,7 @@ void gfs2_recover_func(struct work_struct *work)
 
                /* We take the sd_log_flush_lock here primarily to prevent log
                 * flushes and simultaneous journal replays from stomping on
-                * each other wrt sd_log_bio. */
+                * each other wrt jd_log_bio. */
                down_read(&sdp->sd_log_flush_lock);
                for (pass = 0; pass < 2; pass++) {
                        lops_before_scan(jd, &head, pass);