diff options
| author | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-03-05 12:41:37 +0000 |
|---|---|---|
| committer | Jerry Jelinek <jerry.jelinek@joyent.com> | 2015-03-05 12:41:37 +0000 |
| commit | f50b0b2da0a5a431d4c2e027843710e4f8f2853b (patch) | |
| tree | e20023ea5b509e6c4bcbd2f6d79b4e52ba8ab61b /usr/src | |
| parent | 94d66437ee1f143d2495f6a1e5abbeda0f5fd78c (diff) | |
| parent | cd485b49201b16c079663125308af274b6299e96 (diff) | |
| download | illumos-joyent-f50b0b2da0a5a431d4c2e027843710e4f8f2853b.tar.gz | |
[illumos-gate merge]
commit cd485b49201b16c079663125308af274b6299e96
5630 stale bonus buffer in recycled dnode_t leads to data corruption
Diffstat (limited to 'usr/src')
| -rw-r--r-- | usr/src/uts/common/fs/zfs/dbuf.c | 55 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/zfs/dnode.c | 8 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/zfs/dnode_sync.c | 6 | ||||
| -rw-r--r-- | usr/src/uts/common/fs/zfs/sys/dnode.h | 2 |
4 files changed, 62 insertions, 9 deletions
diff --git a/usr/src/uts/common/fs/zfs/dbuf.c b/usr/src/uts/common/fs/zfs/dbuf.c index e569cde5f1..4b644f7479 100644 --- a/usr/src/uts/common/fs/zfs/dbuf.c +++ b/usr/src/uts/common/fs/zfs/dbuf.c @@ -2212,21 +2212,60 @@ dbuf_rele_and_unlock(dmu_buf_impl_t *db, void *tag) if (holds == 0) { if (db->db_blkid == DMU_BONUS_BLKID) { - mutex_exit(&db->db_mtx); + dnode_t *dn; /* - * If the dnode moves here, we cannot cross this barrier - * until the move completes. + * If the dnode moves here, we cannot cross this + * barrier until the move completes. */ DB_DNODE_ENTER(db); - atomic_dec_32(&DB_DNODE(db)->dn_dbufs_count); + + dn = DB_DNODE(db); + atomic_dec_32(&dn->dn_dbufs_count); + + /* + * Decrementing the dbuf count means that the bonus + * buffer's dnode hold is no longer discounted in + * dnode_move(). The dnode cannot move until after + * the dnode_rele_and_unlock() below. + */ DB_DNODE_EXIT(db); + + /* + * Do not reference db after its lock is dropped. + * Another thread may evict it. + */ + mutex_exit(&db->db_mtx); + /* - * The bonus buffer's dnode hold is no longer discounted - * in dnode_move(). The dnode cannot move until after - * the dnode_rele(). + * If the dnode has been freed, evict the bonus + * buffer immediately. The data in the bonus + * buffer is no longer relevant and this prevents + * a stale bonus buffer from being associated + * with this dnode_t should the dnode_t be reused + * prior to being destroyed. */ - dnode_rele(DB_DNODE(db), db); + mutex_enter(&dn->dn_mtx); + if (dn->dn_type == DMU_OT_NONE || + dn->dn_free_txg != 0) { + /* + * Drop dn_mtx. It is a leaf lock and + * cannot be held when dnode_evict_bonus() + * acquires other locks in order to + * perform the eviction. + * + * Freed dnodes cannot be reused until the + * last hold is released. Since this bonus + * buffer has a hold, the dnode will remain + * in the free state, even without dn_mtx + * held, until the dnode_rele_and_unlock() + * below. + */ + mutex_exit(&dn->dn_mtx); + dnode_evict_bonus(dn); + mutex_enter(&dn->dn_mtx); + } + dnode_rele_and_unlock(dn, db); } else if (db->db_buf == NULL) { /* * This is a special case: we never associated this diff --git a/usr/src/uts/common/fs/zfs/dnode.c b/usr/src/uts/common/fs/zfs/dnode.c index 4e376fc4d9..12d8db76fa 100644 --- a/usr/src/uts/common/fs/zfs/dnode.c +++ b/usr/src/uts/common/fs/zfs/dnode.c @@ -1223,12 +1223,18 @@ dnode_add_ref(dnode_t *dn, void *tag) void dnode_rele(dnode_t *dn, void *tag) { + mutex_enter(&dn->dn_mtx); + dnode_rele_and_unlock(dn, tag); +} + +void +dnode_rele_and_unlock(dnode_t *dn, void *tag) +{ uint64_t refs; /* Get while the hold prevents the dnode from moving. */ dmu_buf_impl_t *db = dn->dn_dbuf; dnode_handle_t *dnh = dn->dn_handle; - mutex_enter(&dn->dn_mtx); refs = refcount_remove(&dn->dn_holds, tag); mutex_exit(&dn->dn_mtx); diff --git a/usr/src/uts/common/fs/zfs/dnode_sync.c b/usr/src/uts/common/fs/zfs/dnode_sync.c index 6a0f8cc3bf..bb18718bed 100644 --- a/usr/src/uts/common/fs/zfs/dnode_sync.c +++ b/usr/src/uts/common/fs/zfs/dnode_sync.c @@ -430,6 +430,12 @@ dnode_evict_dbufs(dnode_t *dn) } mutex_exit(&dn->dn_dbufs_mtx); + dnode_evict_bonus(dn); +} + +void +dnode_evict_bonus(dnode_t *dn) +{ rw_enter(&dn->dn_struct_rwlock, RW_WRITER); if (dn->dn_bonus && refcount_is_zero(&dn->dn_bonus->db_holds)) { mutex_enter(&dn->dn_bonus->db_mtx); diff --git a/usr/src/uts/common/fs/zfs/sys/dnode.h b/usr/src/uts/common/fs/zfs/sys/dnode.h index 406954a653..69cc54dc27 100644 --- a/usr/src/uts/common/fs/zfs/sys/dnode.h +++ b/usr/src/uts/common/fs/zfs/sys/dnode.h @@ -281,6 +281,7 @@ int dnode_hold_impl(struct objset *dd, uint64_t object, int flag, void *ref, dnode_t **dnp); boolean_t dnode_add_ref(dnode_t *dn, void *ref); void dnode_rele(dnode_t *dn, void *ref); +void dnode_rele_and_unlock(dnode_t *dn, void *tag); void dnode_setdirty(dnode_t *dn, dmu_tx_t *tx); void dnode_sync(dnode_t *dn, dmu_tx_t *tx); void dnode_allocate(dnode_t *dn, dmu_object_type_t ot, int blocksize, int ibs, @@ -302,6 +303,7 @@ void dnode_fini(void); int dnode_next_offset(dnode_t *dn, int flags, uint64_t *off, int minlvl, uint64_t blkfill, uint64_t txg); void dnode_evict_dbufs(dnode_t *dn); +void dnode_evict_bonus(dnode_t *dn); #ifdef ZFS_DEBUG |