Btrfs: make sure compressed bios don't complete too soon

When writing a compressed extent, a number of bios are created that
point to a single struct compressed_bio.  At end_io time an atomic counter in
the compressed_bio struct makes sure that all of the bios have finished
before final end_io processing is done.

But when multiple bios are needed to write a compressed extent, the
counter was being incremented after the first bio was sent to submit_bio.
It is possible the bio will complete before the counter is incremented,
making the end_io handler free the compressed_bio struct before
processing is finished.

The fix is to increment the atomic counter before bio submission,
both for compressed reads and writes.

Signed-off-by: Chris Mason <chris.mason@oracle.com>

diff --git a/fs/btrfs/compression.c b/fs/btrfs/compression.c
index 284f21025bcc32134c96f7edbd179e936ee1900b..7397c622fb6a14d4e691f432bc619f1fc0a52e75 100644 (file)
--- a/fs/btrfs/compression.c
+++ b/fs/btrfs/compression.c
@@ -314,6 +314,13 @@ int btrfs_submit_compressed_write(struct inode *inode, u64 start,
                    PAGE_CACHE_SIZE) {
                        bio_get(bio);
 
+                       /*
+                        * inc the count before we submit the bio so
+                        * we know the end IO handler won't happen before
+                        * we inc the count.  Otherwise, the cb might get
+                        * freed before we're done setting it up
+                        */
+                       atomic_inc(&cb->pending_bios);
                        ret = btrfs_bio_wq_end_io(root->fs_info, bio, 0);
                        BUG_ON(ret);
 
@@ -323,7 +330,6 @@ int btrfs_submit_compressed_write(struct inode *inode, u64 start,
                        bio_put(bio);
 
                        bio = compressed_bio_alloc(bdev, first_byte, GFP_NOFS);
-                       atomic_inc(&cb->pending_bios);
                        bio->bi_private = cb;
                        bio->bi_end_io = end_compressed_bio_write;
                        bio_add_page(bio, page, PAGE_CACHE_SIZE, 0);
@@ -573,6 +579,14 @@ int btrfs_submit_compressed_read(struct inode *inode, struct bio *bio,
                        ret = btrfs_bio_wq_end_io(root->fs_info, comp_bio, 0);
                        BUG_ON(ret);
 
+                       /*
+                        * inc the count before we submit the bio so
+                        * we know the end IO handler won't happen before
+                        * we inc the count.  Otherwise, the cb might get
+                        * freed before we're done setting it up
+                        */
+                       atomic_inc(&cb->pending_bios);
+
                        ret = btrfs_map_bio(root, READ, comp_bio, 0, 0);
                        BUG_ON(ret);
 
@@ -580,7 +594,6 @@ int btrfs_submit_compressed_read(struct inode *inode, struct bio *bio,
 
                        comp_bio = compressed_bio_alloc(bdev, cur_disk_byte,
                                                        GFP_NOFS);
-                       atomic_inc(&cb->pending_bios);
                        comp_bio->bi_private = cb;
                        comp_bio->bi_end_io = end_compressed_bio_read;