1 /*
2 * Copyright (c) 2000-2001,2005 Silicon Graphics, Inc.
3 * All Rights Reserved.
5 * This program is free software; you can redistribute it and/or
6 * modify it under the terms of the GNU General Public License as
7 * published by the Free Software Foundation.
9 * This program is distributed in the hope that it would be useful,
10 * but WITHOUT ANY WARRANTY; without even the implied warranty of
11 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
12 * GNU General Public License for more details.
14 * You should have received a copy of the GNU General Public License
15 * along with this program; if not, write the Free Software Foundation,
16 * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
18 #include "xfs.h"
19 #include "xfs_fs.h"
20 #include "xfs_types.h"
21 #include "xfs_log.h"
22 #include "xfs_inum.h"
23 #include "xfs_trans.h"
24 #include "xfs_buf_item.h"
25 #include "xfs_sb.h"
26 #include "xfs_ag.h"
27 #include "xfs_mount.h"
28 #include "xfs_trans_priv.h"
29 #include "xfs_extfree_item.h"
/*
 * Slab zones backing the fast-path EFI and EFD items (extent counts up to
 * XFS_EFI_MAX_FAST_EXTENTS / XFS_EFD_MAX_FAST_EXTENTS); larger items are
 * allocated individually, see xfs_efi_init() and xfs_efd_init().
 */
kmem_zone_t *xfs_efi_zone;
kmem_zone_t *xfs_efd_zone;
/* Recover the enclosing EFI from the generic log item embedded in it. */
static inline struct xfs_efi_log_item *EFI_ITEM(struct xfs_log_item *lip)
{
	struct xfs_efi_log_item *efi;

	efi = container_of(lip, struct xfs_efi_log_item, efi_item);
	return efi;
}
/*
 * Return an EFI to the allocator it came from.  Fast-path items live in
 * xfs_efi_zone; anything with more extents was allocated individually by
 * xfs_efi_init() and goes back through kmem_free().
 */
void
xfs_efi_item_free(
	struct xfs_efi_log_item	*efip)
{
	if (efip->efi_format.efi_nextents <= XFS_EFI_MAX_FAST_EXTENTS) {
		kmem_zone_free(xfs_efi_zone, efip);
		return;
	}
	kmem_free(efip);
}
/*
 * Final teardown of an EFI.  A committed EFI may already sit in the AIL, so
 * it has to be pulled out of the AIL before it can be freed.  With bulk
 * insert the committed and unpin callbacks are not ordered against EFD
 * processing, so XFS_EFI_COMMITTED is cleared atomically: the caller that
 * finds the flag set only clears it, and the caller that finds it clear
 * performs the AIL removal and the free.  Reached from both
 * xfs_efi_item_unpin() and xfs_efi_release().
 */
STATIC void
__xfs_efi_release(
	struct xfs_efi_log_item	*efip)
{
	struct xfs_ail		*ailp = efip->efi_item.li_ailp;

	/* Flag still set: someone else gets to free the item. */
	if (test_and_clear_bit(XFS_EFI_COMMITTED, &efip->efi_flags))
		return;

	spin_lock(&ailp->xa_lock);
	/* xfs_trans_ail_delete() drops the AIL lock. */
	xfs_trans_ail_delete(ailp, &efip->efi_item);
	xfs_efi_item_free(efip);
}
/*
 * This returns the number of iovecs needed to log the given efi item.
 * We only need 1 iovec for an efi item. It just logs the efi_log_format
 * structure (see xfs_efi_item_format()).
 */
STATIC uint
xfs_efi_item_size(
	struct xfs_log_item	*lip)
{
	return 1;
}
/*
 * Fill in the single log iovec for an EFI.  The iovec points straight at the
 * efi_log_format structure embedded in the item; its length covers the
 * header plus all logged extents (the header already embeds one).  By the
 * time we get here every extent slot must have been filled, which is
 * asserted.
 */
STATIC void
xfs_efi_item_format(
	struct xfs_log_item	*lip,
	struct xfs_log_iovec	*log_vector)
{
	struct xfs_efi_log_item	*efip = EFI_ITEM(lip);
	xfs_efi_log_format_t	*fmt = &efip->efi_format;
	uint			nextra;
	uint			size;

	ASSERT(atomic_read(&efip->efi_next_extent) == fmt->efi_nextents);

	fmt->efi_type = XFS_LI_EFI;
	fmt->efi_size = 1;

	/* One extent is part of the format struct; account for the rest. */
	nextra = fmt->efi_nextents - 1;
	size = sizeof(xfs_efi_log_format_t) + nextra * sizeof(xfs_extent_t);
	ASSERT(size >= sizeof(xfs_efi_log_format_t));

	log_vector->i_addr = fmt;
	log_vector->i_len = size;
	log_vector->i_type = XLOG_REG_TYPE_EFI_FORMAT;
}
/*
 * Pinning has no meaning for an efi item, so just return.
 * (Lifetime is arbitrated in xfs_efi_item_unpin() instead.)
 */
STATIC void
xfs_efi_item_pin(
	struct xfs_log_item	*lip)
{
}
/*
 * EFIs cannot really be pinned, but unpin is the last point at which the
 * EFI is touched during a transaction.  When @remove is set the transaction
 * was cancelled: the EFI then cannot be in the AIL, so it is detached from
 * the transaction and freed right here.  Otherwise the free is arbitrated
 * with xfs_efi_release() through XFS_EFI_COMMITTED in __xfs_efi_release().
 */
STATIC void
xfs_efi_item_unpin(
	struct xfs_log_item	*lip,
	int			remove)
{
	struct xfs_efi_log_item	*efip = EFI_ITEM(lip);

	if (!remove) {
		__xfs_efi_release(efip);
		return;
	}

	/* Cancelled transaction: never made it into the AIL. */
	ASSERT(!(lip->li_flags & XFS_LI_IN_AIL));
	if (lip->li_desc)
		xfs_trans_del_item(lip);
	xfs_efi_item_free(efip);
}
/*
 * Efi items have no locking or pushing. However, since EFIs are
 * pulled from the AIL when their corresponding EFDs are committed
 * to disk, their situation is very similar to being pinned. Return
 * XFS_ITEM_PINNED so that the caller will eventually flush the log.
 * This should help in getting the EFI out of the AIL.
 */
STATIC uint
xfs_efi_item_trylock(
	struct xfs_log_item	*lip)
{
	return XFS_ITEM_PINNED;
}
/*
 * Efi items have no lock to release.  The only work here is tearing down
 * an item whose transaction was aborted.
 */
STATIC void
xfs_efi_item_unlock(
	struct xfs_log_item	*lip)
{
	if (!(lip->li_flags & XFS_LI_ABORTED))
		return;
	xfs_efi_item_free(EFI_ITEM(lip));
}
/*
 * The EFI is logged exactly once and never moves in the log, so the commit
 * lsn is returned unchanged.  Under bulk transaction committed processing
 * the EFI may be committed but not yet unpinned when its EFD is processed;
 * XFS_EFI_COMMITTED records that state so __xfs_efi_release() can tell
 * which caller frees the item.
 */
STATIC xfs_lsn_t
xfs_efi_item_committed(
	struct xfs_log_item	*lip,
	xfs_lsn_t		lsn)
{
	struct xfs_efi_log_item	*efi = EFI_ITEM(lip);

	set_bit(XFS_EFI_COMMITTED, &efi->efi_flags);
	return lsn;
}
/*
 * There isn't much you can do to push on an efi item. It is simply
 * stuck waiting for all of its corresponding efd items to be
 * committed to disk.
 */
STATIC void
xfs_efi_item_push(
	struct xfs_log_item	*lip)
{
}
/*
 * The EFI dependency tracking op doesn't do squat. It can't because
 * it doesn't know where the free extent is coming from. The dependency
 * tracking has to be handled by the "enclosing" metadata object. For
 * example, for inodes, the inode is locked throughout the extent freeing
 * so the dependency should be recorded there.
 */
STATIC void
xfs_efi_item_committing(
	struct xfs_log_item	*lip,
	xfs_lsn_t		lsn)
{
}
/*
 * This is the ops vector shared by all efi log items.  It is handed to
 * xfs_log_item_init() by xfs_efi_init().
 */
static struct xfs_item_ops xfs_efi_item_ops = {
	.iop_size	= xfs_efi_item_size,
	.iop_format	= xfs_efi_item_format,
	.iop_pin	= xfs_efi_item_pin,
	.iop_unpin	= xfs_efi_item_unpin,
	.iop_trylock	= xfs_efi_item_trylock,
	.iop_unlock	= xfs_efi_item_unlock,
	.iop_committed	= xfs_efi_item_committed,
	.iop_push	= xfs_efi_item_push,
	.iop_committing = xfs_efi_item_committing
};
/*
 * Allocate and initialize an EFI for @nextents extents (at least one).
 * Counts up to XFS_EFI_MAX_FAST_EXTENTS come from xfs_efi_zone; larger items
 * are sized individually, with room for the extents beyond the one already
 * embedded in the format struct.  xfs_efi_item_free() undoes this split.
 */
struct xfs_efi_log_item *
xfs_efi_init(
	struct xfs_mount	*mp,
	uint			nextents)
{
	struct xfs_efi_log_item	*efip;

	ASSERT(nextents > 0);

	if (nextents <= XFS_EFI_MAX_FAST_EXTENTS) {
		efip = kmem_zone_zalloc(xfs_efi_zone, KM_SLEEP);
	} else {
		uint		extra = nextents - 1;
		uint		size;

		size = (uint)(sizeof(xfs_efi_log_item_t) +
			      (extra * sizeof(xfs_extent_t)));
		efip = kmem_zalloc(size, KM_SLEEP);
	}

	xfs_log_item_init(mp, &efip->efi_item, XFS_LI_EFI, &xfs_efi_item_ops);
	efip->efi_format.efi_nextents = nextents;
	/* The item's own address is the id the matching EFD refers back to. */
	efip->efi_format.efi_id = (__psint_t)(void*)efip;
	atomic_set(&efip->efi_next_extent, 0);

	return efip;
}
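/*
 * Byte length of an EFI format record with a fixed header of @hdr bytes
 * (which already embeds one extent of @ext bytes) holding @nextents extents.
 * Returns 0 when the total would not fit in the 32-bit iovec length, so a
 * corrupt extent count cannot wrap into a plausible size.  @nextents must
 * be at least 1.
 */
static inline size_t
xfs_efi_fmt_len(size_t hdr, size_t ext, uint nextents)
{
	size_t	extra = nextents - 1;

	/* ~0U is the largest value buf->i_len can hold. */
	if (extra > (~0U - hdr) / ext)
		return 0;
	return hdr + extra * ext;
}

/*
 * Copy an EFI format buffer from the given buf, and into the destination
 * EFI format structure.
 * The given buffer can be in 32 bit or 64 bit form (which has different padding),
 * one of which will be the native format for this kernel.
 * It will handle the conversion of formats if necessary.
 *
 * @buf comes out of the log being replayed and is not trusted: its length is
 * checked before any field is read, and the extent count it carries is
 * bounds-checked before it sizes either the memcpy or the conversion loops.
 * The caller must have sized @dst_efi_fmt for that extent count; that is not
 * verified here.
 *
 * Returns 0 on success, EFSCORRUPTED if the buffer matches none of the three
 * layouts or its extent count is unusable.
 */
int
xfs_efi_copy_format(xfs_log_iovec_t *buf, xfs_efi_log_format_t *dst_efi_fmt)
{
	xfs_efi_log_format_t	*src_efi_fmt = buf->i_addr;
	size_t			min_len;
	size_t			len, len32, len64;
	uint			nextents;
	uint			i;

	/*
	 * Every valid record is at least as long as its fixed format struct,
	 * so a buffer shorter than the smallest of the three can match none
	 * of them and must not be dereferenced to read efi_nextents.
	 */
	min_len = sizeof(xfs_efi_log_format_t);
	if (sizeof(xfs_efi_log_format_32_t) < min_len)
		min_len = sizeof(xfs_efi_log_format_32_t);
	if (sizeof(xfs_efi_log_format_64_t) < min_len)
		min_len = sizeof(xfs_efi_log_format_64_t);
	if (buf->i_len < min_len)
		return EFSCORRUPTED;

	/* An EFI always carries at least one extent (see xfs_efi_init()). */
	nextents = src_efi_fmt->efi_nextents;
	if (nextents == 0)
		return EFSCORRUPTED;

	/* A length of 0 means the count would overflow the iovec length. */
	len = xfs_efi_fmt_len(sizeof(xfs_efi_log_format_t),
			      sizeof(xfs_extent_t), nextents);
	len32 = xfs_efi_fmt_len(sizeof(xfs_efi_log_format_32_t),
				sizeof(xfs_extent_32_t), nextents);
	len64 = xfs_efi_fmt_len(sizeof(xfs_efi_log_format_64_t),
				sizeof(xfs_extent_64_t), nextents);

	if (len != 0 && buf->i_len == len) {
		/* Native layout: the record is copied verbatim. */
		memcpy((char *)dst_efi_fmt, (char*)src_efi_fmt, len);
		return 0;
	}

	if (len32 != 0 && buf->i_len == len32) {
		xfs_efi_log_format_32_t *src_efi_fmt_32 = buf->i_addr;

		/* The length was validated against nextents; the record must agree. */
		if (src_efi_fmt_32->efi_nextents != nextents)
			return EFSCORRUPTED;

		dst_efi_fmt->efi_type = src_efi_fmt_32->efi_type;
		dst_efi_fmt->efi_size = src_efi_fmt_32->efi_size;
		dst_efi_fmt->efi_nextents = src_efi_fmt_32->efi_nextents;
		dst_efi_fmt->efi_id = src_efi_fmt_32->efi_id;
		for (i = 0; i < nextents; i++) {
			dst_efi_fmt->efi_extents[i].ext_start =
				src_efi_fmt_32->efi_extents[i].ext_start;
			dst_efi_fmt->efi_extents[i].ext_len =
				src_efi_fmt_32->efi_extents[i].ext_len;
		}
		return 0;
	}

	if (len64 != 0 && buf->i_len == len64) {
		xfs_efi_log_format_64_t *src_efi_fmt_64 = buf->i_addr;

		/* Same consistency requirement as for the 32 bit layout. */
		if (src_efi_fmt_64->efi_nextents != nextents)
			return EFSCORRUPTED;

		dst_efi_fmt->efi_type = src_efi_fmt_64->efi_type;
		dst_efi_fmt->efi_size = src_efi_fmt_64->efi_size;
		dst_efi_fmt->efi_nextents = src_efi_fmt_64->efi_nextents;
		dst_efi_fmt->efi_id = src_efi_fmt_64->efi_id;
		for (i = 0; i < nextents; i++) {
			dst_efi_fmt->efi_extents[i].ext_start =
				src_efi_fmt_64->efi_extents[i].ext_start;
			dst_efi_fmt->efi_extents[i].ext_len =
				src_efi_fmt_64->efi_extents[i].ext_len;
		}
		return 0;
	}

	return EFSCORRUPTED;
}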
/*
 * Called by the EFD code to drop references to an EFI.  Each EFD passes the
 * number of extents it logged; when the running count reaches zero the
 * last EFD hands the EFI to __xfs_efi_release(), which decides whether
 * this caller or the unpin path frees it.
 */
void
xfs_efi_release(xfs_efi_log_item_t	*efip,
		uint			nextents)
{
	int			last;

	ASSERT(atomic_read(&efip->efi_next_extent) >= nextents);
	last = atomic_sub_and_test(nextents, &efip->efi_next_extent);
	if (last)
		__xfs_efi_release(efip);
}
/* Recover the enclosing EFD from the generic log item embedded in it. */
static inline struct xfs_efd_log_item *EFD_ITEM(struct xfs_log_item *lip)
{
	struct xfs_efd_log_item *efd;

	efd = container_of(lip, struct xfs_efd_log_item, efd_item);
	return efd;
}
/*
 * Return an EFD to the allocator it came from: xfs_efd_zone for fast-path
 * sizes, kmem_free() for items xfs_efd_init() allocated individually.
 */
STATIC void
xfs_efd_item_free(struct xfs_efd_log_item *efdp)
{
	if (efdp->efd_format.efd_nextents <= XFS_EFD_MAX_FAST_EXTENTS) {
		kmem_zone_free(xfs_efd_zone, efdp);
		return;
	}
	kmem_free(efdp);
}
/*
 * This returns the number of iovecs needed to log the given efd item.
 * We only need 1 iovec for an efd item. It just logs the efd_log_format
 * structure (see xfs_efd_item_format()).
 */
STATIC uint
xfs_efd_item_size(
	struct xfs_log_item	*lip)
{
	return 1;
}
/*
 * Fill in the single log iovec for an EFD.  It points at the efd_log_format
 * structure embedded in the item and covers the header plus all logged
 * extents (one of which the header already embeds).  All extent slots must
 * have been filled by now, which is asserted.
 */
STATIC void
xfs_efd_item_format(
	struct xfs_log_item	*lip,
	struct xfs_log_iovec	*log_vector)
{
	struct xfs_efd_log_item	*efdp = EFD_ITEM(lip);
	xfs_efd_log_format_t	*fmt = &efdp->efd_format;
	uint			nextra;
	uint			size;

	ASSERT(efdp->efd_next_extent == fmt->efd_nextents);

	fmt->efd_type = XFS_LI_EFD;
	fmt->efd_size = 1;

	/* One extent is part of the format struct; account for the rest. */
	nextra = fmt->efd_nextents - 1;
	size = sizeof(xfs_efd_log_format_t) + nextra * sizeof(xfs_extent_t);
	ASSERT(size >= sizeof(xfs_efd_log_format_t));

	log_vector->i_addr = fmt;
	log_vector->i_len = size;
	log_vector->i_type = XLOG_REG_TYPE_EFD_FORMAT;
}
/*
 * Pinning has no meaning for an efd item, so just return.
 */
STATIC void
xfs_efd_item_pin(
	struct xfs_log_item	*lip)
{
}
/*
 * Since pinning has no meaning for an efd item, unpinning does
 * not either.  Unlike the EFI, an EFD is freed from its committed
 * callback, so nothing is released here even when @remove is set.
 */
STATIC void
xfs_efd_item_unpin(
	struct xfs_log_item	*lip,
	int			remove)
{
}
/*
 * Efd items have no locking, so just return success.
 */
STATIC uint
xfs_efd_item_trylock(
	struct xfs_log_item	*lip)
{
	return XFS_ITEM_LOCKED;
}
/*
 * Efd items have no lock to release.  The only work here is tearing down
 * an item whose transaction was aborted.
 */
STATIC void
xfs_efd_item_unlock(
	struct xfs_log_item	*lip)
{
	if (!(lip->li_flags & XFS_LI_ABORTED))
		return;
	xfs_efd_item_free(EFD_ITEM(lip));
}
/*
 * Once the EFD is committed all that is left is to drop its reference on
 * the partner EFI and free the EFD itself.  Because the item is freed here,
 * -1 is returned so the transaction code does not touch it again.
 */
STATIC xfs_lsn_t
xfs_efd_item_committed(
	struct xfs_log_item	*lip,
	xfs_lsn_t		lsn)
{
	struct xfs_efd_log_item	*efd = EFD_ITEM(lip);

	/*
	 * After a log I/O error the log record carrying the EFI has already
	 * been unpinned and freed by the time the EFD is aborted, so the
	 * EFI reference is dropped only on the non-aborted path.
	 */
	if (!(lip->li_flags & XFS_LI_ABORTED))
		xfs_efi_release(efd->efd_efip, efd->efd_format.efd_nextents);

	xfs_efd_item_free(efd);
	return (xfs_lsn_t)-1;
}
/*
 * There isn't much you can do to push on an efd item. It is simply
 * stuck waiting for the log to be flushed to disk.
 */
STATIC void
xfs_efd_item_push(
	struct xfs_log_item	*lip)
{
}
/*
 * The EFD dependency tracking op doesn't do squat. It can't because
 * it doesn't know where the free extent is coming from. The dependency
 * tracking has to be handled by the "enclosing" metadata object. For
 * example, for inodes, the inode is locked throughout the extent freeing
 * so the dependency should be recorded there.
 */
STATIC void
xfs_efd_item_committing(
	struct xfs_log_item	*lip,
	xfs_lsn_t		lsn)
{
}
/*
 * This is the ops vector shared by all efd log items.  It is handed to
 * xfs_log_item_init() by xfs_efd_init().
 */
static struct xfs_item_ops xfs_efd_item_ops = {
	.iop_size	= xfs_efd_item_size,
	.iop_format	= xfs_efd_item_format,
	.iop_pin	= xfs_efd_item_pin,
	.iop_unpin	= xfs_efd_item_unpin,
	.iop_trylock	= xfs_efd_item_trylock,
	.iop_unlock	= xfs_efd_item_unlock,
	.iop_committed	= xfs_efd_item_committed,
	.iop_push	= xfs_efd_item_push,
	.iop_committing = xfs_efd_item_committing
};
/*
 * Allocate and initialize an EFD for @nextents extents (at least one) that
 * will complete the given EFI.  Counts up to XFS_EFD_MAX_FAST_EXTENTS come
 * from xfs_efd_zone; larger items are sized individually for the extents
 * beyond the one embedded in the format struct.  The EFD records both a
 * pointer to the EFI and the EFI's id so the two can be matched up later.
 * xfs_efd_item_free() undoes the allocation split.
 */
struct xfs_efd_log_item *
xfs_efd_init(
	struct xfs_mount	*mp,
	struct xfs_efi_log_item	*efip,
	uint			nextents)
{
	struct xfs_efd_log_item	*efdp;

	ASSERT(nextents > 0);

	if (nextents <= XFS_EFD_MAX_FAST_EXTENTS) {
		efdp = kmem_zone_zalloc(xfs_efd_zone, KM_SLEEP);
	} else {
		uint		extra = nextents - 1;
		uint		size;

		size = (uint)(sizeof(xfs_efd_log_item_t) +
			      (extra * sizeof(xfs_extent_t)));
		efdp = kmem_zalloc(size, KM_SLEEP);
	}

	xfs_log_item_init(mp, &efdp->efd_item, XFS_LI_EFD, &xfs_efd_item_ops);
	efdp->efd_efip = efip;
	efdp->efd_format.efd_nextents = nextents;
	efdp->efd_format.efd_efi_id = efip->efi_format.efi_id;

	return efdp;
}