bcachefs: Fix freeing in bch2_dev_buckets_resize()

We were double-freeing old_buckets and not freeing old_buckets_gens: also, the code was supposed to free buckets, not old_buckets; old_buckets is only needed because we have to use rcu_assign_pointer() instead of swap(), and won't be set if we hit the error path. Signed-off-by: Kent Overstreet <kent.overstreet@gmail.com>
2022-02-06 19:20:36 -05:00 · 2022-02-06 19:20:36 -05:00 · 80bf2f3454
commit 80bf2f3454
parent 35228ecb7e
2 changed files with 7 additions and 5 deletions
--- a/fs/bcachefs/bcachefs.h
+++ b/fs/bcachefs/bcachefs.h
@ -451,7 +451,7 @@ struct bch_dev {
 	 * Or rcu_read_lock(), but only for ptr_stale():
 	 */
 	struct bucket_array __rcu *buckets[2];
-	struct bucket_gens	*bucket_gens;
+	struct bucket_gens __rcu *bucket_gens;
 	unsigned long		*buckets_nouse;
 	struct rw_semaphore	bucket_lock;

--- a/fs/bcachefs/buckets.c
+++ b/fs/bcachefs/buckets.c
@ -2106,7 +2106,7 @@ static void buckets_free_rcu(struct rcu_head *rcu)
 		container_of(rcu, struct bucket_array, rcu);

 	kvpfree(buckets,
-		sizeof(struct bucket_array) +
+		sizeof(*buckets) +
 		buckets->nbuckets * sizeof(struct bucket));
 }

@ -2115,7 +2115,7 @@ static void bucket_gens_free_rcu(struct rcu_head *rcu)
 	struct bucket_gens *buckets =
 		container_of(rcu, struct bucket_gens, rcu);

-	kvpfree(buckets, sizeof(struct bucket_array) + buckets->nbuckets);
+	kvpfree(buckets, sizeof(*buckets) + buckets->nbuckets);
 }

 int bch2_dev_buckets_resize(struct bch_fs *c, struct bch_dev *ca, u64 nbuckets)
@ -2225,9 +2225,9 @@ err:
 	kvpfree(buckets_nouse,
 		BITS_TO_LONGS(nbuckets) * sizeof(unsigned long));
 	if (bucket_gens)
-		call_rcu(&old_buckets->rcu, bucket_gens_free_rcu);
+		call_rcu(&bucket_gens->rcu, bucket_gens_free_rcu);
 	if (buckets)
-		call_rcu(&old_buckets->rcu, buckets_free_rcu);
+		call_rcu(&buckets->rcu, buckets_free_rcu);

 	return ret;
 }
@ -2242,6 +2242,8 @@ void bch2_dev_buckets_free(struct bch_dev *ca)
 		free_fifo(&ca->free[i]);
 	kvpfree(ca->buckets_nouse,
 		BITS_TO_LONGS(ca->mi.nbuckets) * sizeof(unsigned long));
+	kvpfree(rcu_dereference_protected(ca->bucket_gens, 1),
+		sizeof(struct bucket_gens) + ca->mi.nbuckets);
 	kvpfree(rcu_dereference_protected(ca->buckets[0], 1),
 		sizeof(struct bucket_array) +
 		ca->mi.nbuckets * sizeof(struct bucket));