Commit 75c68e9f authored by Filipe Manana's avatar Filipe Manana Committed by Chris Mason

Btrfs: fix race deleting block group from space_info->ro_bgs list

When removing a block group we were deleting it from its space_info's
ro_bgs list without the correct protection - the space info's spinlock.
Fix this by doing the list delete while holding the spinlock of the
corresponding space info, which is the correct lock for any operation
on that list.

This issue was introduced in the 3.19 kernel by the following change:

    Btrfs: move read only block groups onto their own list V2
    commit 633c0aad

I ran into a kernel crash while a task was running statfs, which iterates
the space_info->ro_bgs list while holding the space info's spinlock,
and another task was deleting it from the same list, without holding that
spinlock, as part of the block group remove operation (while running the
function btrfs_remove_block_group). This happened often when running the
stress test xfstests/generic/038 I recently made.
Signed-off-by: default avatarFilipe Manana <fdmanana@suse.com>
Signed-off-by: default avatarChris Mason <clm@fb.com>
parent 379d6854
...@@ -1171,6 +1171,7 @@ struct btrfs_space_info { ...@@ -1171,6 +1171,7 @@ struct btrfs_space_info {
struct percpu_counter total_bytes_pinned; struct percpu_counter total_bytes_pinned;
struct list_head list; struct list_head list;
/* Protected by the spinlock 'lock'. */
struct list_head ro_bgs; struct list_head ro_bgs;
struct rw_semaphore groups_sem; struct rw_semaphore groups_sem;
......
...@@ -9422,7 +9422,6 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, ...@@ -9422,7 +9422,6 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
* are still on the list after taking the semaphore * are still on the list after taking the semaphore
*/ */
list_del_init(&block_group->list); list_del_init(&block_group->list);
list_del_init(&block_group->ro_list);
if (list_empty(&block_group->space_info->block_groups[index])) { if (list_empty(&block_group->space_info->block_groups[index])) {
kobj = block_group->space_info->block_group_kobjs[index]; kobj = block_group->space_info->block_group_kobjs[index];
block_group->space_info->block_group_kobjs[index] = NULL; block_group->space_info->block_group_kobjs[index] = NULL;
...@@ -9464,6 +9463,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans, ...@@ -9464,6 +9463,7 @@ int btrfs_remove_block_group(struct btrfs_trans_handle *trans,
btrfs_remove_free_space_cache(block_group); btrfs_remove_free_space_cache(block_group);
spin_lock(&block_group->space_info->lock); spin_lock(&block_group->space_info->lock);
list_del_init(&block_group->ro_list);
block_group->space_info->total_bytes -= block_group->key.offset; block_group->space_info->total_bytes -= block_group->key.offset;
block_group->space_info->bytes_readonly -= block_group->key.offset; block_group->space_info->bytes_readonly -= block_group->key.offset;
block_group->space_info->disk_total -= block_group->key.offset * factor; block_group->space_info->disk_total -= block_group->key.offset * factor;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment