- 05 Sep, 2023 40 commits
-
-
Bob Peterson authored
This patch is an attempt to force some consistency in quota sync processing. Two functions (qd_fish and gfs2_quota_unlock) called qd_check_sync, after which they both called bh_get, and if that failed, they took the same steps to undo the actions of qd_check_sync. This patch introduces a new function, qd_bh_get_or_undo, which performs the same steps, reducing code redundancy. Signed-off-by:
Bob Peterson <rpeterso@redhat.com> Signed-off-by:
Andreas Gruenbacher <agruenba@redhat.com>
-
Bob Peterson authored
Function do_sync called gfs2_qa_get and put for quota allocation data. But the inode in question is the system master quota file, which is never subject to quotas. Therefore, a qa structure should be unnecessary and if anything accesses it, it's probably a bug. Signed-off-by:
-
Bob Peterson authored
Function gfs2_quota_unlock declared an array of 4 qd elements. We have a constant for that, we should be using it. Signed-off-by:
-
Bob Peterson authored
Func do_sync was called in two places: gfs2_quota_unlock and gfs2_quota_sync. In gfs2_quota_sync it updated qd_sync_gen to the latest superblock sync gen, if do_sync was successful. In gfs2_quota_unlock it didn't update the value. That can only lead to extra work, for example, if the value is synced by gfs2_quota_unlock but still has the old value. This patch moves the setting of qd_sync_gen inside do_sync so we are guaranteed consistency. Signed-off-by:
-
Bob Peterson authored
Function gfs2_adjust_quota set variable err, then set it again to a different value. This patch removes the redundant set. Signed-off-by:
-
Bob Peterson authored
No need to set error = 0 since it's set further down. Signed-off-by:
-
Bob Peterson authored
This patch looks more invasive than it is. It simply moves function qdsb_put before qd_unlock, then changes qd_unlock to call it rather than open coding it. Again, this reduces redundancy. Signed-off-by:
-
Bob Peterson authored
This patch adds some new fields to the gfs2 status file in sysfs to aid in debugging. Signed-off-by:
-
Bob Peterson authored
Function need_sync is supposed to determine if a qd element needs to be synced. If the "change" (qd_change) is zero, it does not need to be synced because there's literally no change in the value. Before this patch need_sync returned false if value < 0. That should be <= 0. This patch changes the check to <=. Signed-off-by:
-
Bob Peterson authored
This patch simplifies function need_sync by eliminating a variable in favor of just returning the appropriate value as soon as we know it. Signed-off-by:
-
Bob Peterson authored
Function gfs2_write_disk_quota checks if its write overflows onto another page, and if so, does a second write. Before this patch it kept two variables for this, but only one is needed. This patch simplifies it by eliminating pg_oflow. Signed-off-by:
-
Bob Peterson authored
Function gfs2_write_buf_to_page uses variable done to exit its loop, but it's unnecessary if we just code an infinite loop and exit when we need. Signed-off-by:
-
Bob Peterson authored
This patch passes the superblock pointer to gfs2_write_buf_to_page so it becomes more apparent it's dealing with the system quota file. Signed-off-by:
-
Bob Peterson authored
Like the previous patch, we now pass the superblock pointer to function gfs2_write_disk_quota. This makes the code more understandable, since it only operates on the quota inode. Signed-off-by:
-
Bob Peterson authored
Before this change function gfs2_adjust_quota's first parameter was an gfs2_inode pointer. But it always pointed to the quota inode. Here we switch that to pass the superblock pointer, sdp, so it is easier to read the code and understand that it's only dealing with the quota inode. Signed-off-by:
-
Bob Peterson authored
Since patch 845802b1 function gfs2_write_buf_to_page checks if the target inode is jdata or ordered. This function only operates on the system quota file, which is always jdata, so the check for jdata is useless. This patch removes it. Signed-off-by:
-
Bob Peterson authored
This patch adds a new mount option quota=quiet which is the same as quota=on but it suppresses gfs2 quota error messages. Signed-off-by:
-
Andreas Gruenbacher authored
Add the device name to the names of the gfs2_logd and gfs2_quotad kernel threads to allow for easier identification. Signed-off-by: -
Andreas Gruenbacher authored
Signed-off-by: -
Andreas Gruenbacher authored
Rename the "gfs_recovery" workqueue to "gfs2_recovery", and gfs_recovery_wq to gfs2_recovery_wq. Signed-off-by: -
Andreas Gruenbacher authored
Function gfs2_withdraw() tries to synchronize concurrent callers by atomically setting the SDF_WITHDRAWN flag in the first caller, setting the SDF_WITHDRAW_IN_PROG flag to indicate that a withdraw is in progress, performing the actual withdraw, and clearing the SDF_WITHDRAW_IN_PROG flag when done. All other callers wait for the SDF_WITHDRAW_IN_PROG flag to be cleared before returning. This leaves a small window in which callers can find the SDF_WITHDRAWN flag set before the SDF_WITHDRAW_IN_PROG flag has been set, causing them to return prematurely, before the withdraw has been completed. Fix that by setting the SDF_WITHDRAWN and SDF_WITHDRAW_IN_PROG flags atomically. Signed-off-by: -
Andreas Gruenbacher authored
Immediately stop the logd and quotad kernel threads when a filesystem withdraw is detected: those threads aren't doing anything useful after a withdraw. (Depends on the extra logd and quotad task struct references held since commit 7a109f383fa3 ("gfs2: Fix asynchronous thread destruction").) In addition, check for kthread_should_stop() in the wait condition in gfs2_quotad() to stop immediately when kthread_stop() is called. Signed-off-by: -
Andreas Gruenbacher authored
In gfs2_quotad(), switch from an open-coded wait loop to wait_event_interruptible_timeout(). Signed-off-by: -
Andreas Gruenbacher authored
The kernel threads are currently stopped and destroyed synchronously by gfs2_make_fs_ro() and gfs2_put_super(), and asynchronously by signal_our_withdraw(), with no synchronization, so the synchronous and asynchronous contexts can race with each other. First, when creating the kernel threads, take an extra task struct reference so that the task struct won't go away immediately when they terminate. This allows those kthreads to terminate immediately when they're done rather than hanging around as zombies until they are reaped by kthread_stop(). When kthread_stop() is called on a terminated kthread, it will return immediately. Second, in signal_our_withdraw(), once the SDF_JOURNAL_LIVE flag has been cleared, wake up the logd and quotad wait queues instead of stopping the logd and quotad kthreads. The kthreads are then expected to terminate automatically within short time, but if they cannot, they will not block the withdraw. For example, if a user process and one of the kthread decide to withdraw at the same time, only one of them will perform the actual withdraw and the other will wait for it to be done. If the kthread ends up being the one to wait, the withdrawing user process won't be able to stop it. Signed-off-by: -
Andreas Gruenbacher authored
[ 81.372851][ T5532] CPU: 1 PID: 5532 Comm: syz-executor.0 Not tainted 6.2.0-rc1-syzkaller-dirty #0 [ 81.382080][ T5532] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023 [ 81.392343][ T5532] Call Trace: [ 81.395654][ T5532] <TASK> [ 81.398603][ T5532] dump_stack_lvl+0x1b1/0x290 [ 81.418421][ T5532] gfs2_assert_warn_i+0x19a/0x2e0 [ 81.423480][ T5532] gfs2_quota_cleanup+0x4c6/0x6b0 [ 81.428611][ T5532] gfs2_make_fs_ro+0x517/0x610 [ 81.457802][ T5532] gfs2_withdraw+0x609/0x1540 [ 81.481452][ T5532] gfs2_inode_refresh+0xb2d/0xf60 [ 81.506658][ T5532] gfs2_instantiate+0x15e/0x220 [ 81.511504][ T5532] gfs2_glock_wait+0x1d9/0x2a0 [ 81.516352][ T5532] do_sync+0x485/0xc80 [ 81.554943][ T5532] gfs2_quota_sync+0x3da/0x8b0 [ 81.559738][ T5532] gfs2_sync_fs+0x49/0xb0 [ 81.564063][ T5532] sync_filesystem+0xe8/0x220 [ 81.568740][ T5532] generic_shutdown_super+0x6b/0x310 [ 81.574112][ T5532] kill_block_super+0x79/0xd0 [ 81.578779][ T5532] deactivate_locked_super+0xa7/0xf0 [ 81.584064][ T5532] cleanup_mnt+0x494/0x520 [ 81.593753][ T5532] task_work_run+0x243/0x300 [ 81.608837][ T5532] exit_to_user_mode_loop+0x124/0x150 [ 81.614232][ T5532] exit_to_user_mode_prepare+0xb2/0x140 [ 81.619820][ T5532] syscall_exit_to_user_mode+0x26/0x60 [ 81.625287][ T5532] do_syscall_64+0x49/0xb0 [ 81.629710][ T5532] entry_SYSCALL_64_after_hwframe+0x63/0xcd In this backtrace, gfs2_quota_sync() takes quota data references and then calls do_sync(). Function do_sync() encounters filesystem corruption and withdraws the filesystem, which (among other things) calls gfs2_quota_cleanup(). Function gfs2_quota_cleanup() wrongly assumes that nobody is holding any quota data references anymore, and destroys all quota data objects. When gfs2_quota_sync() then resumes and dereferences the quota data objects it is holding, those objects are no longer there. Function gfs2_quota_cleanup() deals with resource deallocation and can easily be delayed until gfs2_put_super() in the case of a filesystem withdraw. In fact, most of the other work gfs2_make_fs_ro() does is unnecessary during a withdraw as well, so change signal_our_withdraw() to skip gfs2_make_fs_ro() and perform the necessary steps directly instead. Thanks to Edward Adam Davis <eadavis@sina.com> for the initial patches. Link: https://lore.kernel.org/all/0000000000002b5e2405f14e860f@google.com Reported-by: syzbot+3f6a670108ce43356017@syzkaller.appspotmail.com Signed-off-by:
-
Andreas Gruenbacher authored
In gfs2_quota_cleanup(), wait for the quota data objects to be freed before returning. Otherwise, there is no guarantee that the quota data objects will be gone when their kmem cache is destroyed. Signed-off-by: -
Andreas Gruenbacher authored
Fix the refcount of quota data objects created directly by gfs2_quota_init(): those are placed into the in-memory quota "database" for eventual syncing to the main quota file, but they are not actively held and should thus have an initial refcount of 0. Signed-off-by: -
Andreas Gruenbacher authored
Once a filesystem is withdrawn, don't complain about quota changes that can't be synced to the main quota file anymore. Signed-off-by: -
Andreas Gruenbacher authored
Rename gfs2_qd_dispose() to gfs2_qd_dispose_list(). Move some code duplicated in gfs2_qd_dispose_list() and gfs2_quota_cleanup() into a new gfs2_qd_dispose() function. Signed-off-by: -
Andreas Gruenbacher authored
Change gfs2_quota_cleanup() to move the quota data objects to dispose of on a dispose list and call gfs2_qd_dispose() on that list, like gfs2_qd_shrink_scan() does, instead of disposing of the quota data objects directly. This may look a bit pointless by itself, but it will make more sense in combination with a fix that follows. Signed-off-by: -
Andreas Gruenbacher authored
Function gfs2_qd_isolate must only return LRU_REMOVED when removing the item from the lru list; otherwise, the number of items on the list will go wrong. Signed-off-by: -
Andreas Gruenbacher authored
Rename the SDF_DEACTIVATING flag to SDF_KILL to make it more obvious that this relates to the kill_sb filesystem operation. Signed-off-by: -
Andreas Gruenbacher authored
Rename sd_glock_wait to sd_kill_wait: we'll use it for other things related to "killing" a filesystem on unmount soon (kill_sb). Signed-off-by: -
Bob Peterson authored
Before this patch many of the functions in quota.c got their superblock pointer, sdp, from the quota_data's glock pointer. That's silly because the qd already has its own pointer to the superblock (qd_sbd). This patch changes references to use that instead, eliminating a level of indirection. Signed-off-by:
-
Andreas Gruenbacher authored
Commit f07b3520 ("GFS2: Made logd daemon take into account log demand") changed gfs2_ail_flush_reqd() and gfs2_jrnl_flush_reqd() to take sd_log_blks_needed into account, but the checks in gfs2_log_commit() were not updated correspondingly. Once that is fixed, gfs2_jrnl_flush_reqd() and gfs2_ail_flush_reqd() can be used in gfs2_log_commit(). Make those two helpers available to gfs2_log_commit() by defining them above gfs2_log_commit(). Signed-off-by:
-
Andreas Gruenbacher authored
When quotad detects an I/O error, it sets sd_log_error and then it wakes up logd to withdraw the filesystem. However, logd doesn't wake up when sd_log_error is set. Fix that. Signed-off-by: -
Andreas Gruenbacher authored
First, function gfs2_ail_flush_reqd checks the SDF_FORCE_AIL_FLUSH flag to determine if an AIL flush should be forced in low-memory situations. However, it also immediately clears the flag, and when called repeatedly as in function gfs2_logd, the flag will be lost. Fix that by pulling the SDF_FORCE_AIL_FLUSH flag check out of gfs2_ail_flush_reqd. Second, function gfs2_writepages sets the SDF_FORCE_AIL_FLUSH flag whether or not enough pages were written. If enough pages could be written, flushing the AIL is unnecessary, though. Third, gfs2_writepages doesn't wake up logd after setting the SDF_FORCE_AIL_FLUSH flag, so it can take a long time for logd to react. It would be preferable to wake up logd, but that hurts the performance of some workloads and we don't quite understand why so far, so don't wake up logd so far. Fixes: b066a4ee ("gfs2: forcibly flush ail to relieve memory pressure") Signed-off-by:
-
Andreas Gruenbacher authored
In gfs2_logd(), switch from an open-coded wait loop to wait_event_interruptible_timeout(). Signed-off-by: -
Bob Peterson authored
Consider the following case: 1. A glock is held in shared mode. 2. A process requests the glock in exclusive mode (rename). 3. Before the lock is granted, more processes (read / ls) request the glock in shared mode again. 4. gfs2 sends a request to dlm for the lock in exclusive mode because that holder is at the head of the queue. 5. Somehow the dlm request gets canceled, so dlm sends us back a response with state == LM_ST_SHARED and LM_OUT_CANCELED. So at that point, the glock is still held in shared mode. 6. finish_xmote gets called to process the response from dlm. It detects that the glock is not in the requested mode and no demote is in progress, so it moves the canceled holder to the tail of the queue and finds the new holder at the head of the queue. That holder is requesting the glock in shared mode. 7. finish_xmote calls do_xmote to transition the glock into shared mode, but the glock is already in shared mode and so do_xmote complains about that with: GLOCK_BUG_ON(gl, gl->gl_state == gl->gl_target); Instead, in finish_xmote, after moving the canceled holder to the tail of the queue, check if any new holders can be granted. Only call do_xmote to repeat the dlm request if the holder at the head of the queue is requesting the glock in a mode that is incompatible with the mode the glock is currently held in. Signed-off-by:
-
Andreas Gruenbacher authored
The last user of this flag was removed in commit b77b4a48 ("gfs2: Rework freeze / thaw logic"). Signed-off-by:
-
