mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-05 18:39:59 +00:00
cd6f79d1fb
Brian reported a null pointer dereference failure during unmount in
xfs/006. He tracked the problem down to the AIL being torn down
before a log shutdown had completed and removed all the items from
the AIL. The failure occurred in this path while unmount was
proceeding in another task:
xfs_trans_ail_delete+0x102/0x130 [xfs]
xfs_buf_item_done+0x22/0x30 [xfs]
xfs_buf_ioend+0x73/0x4d0 [xfs]
xfs_trans_committed_bulk+0x17e/0x2f0 [xfs]
xlog_cil_committed+0x2a9/0x300 [xfs]
xlog_cil_process_committed+0x69/0x80 [xfs]
xlog_state_shutdown_callbacks+0xce/0xf0 [xfs]
xlog_force_shutdown+0xdf/0x150 [xfs]
xfs_do_force_shutdown+0x5f/0x150 [xfs]
xlog_ioend_work+0x71/0x80 [xfs]
process_one_work+0x1c5/0x390
worker_thread+0x30/0x350
kthread+0xd7/0x100
ret_from_fork+0x1f/0x30
This is processing an EIO error to a log write, and it's
triggering a force shutdown. This causes the log to be shut down,
and then it is running attached iclog callbacks from the shutdown
context. That means the fs and log has already been marked as
xfs_is_shutdown/xlog_is_shutdown and so high level code will abort
(e.g. xfs_trans_commit(), xfs_log_force(), etc) with an error
because of shutdown.
The umount would have been blocked waiting for a log force
completion inside xfs_log_cover() -> xfs_sync_sb(). The first thing
for this situation to occur is for xfs_sync_sb() to exit without
waiting for the iclog buffer to be comitted to disk. The
above trace is the completion routine for the iclog buffer, and
it is shutting down the filesystem.
xlog_state_shutdown_callbacks() does this:
{
struct xlog_in_core *iclog;
LIST_HEAD(cb_list);
spin_lock(&log->l_icloglock);
iclog = log->l_iclog;
do {
if (atomic_read(&iclog->ic_refcnt)) {
/* Reference holder will re-run iclog callbacks. */
continue;
}
list_splice_init(&iclog->ic_callbacks, &cb_list);
>>>>>> wake_up_all(&iclog->ic_write_wait);
>>>>>> wake_up_all(&iclog->ic_force_wait);
} while ((iclog = iclog->ic_next) != log->l_iclog);
wake_up_all(&log->l_flush_wait);
spin_unlock(&log->l_icloglock);
>>>>>> xlog_cil_process_committed(&cb_list);
}
This wakes any thread waiting on IO completion of the iclog (in this
case the umount log force) before shutdown processes all the pending
callbacks. That means the xfs_sync_sb() waiting on a sync
transaction in xfs_log_force() on iclog->ic_force_wait will get
woken before the callbacks attached to that iclog are run. This
results in xfs_sync_sb() returning an error, and so unmount unblocks
and continues to run whilst the log shutdown is still in progress.
Normally this is just fine because the force waiter has nothing to
do with AIL operations. But in the case of this unmount path, the
log force waiter goes on to tear down the AIL because the log is now
shut down and so nothing ever blocks it again from the wait point in
xfs_log_cover().
Hence it's a race to see who gets to the AIL first - the unmount
code or xlog_cil_process_committed() killing the superblock buffer.
To fix this, we just have to change the order of processing in
xlog_state_shutdown_callbacks() to run the callbacks before it wakes
any task waiting on completion of the iclog.
Reported-by: Brian Foster <bfoster@redhat.com>
Fixes:
|
||
|---|---|---|
| .. | ||
| libxfs | ||
| scrub | ||
| Kconfig | ||
| kmem.c | ||
| kmem.h | ||
| Makefile | ||
| mrlock.h | ||
| xfs.h | ||
| xfs_acl.c | ||
| xfs_acl.h | ||
| xfs_aops.c | ||
| xfs_aops.h | ||
| xfs_attr_inactive.c | ||
| xfs_attr_list.c | ||
| xfs_bio_io.c | ||
| xfs_bmap_item.c | ||
| xfs_bmap_item.h | ||
| xfs_bmap_util.c | ||
| xfs_bmap_util.h | ||
| xfs_buf.c | ||
| xfs_buf.h | ||
| xfs_buf_item.c | ||
| xfs_buf_item.h | ||
| xfs_buf_item_recover.c | ||
| xfs_dir2_readdir.c | ||
| xfs_discard.c | ||
| xfs_discard.h | ||
| xfs_dquot.c | ||
| xfs_dquot.h | ||
| xfs_dquot_item.c | ||
| xfs_dquot_item.h | ||
| xfs_dquot_item_recover.c | ||
| xfs_error.c | ||
| xfs_error.h | ||
| xfs_export.c | ||
| xfs_export.h | ||
| xfs_extent_busy.c | ||
| xfs_extent_busy.h | ||
| xfs_extfree_item.c | ||
| xfs_extfree_item.h | ||
| xfs_file.c | ||
| xfs_filestream.c | ||
| xfs_filestream.h | ||
| xfs_fsmap.c | ||
| xfs_fsmap.h | ||
| xfs_fsops.c | ||
| xfs_fsops.h | ||
| xfs_globals.c | ||
| xfs_health.c | ||
| xfs_icache.c | ||
| xfs_icache.h | ||
| xfs_icreate_item.c | ||
| xfs_icreate_item.h | ||
| xfs_inode.c | ||
| xfs_inode.h | ||
| xfs_inode_item.c | ||
| xfs_inode_item.h | ||
| xfs_inode_item_recover.c | ||
| xfs_ioctl.c | ||
| xfs_ioctl.h | ||
| xfs_ioctl32.c | ||
| xfs_ioctl32.h | ||
| xfs_iomap.c | ||
| xfs_iomap.h | ||
| xfs_iops.c | ||
| xfs_iops.h | ||
| xfs_itable.c | ||
| xfs_itable.h | ||
| xfs_iwalk.c | ||
| xfs_iwalk.h | ||
| xfs_linux.h | ||
| xfs_log.c | ||
| xfs_log.h | ||
| xfs_log_cil.c | ||
| xfs_log_priv.h | ||
| xfs_log_recover.c | ||
| xfs_message.c | ||
| xfs_message.h | ||
| xfs_mount.c | ||
| xfs_mount.h | ||
| xfs_mru_cache.c | ||
| xfs_mru_cache.h | ||
| xfs_ondisk.h | ||
| xfs_pnfs.c | ||
| xfs_pnfs.h | ||
| xfs_pwork.c | ||
| xfs_pwork.h | ||
| xfs_qm.c | ||
| xfs_qm.h | ||
| xfs_qm_bhv.c | ||
| xfs_qm_syscalls.c | ||
| xfs_quota.h | ||
| xfs_quotaops.c | ||
| xfs_refcount_item.c | ||
| xfs_refcount_item.h | ||
| xfs_reflink.c | ||
| xfs_reflink.h | ||
| xfs_rmap_item.c | ||
| xfs_rmap_item.h | ||
| xfs_rtalloc.c | ||
| xfs_rtalloc.h | ||
| xfs_stats.c | ||
| xfs_stats.h | ||
| xfs_super.c | ||
| xfs_super.h | ||
| xfs_symlink.c | ||
| xfs_symlink.h | ||
| xfs_sysctl.c | ||
| xfs_sysctl.h | ||
| xfs_sysfs.c | ||
| xfs_sysfs.h | ||
| xfs_trace.c | ||
| xfs_trace.h | ||
| xfs_trans.c | ||
| xfs_trans.h | ||
| xfs_trans_ail.c | ||
| xfs_trans_buf.c | ||
| xfs_trans_dquot.c | ||
| xfs_trans_priv.h | ||
| xfs_xattr.c | ||