[0/9] xfs: shutdown is a racy mess

Message ID	20210630063813.1751007-1-david@fromorbit.com (mailing list archive)
Headers	show Return-Path: <linux-xfs-owner@kernel.org> From: Dave Chinner <david@fromorbit.com> To: linux-xfs@vger.kernel.org Subject: [PATCH 0/9] xfs: shutdown is a racy mess Date: Wed, 30 Jun 2021 16:38:04 +1000 Message-Id: <20210630063813.1751007-1-david@fromorbit.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	xfs: shutdown is a racy mess \| expand [0/9] xfs: shutdown is a racy mess [1/9] xfs: convert XLOG_FORCED_SHUTDOWN() to xlog_is_shutdown() [2/9] xfs: XLOG_STATE_IOERROR must die [3/9] xfs: move recovery needed state updates to xfs_log_mount_finish [4/9] xfs: convert log flags to an operational state field [5/9] xfs: make forced shutdown processing atomic [6/9] xfs: reowrk up xlog_state_do_callback [7/9] xfs: separate out log shutdown callback processing [8/9] xfs: don't run shutdown callbacks on active iclogs [9/9] xfs: log head and tail aren't reliable during shutdown

Message ID

20210630063813.1751007-1-david@fromorbit.com (mailing list archive)

Headers

From: Dave Chinner <david@fromorbit.com>
To: linux-xfs@vger.kernel.org
Subject: [PATCH 0/9] xfs: shutdown is a racy mess
Date: Wed, 30 Jun 2021 16:38:04 +1000
Message-Id: <20210630063813.1751007-1-david@fromorbit.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

xfs: shutdown is a racy mess | expand

Message

Dave Chinner June 30, 2021, 6:38 a.m. UTC

Hi folks,

With the recent log problems we've uncovreed, it's clear that the
way we shut down filesystems and the log is a chaotic mess. We can
have multiple filesystem shutdown executions being in progress at
once, all competing to run shutdown processing and emit log messages
saying the filesystem has been shut down and why. Further, shutdown
changes the log state and runs log IO completion callbacks without
any co-ordination with ongoing log operations.

This results in shutdowns running unpredictably, running multiple
times, racing with the iclog state machine transitions and exposing
us to use-after-free situations and unexpected state changes within
the log itself.

This patch series tries to address the chaotic nature of shutdowns
by making shutdown execution consistent and predictable. THis is
achieved by:

- making the mount shutdown state transistion atomic and not
  dependent on log state.
- making operational log state transitions atomic
- making the log shutdown check be based entirely on the operational
  XLOG_IO_ERROR log state rather than a combination of log flags and
  iclog XLOG_STATE_IOERROR checks.
- Getting rid of XLOG_STATE_IOERROR means shutdown doesn't perturb
  iclog state in the middle of operations that are expecting iclogs
  to be in specific state(s).
- shutdown doesn't process iclogs that are actively referenced.
  This avoids use-after-free situations where shutdown runs
  callbacks and frees objects that own the reference to the iclog
  and are still in use by the iclog reference owner.
- Run shutdown processing when the last active reference to an iclog
  goes away. This guarantees that shutdown processing occurs on all
  iclogs, but it only occurs when it is safe to do so.
- acknowledge that log state is not consistent once shutdown has
  been entered and so don't try to apply consistency checking during
  a shutdown...

At the end of this patch series, shutdown runs once and once only at
the first trigger, iclog state is not modified by shutdown, and
iclog callbacks and wakeups are not processed until all active
references to the iclog(s) are dropped. Hence we now have
deterministic shutdown behaviour for both the mount and the log and
a consistent iclog lifecycle framework that we can build more
complex functionality on top of safely.

Cheers,

Dave.