[29/67] xfs: force all buffers to be written during btree bulk load

From: Darrick J. Wong <djwong@kernel.org>

From: Darrick J. Wong <djwong@kernel.org>

Source kernel commit: 13ae04d8d45227c2ba51e188daf9fc13d08a1b12

While stress-testing online repair of btrees, I noticed periodic
assertion failures from the buffer cache about buffers with incorrect
DELWRI_Q state.  Looking further, I observed this race between the AIL
trying to write out a btree block and repair zapping a btree block after
the fact:

AIL:    Repair0:

pin buffer X
delwri_queue:
set DELWRI_Q
add to delwri list

stale buf X:
clear DELWRI_Q
does not clear b_list
free space X

delwri_submit   # oops

Worse yet, I discovered that running the same repair over and over in a
tight loop can result in a second race that cause data integrity
problems with the repair:

AIL:    Repair0:        Repair1:

pin buffer X
delwri_queue:
set DELWRI_Q
add to delwri list

stale buf X:
clear DELWRI_Q
does not clear b_list
free space X

find free space X
get buffer
rewrite buffer
delwri_queue:
set DELWRI_Q
already on a list, do not add

BAD: committed tree root before all blocks written

delwri_submit   # too late now

I traced this to my own misunderstanding of how the delwri lists work,
particularly with regards to the AIL's buffer list.  If a buffer is
logged and committed, the buffer can end up on that AIL buffer list.  If
btree repairs are run twice in rapid succession, it's possible that the
first repair will invalidate the buffer and free it before the next time
the AIL wakes up.  Marking the buffer stale clears DELWRI_Q from the
buffer state without removing the buffer from its delwri list.  The
buffer doesn't know which list it's on, so it cannot know which lock to
take to protect the list for a removal.

If the second repair allocates the same block, it will then recycle the
buffer to start writing the new btree block.  Meanwhile, if the AIL
wakes up and walks the buffer list, it will ignore the buffer because it
can't lock it, and go back to sleep.

When the second repair calls delwri_queue to put the buffer on the
list of buffers to write before committing the new btree, it will set
DELWRI_Q again, but since the buffer hasn't been removed from the AIL's
buffer list, it won't add it to the bulkload buffer's list.

This is incorrect, because the bulkload caller relies on delwri_submit
to ensure that all the buffers have been sent to disk /before/
required for data consistency.

Worse, the AIL won't clear DELWRI_Q from the buffer when it does finally
drop it, so the next thread to walk through the btree will trip over a
debug assertion on that flag.

To fix this, create a new function that waits for the buffer to be
removed from any other delwri lists before adding the buffer to the
caller's delwri list.  By waiting for the buffer to clear both the
delwri list and any potential delwri wait list, we can be sure that
repair will initiate writes of all buffers and report all write errors
back to userspace instead of committing the new structure.

Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bill O'Donnell <bodonnel@redhat.com>
---
 libxfs/libxfs_io.h         |   11 +++++++++++
 libxfs/xfs_btree_staging.c |    4 +---
 2 files changed, 12 insertions(+), 3 deletions(-)

Message ID	171338842775.1853449.4418216174854196307.stgit@frogsfrogsfrogs (mailing list archive)
State	Superseded
Headers	show Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5D7FE8F4A for <linux-xfs@vger.kernel.org>; Wed, 17 Apr 2024 21:29:21 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713389361; cv=none; b=ACEzrW0JFT19k025sdJlrqoRJsXVbSd1dpRUbtLfxmJ7DmJiEqv5D3ols0JX2ccn/iPU+bUznBjjH60BD8+pm/knapNC5E6GbITxoKvV+Qt2SoCDAZvs5bt9NcmcGr9EYAkBWLI8edeXrexDfnA21e7OOkcivut08uYtXbUcK/o= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1713389361; c=relaxed/simple; bh=JjltKEy0X9FX/cc9xPgL0uYoj79n4Mj3VuI1jiT49Rs=; h=Date:Subject:From:To:Cc:Message-ID:In-Reply-To:References: MIME-Version:Content-Type; b=IzERU5nY96CHSMvr/R7hr6rz0soc8IMgJNmwJRtsfUbsblFlijcSMJRBesiO1aUy5ioebzmbLW4FyDB7UCKI+hKGcZitPL1sUGO8r8Inx6KxXLY7tD+kdgBJAcKRnf1QCJ44LJNVCW4Aewt6bVevRFXpMjeIq+dTcM4Bj07RMu8= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=ni4YhIhV; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="ni4YhIhV" Received: by smtp.kernel.org (Postfix) with ESMTPSA id E00AEC072AA; Wed, 17 Apr 2024 21:29:20 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1713389360; bh=JjltKEy0X9FX/cc9xPgL0uYoj79n4Mj3VuI1jiT49Rs=; h=Date:Subject:From:To:Cc:In-Reply-To:References:From; b=ni4YhIhVZp37lndpX7wBjVQ5Y/RlmA/5o2bj1kqC6C8zQ/M/LW8XNsovz+l47uP3+ nMLD546LmmK5MiF6IHBI0f/txL4akSZNDeBFj8yreXQqsdg5w8APORD7l5A/mQtdU1 8WZPi6Izcd2G9IlVFM8CxHNbMQkCqYwYxX4OIEprJqc9mBtDGAVXEBTZFmLgtroMLd Y910VWc7CIcXAwbjUOIdjjk09iH+xRzuXnr5i+wqhJXpTQScqwaJ+rFKzOyHULX2S2 M4AQFcq0rbJZ8rQMYmzHHbUmV7hUzzjw/irYVfPh4m49yfvs4Eq/P9FLrrAdrk9+9O cnzq1GN5BxDjw== Date: Wed, 17 Apr 2024 14:29:20 -0700 Subject: [PATCH 29/67] xfs: force all buffers to be written during btree bulk load From: "Darrick J. Wong" <djwong@kernel.org> To: cem@kernel.org, djwong@kernel.org Cc: Christoph Hellwig <hch@lst.de>, Bill O'Donnell <bodonnel@redhat.com>, linux-xfs@vger.kernel.org Message-ID: <171338842775.1853449.4418216174854196307.stgit@frogsfrogsfrogs> In-Reply-To: <171338842269.1853449.4066376212453408283.stgit@frogsfrogsfrogs> References: <171338842269.1853449.4066376212453408283.stgit@frogsfrogsfrogs> User-Agent: StGit/0.19 Precedence: bulk X-Mailing-List: linux-xfs@vger.kernel.org List-Id: <linux-xfs.vger.kernel.org> List-Subscribe: <mailto:linux-xfs+subscribe@vger.kernel.org> List-Unsubscribe: <mailto:linux-xfs+unsubscribe@vger.kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit
Series	[01/67] xfs: use xfs_defer_pending objects to recover intent items \| expand [01/67] xfs: use xfs_defer_pending objects to recover intent items [02/67] xfs: recreate work items when recovering intent items [03/67] xfs: use xfs_defer_finish_one to finish recovered work items [04/67] xfs: move ->iop_recover to xfs_defer_op_type [05/67] xfs: hoist intent done flag setting to ->finish_item callsite [06/67] xfs: hoist ->create_intent boilerplate to its callsite [07/67] xfs: use xfs_defer_create_done for the relogging operation [08/67] xfs: clean out XFS_LI_DIRTY setting boilerplate from ->iop_relog [09/67] xfs: hoist xfs_trans_add_item calls to defer ops functions [10/67] xfs: move ->iop_relog to struct xfs_defer_op_type [11/67] xfs: make rextslog computation consistent with mkfs [12/67] xfs: fix 32-bit truncation in xfs_compute_rextslog [13/67] xfs: don't allow overly small or large realtime volumes [14/67] xfs: elide ->create_done calls for unlogged deferred work [15/67] xfs: don't append work items to logged xfs_defer_pending objects [16/67] xfs: allow pausing of pending deferred work items [17/67] xfs: remove __xfs_free_extent_later [18/67] xfs: automatic freeing of freshly allocated unwritten space [19/67] xfs: remove unused fields from struct xbtree_ifakeroot [20/67] xfs: force small EFIs for reaping btree extents [21/67] xfs: ensure logflagsp is initialized in xfs_bmap_del_extent_real [22/67] xfs: update dir3 leaf block metadata after swap [23/67] xfs: extract xfs_da_buf_copy() helper function [24/67] xfs: move xfs_ondisk.h to libxfs/ [25/67] xfs: consolidate the xfs_attr_defer_* helpers [26/67] xfs: store an ops pointer in struct xfs_defer_pending [27/67] xfs: pass the defer ops instead of type to xfs_defer_start_recovery [28/67] xfs: pass the defer ops directly to xfs_defer_add [29/67] xfs: force all buffers to be written during btree bulk load [30/67] xfs: set XBF_DONE on newly formatted btree block that are ready for writing [31/67] xfs: read leaf blocks when computing keys for bulkloading into node blocks [32/67] xfs: move btree bulkload record initialization to ->get_record implementations [33/67] xfs: constrain dirty buffers while formatting a staged btree [34/67] xfs: repair free space btrees [35/67] xfs: repair inode btrees [36/67] xfs: repair refcount btrees [37/67] xfs: dont cast to char * for XFS_DFORK_PTR macros [38/67] xfs: set inode sick state flags when we zap either ondisk fork [39/67] xfs: zap broken inode forks [40/67] xfs: repair inode fork block mapping data structures [41/67] xfs: create a ranged query function for refcount btrees [42/67] xfs: create a new inode fork block unmap helper [43/67] xfs: improve dquot iteration for scrub [44/67] xfs: add lock protection when remove perag from radix tree [45/67] xfs: fix perag leak when growfs fails [46/67] xfs: remove the xfs_alloc_arg argument to xfs_bmap_btalloc_accounting [47/67] xfs: also use xfs_bmap_btalloc_accounting for RT allocations [48/67] xfs: return -ENOSPC from xfs_rtallocate_ [49/67] xfs: indicate if xfs_bmap_adjacent changed ap->blkno [50/67] xfs: move xfs_rtget_summary to xfs_rtbitmap.c [51/67] xfs: split xfs_rtmodify_summary_int [52/67] xfs: remove rt-wrappers from xfs_format.h [53/67] xfs: remove XFS_RTMIN/XFS_RTMAX [54/67] xfs: make if_data a void pointer [55/67] xfs: return if_data from xfs_idata_realloc [56/67] xfs: move the xfs_attr_sf_lookup tracepoint [57/67] xfs: simplify xfs_attr_sf_findname [58/67] xfs: remove xfs_attr_shortform_lookup [59/67] xfs: use xfs_attr_sf_findname in xfs_attr_shortform_getvalue [60/67] xfs: remove struct xfs_attr_shortform [61/67] xfs: remove xfs_attr_sf_hdr_t [62/67] xfs: turn the XFS_DA_OP_REPLACE checks in xfs_attr_shortform_addname into asserts [63/67] xfs: fix a use after free in xfs_defer_finish_recovery [64/67] xfs: use the op name in trace_xlog_intent_recovery_failed [65/67] xfs: fix backwards logic in xfs_bmap_alloc_account [66/67] xfs: reset XFS_ATTR_INCOMPLETE filter on node removal [67/67] xfs: remove conditional building of rt geometry validator functions

[29/67] xfs: force all buffers to be written during btree bulk load

Commit Message

Patch