// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (C) Sistina Software, Inc. 1997-2003 All rights reserved.
* Copyright (C) 2004-2007 Red Hat, Inc. All rights reserved.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/bio.h>
#include <linux/sched/signal.h>
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/completion.h>
#include <linux/buffer_head.h>
#include <linux/statfs.h>
#include <linux/seq_file.h>
#include <linux/mount.h>
#include <linux/kthread.h>
#include <linux/delay.h>
#include <linux/gfs2_ondisk.h>
#include <linux/crc32.h>
#include <linux/time.h>
#include <linux/wait.h>
#include <linux/writeback.h>
#include <linux/backing-dev.h>
#include <linux/kernel.h>
#include "gfs2.h"
#include "incore.h"
#include "bmap.h"
#include "dir.h"
#include "glock.h"
#include "glops.h"
#include "inode.h"
#include "log.h"
#include "meta_io.h"
#include "quota.h"
#include "recovery.h"
#include "rgrp.h"
#include "super.h"
#include "trans.h"
#include "util.h"
#include "sys.h"
#include "xattr.h"
#include "lops.h"
/*
 * Three-way verdict about a dinode. Judging by the names alone, the values
 * say whether the on-disk dinode should be deleted, kept, or whether the
 * eviction should be deferred; the code that produces and consumes them is
 * not in this part of the file.
 */
enum dinode_demise {
	SHOULD_DELETE_DINODE,		/* 0 */
	SHOULD_NOT_DELETE_DINODE,	/* 1 */
	SHOULD_DEFER_EVICTION,		/* 2 */
};
/**
 * gfs2_jindex_free - Clear all the journal index information
 * @sdp: The GFS2 superblock
 *
 * Detaches every journal descriptor from @sdp->sd_jindex_list, resets the
 * journal count, clears @sdp->sd_jdesc, and then frees each descriptor
 * together with its journal extents and its inode reference.
 *
 * NOTE(review): gfs2_jdesc_find() returns descriptor pointers after it has
 * dropped sd_jindex_spin, and no reference count on the descriptor is
 * visible in this file. Callers presumably must not keep such a pointer
 * across a call to this function - confirm against the call sites.
 */
void gfs2_jindex_free(struct gfs2_sbd *sdp)
{
	struct list_head detached;

	/*
	 * Move the whole index onto a private list head: link @detached in
	 * right after the real head, then unlink the real head and
	 * re-initialise it as empty. The entries are torn down below without
	 * the spinlock held.
	 */
	spin_lock(&sdp->sd_jindex_spin);
	list_add(&detached, &sdp->sd_jindex_list);
	list_del_init(&sdp->sd_jindex_list);
	sdp->sd_journals = 0;
	spin_unlock(&sdp->sd_jindex_spin);

	/* The "own journal" pointer is cleared under the log flush lock. */
	down_write(&sdp->sd_log_flush_lock);
	sdp->sd_jdesc = NULL;
	up_write(&sdp->sd_log_flush_lock);

	while (!list_empty(&detached)) {
		struct gfs2_jdesc *victim;

		victim = list_first_entry(&detached, struct gfs2_jdesc,
					  jd_list);

		/*
		 * A descriptor that still has jd_log_bio set must never be
		 * freed; the kernel stops here instead of continuing.
		 */
		BUG_ON(victim->jd_log_bio);

		gfs2_free_journal_extents(victim);
		list_del(&victim->jd_list);

		/* Drop the inode reference and clear the pointer first. */
		iput(victim->jd_inode);
		victim->jd_inode = NULL;
		kfree(victim);
	}
}
/*
 * jdesc_find_i - look up a journal descriptor by journal id
 * @head: list of struct gfs2_jdesc linked through jd_list
 * @jid: journal id to match against jd_jid
 *
 * Returns the first matching descriptor, or NULL if there is none. No
 * locking is done here; gfs2_jdesc_find() calls this with sd_jindex_spin
 * held.
 */
static struct gfs2_jdesc *jdesc_find_i(struct list_head *head, unsigned int jid)
{
	struct gfs2_jdesc *cur;
	struct gfs2_jdesc *match = NULL;

	list_for_each_entry(cur, head, jd_list) {
		if (cur->jd_jid != jid)
			continue;
		match = cur;
		break;
	}

	return match;
}
/**
 * gfs2_jdesc_find - Find a journal descriptor by journal id
 * @sdp: the filesystem
 * @jid: the journal id to look for
 *
 * Searches @sdp->sd_jindex_list under sd_jindex_spin.
 *
 * NOTE(review): the lock is released before the pointer is returned and no
 * reference is taken here, so the result is only as long-lived as the
 * journal index itself; gfs2_jindex_free() kfree()s every descriptor.
 * Callers presumably rely on ordering against that teardown - confirm.
 *
 * Returns: the descriptor, or NULL if no journal has that id
 */
struct gfs2_jdesc *gfs2_jdesc_find(struct gfs2_sbd *sdp, unsigned int jid)
{
	struct gfs2_jdesc *found;

	spin_lock(&sdp->sd_jindex_spin);
	found = jdesc_find_i(&sdp->sd_jindex_list, jid);
	spin_unlock(&sdp->sd_jindex_spin);

	return found;
}
/**
 * gfs2_jdesc_check - Sanity-check a journal inode and record its length
 * @jd: the journal descriptor
 *
 * Rejects the journal if gfs2_check_internal_file_size() objects to the
 * inode size (bounds passed: 8 << 20 and BIT(30), presumably a minimum of
 * 8 MiB and a maximum of 1 GiB - confirm against that helper), or if
 * writing the whole file would still require block allocation. On the way,
 * @jd->jd_blocks is set to the size expressed in filesystem blocks.
 *
 * Returns: 0 if the journal looks sane, -EIO otherwise
 */
int gfs2_jdesc_check(struct gfs2_jdesc *jd)
{
	struct gfs2_sbd *sdp = GFS2_SB(jd->jd_inode);
	struct gfs2_inode *ip = GFS2_I(jd->jd_inode);
	u64 size = i_size_read(jd->jd_inode);
	int ret = -EIO;

	if (gfs2_check_internal_file_size(jd->jd_inode, 8 << 20, BIT(30)))
		goto out;

	/* Bytes to blocks; stored even if the allocation check below fails. */
	jd->jd_blocks = size >> sdp->sd_sb.sb_bsize_shift;

	if (!gfs2_write_alloc_required(ip, 0, size))
		ret = 0;
	else
		gfs2_consist_inode(ip);	/* report the inode as inconsistent */

out:
	return ret;
}
/**
 * gfs2_make_fs_rw - Turn a Read-Only FS into a Read-Write one
 * @sdp: the filesystem
 *
 * Re-reads the head of this node's journal, refuses to continue unless the
 * head carries GFS2_LOG_HEAD_UNMOUNT, initialises the in-core log sequence
 * and pointers from it, initialises quotas, and finally sets
 * SDF_JOURNAL_LIVE. A withdraw observed before or after these steps makes
 * the call fail with -EIO.
 *
 * NOTE(review): @sdp->sd_jdesc is dereferenced without a NULL check, while
 * gfs2_jindex_free() sets it to NULL. Callers presumably guarantee the
 * journal index is populated here - confirm.
 *
 * Returns: errno
 */
int gfs2_make_fs_rw(struct gfs2_sbd *sdp)
{
	struct gfs2_inode *jip = GFS2_I(sdp->sd_jdesc->jd_inode);
	struct gfs2_glock *j_gl = jip->i_gl;
	struct gfs2_log_header_host head;
	int error;

	/* Invalidate through the journal glock's own go_inval operation. */
	j_gl->gl_ops->go_inval(j_gl, DIO_METADATA);
	if (gfs2_withdrawing_or_withdrawn(sdp))
		return -EIO;

	/*
	 * Either failing to find the journal head or finding one without the
	 * unmount flag is reported as a filesystem consistency error.
	 */
	error = gfs2_find_jhead(sdp->sd_jdesc, &head, false);
	if (!error && !(head.lh_flags & GFS2_LOG_HEAD_UNMOUNT))
		error = -EIO;
	if (error) {
		gfs2_consist(sdp);
		return error;
	}

	/* Initialize some head of the log stuff */
	sdp->sd_log_sequence = head.lh_sequence + 1;
	gfs2_log_pointers_init(sdp, head.lh_blkno);

	error = gfs2_quota_init(sdp);
	if (error)
		return error;

	/* A withdraw may have happened while quotas were being set up. */
	if (gfs2_withdrawing_or_withdrawn(sdp))
		return -EIO;

	set_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags);
	return 0;
}
/**
 * gfs2_statfs_change_in - Decode on-disk statfs counters into host order
 * @sc: destination, host-endian counters
 * @buf: source, laid out as a big-endian struct gfs2_statfs_change
 *
 * @buf carries no length: the caller must make sure it references at least
 * sizeof(struct gfs2_statfs_change) readable bytes. Every caller in this
 * file passes b_data + sizeof(struct gfs2_dinode) of a buffer head.
 */
void gfs2_statfs_change_in(struct gfs2_statfs_change_host *sc, const void *buf)
{
	const struct gfs2_statfs_change *disk = buf;

	sc->sc_dinodes = be64_to_cpu(disk->sc_dinodes);
	sc->sc_free = be64_to_cpu(disk->sc_free);
	sc->sc_total = be64_to_cpu(disk->sc_total);
}
/**
 * gfs2_statfs_change_out - Encode host-order statfs counters for disk
 * @sc: source, host-endian counters
 * @buf: destination, written as a big-endian struct gfs2_statfs_change
 *
 * @buf carries no length: the caller must make sure it references at least
 * sizeof(struct gfs2_statfs_change) writable bytes. Every caller in this
 * file passes b_data + sizeof(struct gfs2_dinode) of a buffer head.
 */
void gfs2_statfs_change_out(const struct gfs2_statfs_change_host *sc, void *buf)
{
	struct gfs2_statfs_change *disk = buf;

	disk->sc_dinodes = cpu_to_be64(sc->sc_dinodes);
	disk->sc_free = cpu_to_be64(sc->sc_free);
	disk->sc_total = cpu_to_be64(sc->sc_total);
}
/**
 * gfs2_statfs_init - Load the in-core statfs counters from disk
 * @sdp: the filesystem
 *
 * Takes the master statfs inode's glock exclusively, reads the master
 * counters from that inode's buffer and, unless the mount is a spectator,
 * also reads the local change counters from @sdp->sd_sc_bh.
 *
 * NOTE(review): a failure of gfs2_meta_inode_buffer() is not propagated.
 * The function still returns 0 and leaves the in-core counters untouched,
 * so the caller cannot tell that they were never loaded. Only a failure to
 * acquire the glock is reported. Confirm whether that is intentional.
 *
 * Returns: 0, or the error from gfs2_glock_nq_init()
 */
int gfs2_statfs_init(struct gfs2_sbd *sdp)
{
	struct gfs2_inode *m_ip = GFS2_I(sdp->sd_statfs_inode);
	struct gfs2_statfs_change_host *master = &sdp->sd_statfs_master;
	struct gfs2_statfs_change_host *local = &sdp->sd_statfs_local;
	struct buffer_head *m_bh;
	struct gfs2_holder gh;
	int error;

	error = gfs2_glock_nq_init(m_ip->i_gl, LM_ST_EXCLUSIVE, GL_NOCACHE,
				   &gh);
	if (error)
		return error;

	error = gfs2_meta_inode_buffer(m_ip, &m_bh);
	if (!error) {
		/* Spectator mounts read only the master counters. */
		const int want_local = !sdp->sd_args.ar_spectator;

		spin_lock(&sdp->sd_statfs_spin);
		gfs2_statfs_change_in(master, m_bh->b_data +
				      sizeof(struct gfs2_dinode));
		if (want_local)
			gfs2_statfs_change_in(local, sdp->sd_sc_bh->b_data +
					      sizeof(struct gfs2_dinode));
		spin_unlock(&sdp->sd_statfs_spin);

		brelse(m_bh);
	}

	gfs2_glock_dq_uninit(&gh);
	return 0;
}
/**
 * gfs2_statfs_change - Apply a delta to the local statfs change counters
 * @sdp: the filesystem
 * @total: change in the total block count
 * @free: change in the free block count
 * @dinodes: change in the dinode count
 *
 * Adds the deltas to the in-core local counters, mirrors them into
 * @sdp->sd_sc_bh (which is added to the current transaction first), and
 * wakes the statfs sync machinery when the accumulated local free-block
 * change reaches the ar_statfs_percent threshold relative to the master
 * free count.
 *
 * NOTE(review): the threshold arithmetic is plain s64 multiplication with
 * no overflow check; the counters are presumably far too small for that to
 * matter - confirm.
 */
void gfs2_statfs_change(struct gfs2_sbd *sdp, s64 total, s64 free,
			s64 dinodes)
{
	struct gfs2_inode *l_ip = GFS2_I(sdp->sd_sc_inode);
	struct gfs2_statfs_change_host *local = &sdp->sd_statfs_local;
	struct gfs2_statfs_change_host *master = &sdp->sd_statfs_master;
	int need_sync = 0;

	gfs2_trans_add_meta(l_ip->i_gl, sdp->sd_sc_bh);

	spin_lock(&sdp->sd_statfs_spin);

	local->sc_total += total;
	local->sc_free += free;
	local->sc_dinodes += dinodes;
	gfs2_statfs_change_out(local, sdp->sd_sc_bh->b_data +
			       sizeof(struct gfs2_dinode));

	if (sdp->sd_args.ar_statfs_percent) {
		/*
		 * Compare 100 * local_free with master_free * percent in
		 * both directions, which avoids a division.
		 */
		s64 scaled_local = 100 * local->sc_free;
		s64 threshold = master->sc_free *
				sdp->sd_args.ar_statfs_percent;

		need_sync = (scaled_local >= threshold ||
			     scaled_local <= -threshold);
	}

	spin_unlock(&sdp->sd_statfs_spin);

	/* The wake-up is issued only after the spinlock has been dropped. */
	if (need_sync)
		gfs2_wake_up_statfs(sdp);
}
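/**
 * update_statfs - Fold the local statfs changes into the master counters
 * @sdp: the filesystem
 * @m_bh: buffer the master counters are written to, at an offset of
 *        sizeof(struct gfs2_dinode)
 *
 * Adds the local change counters to the master counters, zeroes the local
 * counters both in memory and in @sdp->sd_sc_bh, and encodes the new master
 * counters into @m_bh. Both buffers are added to the current transaction
 * first; gfs2_statfs_sync() in this file calls this between
 * gfs2_trans_begin() and gfs2_trans_end().
 */
void update_statfs(struct gfs2_sbd *sdp, struct buffer_head *m_bh)
{
	struct gfs2_inode *m_ip = GFS2_I(sdp->sd_statfs_inode);
	struct gfs2_inode *l_ip = GFS2_I(sdp->sd_sc_inode);
	struct gfs2_statfs_change_host *m_sc = &sdp->sd_statfs_master;
	struct gfs2_statfs_change_host *l_sc = &sdp->sd_statfs_local;

	gfs2_trans_add_meta(l_ip->i_gl, sdp->sd_sc_bh);
	gfs2_trans_add_meta(m_ip->i_gl, m_bh);

	spin_lock(&sdp->sd_statfs_spin);
	m_sc->sc_total += l_sc->sc_total;
	m_sc->sc_free += l_sc->sc_free;
	m_sc->sc_dinodes += l_sc->sc_dinodes;

	/*
	 * l_sc is the host-endian struct gfs2_statfs_change_host, so the
	 * length is taken from the object being cleared rather than from the
	 * on-disk struct gfs2_statfs_change. The clear then stays in bounds
	 * and complete even if the two layouts ever stop matching in size.
	 */
	memset(l_sc, 0, sizeof(*l_sc));

	/* The buffer copy really is the on-disk layout. */
	memset(sdp->sd_sc_bh->b_data + sizeof(struct gfs2_dinode),
	       0, sizeof(struct gfs2_statfs_change));
	gfs2_statfs_change_out(m_sc, m_bh->b_data + sizeof(struct gfs2_dinode));
	spin_unlock(&sdp->sd_statfs_spin);
}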
/**
 * gfs2_statfs_sync - Push pending local statfs changes into the master
 * @sb: the superblock
 * @type: not used by this function
 *
 * Takes the master statfs inode's glock exclusively, refreshes the in-core
 * master counters from disk and, if any local change is pending, folds it
 * into the master inside a transaction and clears sd_statfs_force_sync.
 *
 * Returns: 0 on success or when nothing was pending, errno otherwise
 */
int gfs2_statfs_sync(struct super_block *sb, int type)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;
	struct gfs2_inode *m_ip = GFS2_I(sdp->sd_statfs_inode);
	struct gfs2_statfs_change_host *master = &sdp->sd_statfs_master;
	struct gfs2_statfs_change_host *local = &sdp->sd_statfs_local;
	struct buffer_head *m_bh;
	struct gfs2_holder gh;
	int pending;
	int error;

	error = gfs2_glock_nq_init(m_ip->i_gl, LM_ST_EXCLUSIVE, GL_NOCACHE,
				   &gh);
	if (error)
		return error;

	error = gfs2_meta_inode_buffer(m_ip, &m_bh);
	if (error)
		goto release_glock;

	/* Refresh the master copy and sample the local one under the lock. */
	spin_lock(&sdp->sd_statfs_spin);
	gfs2_statfs_change_in(master, m_bh->b_data +
			      sizeof(struct gfs2_dinode));
	pending = local->sc_total || local->sc_free || local->sc_dinodes;
	spin_unlock(&sdp->sd_statfs_spin);

	/* Nothing to fold in; error is still 0 from the buffer read. */
	if (!pending)
		goto release_bh;

	error = gfs2_trans_begin(sdp, 2 * RES_DINODE, 0);
	if (error)
		goto release_bh;

	update_statfs(sdp, m_bh);
	sdp->sd_statfs_force_sync = 0;

	gfs2_trans_end(sdp);

release_bh:
	brelse(m_bh);
release_glock:
	gfs2_glock_dq_uninit(&gh);
	return error;
}
/*
 * One entry per journal while gfs2_lock_fs_check_clean() runs: that
 * function kmalloc()s one of these for every descriptor on sd_jindex_list,
 * initialises @gh on the journal inode's glock in shared mode, and links
 * the entry into a local list through @list.
 */
struct lfcc {
	struct list_head list;	/* link in the caller's local list */
	struct gfs2_holder gh;	/* holder for the journal inode's glock */
};
/**
|
|
|
|
* gfs2_lock_fs_check_clean - Stop all writes to the FS and check that all
|
|
|
|
* journals are clean
|
|
|
|
* @sdp: the file system
|
|
|
|
*
|
|
|
|
* Returns: errno
|
|
|
|
*/
|
|
|
|
|
2019-11-15 22:42:46 +08:00
|
|
|
static int gfs2_lock_fs_check_clean(struct gfs2_sbd *sdp)
|
2006-01-17 00:50:04 +08:00
|
|
|
{
|
2006-02-28 06:23:27 +08:00
|
|
|
struct gfs2_inode *ip;
|
2006-01-17 00:50:04 +08:00
|
|
|
struct gfs2_jdesc *jd;
|
|
|
|
struct lfcc *lfcc;
|
|
|
|
LIST_HEAD(list);
|
2006-10-14 09:47:13 +08:00
|
|
|
struct gfs2_log_header_host lh;
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
int error, error2;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Grab all the journal glocks in SH mode. We are *probably* doing
|
|
|
|
* that to prevent recovery.
|
|
|
|
*/
|
2006-01-17 00:50:04 +08:00
|
|
|
|
|
|
|
list_for_each_entry(jd, &sdp->sd_jindex_list, jd_list) {
|
|
|
|
lfcc = kmalloc(sizeof(struct lfcc), GFP_KERNEL);
|
|
|
|
if (!lfcc) {
|
|
|
|
error = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
2006-06-15 03:32:57 +08:00
|
|
|
ip = GFS2_I(jd->jd_inode);
|
|
|
|
error = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, 0, &lfcc->gh);
|
2006-01-17 00:50:04 +08:00
|
|
|
if (error) {
|
|
|
|
kfree(lfcc);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
list_add(&lfcc->list, &list);
|
|
|
|
}
|
|
|
|
|
2024-04-07 18:55:44 +08:00
|
|
|
gfs2_freeze_unlock(sdp);
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
|
GFS2: remove transaction glock
GFS2 has a transaction glock, which must be grabbed for every
transaction, whose purpose is to deal with freezing the filesystem.
Aside from this involving a large amount of locking, it is very easy to
make the current fsfreeze code hang on unfreezing.
This patch rewrites how gfs2 handles freezing the filesystem. The
transaction glock is removed. In it's place is a freeze glock, which is
cached (but not held) in a shared state by every node in the cluster
when the filesystem is mounted. This lock only needs to be grabbed on
freezing, and actions which need to be safe from freezing, like
recovery.
When a node wants to freeze the filesystem, it grabs this glock
exclusively. When the freeze glock state changes on the nodes (either
from shared to unlocked, or shared to exclusive), the filesystem does a
special log flush. gfs2_log_flush() does all the work for flushing out
the and shutting down the incore log, and then it tries to grab the
freeze glock in a shared state again. Since the filesystem is stuck in
gfs2_log_flush, no new transaction can start, and nothing can be written
to disk. Unfreezing the filesytem simply involes dropping the freeze
glock, allowing gfs2_log_flush() to grab and then release the shared
lock, so it is cached for next time.
However, in order for the unfreezing ioctl to occur, gfs2 needs to get a
shared lock on the filesystem root directory inode to check permissions.
If that glock has already been grabbed exclusively, fsfreeze will be
unable to get the shared lock and unfreeze the filesystem.
In order to allow the unfreeze, this patch makes gfs2 grab a shared lock
on the filesystem root directory during the freeze, and hold it until it
unfreezes the filesystem. The functions which need to grab a shared
lock in order to allow the unfreeze ioctl to be issued now use the lock
grabbed by the freeze code instead.
The freeze and unfreeze code take care to make sure that this shared
lock will not be dropped while another process is using it.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
2014-05-02 11:26:55 +08:00
|
|
|
error = gfs2_glock_nq_init(sdp->sd_freeze_gl, LM_ST_EXCLUSIVE,
|
2022-04-06 04:39:16 +08:00
|
|
|
LM_FLAG_NOEXP | GL_NOPID,
|
|
|
|
&sdp->sd_freeze_gh);
|
2019-11-15 22:42:46 +08:00
|
|
|
if (error)
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
goto relock_shared;
|
2006-01-17 00:50:04 +08:00
|
|
|
|
|
|
|
list_for_each_entry(jd, &sdp->sd_jindex_list, jd_list) {
|
|
|
|
error = gfs2_jdesc_check(jd);
|
|
|
|
if (error)
|
|
|
|
break;
|
2019-05-03 03:17:40 +08:00
|
|
|
error = gfs2_find_jhead(jd, &lh, false);
|
2006-01-17 00:50:04 +08:00
|
|
|
if (error)
|
|
|
|
break;
|
|
|
|
if (!(lh.lh_flags & GFS2_LOG_HEAD_UNMOUNT)) {
|
|
|
|
error = -EBUSY;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
if (!error)
|
|
|
|
goto out; /* success */
|
|
|
|
|
2024-04-07 18:55:44 +08:00
|
|
|
gfs2_freeze_unlock(sdp);
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
|
|
|
|
relock_shared:
|
2022-11-28 09:30:35 +08:00
|
|
|
error2 = gfs2_freeze_lock_shared(sdp);
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
gfs2_assert_withdraw(sdp, !error2);
|
2006-01-17 00:50:04 +08:00
|
|
|
|
2006-09-05 00:04:26 +08:00
|
|
|
out:
|
2006-01-17 00:50:04 +08:00
|
|
|
while (!list_empty(&list)) {
|
2020-02-04 02:22:45 +08:00
|
|
|
lfcc = list_first_entry(&list, struct lfcc, list);
|
2006-01-17 00:50:04 +08:00
|
|
|
list_del(&lfcc->list);
|
|
|
|
gfs2_glock_dq_uninit(&lfcc->gh);
|
|
|
|
kfree(lfcc);
|
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
/**
 * gfs2_dinode_out - Fill an on-disk dinode from the in-core inode
 * @ip: GFS2 inode supplying the values
 * @buf: destination buffer, written through as a struct gfs2_dinode
 *
 * Every field is stored through cpu_to_be16/32/64. @buf carries no
 * length, so this function cannot bounds-check it: the caller must pass
 * at least sizeof(struct gfs2_dinode) writable bytes. Only the fields
 * assigned below are written; any other byte of @buf keeps whatever it
 * held before the call.
 */
void gfs2_dinode_out(const struct gfs2_inode *ip, void *buf)
{
	struct gfs2_dinode *di = buf;
	const struct inode *inode = &ip->i_inode;
	unsigned int payload_format = 0;

	/* Only a directory without GFS2_DIF_EXHASH gets a payload format. */
	if (S_ISDIR(inode->i_mode) && !(ip->i_diskflags & GFS2_DIF_EXHASH))
		payload_format = GFS2_FORMAT_DE;

	/* Metadata header. */
	di->di_header.mh_magic = cpu_to_be32(GFS2_MAGIC);
	di->di_header.mh_type = cpu_to_be32(GFS2_METATYPE_DI);
	di->di_header.mh_format = cpu_to_be32(GFS2_FORMAT_DI);

	/* Inode identity. */
	di->di_num.no_addr = cpu_to_be64(ip->i_no_addr);
	di->di_num.no_formal_ino = cpu_to_be64(ip->i_no_formal_ino);

	/* Attributes read from the VFS inode. */
	di->di_mode = cpu_to_be32(inode->i_mode);
	di->di_uid = cpu_to_be32(i_uid_read(inode));
	di->di_gid = cpu_to_be32(i_gid_read(inode));
	di->di_nlink = cpu_to_be32(inode->i_nlink);
	di->di_size = cpu_to_be64(i_size_read(inode));
	di->di_blocks = cpu_to_be64(gfs2_get_inode_blocks(inode));

	/* Timestamps: seconds and nanoseconds are separate on-disk fields. */
	di->di_atime = cpu_to_be64(inode_get_atime_sec(inode));
	di->di_atime_nsec = cpu_to_be32(inode_get_atime_nsec(inode));
	di->di_mtime = cpu_to_be64(inode_get_mtime_sec(inode));
	di->di_mtime_nsec = cpu_to_be32(inode_get_mtime_nsec(inode));
	di->di_ctime = cpu_to_be64(inode_get_ctime_sec(inode));
	di->di_ctime_nsec = cpu_to_be32(inode_get_ctime_nsec(inode));

	/* Both goal fields are filled from the single in-core i_goal. */
	di->di_goal_meta = cpu_to_be64(ip->i_goal);
	di->di_goal_data = cpu_to_be64(ip->i_goal);
	di->di_generation = cpu_to_be64(ip->i_generation);

	/* GFS2-specific layout state. */
	di->di_flags = cpu_to_be32(ip->i_diskflags);
	di->di_height = cpu_to_be16(ip->i_height);
	di->di_payload_format = cpu_to_be32(payload_format);
	di->di_depth = cpu_to_be16(ip->i_depth);
	di->di_entries = cpu_to_be32(ip->i_entries);

	di->di_eattr = cpu_to_be64(ip->i_eattr);
}
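/**
 * gfs2_write_inode - Make sure the inode is stable on the disk
 * @inode: The inode
 * @wbc: The writeback control structure
 *
 * The log flush and the wait on the metadata mapping happen only when
 * @wbc->sync_mode is WB_SYNC_ALL or the inode is jdata. In every other
 * case writeback of the metadata mapping is started (or the AIL1 list is
 * flushed when the bdi reports dirty_exceeded) without being waited for,
 * and 0 is returned.
 *
 * Returns: 0, or the error reported by filemap_fdatawait()
 */
static int gfs2_write_inode(struct inode *inode, struct writeback_control *wbc)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_sbd *sdp = GFS2_SB(inode);
	struct address_space *metamapping = gfs2_glock2aspace(ip->i_gl);
	struct backing_dev_info *bdi = inode_to_bdi(metamapping->host);
	int ret = 0;
	bool flush_all = (wbc->sync_mode == WB_SYNC_ALL || gfs2_is_jdata(ip));

	if (flush_all)
		gfs2_log_flush(sdp, ip->i_gl,
			       GFS2_LOG_HEAD_FLUSH_NORMAL |
			       GFS2_LFC_WRITE_INODE);
	if (bdi->wb.dirty_exceeded)
		gfs2_ail1_flush(sdp, wbc);
	else
		/*
		 * NOTE(review): the return value of filemap_fdatawrite() is
		 * not checked; only filemap_fdatawait() below feeds ret.
		 */
		filemap_fdatawrite(metamapping);
	if (flush_all)
		ret = filemap_fdatawait(metamapping);
	if (ret) {
		/* The wait failed: mark the inode dirty again. */
		mark_inode_dirty_sync(inode);
	} else {
		/*
		 * I_DIRTY is a mask over inode->i_state, the word that
		 * i_lock protects. Testing it against i_flags would compare
		 * unrelated S_* attribute bits, so the inode could be dropped
		 * from the ordered-write list while still dirty, or kept on
		 * it when clean. Test i_state under i_lock instead.
		 */
		spin_lock(&inode->i_lock);
		if (!(inode->i_state & I_DIRTY))
			gfs2_ordered_del_inode(ip);
		spin_unlock(&inode->i_lock);
	}
	return ret;
}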
/**
 * gfs2_dirty_inode - check for atime updates
 * @inode: The inode in question
 * @flags: The type of dirty (not read anywhere in this function)
 *
 * Unfortunately it can be called under any combination of inode
 * glock and freeze glock, so we have to check carefully.
 *
 * At the moment this deals only with atime - it should be possible
 * to expand that role in future, once a review of the locking has
 * been carried out.
 *
 * The function returns void, so no failure reaches the caller: glock
 * and transaction errors are logged with fs_err(), and a failure of
 * gfs2_meta_inode_buffer() skips the on-disk update without a message.
 */
static void gfs2_dirty_inode(struct inode *inode, int flags)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_sbd *sdp = GFS2_SB(inode);
	struct buffer_head *bh;
	struct gfs2_holder gh;	/* initialised only on the path that sets need_unlock */
	int need_unlock = 0;	/* set once this function has taken the inode glock itself */
	int need_endtrans = 0;	/* set once this function has opened its own transaction */
	int ret;

	if (unlikely(!ip->i_gl)) {
		/* This can only happen during incomplete inode creation. */
		BUG_ON(!test_bit(GIF_ALLOC_FAILED, &ip->i_flags));
		return;
	}

	/* Nothing is written once the filesystem is withdrawing or withdrawn. */
	if (gfs2_withdrawing_or_withdrawn(sdp))
		return;
	if (!gfs2_glock_is_locked_by_me(ip->i_gl)) {
		/* Not held by this task: take the inode glock exclusively. */
		ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, 0, &gh);
		if (ret) {
			fs_err(sdp, "dirty_inode: glock %d\n", ret);
			gfs2_dump_glock(NULL, ip->i_gl, true);
			return;
		}
		need_unlock = 1;
	} else if (WARN_ON_ONCE(ip->i_gl->gl_state != LM_ST_EXCLUSIVE))
		/* Already held by this task, but not exclusively: warn once and skip the write. */
		return;

	/* Open a transaction only when the task does not already carry one. */
	if (current->journal_info == NULL) {
		ret = gfs2_trans_begin(sdp, RES_DINODE, 0);
		if (ret) {
			fs_err(sdp, "dirty_inode: gfs2_trans_begin %d\n", ret);
			/* No transaction was opened; only the glock may need releasing. */
			goto out;
		}
		need_endtrans = 1;
	}

	ret = gfs2_meta_inode_buffer(ip, &bh);
	if (ret == 0) {
		gfs2_trans_add_meta(ip->i_gl, bh);
		/*
		 * gfs2_dinode_out() takes no length; presumably bh->b_data is
		 * the inode's metadata block and large enough for a struct
		 * gfs2_dinode - verify against gfs2_meta_inode_buffer().
		 */
		gfs2_dinode_out(ip, bh->b_data);
		brelse(bh);
	}

	if (need_endtrans)
		gfs2_trans_end(sdp);
out:
	/* Release the glock only if it was acquired above. */
	if (need_unlock)
		gfs2_glock_dq_uninit(&gh);
}
/**
|
|
|
|
* gfs2_make_fs_ro - Turn a Read-Write FS into a Read-Only one
|
|
|
|
* @sdp: the filesystem
|
|
|
|
*
|
|
|
|
* Returns: nothing (the function is declared void)
|
|
|
|
*/
|
|
|
|
|
2021-03-04 22:28:57 +08:00
|
|
|
void gfs2_make_fs_ro(struct gfs2_sbd *sdp)
|
2009-05-22 17:36:01 +08:00
|
|
|
{
|
gfs2: Force withdraw to replay journals and wait for it to finish
When a node withdraws from a file system, it often leaves its journal
in an incomplete state. This is especially true when the withdraw is
caused by io errors writing to the journal. Before this patch, a
withdraw would try to write a "shutdown" record to the journal, tell
dlm it's done with the file system, and none of the other nodes
know about the problem. Later, when the problem is fixed and the
withdrawn node is rebooted, it would then discover that its own
journal was incomplete, and replay it. However, replaying it at this
point is almost guaranteed to introduce corruption because the other
nodes are likely to have used affected resource groups that appeared
in the journal since the time of the withdraw. Replaying the journal
later will overwrite any changes made, and not through any fault of
dlm, which was instructed during the withdraw to release those
resources.
This patch makes file system withdraws seen by the entire cluster.
Withdrawing nodes dequeue their journal glock to allow recovery.
The remaining nodes check all the journals to see if they are
clean or in need of replay. They try to replay dirty journals, but
only the journals of withdrawn nodes will be "not busy" and
therefore available for replay.
Until the journal replay is complete, no i/o related glocks may be
given out, to ensure that the replay does not cause the
aforementioned corruption: We cannot allow any journal replay to
overwrite blocks associated with a glock once it is held.
The "live" glock which is now used to signal when a withdraw
occurs. When a withdraw occurs, the node signals its withdraw by
dequeueing the "live" glock and trying to enqueue it in EX mode,
thus forcing the other nodes to all see a demote request, by way
of a "1CB" (one callback) try lock. The "live" glock is not
granted in EX; the callback is only just used to indicate a
withdraw has occurred.
Note that all nodes in the cluster must wait for the recovering
node to finish replaying the withdrawing node's journal before
continuing. To this end, it checks that the journals are clean
multiple times in a retry loop.
Also note that the withdraw function may be called from a wide
variety of situations, and therefore, we need to take extra
precautions to make sure pointers are valid before using them in
many circumstances.
We also need to take care when glocks decide to withdraw, since
the withdraw code now uses glocks.
Also, before this patch, if a process encountered an error and
decided to withdraw, if another process was already withdrawing,
the second withdraw would be silently ignored, which set it free
to unlock its glocks. That's correct behavior if the original
withdrawer encounters further errors down the road. But if
secondary waiters don't wait for the journal replay, unlocking
glocks will allow other nodes to use them, despite the fact that
the journal containing those blocks is being replayed. The
replay needs to finish before our glocks are released to other
nodes. IOW, secondary withdraws need to wait for the first
withdraw to finish.
For example, if an rgrp glock is unlocked by a process that didn't
wait for the first withdraw, a journal replay could introduce file
system corruption by replaying a rgrp block that has already been
granted to a different cluster node.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
2020-01-29 03:23:45 +08:00
|
|
|
int log_write_allowed = test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags);
|
|
|
|
|
2023-08-23 21:53:13 +08:00
|
|
|
if (!test_bit(SDF_KILL, &sdp->sd_flags))
|
2022-12-07 00:27:14 +08:00
|
|
|
gfs2_flush_delete_work(sdp);
|
|
|
|
|
gfs2: Fix asynchronous thread destruction
The kernel threads are currently stopped and destroyed synchronously by
gfs2_make_fs_ro() and gfs2_put_super(), and asynchronously by
signal_our_withdraw(), with no synchronization, so the synchronous and
asynchronous contexts can race with each other.
First, when creating the kernel threads, take an extra task struct
reference so that the task struct won't go away immediately when they
terminate. This allows those kthreads to terminate immediately when
they're done rather than hanging around as zombies until they are reaped
by kthread_stop(). When kthread_stop() is called on a terminated
kthread, it will return immediately.
Second, in signal_our_withdraw(), once the SDF_JOURNAL_LIVE flag has
been cleared, wake up the logd and quotad wait queues instead of
stopping the logd and quotad kthreads. The kthreads are then expected
to terminate automatically within short time, but if they cannot, they
will not block the withdraw.
For example, if a user process and one of the kthread decide to withdraw
at the same time, only one of them will perform the actual withdraw and
the other will wait for it to be done. If the kthread ends up being the
one to wait, the withdrawing user process won't be able to stop it.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2023-08-28 23:14:32 +08:00
|
|
|
gfs2_destroy_threads(sdp);
|
2013-12-12 19:34:09 +08:00
|
|
|
|
gfs2: Force withdraw to replay journals and wait for it to finish
When a node withdraws from a file system, it often leaves its journal
in an incomplete state. This is especially true when the withdraw is
caused by io errors writing to the journal. Before this patch, a
withdraw would try to write a "shutdown" record to the journal, tell
dlm it's done with the file system, and none of the other nodes
know about the problem. Later, when the problem is fixed and the
withdrawn node is rebooted, it would then discover that its own
journal was incomplete, and replay it. However, replaying it at this
point is almost guaranteed to introduce corruption because the other
nodes are likely to have used affected resource groups that appeared
in the journal since the time of the withdraw. Replaying the journal
later will overwrite any changes made, and not through any fault of
dlm, which was instructed during the withdraw to release those
resources.
This patch makes file system withdraws seen by the entire cluster.
Withdrawing nodes dequeue their journal glock to allow recovery.
The remaining nodes check all the journals to see if they are
clean or in need of replay. They try to replay dirty journals, but
only the journals of withdrawn nodes will be "not busy" and
therefore available for replay.
Until the journal replay is complete, no i/o related glocks may be
given out, to ensure that the replay does not cause the
aforementioned corruption: We cannot allow any journal replay to
overwrite blocks associated with a glock once it is held.
The "live" glock which is now used to signal when a withdraw
occurs. When a withdraw occurs, the node signals its withdraw by
dequeueing the "live" glock and trying to enqueue it in EX mode,
thus forcing the other nodes to all see a demote request, by way
of a "1CB" (one callback) try lock. The "live" glock is not
granted in EX; the callback is only just used to indicate a
withdraw has occurred.
Note that all nodes in the cluster must wait for the recovering
node to finish replaying the withdrawing node's journal before
continuing. To this end, it checks that the journals are clean
multiple times in a retry loop.
Also note that the withdraw function may be called from a wide
variety of situations, and therefore, we need to take extra
precautions to make sure pointers are valid before using them in
many circumstances.
We also need to take care when glocks decide to withdraw, since
the withdraw code now uses glocks.
Also, before this patch, if a process encountered an error and
decided to withdraw, if another process was already withdrawing,
the second withdraw would be silently ignored, which set it free
to unlock its glocks. That's correct behavior if the original
withdrawer encounters further errors down the road. But if
secondary waiters don't wait for the journal replay, unlocking
glocks will allow other nodes to use them, despite the fact that
the journal containing those blocks is being replayed. The
replay needs to finish before our glocks are released to other
nodes. IOW, secondary withdraws need to wait for the first
withdraw to finish.
For example, if an rgrp glock is unlocked by a process that didn't
wait for the first withdraw, a journal replay could introduce file
system corruption by replaying a rgrp block that has already been
granted to a different cluster node.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
2020-01-29 03:23:45 +08:00
|
|
|
if (log_write_allowed) {
|
|
|
|
gfs2_quota_sync(sdp->sd_vfs, 0);
|
|
|
|
gfs2_statfs_sync(sdp->sd_vfs, 0);
|
2009-05-22 17:36:01 +08:00
|
|
|
|
gfs2: Perform second log flush in gfs2_make_fs_ro
Before this patch, function gfs2_make_fs_ro called gfs2_log_flush once to
finalize the log. However, if there's dirty metadata, log flushes tend
to sync the metadata and formulate revokes. Before this patch, those
revokes may not be written out to the journal immediately, which meant
unresolved glocks could still have revokes in their ail lists. When the
glock worker runs, it tries to transition the glock, but the unresolved
revokes in the ail still need to be written, so it tries to start a
transaction. It's impossible to start a transaction because at that
point, the SDF_JOURNAL_LIVE flag has been cleared by gfs2_make_fs_ro.
That causes the glock worker to fail, unable to write the revokes. The
calling sequence looked something like this:
gfs2_make_fs_ro
gfs2_log_flush - with GFS2_LOG_HEAD_FLUSH_SHUTDOWN flag set
if (flags & GFS2_LOG_HEAD_FLUSH_SHUTDOWN)
clear_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags);
...meanwhile...
glock_work_func
do_xmote
rgrp_go_sync (or possibly inode_go_sync)
...
gfs2_ail_empty_gl
__gfs2_trans_begin
if (unlikely(!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags))) {
...
return -EROFS;
The previous patch in the series ("gfs2: return errors from
gfs2_ail_empty_gl") now causes the transaction error to no longer be
ignored, so it causes a warning from MOST of the xfstests:
WARNING: CPU: 11 PID: X at fs/gfs2/super.c:603 gfs2_put_super [gfs2]
which corresponds to:
WARN_ON(gfs2_withdrawing(sdp));
The withdraw was triggered silently from do_xmote by:
if (unlikely(sdp->sd_log_error && !gfs2_withdrawn(sdp)))
gfs2_withdraw_delayed(sdp);
This patch adds a second log_flush to gfs2_make_fs_ro: one to sync the
data and one to sync any outstanding revokes and finalize the journal.
Note that both of these log flushes need to be "special," in other
words, not GFS2_LOG_HEAD_FLUSH_NORMAL.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2023-04-22 03:07:08 +08:00
|
|
|
/* We do two log flushes here. The first one commits dirty inodes
|
|
|
|
* and rgrps to the journal, but queues up revokes to the ail list.
|
|
|
|
* The second flush writes out and removes the revokes.
|
|
|
|
*
|
|
|
|
* The first must be done before the FLUSH_SHUTDOWN code
|
|
|
|
* clears the LIVE flag, otherwise it will not be able to start
|
|
|
|
* a transaction to write its revokes, and the error will cause
|
|
|
|
* a withdraw of the file system. */
|
|
|
|
gfs2_log_flush(sdp, NULL, GFS2_LFC_MAKE_FS_RO);
|
gfs2: Force withdraw to replay journals and wait for it to finish
When a node withdraws from a file system, it often leaves its journal
in an incomplete state. This is especially true when the withdraw is
caused by io errors writing to the journal. Before this patch, a
withdraw would try to write a "shutdown" record to the journal, tell
dlm it's done with the file system, and none of the other nodes
know about the problem. Later, when the problem is fixed and the
withdrawn node is rebooted, it would then discover that its own
journal was incomplete, and replay it. However, replaying it at this
point is almost guaranteed to introduce corruption because the other
nodes are likely to have used affected resource groups that appeared
in the journal since the time of the withdraw. Replaying the journal
later will overwrite any changes made, and not through any fault of
dlm, which was instructed during the withdraw to release those
resources.
This patch makes file system withdraws seen by the entire cluster.
Withdrawing nodes dequeue their journal glock to allow recovery.
The remaining nodes check all the journals to see if they are
clean or in need of replay. They try to replay dirty journals, but
only the journals of withdrawn nodes will be "not busy" and
therefore available for replay.
Until the journal replay is complete, no i/o related glocks may be
given out, to ensure that the replay does not cause the
aforementioned corruption: We cannot allow any journal replay to
overwrite blocks associated with a glock once it is held.
The "live" glock which is now used to signal when a withdraw
occurs. When a withdraw occurs, the node signals its withdraw by
dequeueing the "live" glock and trying to enqueue it in EX mode,
thus forcing the other nodes to all see a demote request, by way
of a "1CB" (one callback) try lock. The "live" glock is not
granted in EX; the callback is only just used to indicate a
withdraw has occurred.
Note that all nodes in the cluster must wait for the recovering
node to finish replaying the withdrawing node's journal before
continuing. To this end, it checks that the journals are clean
multiple times in a retry loop.
Also note that the withdraw function may be called from a wide
variety of situations, and therefore, we need to take extra
precautions to make sure pointers are valid before using them in
many circumstances.
We also need to take care when glocks decide to withdraw, since
the withdraw code now uses glocks.
Also, before this patch, if a process encountered an error and
decided to withdraw, if another process was already withdrawing,
the second withdraw would be silently ignored, which set it free
to unlock its glocks. That's correct behavior if the original
withdrawer encounters further errors down the road. But if
secondary waiters don't wait for the journal replay, unlocking
glocks will allow other nodes to use them, despite the fact that
the journal containing those blocks is being replayed. The
replay needs to finish before our glocks are released to other
nodes. IOW, secondary withdraws need to wait for the first
withdraw to finish.
For example, if an rgrp glock is unlocked by a process that didn't
wait for the first withdraw, a journal replay could introduce file
system corruption by replaying a rgrp block that has already been
granted to a different cluster node.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
2020-01-29 03:23:45 +08:00
|
|
|
gfs2_log_flush(sdp, NULL, GFS2_LOG_HEAD_FLUSH_SHUTDOWN |
|
|
|
|
GFS2_LFC_MAKE_FS_RO);
|
2020-12-13 16:21:34 +08:00
|
|
|
wait_event_timeout(sdp->sd_log_waitq,
|
|
|
|
gfs2_log_is_empty(sdp),
|
|
|
|
HZ * 5);
|
|
|
|
gfs2_assert_warn(sdp, gfs2_log_is_empty(sdp));
|
gfs2: Force withdraw to replay journals and wait for it to finish
When a node withdraws from a file system, it often leaves its journal
in an incomplete state. This is especially true when the withdraw is
caused by io errors writing to the journal. Before this patch, a
withdraw would try to write a "shutdown" record to the journal, tell
dlm it's done with the file system, and none of the other nodes
know about the problem. Later, when the problem is fixed and the
withdrawn node is rebooted, it would then discover that its own
journal was incomplete, and replay it. However, replaying it at this
point is almost guaranteed to introduce corruption because the other
nodes are likely to have used affected resource groups that appeared
in the journal since the time of the withdraw. Replaying the journal
later will overwrite any changes made, and not through any fault of
dlm, which was instructed during the withdraw to release those
resources.
This patch makes file system withdraws seen by the entire cluster.
Withdrawing nodes dequeue their journal glock to allow recovery.
The remaining nodes check all the journals to see if they are
clean or in need of replay. They try to replay dirty journals, but
only the journals of withdrawn nodes will be "not busy" and
therefore available for replay.
Until the journal replay is complete, no i/o related glocks may be
given out, to ensure that the replay does not cause the
aforementioned corruption: We cannot allow any journal replay to
overwrite blocks associated with a glock once it is held.
The "live" glock which is now used to signal when a withdraw
occurs. When a withdraw occurs, the node signals its withdraw by
dequeueing the "live" glock and trying to enqueue it in EX mode,
thus forcing the other nodes to all see a demote request, by way
of a "1CB" (one callback) try lock. The "live" glock is not
granted in EX; the callback is only just used to indicate a
withdraw has occurred.
Note that all nodes in the cluster must wait for the recovering
node to finish replaying the withdrawing node's journal before
continuing. To this end, it checks that the journals are clean
multiple times in a retry loop.
Also note that the withdraw function may be called from a wide
variety of situations, and therefore, we need to take extra
precautions to make sure pointers are valid before using them in
many circumstances.
We also need to take care when glocks decide to withdraw, since
the withdraw code now uses glocks.
Also, before this patch, if a process encountered an error and
decided to withdraw, if another process was already withdrawing,
the second withdraw would be silently ignored, which set it free
to unlock its glocks. That's correct behavior if the original
withdrawer encounters further errors down the road. But if
secondary waiters don't wait for the journal replay, unlocking
glocks will allow other nodes to use them, despite the fact that
the journal containing those blocks is being replayed. The
replay needs to finish before our glocks are released to other
nodes. IOW, secondary withdraws need to wait for the first
withdraw to finish.
For example, if an rgrp glock is unlocked by a process that didn't
wait for the first withdraw, a journal replay could introduce file
system corruption by replaying a rgrp block that has already been
granted to a different cluster node.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
2020-01-29 03:23:45 +08:00
|
|
|
}
|
2009-05-22 17:36:01 +08:00
|
|
|
gfs2_quota_cleanup(sdp);
|
|
|
|
}
/**
 * gfs2_put_super - Unmount the filesystem
 * @sb: The VFS superblock
 *
 * Blocks new journal recovery requests, waits for any recovery that is
 * still flagged on a journal descriptor, calls gfs2_make_fs_ro() when the
 * superblock is not already read-only, and then releases the inodes, glock
 * holders and in-core structures reachable from the superblock data.
 *
 * Every step below dereferences sdp, and free_sbd() is the final call;
 * nothing may touch sdp after it. Treat any reordering of the release
 * sequence as a potential use-after-free and review it as such.
 */

static void gfs2_put_super(struct super_block *sb)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;
	struct gfs2_jdesc *jd;

	/* No more recovery requests */
	set_bit(SDF_NORECOVERY, &sdp->sd_flags);
	/*
	 * Full barrier so the flag is visible before the journal list is
	 * scanned. NOTE(review): presumably pairs with a reader of
	 * SDF_NORECOVERY on the recovery-request path - confirm which one.
	 */
	smp_mb();

	/* Wait on outstanding recovery */
restart:
	spin_lock(&sdp->sd_jindex_spin);
	list_for_each_entry(jd, &sdp->sd_jindex_list, jd_list) {
		if (!test_bit(JDF_RECOVERY, &jd->jd_flags))
			continue;
		/*
		 * wait_on_bit() sleeps, so the spinlock is dropped first.
		 * The list was unprotected while we slept and may have
		 * changed, so the scan restarts from the head instead of
		 * continuing from jd.
		 */
		spin_unlock(&sdp->sd_jindex_spin);
		wait_on_bit(&jd->jd_flags, JDF_RECOVERY,
			    TASK_UNINTERRUPTIBLE);
		goto restart;
	}
	spin_unlock(&sdp->sd_jindex_spin);

	/*
	 * Read-write mount: gfs2_make_fs_ro() handles the transition (its
	 * tail, earlier in this file, also calls gfs2_quota_cleanup()).
	 * Already read-only: the kernel threads are only destroyed here when
	 * a withdraw is in progress or has completed, then quota cleanup
	 * runs directly.
	 */
	if (!sb_rdonly(sb))
		gfs2_make_fs_ro(sdp);
	else {
		if (gfs2_withdrawing_or_withdrawn(sdp))
			gfs2_destroy_threads(sdp);

		gfs2_quota_cleanup(sdp);
	}

	/* A withdraw still in progress here is unexpected; warn and go on. */
	WARN_ON(gfs2_withdrawing(sdp));

	/* At this point, we're through modifying the disk */

	/* Release stuff */

	/*
	 * NOTE(review): presumably releases the freeze glock hold taken at
	 * mount time - confirm against the mount path.
	 */
	gfs2_freeze_unlock(sdp);

	iput(sdp->sd_jindex);
	iput(sdp->sd_statfs_inode);
	iput(sdp->sd_rindex);
	iput(sdp->sd_quota_inode);

	gfs2_glock_put(sdp->sd_rename_gl);
	gfs2_glock_put(sdp->sd_freeze_gl);

	/* Everything in this branch is skipped for spectator mounts. */
	if (!sdp->sd_args.ar_spectator) {
		/*
		 * Only the journal and journal-inode holders are checked
		 * with gfs2_holder_initialized() before being dequeued.
		 * NOTE(review): sd_sc_gh, sd_qc_gh and (below) sd_live_gh
		 * are dequeued unconditionally; this assumes they are always
		 * initialized on any mount that reaches put_super - confirm
		 * against the mount error paths and the withdraw code.
		 */
		if (gfs2_holder_initialized(&sdp->sd_journal_gh))
			gfs2_glock_dq_uninit(&sdp->sd_journal_gh);
		if (gfs2_holder_initialized(&sdp->sd_jinode_gh))
			gfs2_glock_dq_uninit(&sdp->sd_jinode_gh);
		brelse(sdp->sd_sc_bh);
		gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
		gfs2_glock_dq_uninit(&sdp->sd_qc_gh);
		free_local_statfs_inodes(sdp);
		iput(sdp->sd_qc_inode);
	}

	gfs2_glock_dq_uninit(&sdp->sd_live_gh);
	gfs2_clear_rgrpd(sdp);
	gfs2_jindex_free(sdp);
	/* Take apart glock structures and buffer lists */
	gfs2_gl_hash_clear(sdp);
	truncate_inode_pages_final(&sdp->sd_aspace);
	gfs2_delete_debugfs_file(sdp);

	gfs2_sys_fs_del(sdp);
	/* Last use of sdp; free_sbd() is expected to release it - confirm. */
	free_sbd(sdp);
}
/**
 * gfs2_sync_fs - sync the filesystem
 * @sb: the superblock
 * @wait: true to wait for completion
 *
 * Calls gfs2_quota_sync() and, when @wait is set, flushes the log to disk.
 * The return value of gfs2_quota_sync() is not checked here.
 *
 * Returns: the current value of sd_log_error, whether or not the log was
 * flushed by this call.
 */

static int gfs2_sync_fs(struct super_block *sb, int wait)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;

	gfs2_quota_sync(sb, -1);

	/* Non-waiting sync: report any recorded log error without flushing. */
	if (!wait)
		return sdp->sd_log_error;

	gfs2_log_flush(sdp, NULL,
		       GFS2_LOG_HEAD_FLUSH_NORMAL | GFS2_LFC_SYNC_FS);

	/* Read after the flush so a caller sees what sd_log_error holds now. */
	return sdp->sd_log_error;
}
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
/**
 * gfs2_do_thaw - acquire the shared freeze lock and thaw the superblock
 * @sdp: the filesystem
 *
 * Calls gfs2_freeze_lock_shared() and, if that succeeds, thaw_super() with
 * FREEZE_HOLDER_USERSPACE. If either step fails, the error is logged and
 * gfs2_assert_withdraw() is invoked on a constant 0, so that assertion
 * always trips on the failure path.
 *
 * Returns: 0 on success, or the error from whichever step failed
 */
static int gfs2_do_thaw(struct gfs2_sbd *sdp)
{
	struct super_block *sb = sdp->sd_vfs;
	int error = gfs2_freeze_lock_shared(sdp);

	/* thaw_super() is only attempted once the lock call has succeeded. */
	if (!error)
		error = thaw_super(sb, FREEZE_HOLDER_USERSPACE);
	if (!error)
		return 0;

	/* Shared failure path for both the lock and the thaw step. */
	fs_info(sdp, "GFS2: couldn't thaw filesystem: %d\n", error);
	gfs2_assert_withdraw(sdp, 0);
	return error;
}
/*
 * gfs2_freeze_func - work item that freezes and then re-thaws this node
 * @work: the sd_freeze_work member embedded in the superblock data
 *
 * Runs with sd_freeze_mutex held for the whole freeze/unlock/thaw sequence.
 * If SDF_FROZEN is already set, the attempt is reported as -EBUSY and no
 * freeze is started.
 *
 * The function always ends with deactivate_super(), on success and on every
 * failure path.  NOTE(review): that presumably releases an active reference
 * taken by whoever queued this work item - confirm against the caller.
 */
void gfs2_freeze_func(struct work_struct *work)
{
	struct gfs2_sbd *sdp = container_of(work, struct gfs2_sbd, sd_freeze_work);
	struct super_block *sb = sdp->sd_vfs;
	int error = -EBUSY;

	mutex_lock(&sdp->sd_freeze_mutex);

	/* Only attempt the local freeze when we are not frozen already. */
	if (!test_bit(SDF_FROZEN, &sdp->sd_flags))
		error = freeze_super(sb, FREEZE_HOLDER_USERSPACE);
	if (error) {
		fs_info(sdp, "GFS2: couldn't freeze filesystem: %d\n", error);
		goto unlock;
	}

	gfs2_freeze_unlock(sdp);
	set_bit(SDF_FROZEN, &sdp->sd_flags);

	/*
	 * SDF_FROZEN is only cleared after a successful thaw; on failure it
	 * stays set and nothing is logged here.
	 */
	error = gfs2_do_thaw(sdp);
	if (!error)
		clear_bit(SDF_FROZEN, &sdp->sd_flags);

unlock:
	mutex_unlock(&sdp->sd_freeze_mutex);
	deactivate_super(sb);
}
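/**
 * gfs2_freeze_super - prevent further writes to the filesystem
 * @sb: the VFS structure for the filesystem
 * @who: freeze holder supplied by the caller; not consulted here, the local
 *       freeze is always requested as FREEZE_HOLDER_USERSPACE
 *
 * Freezes the filesystem locally and then calls gfs2_lock_fs_check_clean().
 * When that call fails, the local freeze is undone with gfs2_do_thaw() and
 * the attempt is retried after one second, except for -EIO, which is fatal.
 * There is no retry limit, and sd_freeze_mutex is held across the retries.
 *
 * On success, SDF_FREEZE_INITIATOR and SDF_FROZEN are both set.
 *
 * Returns: 0 on success; -EBUSY if sd_freeze_mutex is contended or the
 * filesystem is already frozen; -EIO if gfs2_lock_fs_check_clean() reported
 * a fatal error; otherwise the error from freeze_super() or gfs2_do_thaw().
 */
static int gfs2_freeze_super(struct super_block *sb, enum freeze_holder who)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;
	int lock_error;
	int error;

	/* Never block here: a freeze or thaw already in progress wins. */
	if (!mutex_trylock(&sdp->sd_freeze_mutex))
		return -EBUSY;
	if (test_bit(SDF_FROZEN, &sdp->sd_flags)) {
		mutex_unlock(&sdp->sd_freeze_mutex);
		return -EBUSY;
	}

	for (;;) {
		error = freeze_super(sb, FREEZE_HOLDER_USERSPACE);
		if (error) {
			fs_info(sdp, "GFS2: couldn't freeze filesystem: %d\n",
				error);
			goto out;
		}

		lock_error = gfs2_lock_fs_check_clean(sdp);
		if (!lock_error) {
			set_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags);
			set_bit(SDF_FROZEN, &sdp->sd_flags);
			break;
		}

		/* Undo the local freeze before reporting or retrying. */
		error = gfs2_do_thaw(sdp);
		if (error)
			goto out;

		/*
		 * Classify the gfs2_lock_fs_check_clean() failure.  It is kept
		 * in its own variable: reusing "error" here would test the
		 * gfs2_do_thaw() result, which is always 0 at this point, so
		 * the -EBUSY and -EIO branches could never run and a fatal
		 * recovery error would be retried forever.
		 */
		if (lock_error == -EBUSY) {
			fs_err(sdp, "waiting for recovery before freeze\n");
		} else if (lock_error == -EIO) {
			fs_err(sdp, "Fatal IO error: cannot freeze gfs2 due "
			       "to recovery error.\n");
			error = lock_error;
			goto out;
		} else {
			fs_err(sdp, "error freezing FS: %d\n", lock_error);
		}
		fs_err(sdp, "retrying...\n");
		msleep(1000);
	}

out:
	mutex_unlock(&sdp->sd_freeze_mutex);
	return error;
}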
/*
 * gfs2_freeze_fs - flush the log when the journal is live
 * @sb: the VFS structure for the filesystem
 *
 * Returns: 0 when the journal is not live or the flush left the filesystem
 * usable, -EIO when gfs2_withdrawing_or_withdrawn() reports a withdraw after
 * the flush.
 */
static int gfs2_freeze_fs(struct super_block *sb)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;

	/* No live journal, nothing to flush. */
	if (!test_bit(SDF_JOURNAL_LIVE, &sdp->sd_flags))
		return 0;

	gfs2_log_flush(sdp, NULL,
		       GFS2_LOG_HEAD_FLUSH_FREEZE | GFS2_LFC_FREEZE_GO_SYNC);

	/* The withdraw state is checked only after the flush was issued. */
	return gfs2_withdrawing_or_withdrawn(sdp) ? -EIO : 0;
}
/**
|
2022-11-14 23:40:15 +08:00
|
|
|
* gfs2_thaw_super - reallow writes to the filesystem
|
2009-05-22 17:36:01 +08:00
|
|
|
* @sb: the VFS structure for the filesystem
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
|
2023-07-18 00:00:09 +08:00
|
|
|
static int gfs2_thaw_super(struct super_block *sb, enum freeze_holder who)
|
2009-05-22 17:36:01 +08:00
|
|
|
{
|
2013-01-11 18:49:34 +08:00
|
|
|
struct gfs2_sbd *sdp = sb->s_fs_info;
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
int error;
|
2013-01-11 18:49:34 +08:00
|
|
|
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
if (!mutex_trylock(&sdp->sd_freeze_mutex))
|
|
|
|
return -EBUSY;
|
2023-12-26 03:00:20 +08:00
|
|
|
if (!test_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags)) {
|
|
|
|
mutex_unlock(&sdp->sd_freeze_mutex);
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
|
|
|
|
2023-12-26 03:07:46 +08:00
|
|
|
atomic_inc(&sb->s_active);
|
2024-04-07 18:55:44 +08:00
|
|
|
gfs2_freeze_unlock(sdp);
|
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
error = gfs2_do_thaw(sdp);
if (!error) {
clear_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags);
2022-08-18 22:12:24 +08:00
clear_bit(SDF_FROZEN, &sdp->sd_flags);
2014-11-14 10:42:04 +08:00
}
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
mutex_unlock(&sdp->sd_freeze_mutex);
2023-12-26 03:07:46 +08:00
deactivate_super(sb);
gfs2: Rework freeze / thaw logic
So far, at mount time, gfs2 would take the freeze glock in shared mode
and then immediately drop it again, turning it into a cached glock that
can be reclaimed at any time. To freeze the filesystem cluster-wide,
the node initiating the freeze would take the freeze glock in exclusive
mode, which would cause the freeze glock's freeze_go_sync() callback to
run on each node. There, gfs2 would freeze the filesystem and schedule
gfs2_freeze_func() to run. gfs2_freeze_func() would re-acquire the
freeze glock in shared mode, thaw the filesystem, and drop the freeze
glock again. The initiating node would keep the freeze glock held in
exclusive mode. To thaw the filesystem, the initiating node would drop
the freeze glock again, which would allow gfs2_freeze_func() to resume
on all nodes, leaving the filesystem in the thawed state.
It turns out that in freeze_go_sync(), we cannot reliably and safely
freeze the filesystem. This is primarily because the final unmount of a
filesystem takes a write lock on the s_umount rw semaphore before
calling into gfs2_put_super(), and freeze_go_sync() needs to call
freeze_super() which also takes a write lock on the same semaphore,
causing a deadlock. We could work around this by trying to take an
active reference on the super block first, which would prevent unmount
from running at the same time. But that can fail, and freeze_go_sync()
isn't actually allowed to fail.
To get around this, this patch changes the freeze glock locking scheme
as follows:
At mount time, each node takes the freeze glock in shared mode. To
freeze a filesystem, the initiating node first freezes the filesystem
locally and then drops and re-acquires the freeze glock in exclusive
mode. All other nodes notice that there is contention on the freeze
glock in their go_callback callbacks, and they schedule
gfs2_freeze_func() to run. There, they freeze the filesystem locally
and drop and re-acquire the freeze glock before re-thawing the
filesystem. This is happening outside of the glock state engine, so
there, we are allowed to fail.
From a cluster point of view, taking and immediately dropping a glock is
indistinguishable from taking the glock and only dropping it upon
contention, so this new scheme is compatible with the old one.
Thanks to Li Dong <lidong@vivo.com> for reporting a locking bug in
gfs2_freeze_func() in a previous version of this commit.
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
2022-11-15 06:34:50 +08:00
return error;
}
/**
 * gfs2_thaw_freeze_initiator - call gfs2_freeze_unlock() on the initiating node
 * @sb: the super block
 *
 * Under sd_freeze_mutex, checks SDF_FREEZE_INITIATOR in sd_flags and calls
 * gfs2_freeze_unlock() only when it is set.  The flag itself is not
 * modified here.
 */
void gfs2_thaw_freeze_initiator(struct super_block *sb)
{
	struct gfs2_sbd *sdp = sb->s_fs_info;

	mutex_lock(&sdp->sd_freeze_mutex);
	/* A node that is not marked as freeze initiator has nothing to do. */
	if (test_bit(SDF_FREEZE_INITIATOR, &sdp->sd_flags))
		gfs2_freeze_unlock(sdp);
	mutex_unlock(&sdp->sd_freeze_mutex);
}
/**
 * statfs_slow_fill - add one resource group's counters to the running totals
 * @rgd: the resource group to account
 * @sc: the accumulator, updated in place
 *
 * Calls gfs2_rgrp_verify() on @rgd and then adds rd_data, rd_free and
 * rd_dinodes to sc_total, sc_free and sc_dinodes.  The counters are added
 * whatever the verification finds; nothing here is conditional on it.
 *
 * Returns: 0; this function has no failure path
 */

static int statfs_slow_fill(struct gfs2_rgrpd *rgd,
			    struct gfs2_statfs_change_host *sc)
{
	gfs2_rgrp_verify(rgd);

	/* The three sums are independent of each other. */
	sc->sc_dinodes += rgd->rd_dinodes;
	sc->sc_free += rgd->rd_free;
	sc->sc_total += rgd->rd_data;

	return 0;
}
/**
 * gfs2_statfs_slow - Stat a filesystem using asynchronous locking
 * @sdp: the filesystem
 * @sc: zeroed on entry, then filled with the summed counters
 *
 * Resource group glocks are requested with GL_ASYNC in LM_ST_SHARED mode,
 * at most 64 at a time (one per holder slot).  Each slot is polled; when
 * its glock has been granted the resource group is accounted with
 * statfs_slow_fill() and the holder is released so the slot can be reused
 * for the next resource group.
 *
 * Once an error has been recorded, no further glocks are requested and no
 * further counters are added, but the loop keeps running until no holder
 * is left initialized.  @sc may therefore hold partial totals when a
 * non-zero value is returned.  A pending signal sets the error to
 * -ERESTARTSYS, replacing any error recorded earlier.
 *
 * FIXME: This really shouldn't busy wait like this.
 *
 * Returns: errno
 */

static int gfs2_statfs_slow(struct gfs2_sbd *sdp, struct gfs2_statfs_change_host *sc)
{
	const unsigned int slots = 64;
	struct gfs2_holder *holders, *gh;
	struct gfs2_rgrpd *rgd_next;
	unsigned int i;
	int error = 0;
	int pending;

	memset(sc, 0, sizeof(*sc));

	/*
	 * kmalloc_array() takes the count and the element size separately
	 * and checks their product for overflow, unlike an open-coded
	 * kmalloc(count * size).
	 */
	holders = kmalloc_array(slots, sizeof(*holders), GFP_KERNEL);
	if (!holders)
		return -ENOMEM;
	/* The memory is not zeroed, so every slot is marked unused first. */
	for (i = 0; i < slots; i++)
		gfs2_holder_mark_uninitialized(&holders[i]);

	rgd_next = gfs2_rgrpd_get_first(sdp);

	do {
		pending = 0;

		for (i = 0; i < slots; i++) {
			gh = &holders[i];

			if (gfs2_holder_initialized(gh) && gfs2_glock_poll(gh)) {
				int err = gfs2_glock_wait(gh);

				if (err) {
					gfs2_holder_uninit(gh);
					error = err;
				} else {
					/* Stop accumulating after the first error. */
					if (!error) {
						struct gfs2_rgrpd *rgd =
							gfs2_glock2rgrp(gh->gh_gl);

						error = statfs_slow_fill(rgd, sc);
					}
					gfs2_glock_dq_uninit(gh);
				}
			}

			if (gfs2_holder_initialized(gh)) {
				/* Request still outstanding in this slot. */
				pending = 1;
			} else if (rgd_next && !error) {
				/* Free slot: queue the next resource group. */
				error = gfs2_glock_nq_init(rgd_next->rd_gl,
							   LM_ST_SHARED,
							   GL_ASYNC,
							   gh);
				rgd_next = gfs2_rgrpd_get_next(rgd_next);
				pending = 1;
			}

			if (signal_pending(current))
				error = -ERESTARTSYS;
		}

		if (pending)
			yield();
	} while (pending);

	kfree(holders);
	return error;
}
/**
 * gfs2_statfs_i - Do a statfs from the in-core master and local counters
 * @sdp: the filesystem
 * @sc: output; receives sd_statfs_master with sd_statfs_local added
 *
 * The copy and the additions are done under sd_statfs_spin.  Afterwards
 * the result is clamped so that callers never see a negative free or
 * dinode count, nor more free blocks than total blocks.
 *
 * Returns: 0; this function has no failure path
 */

static int gfs2_statfs_i(struct gfs2_sbd *sdp, struct gfs2_statfs_change_host *sc)
{
	struct gfs2_statfs_change_host *master = &sdp->sd_statfs_master;
	struct gfs2_statfs_change_host *local = &sdp->sd_statfs_local;

	spin_lock(&sdp->sd_statfs_spin);
	*sc = *master;
	sc->sc_total += local->sc_total;
	sc->sc_free += local->sc_free;
	sc->sc_dinodes += local->sc_dinodes;
	spin_unlock(&sdp->sd_statfs_spin);

	/* Clamp on the private copy; the lock is no longer needed. */
	if (sc->sc_dinodes < 0)
		sc->sc_dinodes = 0;
	if (sc->sc_free < 0)
		sc->sc_free = 0;
	if (sc->sc_free > sc->sc_total)
		sc->sc_free = sc->sc_total;

	return 0;
}
/**
 * gfs2_statfs - Gather and return stats about the filesystem
 * @dentry: a dentry on the filesystem; only its super block is used
 * @buf: The buffer to fill in
 *
 * Calls gfs2_rindex_update() first, then takes the counters from
 * gfs2_statfs_slow() when the gt_statfs_slow tunable is set and from
 * gfs2_statfs_i() otherwise.  @buf is written only when both steps
 * succeed.
 *
 * Returns: 0 on success or error code
 */

static int gfs2_statfs(struct dentry *dentry, struct kstatfs *buf)
{
	struct super_block *sb = dentry->d_sb;
	struct gfs2_sbd *sdp = sb->s_fs_info;
	struct gfs2_statfs_change_host sc;
	int error;

	error = gfs2_rindex_update(sdp);
	if (error)
		return error;

	if (gfs2_tune_get(sdp, gt_statfs_slow)) {
		error = gfs2_statfs_slow(sdp, &sc);
		if (error)
			return error;
	} else {
		error = gfs2_statfs_i(sdp, &sc);
		if (error)
			return error;
	}

	buf->f_type = GFS2_MAGIC;
	buf->f_bsize = sdp->sd_sb.sb_bsize;
	buf->f_namelen = GFS2_FNAMESIZE;
	buf->f_fsid = uuid_to_fsid(sb->s_uuid.b);

	/* Block counts: available equals free. */
	buf->f_blocks = sc.sc_total;
	buf->f_bfree = sc.sc_free;
	buf->f_bavail = sc.sc_free;

	/* Inode counts are reported in terms of the free block count. */
	buf->f_files = sc.sc_dinodes + sc.sc_free;
	buf->f_ffree = sc.sc_free;

	return 0;
}
/**
 * gfs2_drop_inode - Drop an inode (test for remote unlink)
 * @inode: The inode to drop
 *
 * A callback on an iopen lock means that a remote node tried to
 * deallocate the inode and could not, because this node still had it
 * open.  GLF_DEMOTE on the iopen glock therefore tells us the link count
 * has reached zero, so it is cleared here; without a disk read since the
 * remote node removed the final link, this node might otherwise miss the
 * event.  The check makes sure this node either deallocates the inode's
 * blocks or passes the baton on to another node for later deallocation.
 *
 * Returns: 0 when deletion was handed to gfs2_queue_try_to_evict(), 1 when
 * SDF_EVICTING is set, otherwise the result of generic_drop_inode()
 */

static int gfs2_drop_inode(struct inode *inode)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_sbd *sdp = GFS2_SB(inode);
	struct gfs2_glock *gl;

	if (inode->i_nlink) {
		if (gfs2_holder_initialized(&ip->i_iopen_gh)) {
			gl = ip->i_iopen_gh.gh_gl;
			if (test_bit(GLF_DEMOTE, &gl->gl_flags))
				clear_nlink(inode);
		}
	}

	/*
	 * When under memory pressure when an inode's link count has dropped to
	 * zero, defer deleting the inode to the delete workqueue.  This avoids
	 * calling into DLM under memory pressure, which can deadlock.
	 */
	if (!inode->i_nlink &&
	    unlikely(current->flags & PF_MEMALLOC) &&
	    gfs2_holder_initialized(&ip->i_iopen_gh)) {
		gl = ip->i_iopen_gh.gh_gl;

		/*
		 * Take a glock reference before queueing and drop it again
		 * if queueing did not happen, so the count stays balanced.
		 */
		gfs2_glock_hold(gl);
		if (!gfs2_queue_try_to_evict(gl))
			gfs2_glock_put_async(gl);
		return 0;
	}

	/*
	 * No longer cache inodes when trying to evict them all.
	 */
	if (test_bit(SDF_EVICTING, &sdp->sd_flags))
		return 1;

	return generic_drop_inode(inode);
}
/**
|
|
|
|
* gfs2_show_options - Show mount options for /proc/mounts
|
|
|
|
* @s: seq_file structure
|
2011-12-09 10:32:45 +08:00
|
|
|
* @root: root of this (sub)tree
|
2009-05-22 17:36:01 +08:00
|
|
|
*
|
|
|
|
* Returns: 0 on success or error code
|
|
|
|
*/
|
|
|
|
|
2011-12-09 10:32:45 +08:00
|
|
|
static int gfs2_show_options(struct seq_file *s, struct dentry *root)
|
2009-05-22 17:36:01 +08:00
|
|
|
{
|
2011-12-09 10:32:45 +08:00
|
|
|
struct gfs2_sbd *sdp = root->d_sb->s_fs_info;
|
2009-05-22 17:36:01 +08:00
|
|
|
struct gfs2_args *args = &sdp->sd_args;
|
2023-06-13 11:06:37 +08:00
|
|
|
unsigned int logd_secs, statfs_slow, statfs_quantum, quota_quantum;
|
|
|
|
|
|
|
|
spin_lock(&sdp->sd_tune.gt_spin);
|
|
|
|
logd_secs = sdp->sd_tune.gt_logd_secs;
|
|
|
|
quota_quantum = sdp->sd_tune.gt_quota_quantum;
|
|
|
|
statfs_quantum = sdp->sd_tune.gt_statfs_quantum;
|
|
|
|
statfs_slow = sdp->sd_tune.gt_statfs_slow;
|
|
|
|
spin_unlock(&sdp->sd_tune.gt_spin);
|
2009-05-22 17:36:01 +08:00
|
|
|
|
2023-12-20 13:31:57 +08:00
|
|
|
if (is_subdir(root, sdp->sd_master_dir))
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",meta");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_lockproto[0])
|
fs: create and use seq_show_option for escaping
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g. new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else. This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.
Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use
of "sudo" is something more sneaky:
$ BASE="ovl"
$ MNT="$BASE/mnt"
$ LOW="$BASE/lower"
$ UP="$BASE/upper"
$ WORK="$BASE/work/ 0 0
none /proc fuse.pwn user_id=1000"
$ mkdir -p "$LOW" "$UP" "$WORK"
$ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
$ cat /proc/mounts
none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
none /proc fuse.pwn user_id=1000 0 0
$ fusermount -u /proc
$ cat /proc/mounts
cat: /proc/mounts: No such file or directory
This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed. Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.
[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 06:44:57 +08:00
|
|
|
seq_show_option(s, "lockproto", args->ar_lockproto);
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_locktable[0])
|
fs: create and use seq_show_option for escaping
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g. new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else. This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.
Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use
of "sudo" is something more sneaky:
$ BASE="ovl"
$ MNT="$BASE/mnt"
$ LOW="$BASE/lower"
$ UP="$BASE/upper"
$ WORK="$BASE/work/ 0 0
none /proc fuse.pwn user_id=1000"
$ mkdir -p "$LOW" "$UP" "$WORK"
$ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
$ cat /proc/mounts
none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
none /proc fuse.pwn user_id=1000 0 0
$ fusermount -u /proc
$ cat /proc/mounts
cat: /proc/mounts: No such file or directory
This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed. Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.
[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 06:44:57 +08:00
|
|
|
seq_show_option(s, "locktable", args->ar_locktable);
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_hostdata[0])
|
fs: create and use seq_show_option for escaping
Many file systems that implement the show_options hook fail to correctly
escape their output which could lead to unescaped characters (e.g. new
lines) leaking into /proc/mounts and /proc/[pid]/mountinfo files. This
could lead to confusion, spoofed entries (resulting in things like
systemd issuing false d-bus "mount" notifications), and who knows what
else. This looks like it would only be the root user stepping on
themselves, but it's possible weird things could happen in containers or
in other situations with delegated mount privileges.
Here's an example using overlay with setuid fusermount trusting the
contents of /proc/mounts (via the /etc/mtab symlink). Imagine the use
of "sudo" is something more sneaky:
$ BASE="ovl"
$ MNT="$BASE/mnt"
$ LOW="$BASE/lower"
$ UP="$BASE/upper"
$ WORK="$BASE/work/ 0 0
none /proc fuse.pwn user_id=1000"
$ mkdir -p "$LOW" "$UP" "$WORK"
$ sudo mount -t overlay -o "lowerdir=$LOW,upperdir=$UP,workdir=$WORK" none /mnt
$ cat /proc/mounts
none /root/ovl/mnt overlay rw,relatime,lowerdir=ovl/lower,upperdir=ovl/upper,workdir=ovl/work/ 0 0
none /proc fuse.pwn user_id=1000 0 0
$ fusermount -u /proc
$ cat /proc/mounts
cat: /proc/mounts: No such file or directory
This fixes the problem by adding new seq_show_option and
seq_show_option_n helpers, and updating the vulnerable show_option
handlers to use them as needed. Some, like SELinux, need to be open
coded due to unusual existing escape mechanisms.
[akpm@linux-foundation.org: add lost chunk, per Kees]
[keescook@chromium.org: seq_show_option should be using const parameters]
Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Serge Hallyn <serge.hallyn@canonical.com>
Acked-by: Jan Kara <jack@suse.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Cc: J. R. Okajima <hooanon05g@gmail.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-09-05 06:44:57 +08:00
|
|
|
seq_show_option(s, "hostdata", args->ar_hostdata);
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_spectator)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",spectator");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_localflocks)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",localflocks");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_debug)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",debug");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_posix_acl)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",acl");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_quota != GFS2_QUOTA_DEFAULT) {
|
|
|
|
char *state;
|
|
|
|
switch (args->ar_quota) {
|
|
|
|
case GFS2_QUOTA_OFF:
|
|
|
|
state = "off";
|
|
|
|
break;
|
|
|
|
case GFS2_QUOTA_ACCOUNT:
|
|
|
|
state = "account";
|
|
|
|
break;
|
|
|
|
case GFS2_QUOTA_ON:
|
|
|
|
state = "on";
|
|
|
|
break;
|
2023-06-29 02:52:42 +08:00
|
|
|
case GFS2_QUOTA_QUIET:
|
|
|
|
state = "quiet";
|
|
|
|
break;
|
2009-05-22 17:36:01 +08:00
|
|
|
default:
|
|
|
|
state = "unknown";
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
seq_printf(s, ",quota=%s", state);
|
|
|
|
}
|
|
|
|
if (args->ar_suiddir)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",suiddir");
|
2009-05-22 17:36:01 +08:00
|
|
|
if (args->ar_data != GFS2_DATA_DEFAULT) {
|
|
|
|
char *state;
|
|
|
|
switch (args->ar_data) {
|
|
|
|
case GFS2_DATA_WRITEBACK:
|
|
|
|
state = "writeback";
|
|
|
|
break;
|
|
|
|
case GFS2_DATA_ORDERED:
|
|
|
|
state = "ordered";
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
state = "unknown";
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
seq_printf(s, ",data=%s", state);
|
|
|
|
}
|
|
|
|
if (args->ar_discard)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",discard");
|
2023-06-13 11:06:37 +08:00
|
|
|
if (logd_secs != 30)
|
|
|
|
seq_printf(s, ",commit=%d", logd_secs);
|
|
|
|
if (statfs_quantum != 30)
|
|
|
|
seq_printf(s, ",statfs_quantum=%d", statfs_quantum);
|
|
|
|
else if (statfs_slow)
|
2012-08-21 00:07:49 +08:00
|
|
|
seq_puts(s, ",statfs_quantum=0");
|
2023-06-13 11:06:37 +08:00
|
|
|
if (quota_quantum != 60)
|
|
|
|
seq_printf(s, ",quota_quantum=%d", quota_quantum);
|
2009-10-20 15:39:44 +08:00
|
|
|
if (args->ar_statfs_percent)
|
|
|
|
seq_printf(s, ",statfs_percent=%d", args->ar_statfs_percent);
|
2009-08-24 17:44:18 +08:00
|
|
|
if (args->ar_errors != GFS2_ERRORS_DEFAULT) {
|
|
|
|
const char *state;
|
|
|
|
|
|
|
|
switch (args->ar_errors) {
|
|
|
|
case GFS2_ERRORS_WITHDRAW:
|
|
|
|
state = "withdraw";
|
|
|
|
break;
|
|
|
|
case GFS2_ERRORS_PANIC:
|
|
|
|
state = "panic";
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
state = "unknown";
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
seq_printf(s, ",errors=%s", state);
|
|
|
|
}
|
2009-10-30 18:48:53 +08:00
|
|
|
if (test_bit(SDF_NOBARRIERS, &sdp->sd_flags))
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",nobarrier");
|
2010-05-06 18:03:29 +08:00
|
|
|
if (test_bit(SDF_DEMOTE, &sdp->sd_flags))
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",demote_interface_used");
|
GFS2: Use lvbs for storing rgrp information with mount option
Instead of reading in the resource groups when gfs2 is checking
for free space to allocate from, gfs2 can store the necessary information
in the resource group's lvb. Also, instead of searching for unlinked
inodes in every resource group that's checked for free space, gfs2 can
store the number of unlinked inodes in the lvb, and only check for
unlinked inodes if it will find some.
The first time a resource group is locked, the lvb must be initialized.
Since this involves counting the unlinked inodes in the resource group,
this takes a little extra time. But after that, if the resource group
is locked with GL_SKIP, the buffer head won't be read in unless it's
actually needed.
Enabling the resource groups lvbs is done via the rgrplvb mount option. If
this option isn't set, the lvbs will still be set and updated, but they won't
be verified or used by the filesystem. To safely turn on this option, all of
the nodes mounting the filesystem must be running code with this patch, and
the filesystem must have been completely unmounted since they were updated.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Steven Whitehouse <swhiteho@redhat.com>
2012-05-30 12:01:09 +08:00
|
|
|
if (args->ar_rgrplvb)
|
2014-07-03 04:08:46 +08:00
|
|
|
seq_puts(s, ",rgrplvb");
|
gfs2: change gfs2 readdir cookie
gfs2 currently returns 31 bits of filename hash as a cookie that readdir
uses for an offset into the directory. When there are a large number of
directory entries, the likelihood of a collision goes up way too
quickly. GFS2 will now return cookies that are guaranteed unique for a
while, and then fail back to using 30 bits of filename hash.
Specifically, the directory leaf blocks are divided up into chunks based
on the minimum size of a gfs2 directory entry (48 bytes). Each entry's
cookie is based off the chunk where it starts, in the linked list of
leaf blocks that it hashes to (there are 131072 hash buckets). Directory
entries will have unique names until they reach chunk 8192.
Assuming the largest filenames possible, and the least efficient spacing
possible, this new method will still be able to return unique names when
the previous method has statistically more than a 99% chance of a
collision. The non-unique names it fails back to are guaranteed to not
collide with the unique names.
unique cookies will be in this format:
- 1 bit "0" to make sure the returned cookie is positive
- 17 bits for the hash table index
- 1 bit for the mode "0"
- 13 bits for the offset
non-unique cookies will be in this format:
- 1 bit "0" to make sure the returned cookie is positive
- 17 bits for the hash table index
- 1 bit for the mode "1"
- 13 more bits of the name hash
Another benefit of location based cookies, is that once a directory's
exhash table is fully extended (so that multiple hash table indexes do
not use the same leaf blocks), gfs2 can skip sorting the directory
entries until it reaches the non-unique ones, and then it only needs to
sort these. This provides a significant speed up for directory reads of
very large directories.
The only issue is that for these cookies to continue to point to the
correct entry as files are added and removed from the directory, gfs2
must keep the entries at the same offset in the leaf block when they are
split (see my previous patch). This means that until all the nodes in a
cluster are running with code that will split the directory leaf blocks
this way, none of the nodes can use the new cookie code. To deal with
this, gfs2 now has the mount option loccookie, which, if set, will make
it return these new location based cookies. This option must not be set
until all nodes in the cluster are at least running this version of the
kernel code, and you have guaranteed that there are no outstanding
cookies required by other software, such as NFS.
gfs2 uses some of the extra space at the end of the gfs2_dirent
structure to store the calculated readdir cookies. This keeps us from
needing to allocate a separate array to hold these values. gfs2
recomputes the cookie stored in de_cookie for every readdir call. The
time it takes to do so is small, and if gfs2 expected this value to be
saved on disk, the new code wouldn't work correctly on filesystems
created with an earlier version of gfs2.
One issue with adding de_cookie to the union in the gfs2_dirent
structure is that it caused the union to align itself to a 4 byte
boundary, instead of its previous 2 byte boundary. This changed the
offset of de_rahead. To solve that, I pulled de_rahead out of the union,
since it does not need to be there.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
2015-12-01 22:46:55 +08:00
|
|
|
if (args->ar_loccookie)
|
|
|
|
seq_puts(s, ",loccookie");
|
2009-05-22 17:36:01 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2011-04-14 23:50:31 +08:00
|
|
|
/*
 * gfs2_final_release_pages - drop all cached pages of an inode being freed
 * @ip: the inode
 *
 * Truncates the address space returned by gfs2_glock2aspace() for the inode
 * glock and the inode's own i_data.  When the glock has no revokes
 * outstanding, its GLF_LFLUSH and GLF_DIRTY flags are cleared as well.
 *
 * An inode without a glock is tolerated only if GIF_ALLOC_FAILED is set;
 * any other inode in that state trips BUG_ON().
 */
static void gfs2_final_release_pages(struct gfs2_inode *ip)
{
	struct gfs2_glock *glock = ip->i_gl;

	if (unlikely(glock == NULL)) {
		/* Only an inode whose creation was cut short has no glock. */
		BUG_ON(!test_bit(GIF_ALLOC_FAILED, &ip->i_flags));
		return;
	}

	truncate_inode_pages(gfs2_glock2aspace(glock), 0);
	truncate_inode_pages(&ip->i_inode.i_data, 0);

	/* Leave the flags alone while revokes are still pending. */
	if (atomic_read(&glock->gl_revokes) != 0)
		return;

	clear_bit(GLF_LFLUSH, &glock->gl_flags);
	clear_bit(GLF_DIRTY, &glock->gl_flags);
}
|
|
|
|
|
|
|
|
/*
 * gfs2_dinode_dealloc - release the on-disk dinode of an inode being deleted
 * @ip: the inode whose dinode is freed
 *
 * The inode must be down to exactly one block; anything else is reported
 * through gfs2_consist_inode() and fails with -EIO.  The quota data and the
 * resource group glock (exclusive) are held around a transaction that frees
 * the dinode and drops the inode's cached pages.
 *
 * Returns: 0 on success, -EIO on an inconsistency, or the error returned by
 *          the quota hold, the glock request or gfs2_trans_begin()
 */
static int gfs2_dinode_dealloc(struct gfs2_inode *ip)
{
	struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
	struct gfs2_rgrpd *rgd;
	struct gfs2_holder gh;
	int error;

	/* Only the dinode block itself may remain at this point. */
	if (gfs2_get_inode_blocks(&ip->i_inode) != 1) {
		gfs2_consist_inode(ip);
		return -EIO;
	}

	/*
	 * NOTE(review): the result is ignored; presumably a stale rindex
	 * surfaces as the !rgd case below - confirm.
	 */
	gfs2_rindex_update(sdp);

	error = gfs2_quota_hold(ip, NO_UID_QUOTA_CHANGE, NO_GID_QUOTA_CHANGE);
	if (error)
		return error;

	/* Find the resource group that contains the dinode block. */
	rgd = gfs2_blk2rgrpd(sdp, ip->i_no_addr, 1);
	if (!rgd) {
		gfs2_consist_inode(ip);
		error = -EIO;
		goto out_qs;
	}

	error = gfs2_glock_nq_init(rgd->rd_gl, LM_ST_EXCLUSIVE,
				   LM_FLAG_NODE_SCOPE, &gh);
	if (error)
		goto out_qs;

	/*
	 * NOTE(review): sdp->sd_jdesc is dereferenced without a check.  The
	 * visible call chain (gfs2_evict_inode -> evict_unlinked_inode) only
	 * gets here after gfs2_evict_inode() has ruled out a NULL sd_jdesc;
	 * confirm there is no other caller.
	 */
	error = gfs2_trans_begin(sdp, RES_RG_BIT + RES_STATFS + RES_QUOTA,
				 sdp->sd_jdesc->jd_blocks);
	if (error)
		goto out_rg_gunlock;

	gfs2_free_di(rgd, ip);

	gfs2_final_release_pages(ip);

	gfs2_trans_end(sdp);

	/* Unwind in reverse order of acquisition; success falls through too. */
out_rg_gunlock:
	gfs2_glock_dq_uninit(&gh);
out_qs:
	gfs2_quota_unhold(ip);
	return error;
}
|
|
|
|
|
2017-08-02 00:45:23 +08:00
|
|
|
/**
 * gfs2_glock_put_eventually - put a glock, deferring under memory pressure
 * @gl: The glock to put
 *
 * A task running with PF_MEMALLOC set hands the put to
 * gfs2_glock_put_async() so that it does not call into DLM and deadlock.
 * Every other task puts the glock directly.
 */
static void gfs2_glock_put_eventually(struct gfs2_glock *gl)
{
	if (!(current->flags & PF_MEMALLOC)) {
		gfs2_glock_put(gl);
		return;
	}

	gfs2_glock_put_async(gl);
}
|
|
|
|
|
2020-01-14 21:59:08 +08:00
|
|
|
/*
 * gfs2_upgrade_iopen_glock - try to take the iopen glock exclusively
 * @inode: the inode whose iopen holder (ip->i_iopen_gh) is upgraded
 *
 * Drops the current iopen holder, re-queues it asynchronously for
 * LM_ST_EXCLUSIVE and waits interruptibly, for at most 5 * HZ, until the
 * request is no longer waiting or a demote is flagged on the inode glock.
 *
 * Returns: true if the holder was granted and gfs2_glock_holder_ready()
 *          returned 0; false in every other case.  On the not-granted path
 *          the holder has been dequeued again.
 */
static bool gfs2_upgrade_iopen_glock(struct inode *inode)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_sbd *sdp = GFS2_SB(inode);
	struct gfs2_holder *gh = &ip->i_iopen_gh;
	long timeout = 5 * HZ;
	int error;

	/* Give up the existing hold before asking for the exclusive one. */
	gh->gh_flags |= GL_NOCACHE;
	gfs2_glock_dq_wait(gh);

	/*
	 * If there are no other lock holders, we will immediately get
	 * exclusive access to the iopen glock here.
	 *
	 * Otherwise, the other nodes holding the lock will be notified about
	 * our locking request.  If they do not have the inode open, they are
	 * expected to evict the cached inode and release the lock, allowing us
	 * to proceed.
	 *
	 * Otherwise, if they cannot evict the inode, they are expected to poke
	 * the inode glock (note: not the iopen glock).  We will notice that
	 * and stop waiting for the iopen glock immediately.  The other node(s)
	 * are then expected to take care of deleting the inode when they no
	 * longer use it.
	 *
	 * As a last resort, if another node keeps holding the iopen glock
	 * without showing any activity on the inode glock, we will eventually
	 * time out and fail the iopen glock upgrade.
	 */

	gfs2_holder_reinit(LM_ST_EXCLUSIVE, GL_ASYNC | GL_NOCACHE, gh);
	error = gfs2_glock_nq(gh);
	if (error)
		return false;

	/*
	 * The wait's return value is stored but never examined: success is
	 * judged solely by HIF_HOLDER below, so a timeout, a signal and a
	 * demote request on the inode glock all take the same
	 * dequeue-and-fail path.
	 */
	timeout = wait_event_interruptible_timeout(sdp->sd_async_glock_wait,
		!test_bit(HIF_WAIT, &gh->gh_iflags) ||
		test_bit(GLF_DEMOTE, &ip->i_gl->gl_flags),
		timeout);
	if (!test_bit(HIF_HOLDER, &gh->gh_iflags)) {
		/* Not granted: withdraw the pending request. */
		gfs2_glock_dq(gh);
		return false;
	}
	return gfs2_glock_holder_ready(gh) == 0;
}
|
|
|
|
|
2020-09-11 23:30:26 +08:00
|
|
|
/**
 * evict_should_delete - determine whether the inode is eligible for deletion
 * @inode: The inode to evict
 * @gh: The glock holder structure
 *
 * This function determines whether the evicted inode is eligible to be deleted
 * and locks the inode glock.  The inode glock is requested exclusively with
 * GL_SKIP through @gh; an inode with GIF_ALLOC_FAILED set skips that step and
 * leaves @gh untouched.
 *
 * Returns: the fate of the dinode
 *   SHOULD_DEFER_EVICTION - GIF_DEFERRED_DELETE is set, the task runs with
 *     PF_MEMALLOC, or the inode glock request failed
 *   SHOULD_NOT_DELETE_DINODE - the inode was already deleted, its block is
 *     not in the unlinked state, instantiating the glock failed, the inode
 *     has links again, or the iopen glock could not be upgraded
 *   SHOULD_DELETE_DINODE - otherwise
 */
static enum dinode_demise evict_should_delete(struct inode *inode,
					      struct gfs2_holder *gh)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct super_block *sb = inode->i_sb;
	struct gfs2_sbd *sdp = sb->s_fs_info;
	int ret;

	/* Incompletely created inode: go straight to the iopen upgrade. */
	if (unlikely(test_bit(GIF_ALLOC_FAILED, &ip->i_flags)))
		goto should_delete;

	if (test_bit(GIF_DEFERRED_DELETE, &ip->i_flags))
		return SHOULD_DEFER_EVICTION;

	/* Deletes should never happen under memory pressure anymore. */
	if (WARN_ON_ONCE(current->flags & PF_MEMALLOC))
		return SHOULD_DEFER_EVICTION;

	/* Must not read inode block until block type has been verified */
	ret = gfs2_glock_nq_init(ip->i_gl, LM_ST_EXCLUSIVE, GL_SKIP, gh);
	if (unlikely(ret)) {
		/* No inode glock: detach from the iopen glock and let it go. */
		glock_clear_object(ip->i_iopen_gh.gh_gl, ip);
		ip->i_iopen_gh.gh_flags |= GL_NOCACHE;
		gfs2_glock_dq_uninit(&ip->i_iopen_gh);
		return SHOULD_DEFER_EVICTION;
	}

	if (gfs2_inode_already_deleted(ip->i_gl, ip->i_no_formal_ino))
		return SHOULD_NOT_DELETE_DINODE;
	/* Only a block still marked GFS2_BLKST_UNLINKED may be deleted. */
	ret = gfs2_check_blk_type(sdp, ip->i_no_addr, GFS2_BLKST_UNLINKED);
	if (ret)
		return SHOULD_NOT_DELETE_DINODE;

	/* The block type is verified, so the GL_SKIP'ed read can happen now. */
	ret = gfs2_instantiate(gh);
	if (ret)
		return SHOULD_NOT_DELETE_DINODE;

	/*
	 * The inode may have been recreated in the meantime.
	 */
	if (inode->i_nlink)
		return SHOULD_NOT_DELETE_DINODE;

should_delete:
	/* Deleting requires exclusive iopen access if we hold the iopen glock. */
	if (gfs2_holder_initialized(&ip->i_iopen_gh) &&
	    test_bit(HIF_HOLDER, &ip->i_iopen_gh.gh_iflags)) {
		if (!gfs2_upgrade_iopen_glock(inode)) {
			gfs2_holder_uninit(&ip->i_iopen_gh);
			return SHOULD_NOT_DELETE_DINODE;
		}
	}
	return SHOULD_DELETE_DINODE;
}
|
|
|
|
|
2020-09-11 22:29:25 +08:00
|
|
|
/**
 * evict_unlinked_inode - delete the pieces of an unlinked evicted inode
 * @inode: The inode to evict
 *
 * Deallocates, in this order and stopping at the first failure: the exhash
 * directory data (directories with GFS2_DIF_EXHASH only), the extended
 * attributes, the file data of an unstuffed inode, and finally the dinode.
 * A successful dinode deallocation is recorded on the inode glock.
 *
 * Returns: 0 on success, or the error of the step that failed
 */
static int evict_unlinked_inode(struct inode *inode)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	int error;

	if (S_ISDIR(inode->i_mode) && (ip->i_diskflags & GFS2_DIF_EXHASH)) {
		error = gfs2_dir_exhash_dealloc(ip);
		if (error)
			return error;
	}

	if (ip->i_eattr) {
		error = gfs2_ea_dealloc(ip);
		if (error)
			return error;
	}

	if (!gfs2_is_stuffed(ip)) {
		error = gfs2_file_dealloc(ip);
		if (error)
			return error;
	}

	/*
	 * Once the dinode's bitmap bit is cleared, gfs2_create_inode() may
	 * recreate the inode, and so may gfs2_inode_lookup() if another node
	 * recreated it in the meantime.
	 *
	 * The new inode cannot be inserted into the inode hash table before
	 * the old one is removed, though, and removal only happens after
	 * ->evict_inode() returns.  Because the new inode is attached to its
	 * inode and iopen glocks after that insertion, both glocks are known
	 * to be unused by then.
	 */
	error = gfs2_dinode_dealloc(ip);
	if (error == 0 && ip->i_gl)
		gfs2_inode_remember_delete(ip->i_gl, ip->i_no_formal_ino);

	return error;
}
|
|
|
|
|
2020-09-12 03:53:52 +08:00
|
|
|
/**
 * evict_linked_inode - evict an inode whose dinode has not been unlinked
 * @inode: The inode to evict
 *
 * Flushes the log for the inode glock, writes back the glock's metadata
 * mapping when the glock is dirty, writes the inode itself, and then drops
 * the data and metadata pages inside a transaction.
 *
 * NOTE(review): sdp->sd_jdesc is dereferenced without a check.  The visible
 * caller, gfs2_evict_inode(), returns early when sd_jdesc is NULL; confirm
 * that no other caller exists.
 *
 * Returns: 0 on success, or the error from gfs2_trans_begin()
 */
static int evict_linked_inode(struct inode *inode)
{
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_sbd *sdp = inode->i_sb->s_fs_info;
	struct address_space *meta;
	int error;

	gfs2_log_flush(sdp, ip->i_gl, GFS2_LOG_HEAD_FLUSH_NORMAL |
		       GFS2_LFC_EVICT_INODE);
	meta = gfs2_glock2aspace(ip->i_gl);
	if (test_bit(GLF_DIRTY, &ip->i_gl->gl_flags)) {
		filemap_fdatawrite(meta);
		filemap_fdatawait(meta);
	}
	write_inode_now(inode, 1);
	gfs2_ail_flush(ip->i_gl, 0);

	error = gfs2_trans_begin(sdp, 0, sdp->sd_jdesc->jd_blocks);
	if (error != 0)
		return error;

	/*
	 * Truncation has to precede the glock release and run inside a
	 * transaction: it can trigger work that needs one, such as removing
	 * journaled data blocks from the journal.
	 */
	truncate_inode_pages(&inode->i_data, 0);
	truncate_inode_pages(meta, 0);
	gfs2_trans_end(sdp);
	return 0;
}
|
|
|
|
|
2011-07-14 15:59:44 +08:00
|
|
|
/**
 * gfs2_evict_inode - Remove an inode from cache
 * @inode: The inode to evict
 *
 * There are three cases to consider:
 * 1. i_nlink == 0, we are final opener (and must deallocate)
 * 2. i_nlink == 0, we are not the final opener (and cannot deallocate)
 * 3. i_nlink > 0
 *
 * If the fs is read only, then we have to treat all cases as per #3
 * since we are unable to do any deallocation. The inode will be
 * deallocated by the next read/write node to attempt an allocation
 * in the same resource group
 *
 * We have to (at the moment) hold the inodes main lock to cover
 * the gap between unlocking the shared lock on the iopen lock and
 * taking the exclusive lock. I'd rather do a shared -> exclusive
 * conversion on the iopen lock, but we can change that later. This
 * is safe, just less efficient.
 *
 * Whatever path is taken, the in-core teardown after the out: label always
 * runs: final page truncation, reservation and ordered-list removal,
 * clear_inode(), and detaching the inode from its iopen and inode glocks.
 */
static void gfs2_evict_inode(struct inode *inode)
{
	struct super_block *sb = inode->i_sb;
	struct gfs2_sbd *sdp = sb->s_fs_info;
	struct gfs2_inode *ip = GFS2_I(inode);
	struct gfs2_holder gh;
	int ret;

	/*
	 * Nothing to do on disk for a linked inode, a read-only filesystem,
	 * or an inode with no block address (presumably one that was never
	 * fully set up; gfs2_alloc_inode() starts i_no_addr at 0).
	 */
	if (inode->i_nlink || sb_rdonly(sb) || !ip->i_no_addr)
		goto out;

	/*
	 * In case of an incomplete mount, gfs2_evict_inode() may be called for
	 * system files without having an active journal to write to. In that
	 * case, skip the filesystem evict.
	 *
	 * Concretely: when init_journal() fails, gfs2_jindex_free() frees the
	 * journals and sets sd_jdesc to NULL, and the following
	 * iput(sdp->sd_jindex) ends up here.  Without this check,
	 * evict_linked_inode() would dereference sdp->sd_jdesc->jd_blocks.
	 * This is expected only on corrupt filesystems, while gfs2 evicts the
	 * system inodes it has read in so far.
	 */
	if (!sdp->sd_jdesc)
		goto out;

	/*
	 * Mark gh uninitialized first so that the gfs2_holder_initialized()
	 * test below is meaningful when evict_should_delete() returns without
	 * having taken the inode glock.
	 */
	gfs2_holder_mark_uninitialized(&gh);
	ret = evict_should_delete(inode, &gh);
	if (ret == SHOULD_DEFER_EVICTION)
		goto out;
	if (ret == SHOULD_DELETE_DINODE)
		ret = evict_unlinked_inode(inode);
	else
		ret = evict_linked_inode(inode);

	if (gfs2_rs_active(&ip->i_res))
		gfs2_rs_deltree(&ip->i_res);

	if (gfs2_holder_initialized(&gh))
		gfs2_glock_dq_uninit(&gh);
	/* GLR_TRYFAILED and -EROFS are not reported. */
	if (ret && ret != GLR_TRYFAILED && ret != -EROFS)
		fs_warn(sdp, "gfs2_evict_inode: %d\n", ret);
out:
	truncate_inode_pages_final(&inode->i_data);
	if (ip->i_qadata)
		gfs2_assert_warn(sdp, ip->i_qadata->qa_ref == 0);
	gfs2_rs_deltree(&ip->i_res);
	gfs2_ordered_del_inode(ip);
	clear_inode(inode);
	gfs2_dir_hash_inval(ip);
	/*
	 * Always completely disassociate the inode from its glocks before it
	 * is torn down, so that glock_clear_object() is only ever called
	 * while the glock still points at this inode.  Once the inode is out
	 * of the inode hash there is no exclusion against concurrent
	 * gfs2_inode_lookup() and gfs2_create_inode() calls, which may
	 * repoint the glocks at another inode.
	 */
	if (gfs2_holder_initialized(&ip->i_iopen_gh)) {
		struct gfs2_glock *gl = ip->i_iopen_gh.gh_gl;

		glock_clear_object(gl, ip);
		/* Hold gl across the dequeue; the put below drops that hold. */
		gfs2_glock_hold(gl);
		ip->i_iopen_gh.gh_flags |= GL_NOCACHE;
		gfs2_glock_dq_uninit(&ip->i_iopen_gh);
		gfs2_glock_put_eventually(gl);
	}
	if (ip->i_gl) {
		glock_clear_object(ip->i_gl, ip);
		/* Wait for GIF_GLOP_PENDING to clear before letting go. */
		wait_on_bit_io(&ip->i_flags, GIF_GLOP_PENDING, TASK_UNINTERRUPTIBLE);
		gfs2_glock_add_to_lru(ip->i_gl);
		gfs2_glock_put_eventually(ip->i_gl);
		/* i_gl is cleared with rcu_assign_pointer(). */
		rcu_assign_pointer(ip->i_gl, NULL);
	}
}
|
|
|
|
|
|
|
|
/*
 * gfs2_alloc_inode - allocate a gfs2 inode from gfs2_inode_cachep
 * @sb: the superblock the inode belongs to
 *
 * Resets the fields that gfs2_evict_inode() tests to recognise an inode that
 * was never fully set up: i_no_addr, i_gl and the iopen holder.  The block
 * reservation and i_rahead are cleared as well.
 *
 * Returns: the embedded VFS inode, or NULL if the allocation failed
 */
static struct inode *gfs2_alloc_inode(struct super_block *sb)
{
	struct gfs2_inode *ip = alloc_inode_sb(sb, gfs2_inode_cachep,
					       GFP_KERNEL);

	if (ip == NULL)
		return NULL;

	/* Identity and state start out empty. */
	ip->i_no_addr = 0;
	ip->i_flags = 0;
	ip->i_rahead = 0;

	/* No glocks are attached yet. */
	ip->i_gl = NULL;
	gfs2_holder_mark_uninitialized(&ip->i_iopen_gh);

	/* Empty block reservation that is not linked into any rbtree. */
	memset(&ip->i_res, 0, sizeof(ip->i_res));
	RB_CLEAR_NODE(&ip->i_res.rs_node);

	return &ip->i_inode;
}
|
|
|
|
|
2019-04-16 07:45:26 +08:00
|
|
|
/*
 * gfs2_free_inode - return a gfs2 inode to gfs2_inode_cachep
 * @inode: the VFS inode embedded in the gfs2 inode to free
 */
static void gfs2_free_inode(struct inode *inode)
{
	struct gfs2_inode *ip = GFS2_I(inode);

	kmem_cache_free(gfs2_inode_cachep, ip);
}
|
|
|
|
|
2023-10-10 00:49:31 +08:00
|
|
|
/*
 * free_local_statfs_inodes - release every entry on sdp->sd_sc_inodes_list
 * @sdp: the filesystem
 *
 * For each entry, drops the inode reference (if there is one), unlinks the
 * entry from the list and frees it.  sdp->sd_sc_inode is reset to NULL when
 * the entry for this node's own journal id is reached.
 *
 * NOTE(review): sdp->sd_jdesc is dereferenced for every entry without a NULL
 * check, while gfs2_evict_inode() in this file treats a NULL sd_jdesc as
 * possible after an incomplete mount.  Confirm that callers only reach this
 * with a journal descriptor set, or with an empty list otherwise.
 */
void free_local_statfs_inodes(struct gfs2_sbd *sdp)
{
	struct local_statfs_inode *entry, *next;

	/* _safe variant: entries are removed and freed while iterating. */
	list_for_each_entry_safe(entry, next, &sdp->sd_sc_inodes_list, si_list) {
		/* This entry belongs to this node. */
		if (entry->si_jid == sdp->sd_jdesc->jd_jid)
			sdp->sd_sc_inode = NULL;
		if (entry->si_sc_inode != NULL)
			iput(entry->si_sc_inode);
		list_del(&entry->si_list);
		kfree(entry);
	}
}
|
|
|
|
|
2023-10-10 00:49:31 +08:00
|
|
|
/*
 * find_local_statfs_inode - look up the local (per node) statfs inode
 * @sdp: the filesystem
 * @index: the journal id to look for
 *
 * Walks sdp->sd_sc_inodes_list and stops at the first entry whose si_jid
 * equals @index.
 *
 * Returns: that entry's si_sc_inode, or NULL if no entry matches
 */
struct inode *find_local_statfs_inode(struct gfs2_sbd *sdp,
				      unsigned int index)
{
	struct local_statfs_inode *entry;
	struct inode *found = NULL;

	list_for_each_entry(entry, &sdp->sd_sc_inodes_list, si_list) {
		if (entry->si_jid != index)
			continue;
		found = entry->si_sc_inode;
		break;
	}
	return found;
}
|
|
|
|
|
2009-05-22 17:36:01 +08:00
|
|
|
/* The super_operations table for gfs2. */
const struct super_operations gfs2_super_ops = {
	/* inode lifetime */
	.alloc_inode		= gfs2_alloc_inode,
	.free_inode		= gfs2_free_inode,
	.drop_inode		= gfs2_drop_inode,
	.evict_inode		= gfs2_evict_inode,

	/* inode writeback */
	.write_inode		= gfs2_write_inode,
	.dirty_inode		= gfs2_dirty_inode,

	/* superblock */
	.put_super		= gfs2_put_super,
	.sync_fs		= gfs2_sync_fs,
	.statfs			= gfs2_statfs,
	.show_options		= gfs2_show_options,

	/* freeze and thaw */
	.freeze_super		= gfs2_freeze_super,
	.freeze_fs		= gfs2_freeze_fs,
	.thaw_super		= gfs2_thaw_super,
};
|
|
|
|
|