1. 25 Oct, 2021 5 commits
    • gfs2: remove RDF_UPTODATE flag · 4b3113a2
      Bob Peterson committed
      The new GLF_INSTANTIATE_NEEDED flag obsoletes the old rgrp flag
      GFS2_RDF_UPTODATE, so this patch replaces it like we did with inodes.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Eliminate GIF_INVALID flag · ec1d398d
      Bob Peterson committed
      With the addition of the new GLF_INSTANTIATE_NEEDED flag, the
      GIF_INVALID flag is now redundant. This patch removes it.
      Since inode_instantiate is only called when instantiation is needed,
      the check in inode_instantiate is removed too.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: fix GL_SKIP node_scope problems · f2e70d8f
      Bob Peterson committed
      Before this patch, when a glock was locked, the very first holder on the
      queue would unlock the lockref and call the go_instantiate glops function
      (if one existed), unless GL_SKIP was specified. When we introduced the new
      node-scope concept, we allowed multiple holders to lock glocks in EX mode
      and share the lock.
      
      But node-scope introduced a new problem: if the first holder has GL_SKIP
      and the next one does NOT, since it is not the first holder on the queue,
      the go_instantiate op was not called. Eventually the GL_SKIP holder may
      call the instantiate sub-function (e.g. gfs2_rgrp_bh_get) but there was
      still a window of time in which another non-GL_SKIP holder assumes the
      instantiate function had been called by the first holder. In the case of
      rgrp glocks, this led to a NULL pointer dereference on the buffer_heads.
      
      This patch tries to fix the problem by introducing two new glock flags:
      
      GLF_INSTANTIATE_NEEDED, which keeps track of when the instantiate function
      needs to be called to "fill in" or "read in" the object before it is
      referenced.
      
      GLF_INSTANTIATE_IN_PROG which is used to determine when a process is
      in the process of reading in the object. Whenever a function needs to
      reference the object, it checks the GLF_INSTANTIATE_NEEDED flag, and if
      set, it sets GLF_INSTANTIATE_IN_PROG and calls the glops "go_instantiate"
      function.
      
      As before, the gl_lockref spin_lock is unlocked during the IO operation,
      which may take a relatively long amount of time to complete. While
      unlocked, if another process determines go_instantiate is still needed,
      it sees GLF_INSTANTIATE_IN_PROG is set, and waits for the go_instantiate
      glop operation to be completed. Once GLF_INSTANTIATE_IN_PROG is cleared,
      it needs to check GLF_INSTANTIATE_NEEDED again because the other process's
      go_instantiate operation may not have been successful.
      
      Functions that previously called the instantiate sub-functions now call
      directly into gfs2_instantiate so the new bits are managed properly.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
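The window described in the commit message above, as an added single-threaded model in C (not code from the commit or from gfs2): the flag names come from the message, while the flag values, `struct model_glock` and the `model_*`, `*_acquire` and `scenario_*` functions are assumptions made for illustration. Waiting on GLF_INSTANTIATE_IN_PROG needs real concurrency and is only marked by a comment.

```c
#include <errno.h>
#include <stdio.h>

/* Flag names are from the commit message; the numeric values are made up. */
#define GL_SKIP                 0x1u /* holder flag: no read-in at lock time */
#define GLF_INSTANTIATE_NEEDED  0x1u /* glock flag: object not read in yet */
#define GLF_INSTANTIATE_IN_PROG 0x2u /* glock flag: a read-in is running */

struct model_glock {           /* hypothetical stand-in for a glock */
    unsigned flags;
    int nholders;
    const int *object;         /* plays the role of the rgrp buffer_heads */
    int fail_next;             /* constructed knob: next read-in fails */
    int instantiate_calls;
};

typedef int (*acquire_fn)(struct model_glock *, unsigned);
static const int model_rgrp_data = 42; /* constructed "on-disk" content */

/* Stand-in for the go_instantiate glop: the slow read from the media. */
static int model_go_instantiate(struct model_glock *gl)
{
    gl->instantiate_calls++;
    if (gl->fail_next-- > 0)   /* fails only while the knob is positive */
        return -EIO;
    gl->object = &model_rgrp_data;
    return 0;
}

/* Old rule: only the first holder on the queue instantiates, unless GL_SKIP. */
static int old_acquire(struct model_glock *gl, unsigned holder_flags)
{
    int first = (gl->nholders++ == 0);
    if (first && !(holder_flags & GL_SKIP))
        return model_go_instantiate(gl);
    return 0;
}

/* New rule: the decision hangs on the glock flag, not on queue position. */
static int model_instantiate(struct model_glock *gl)
{
    int err;
    if (!(gl->flags & GLF_INSTANTIATE_NEEDED))
        return 0;
    /* A concurrent caller finding IN_PROG set would wait here, then recheck
     * GLF_INSTANTIATE_NEEDED; a single thread never observes that state. */
    gl->flags |= GLF_INSTANTIATE_IN_PROG;
    err = model_go_instantiate(gl);
    if (!err)
        gl->flags &= ~GLF_INSTANTIATE_NEEDED; /* stays set after a failure */
    gl->flags &= ~GLF_INSTANTIATE_IN_PROG;
    return err;
}

static int new_acquire(struct model_glock *gl, unsigned holder_flags)
{
    gl->nholders++;
    return (holder_flags & GL_SKIP) ? 0 : model_instantiate(gl);
}

/* Holder A uses GL_SKIP, holder B does not. Returns 1 if B finds the object,
 * 0 if B would have touched a NULL pointer. */
static int scenario_skip_then_plain(acquire_fn acquire)
{
    struct model_glock gl = { .flags = GLF_INSTANTIATE_NEEDED }; /* fresh grant */
    acquire(&gl, GL_SKIP);
    acquire(&gl, 0);
    return gl.object != NULL;
}

/* B's read-in fails, the flag stays set, C retries. Returns read-in calls. */
static int scenario_failed_then_retry(void)
{
    struct model_glock gl = { .flags = GLF_INSTANTIATE_NEEDED, .fail_next = 1 };
    new_acquire(&gl, GL_SKIP);
    if (new_acquire(&gl, 0) != -EIO || !(gl.flags & GLF_INSTANTIATE_NEEDED))
        return -1;             /* a failure must leave the flag set */
    if (new_acquire(&gl, 0) != 0 || !gl.object)
        return -1;
    return gl.instantiate_calls;
}

int main(void)
{
    printf("old=%d flag=%d retry_calls=%d\n",
           scenario_skip_then_plain(old_acquire),
           scenario_skip_then_plain(new_acquire),
           scenario_failed_then_retry());
    return 0;
}
```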
    • gfs2: change go_lock to go_instantiate · 3278b977
      Bob Peterson committed
      Before this patch, the go_lock glock operations (glops) did not do
      any actual locking. They were used to instantiate objects, like reading
      in dinodes and rgrps from the media.
      
      This patch renames the functions to go_instantiate for clarity.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: move GL_SKIP check from glops to do_promote · c1442f6b
      Bob Peterson committed
      Before this patch, each individual "go_lock" glock operation (glop)
      checked the GL_SKIP flag, and if set, would skip further processing.
      
      This patch changes the logic so the go_lock caller, function go_promote,
      checks the GL_SKIP flag before calling the go_lock op in the first place.
      This avoids having to unnecessarily unlock gl_lockref.lock only to
      re-lock it again.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  2. 20 Aug, 2021 2 commits
  3. 05 Aug, 2021 1 commit
    • gfs2: Fix glock recursion in freeze_go_xmote_bh · 9d9b1605
      Bob Peterson committed
      We must not call gfs2_consist (which does a file system withdraw) from
      the freeze glock's freeze_go_xmote_bh function because the withdraw
      will try to use the freeze glock, thus causing a glock recursion error.
      
      This patch changes freeze_go_xmote_bh to call function
      gfs2_assert_withdraw_delayed instead of gfs2_consist to avoid recursion.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
  4. 20 May, 2021 1 commit
  5. 10 Apr, 2021 1 commit
  6. 04 Apr, 2021 1 commit
  7. 13 Mar, 2021 1 commit
    • gfs2: be careful with inode refresh · 4a378d8a
      Al Viro committed
      1) gfs2_dinode_in() should *not* touch ->i_rdev on live inodes; even
      "zero and immediately reread the same value from dinode" is broken -
      have it overlap with ->release() of char device and you can get all
      kinds of bogus behaviour.
      
      2) mismatch on inode type on live inodes should be treated as fs
      corruption rather than blindly setting ->i_mode.
      Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
  8. 23 Feb, 2021 1 commit
    • gfs2: Per-revoke accounting in transactions · 2129b428
      Andreas Gruenbacher committed
      In the log, revokes are stored as a revoke descriptor (struct
      gfs2_log_descriptor), followed by zero or more additional revoke blocks
      (struct gfs2_meta_header).  On filesystems with a blocksize of 4k, the
      revoke descriptor contains up to 503 revokes, and the metadata blocks
      contain up to 509 revokes each.  We've so far been reserving space for
      revokes in transactions in block granularity, so a lot more space than
      necessary was being allocated and then released again.
      
      This patch switches to assigning revokes to transactions individually
      instead.  Initially, space for the revoke descriptor is reserved and
      handed out to transactions.  When more revokes than that are reserved,
      additional revoke blocks are added.  When the log is flushed, the space
      for the additional revoke blocks is released, but we keep the space for
      the revoke descriptor block allocated.
      
      Transactions may still reserve more revokes than they will actually need
      in the end, but now we won't overshoot the target as much, and by only
      returning the space for excess revokes at log flush time, we further
      reduce the amount of contention between processes.
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  9. 04 Feb, 2021 1 commit
  10. 03 Feb, 2021 1 commit
  11. 26 Nov, 2020 1 commit
    • gfs2: Don't freeze the file system during unmount · f39e7d3a
      Bob Peterson committed
      GFS2's freeze/thaw mechanism uses a special freeze glock to control its
      operation. It does this with a sync glock operation (glops.c) called
      freeze_go_sync. When the freeze glock is demoted (glock's do_xmote) the
      glops function causes the file system to be frozen. This is intended. However,
      GFS2's mount and unmount processes also hold the freeze glock to prevent other
      processes, perhaps on different cluster nodes, from mounting the frozen file
      system in read-write mode.
      
      Before this patch, there was no check in freeze_go_sync for whether a freeze
      is intended or whether the glock demote was caused by a normal unmount.
      So it was trying to freeze the file system it's trying to unmount, which
      ends up in a deadlock.
      
      This patch adds an additional check to freeze_go_sync so that demotes of the
      freeze glock are ignored if they come from the unmount process.
      
      Fixes: 20b32912 ("gfs2: Fix regression in freeze_go_sync")
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  12. 25 Nov, 2020 2 commits
    • gfs2: set lockdep subclass for iopen glocks · 515b269d
      Alexander Aring committed
      This patch introduces a new glops attribute to define the subclass of the
      glock lockref spinlock. This avoids the following lockdep warning, which
      occurs when we lock an inode lock while an iopen lock is held:
      
      ============================================
      WARNING: possible recursive locking detected
      5.10.0-rc3+ #4990 Not tainted
      --------------------------------------------
      kworker/0:1/12 is trying to acquire lock:
      ffff9067d45672d8 (&gl->gl_lockref.lock){+.+.}-{3:3}, at: lockref_get+0x9/0x20
      
      but task is already holding lock:
      ffff9067da308588 (&gl->gl_lockref.lock){+.+.}-{3:3}, at: delete_work_func+0x164/0x260
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&gl->gl_lockref.lock);
        lock(&gl->gl_lockref.lock);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      3 locks held by kworker/0:1/12:
       #0: ffff9067c1bfdd38 ((wq_completion)delete_workqueue){+.+.}-{0:0}, at: process_one_work+0x1b7/0x540
       #1: ffffac594006be70 ((work_completion)(&(&gl->gl_delete)->work)){+.+.}-{0:0}, at: process_one_work+0x1b7/0x540
       #2: ffff9067da308588 (&gl->gl_lockref.lock){+.+.}-{3:3}, at: delete_work_func+0x164/0x260
      
      stack backtrace:
      CPU: 0 PID: 12 Comm: kworker/0:1 Not tainted 5.10.0-rc3+ #4990
      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
      Workqueue: delete_workqueue delete_work_func
      Call Trace:
       dump_stack+0x8b/0xb0
       __lock_acquire.cold+0x19e/0x2e3
       lock_acquire+0x150/0x410
       ? lockref_get+0x9/0x20
       _raw_spin_lock+0x27/0x40
       ? lockref_get+0x9/0x20
       lockref_get+0x9/0x20
       delete_work_func+0x188/0x260
       process_one_work+0x237/0x540
       worker_thread+0x4d/0x3b0
       ? process_one_work+0x540/0x540
       kthread+0x127/0x140
       ? __kthread_bind_mask+0x60/0x60
       ret_from_fork+0x22/0x30
      Suggested-by: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Alexander Aring <aahringo@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Fix deadlock dumping resource group glocks · 16e6281b
      Alexander Aring committed
      Commit 0e539ca1 ("gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump")
      introduced additional locking in gfs2_rgrp_go_dump, which is also used for
      dumping resource group glocks via debugfs.  However, on that code path, the
      glock spin lock is already taken in dump_glock, and taking it again in
      gfs2_glock2rgrp leads to deadlock.  This can be reproduced with:
      
        $ mkfs.gfs2 -O -p lock_nolock /dev/FOO
        $ mount /dev/FOO /mnt/foo
        $ touch /mnt/foo/bar
        $ cat /sys/kernel/debug/gfs2/FOO/glocks
      
      Fix that by not taking the glock spin lock inside the go_dump callback.
      
      Fixes: 0e539ca1 ("gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump")
      Signed-off-by: Alexander Aring <aahringo@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  13. 18 Nov, 2020 1 commit
    • gfs2: Fix regression in freeze_go_sync · 20b32912
      Bob Peterson committed
      Patch 541656d3 ("gfs2: freeze should work on read-only mounts") changed
      the check for glock state in function freeze_go_sync() from "gl->gl_state
      == LM_ST_SHARED" to "gl->gl_req == LM_ST_EXCLUSIVE".  That's wrong and it
      regressed gfs2's freeze/thaw mechanism because it caused only the freezing
      node (which requests the glock in EX) to queue freeze work.
      
      All nodes go through this go_sync code path during the freeze to drop their
      SHared hold on the freeze glock, allowing the freezing node to acquire it
      in EXclusive mode. But all the nodes must freeze access to the file system
      locally, so they ALL must queue freeze work. The freeze_work calls
      freeze_func, which makes a request to reacquire the freeze glock in SH,
      effectively blocking until the thaw from the EX holder. Once thawed, the
      freezing node drops its EX hold on the freeze glock, then the (blocked)
      freeze_func reacquires the freeze glock in SH again (on all nodes, including
      the freezer) so all nodes go back to a thawed state.
      
      This patch changes the check back to gl_state == LM_ST_SHARED like it was
      prior to 541656d3.
      
      Fixes: 541656d3 ("gfs2: freeze should work on read-only mounts")
      Cc: stable@vger.kernel.org # v5.8+
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  14. 30 Oct, 2020 1 commit
    • gfs2: Split up gfs2_meta_sync into inode and rgrp versions · 4a55752a
      Bob Peterson committed
      Before this patch, function gfs2_meta_sync called filemap_fdatawrite to write
      the address space for the metadata being synced. That's great for inodes, but
      resource groups all point to the same superblock-address space, sdp->sd_aspace.
      Each rgrp has its own range of blocks on which it should operate. That meant
      every time an rgrp's metadata was synced, it would write all of them instead
      of just the range.
      
      This patch eliminates function gfs2_meta_sync and tailors specific metasync
      functions for inodes and rgrps.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  15. 21 Oct, 2020 2 commits
    • gfs2: Ignore subsequent errors after withdraw in rgrp_go_sync · ed3adb37
      Andreas Gruenbacher committed
      Once a withdraw has occurred, ignore errors that are the consequence of the
      withdraw.
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Eliminate gl_vm · 23cfb0c3
      Bob Peterson committed
      The gfs2_glock structure has a gl_vm member, introduced in commit 7005c3e4
      ("GFS2: Use range based functions for rgrp sync/invalidation"), which stores
      the location of resource groups within their address space.  This structure is
      in a union with iopen glock specific fields.  It was introduced because at
      unmount time, the resource group objects were destroyed before flushing out any
      pending resource group glock work, and flushing out such work could require
      flushing / truncating the address space.
      
      Since commit b3422cac ("gfs2: Rework how rgrp buffer_heads are managed"),
      any pending resource group glock work is flushed out before destroying the
      resource group objects.  So the resource group objects will now always exist in
      rgrp_go_sync and rgrp_go_inval, and we now simply compute the gl_vm values
      where needed instead of caching them.  This also eliminates the union.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  16. 15 Oct, 2020 1 commit
    • gfs2: Fix NULL pointer dereference in gfs2_rgrp_dump · 0e539ca1
      Andrew Price committed
      When an rindex entry is found to be corrupt, compute_bitstructs() calls
      gfs2_consist_rgrpd() which calls gfs2_rgrp_dump() like this:
      
          gfs2_rgrp_dump(NULL, rgd->rd_gl, fs_id_buf);
      
      gfs2_rgrp_dump then dereferences the gl without checking it and we get
      
          BUG: KASAN: null-ptr-deref in gfs2_rgrp_dump+0x28/0x280
      
      because there's no rgrp glock involved while reading the rindex on mount.
      
      Fix this by changing gfs2_rgrp_dump to take an rgrp argument.
      
      Reported-by: syzbot+43fa87986bdd31df9de6@syzkaller.appspotmail.com
      Signed-off-by: Andrew Price <anprice@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  17. 03 Jul, 2020 1 commit
    • gfs2: freeze should work on read-only mounts · 541656d3
      Bob Peterson committed
      Before this patch, function freeze_go_sync, called when promoting
      the freeze glock, was testing for the SDF_JOURNAL_LIVE superblock flag.
      That's only set for read-write mounts. Read-only mounts don't use a
      journal, so the bit is never set, so the freeze never happened.
      
      This patch removes the check for SDF_JOURNAL_LIVE for freeze requests
      but still checks it when deciding whether to flush a journal.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
  18. 06 Jun, 2020 3 commits
  19. 03 Jun, 2020 1 commit
    • gfs2: Don't ignore inode write errors during inode_go_sync · bbae10fa
      Bob Peterson committed
      Before this patch, function inode_go_sync ignored io errors
      during inode_go_sync, overwriting them with metadata write errors:
      
      		error = filemap_fdatawait(mapping);
      		mapping_set_error(mapping, error);
      	}
      	error = filemap_fdatawait(metamapping);
      	...
      	return error;
      
      So any errors returned by the inode write would be forgotten if the
      metadata write succeeded. This patch still does both writes, but
      only sets error if it's still zero. That way, any errors will be
      reported to the caller, do_xmote, which will take appropriate
      action and report the error.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
  20. 27 Feb, 2020 4 commits
    • gfs2: Do proper error checking for go_sync family of glops functions · 1c634f94
      Bob Peterson committed
      Before this patch, function do_xmote would try to sync out the glock
      dirty data by calling the appropriate glops function XXX_go_sync()
      but it did not check for a good return code. If the sync was not
      possible due to an io error or whatever, do_xmote would continue on
      and call go_inval and release the glock to other cluster nodes.
      When those nodes go to replay the journal, they may already be holding
      glocks for the journal records that should have been synced, but were
      not due to the ignored error.
      
      This patch introduces proper error code checking to the go_sync
      family of glops functions.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Do log_flush in gfs2_ail_empty_gl even if ail list is empty · 9ff78289
      Bob Peterson committed
      Before this patch, if gfs2_ail_empty_gl saw there was nothing on
      the ail list, it would return and not flush the log. The problem
      is that there could still be a revoke for the rgrp sitting on the
      sd_log_le_revoke list that's been recently taken off the ail list.
      But that revoke still needs to be written, and the rgrp_go_inval
      still needs to call log_flush_wait to ensure the revokes are all
      properly written to the journal before we relinquish control of
      the glock to another node. If we give the glock to another node
      before we have this knowledge, the node might crash and its journal
      replayed, in which case the missing revoke would allow the journal
      replay to replay the rgrp over top of the rgrp we already gave to
      another node, thus overwriting its changes and corrupting the
      file system.
      
      This patch makes gfs2_ail_empty_gl still call gfs2_log_flush rather
      than returning.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: fix infinite loop when checking ail item count before go_inval · 33dbd1e4
      Bob Peterson committed
      Before this patch, the rgrp_go_inval and inode_go_inval functions each
      checked if there were any items left on the ail count (by way of a
      count), and if so, did a withdraw. But the withdraw code now uses
      glocks when changing the file system to read-only status. So we can
      not have glock functions withdrawing or a hang will likely result:
      The glocks can't be serviced by the work_func if the work_func is
      busy doing its own withdraw.
      
      This patch removes the checks from the go_inval functions and adds
      a centralized check in do_xmote to warn about the problem and not
      withdraw, but flag the error so it's eventually caught when the logd
      daemon eventually runs.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Force withdraw to replay journals and wait for it to finish · 601ef0d5
      Bob Peterson committed
      When a node withdraws from a file system, it often leaves its journal
      in an incomplete state. This is especially true when the withdraw is
      caused by io errors writing to the journal. Before this patch, a
      withdraw would try to write a "shutdown" record to the journal, tell
      dlm it's done with the file system, and none of the other nodes
      know about the problem. Later, when the problem is fixed and the
      withdrawn node is rebooted, it would then discover that its own
      journal was incomplete, and replay it. However, replaying it at this
      point is almost guaranteed to introduce corruption because the other
      nodes are likely to have used affected resource groups that appeared
      in the journal since the time of the withdraw. Replaying the journal
      later will overwrite any changes made, and not through any fault of
      dlm, which was instructed during the withdraw to release those
      resources.
      
      This patch makes file system withdraws seen by the entire cluster.
      Withdrawing nodes dequeue their journal glock to allow recovery.
      
      The remaining nodes check all the journals to see if they are
      clean or in need of replay. They try to replay dirty journals, but
      only the journals of withdrawn nodes will be "not busy" and
      therefore available for replay.
      
      Until the journal replay is complete, no i/o related glocks may be
      given out, to ensure that the replay does not cause the
      aforementioned corruption: We cannot allow any journal replay to
      overwrite blocks associated with a glock once it is held.
      
      The "live" glock is now used to signal when a withdraw
      occurs. When a withdraw occurs, the node signals its withdraw by
      dequeueing the "live" glock and trying to enqueue it in EX mode,
      thus forcing the other nodes to all see a demote request, by way
      of a "1CB" (one callback) try lock. The "live" glock is not
      granted in EX; the callback is only just used to indicate a
      withdraw has occurred.
      
      Note that all nodes in the cluster must wait for the recovering
      node to finish replaying the withdrawing node's journal before
      continuing. To this end, it checks that the journals are clean
      multiple times in a retry loop.
      
      Also note that the withdraw function may be called from a wide
      variety of situations, and therefore, we need to take extra
      precautions to make sure pointers are valid before using them in
      many circumstances.
      
      We also need to take care when glocks decide to withdraw, since
      the withdraw code now uses glocks.
      
      Also, before this patch, if a process encountered an error and
      decided to withdraw, if another process was already withdrawing,
      the second withdraw would be silently ignored, which set it free
      to unlock its glocks. That's correct behavior if the original
      withdrawer encounters further errors down the road. But if
      secondary waiters don't wait for the journal replay, unlocking
      glocks will allow other nodes to use them, despite the fact that
      the journal containing those blocks is being replayed. The
      replay needs to finish before our glocks are released to other
      nodes. IOW, secondary withdraws need to wait for the first
      withdraw to finish.
      
      For example, if an rgrp glock is unlocked by a process that didn't
      wait for the first withdraw, a journal replay could introduce file
      system corruption by replaying a rgrp block that has already been
      granted to a different cluster node.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
  21. 21 Feb, 2020 1 commit
    • gfs2: Allow some glocks to be used during withdraw · a72d2401
      Bob Peterson committed
      We need to allow some glocks to be enqueued, dequeued, promoted, and demoted
      when we're withdrawn. For example, to maintain metadata integrity, we should
      disallow the use of inode and rgrp glocks when withdrawn. Other glocks, like
      iopen or the transaction glocks may be safely used because none of their
      metadata goes through the journal. So in general, we should disallow all
      glocks with an address space, and allow all the others. One exception is:
      we need to allow our active journal to be demoted so others may recover it.
      
      Allowing glocks after withdraw gives us the ability to take appropriate
      action (in a following patch) to have our journal properly replayed by
      another node rather than just abandoning the current transactions and
      pretending nothing bad happened, leaving the other nodes free to modify
      the blocks we had in our journal, which may result in file system
      corruption.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
  22. 10 Feb, 2020 2 commits
    • gfs2: Rework how rgrp buffer_heads are managed · b3422cac
      Bob Peterson committed
      Before this patch, the rgrp code had a serious problem related to
      how it managed buffer_heads for resource groups. The problem caused
      file system corruption, especially in cases of journal replay.
      
      When an rgrp glock was demoted to transfer ownership to a
      different cluster node, do_xmote() first calls rgrp_go_sync and then
      rgrp_go_inval, as expected. When it calls rgrp_go_sync, that called
      gfs2_rgrp_brelse() that dropped the buffer_head reference count.
      In most cases, the reference count went to zero, which is right.
      However, there were other places where the buffers are handled
      differently.
      
      After rgrp_go_sync, do_xmote called rgrp_go_inval which called
      gfs2_rgrp_brelse a second time, then rgrp_go_inval's call to
      truncate_inode_pages_range would get rid of the pages in memory,
      but only if the reference count drops to 0.
      
      Unfortunately, gfs2_rgrp_brelse was setting bi->bi_bh = NULL.
      So when rgrp_go_sync called gfs2_rgrp_brelse, it lost the pointer
      to the buffer_heads in cases where the reference count was still 1.
      Therefore, when rgrp_go_inval called gfs2_rgrp_brelse a second time,
      it failed the check for "if (bi->bi_bh)" and thus failed to call
      brelse a second time. Because of that, the reference count on those
      buffers sometimes failed to drop from 1 to 0. And that caused
      function truncate_inode_pages_range to keep the pages in page cache
      rather than freeing them.
      
      The next time the rgrp glock was acquired, the metadata read of
      the rgrp buffers re-used the pages in memory, which were now
      wrong because they were likely modified by the other node who
      acquired the glock in EX (which is why we demoted the glock).
      This re-use of the page cache caused corruption because changes
      made by the other nodes were never seen, so the bitmaps were
      inaccurate.
      
      For some reason, the problem became most apparent when journal
      replay forced the replay of rgrps in memory, which caused newer
      rgrp data to be overwritten by the older in-core pages.
      
      A big part of the problem was that the rgrp buffers were released
      in multiple places: The go_unlock function would release them when
      the glock was released rather than when the glock is demoted,
      which is clearly wrong because our intent was to cache them until
      the glock is demoted from SH or EX.
      
      This patch attempts to clean up the mess and make one consistent
      and centralized mechanism for managing the rgrp buffer_heads by
      implementing several changes:
      
      1. It eliminates the call to gfs2_rgrp_brelse() from rgrp_go_sync.
         We don't want to release the buffers or zero the pointers when
         syncing for the reasons stated above. It only makes sense to
         release them when the glock is actually invalidated (go_inval).
         And when we do, then we set the bh pointers to NULL.
      2. The go_unlock function (which was only used for rgrps) is
         eliminated, as we've talked about doing many times before.
         The go_unlock function was called too early in the glock dq
         process, and should not happen until the glock is invalidated.
      3. It also eliminates the call to rgrp_brelse in gfs2_clear_rgrpd.
         That will now happen automatically when the rgrp glocks are
         demoted, and shouldn't happen any sooner or later than that.
         Instead, function gfs2_clear_rgrpd has been modified to demote
         the rgrp glocks, and therefore, free those pages, before the
         remaining glocks are culled by gfs2_gl_hash_clear. This
         prevents the gl_object from hanging around when the glocks are
         culled.
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
      Reviewed-by: Andreas Gruenbacher <agruenba@redhat.com>
    • gfs2: Split gfs2_lm_withdraw into two functions · badb55ec
      Andreas Gruenbacher committed
      Split gfs2_lm_withdraw into a function that prints an error message and a
      function that withdraws the filesystem.
      Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
      Signed-off-by: Bob Peterson <rpeterso@redhat.com>
  23. 08 Jan, 2020 1 commit
  24. 15 Nov, 2019 1 commit
  25. 30 Oct, 2019 1 commit
  26. 28 Jun, 2019 2 commits