From: Josef Bacik <josef@toxicpanda.com>
To: Omar Sandoval <osandov@osandov.com>
Cc: linux-btrfs@vger.kernel.org, kernel-team@fb.com,
Filipe Manana <fdmanana@suse.com>,
Leo Martins <loemra.dev@gmail.com>, Boris Burkov <boris@bur.io>
Subject: Re: [PATCH] btrfs: fix subvolume deletion lockup caused by inodes xarray race
Date: Tue, 26 Aug 2025 16:25:07 -0400 [thread overview]
Message-ID: <20250826202507.GA2119633@perftesting> (raw)
In-Reply-To: <f7e05205fd33d9e510ec1295e0cc8cfdf395cb89.1756237895.git.osandov@osandov.com>
On Tue, Aug 26, 2025 at 01:01:38PM -0700, Omar Sandoval wrote:
> From: Omar Sandoval <osandov@fb.com>
>
> There is a race condition between inode eviction and inode caching that
> can cause a live struct btrfs_inode to be missing from the root->inodes
> xarray. Specifically, there is a window during evict() between the inode
> being unhashed and deleted from the xarray. If btrfs_iget() is called
> for the same inode in that window, it will be recreated and inserted
> into the xarray, but then eviction will delete the new entry, leaving
> nothing in the xarray:
>
> Thread 1 Thread 2
> ---------------------------------------------------------------
> evict()
> remove_inode_hash()
> btrfs_iget_path()
> btrfs_iget_locked()
> btrfs_read_locked_inode()
> btrfs_add_inode_to_root()
> destroy_inode()
> btrfs_destroy_inode()
> btrfs_del_inode_from_root()
> __xa_erase
>
> In turn, this can cause issues for subvolume deletion. Specifically, if
> an inode is in this lost state, and all other inodes are evicted, then
> btrfs_del_inode_from_root() will call btrfs_add_dead_root() prematurely.
> If the lost inode has a delayed_node attached to it, then when
> btrfs_clean_one_deleted_snapshot() calls btrfs_kill_all_delayed_nodes(),
> it will loop forever because the delayed_nodes xarray will never become
> empty (unless memory pressure forces the inode out). We saw this
> manifest as soft lockups in production.
>
> Fix it by only deleting the xarray entry if it matches the given inode
> (using __xa_cmpxchg()).
>
> Fixes: 310b2f5d5a94 ("btrfs: use an xarray to track open inodes in a root")
> Cc: stable@vger.kernel.org # 6.11+
> Co-authored-by: Leo Martins <loemra.dev@gmail.com>
> Signed-off-by: Leo Martins <loemra.dev@gmail.com>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
Heh, I was just noticing weirdness here as I started converting inodes over to
using an xarray instead of a hash. Nice catch,
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Thanks,
Josef
next prev parent reply other threads:[~2025-08-26 20:25 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-26 20:01 [PATCH] btrfs: fix subvolume deletion lockup caused by inodes xarray race Omar Sandoval
2025-08-26 20:25 ` Josef Bacik [this message]
2025-08-26 21:19 ` Omar Sandoval
2025-08-27 8:45 ` Filipe Manana
2025-08-28 23:23 ` David Sterba
2025-08-29 3:31 ` Omar Sandoval
2025-08-29 14:23 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250826202507.GA2119633@perftesting \
--to=josef@toxicpanda.com \
--cc=boris@bur.io \
--cc=fdmanana@suse.com \
--cc=kernel-team@fb.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=loemra.dev@gmail.com \
--cc=osandov@osandov.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.