From: bugzilla-daemon@bugzilla.kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 203947] [xfstests generic/475]: general protection fault: 0000 [#1] RIP: 0010:xfs_setfilesize_ioend+0xb1/0x220 [xfs]
Date: Thu, 27 Jun 2019 18:35:30 +0000 [thread overview]
Message-ID: <bug-203947-201763-BIraDUAzxc@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-203947-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=203947
Darrick J. Wong (djwong+kernel@djwong.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djwong+kernel@djwong.org
--- Comment #2 from Darrick J. Wong (djwong+kernel@djwong.org) ---
Hmm... so we're clearly in a situation where we have ioend A -> ioend B and
we're trying to merge A and B. A has a setfilesize transaction and B does not,
but current code assumes that if A has one then B must have one and that it
must cancel B's. Then we crash trying to cancel the transaction that B doesn't
have.
How do we end up in this situation? I can't trigger it on my systems, but I
guess this sounds plausible:
1. Dirty pages 0, 1, and 2 of an empty file.
2. Writeback gets scheduled for pages 0 and 2, creating ioends A and C. Both
ioends describe writes past the on-disk isize so we allocate transactions.
3. ioend C completes immediately, sets the ondisk isize to (3 * PAGESIZE).
4. Writeback gets scheduled for page 1, creating ioend B. ioend B describes a
write within the on-disk isize so we do not allocate setfilesize transaction.
5. ioend A and B complete and are sorted into the per-inode ioend completion
list. xfs_ioend_try_merge looks at ioend A, sees that ioend A has a
setfilesize transaction and that there's an ioend B that can be merged with A.
6. _try_merge tries to call xfs_setfilesize_ioend(ioend B, -1) to cancel ioend
B's transaction, but as we saw in (4), ioend B has no transaction and crashes.
I wonder how hard it will be to write a regression test for this, since it
requires fairly tight timing?
Coincidentally, Christoph just posted "xfs: allow merging ioends over append
boundaries" which I think fixes this problem. Zorro, can you apply it and
retry?
--
You are receiving this mail because:
You are watching the assignee of the bug.
next prev parent reply other threads:[~2019-06-27 18:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-21 8:32 [Bug 203947] New: [xfstests generic/475]: general protection fault: 0000 [#1] RIP: 0010:xfs_setfilesize_ioend+0xb1/0x220 [xfs] bugzilla-daemon
2019-06-27 8:35 ` [Bug 203947] " bugzilla-daemon
2019-06-27 18:35 ` bugzilla-daemon [this message]
2019-06-27 18:35 ` bugzilla-daemon
2019-06-29 3:30 ` bugzilla-daemon
2019-06-29 3:46 ` bugzilla-daemon
2019-06-29 3:48 ` bugzilla-daemon
2019-06-29 16:07 ` bugzilla-daemon
2019-06-29 17:31 ` bugzilla-daemon
2019-06-29 17:35 ` bugzilla-daemon
2019-06-30 13:52 ` bugzilla-daemon
2019-07-09 4:30 ` bugzilla-daemon
2019-07-11 22:59 ` bugzilla-daemon
2019-07-12 4:27 ` bugzilla-daemon
2019-07-12 13:18 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-203947-201763-BIraDUAzxc@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.