From: David Sterba <dsterba@suse.cz>
To: Meng Xu <mengxu.gatech@gmail.com>
Cc: linux-btrfs@vger.kernel.org, josef@toxicpanda.com
Subject: Re: potential data race on `delayed_rsv->full`
Date: Fri, 1 Nov 2019 16:45:36 +0100 [thread overview]
Message-ID: <20191101154536.GW3001@twin.jikos.cz> (raw)
In-Reply-To: <CAAwBoOJDjei5Hnem155N_cJwiEkVwJYvgN-tQrwWbZQGhFU=cA@mail.gmail.com>
On Tue, Oct 15, 2019 at 02:33:11PM -0400, Meng Xu wrote:
> I am reporting a potential data race around the `delayed_rsv->full` field.
Thanks for the report.
> [thread 1] mount a btrfs image, a kernel thread of uuid_rescan will be created
>
> btrfs_uuid_rescan_kthread
> btrfs_end_transaction
> __btrfs_end_transaction
> btrfs_trans_release_metadata
> btrfs_block_rsv_release
> __btrfs_block_rsv_release
> --> [READ] else if (block_rsv != global_rsv && !delayed_rsv->full)
> ^^^^^^^^^^^^^^^^^
>
>
> [thread 2] do a mkdir syscall on the mounted image
>
> __do_sys_mkdir
> do_mkdirat
> vfs_mkdir
> btrfs_mkdir
> btrfs_new_inode
> btrfs_insert_empty_items
> btrfs_cow_block
> __btrfs_cow_block
> alloc_tree_block_no_bg_flush
> btrfs_alloc_tree_block
> btrfs_add_delayed_tree_ref
> btrfs_update_delayed_refs_rsv
> --> [WRITE] delayed_rsv->full = 0;
> ^^^^^^^^^^^^^^^^^^^^^
>
>
> I could confirm that this is a data race by manually adding and adjusting
> delays before the read and write statements although I am not very sure
> about the implication of such a data race (e.g., crashing btrfs or causing
> violations of assumptions). I would appreciate if you could help check on
> this potential bug and advise whether this is a harmful data race or it
> is intended.
The race is there, as the access is unprotected, but it does not seem to
have serious implications. The race is for space, which happens all the
time, and if the reservations cannot be satisfied there goes ENOSPC.
In this particular case I wonder if the uuid thread is important or if
this would happen with anything that calls btrfs_end_transaction.
Depending on the value of ->full, __btrfs_block_rsv_release decides
where to return the reservation, and block_rsv_release_bytes handles a
NULL pointer for block_rsv and if it's not NULL then it double checks
the full status under a lock.
So the unlocked and racy access is only advisory and in the worst case
the block reserve is found !full and becomes full in the meantime,
but properly handled.
I've CCed Josef to review the analysis.
next prev parent reply other threads:[~2019-11-01 15:45 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-15 18:33 potential data race on `delayed_rsv->full` Meng Xu
2019-11-01 15:45 ` David Sterba [this message]
2019-11-01 17:09 ` Meng Xu
2019-11-01 18:16 ` Josef Bacik
2019-11-05 10:01 ` David Sterba
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191101154536.GW3001@twin.jikos.cz \
--to=dsterba@suse.cz \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=mengxu.gatech@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox