From: Josef Bacik <josef@toxicpanda.com>
To: Qu Wenruo <wqu@suse.com>
Cc: linux-btrfs@vger.kernel.org,
Linus Torvalds <torvalds@linux-foundation.org>,
Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
Subject: Re: [PATCH RFC] btrfs: fix a possible race window when allocating new extent buffers
Date: Fri, 31 May 2024 11:13:14 -0400 [thread overview]
Message-ID: <20240531151314.GA2226865@perftesting> (raw)
In-Reply-To: <b2192936067ea7e82e7d5958c0aa6baf8c29b5d9.1717130599.git.wqu@suse.com>
On Fri, May 31, 2024 at 02:14:11PM +0930, Qu Wenruo wrote:
> [POSSIBLE RACE]
> Commit 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to
> allocate-then-attach method") changes the sequence when allocating a new
> extent buffer.
>
> Previously we always call grab_extent_buffer() under
> mapping->i_private_lock, thus there is no chance for race to happen
> between extent buffer releasing and allocating.
>
> However that commit changed the behavior to call grab_extent_buffer()
> without holding that lock, making the following race possible:
>
> Thread A | Thread B
> -------------------------------+----------------------------------
> | btree_release_folio()
> | |- btrfs_release_extent_buffer_pages()
> attach_eb_folio_to_filemap() | | |- detach_extent_buffer_folio()
> | | \- return 1 so that this folio would be
> | | released from page cache
> |-grab_extent_buffer() |
> | Now it returns no eb, we can |
> | reuse the folio |
>
> This would make the newly allocated extent buffer to point to a soon to
> be freed folio.
> The problem is not immediately triggered, as the we still hold one extra
> folio refcount from thread A.
>
> But later mostly at extent buffer release, if we put the last refcount
> of the folio (only hold by ourselves), then we can hit various problems.
>
> The most common one is the bad folio status:
>
> BUG: Bad page state in process kswapd0 pfn:d6e840
> page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c
> pfn:0xd6e840
> aops:btree_aops ino:1
> flags: 0x17ffffe0000008(uptodate|node=0|zone=2|lastcpupid=0x3fffff)
> page_type: 0xffffffff()
> raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0
> raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000
> page dumped because: non-NULL mapping
>
> [FIX]
> Move all the code requiring i_private_lock into
> attach_eb_folio_to_filemap(), so that everything is done with proper
> lock protection.
>
> Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
> Link: https://lore.kernel.org/linux-btrfs/CAHk-=wgt362nGfScVOOii8cgKn2LVVHeOvOA7OBwg1OwbuJQcw@mail.gmail.com/
> Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com>
> Link: https://lore.kernel.org/lkml/CABXGCsPktcHQOvKTbPaTwegMExije=Gpgci5NW=hqORo-s7diA@mail.gmail.com/
> Fixes: 09e6cef19c9f ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method")
> Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Thanks,
Josef
prev parent reply other threads:[~2024-05-31 15:13 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-05-31 4:44 [PATCH RFC] btrfs: fix a possible race window when allocating new extent buffers Qu Wenruo
2024-05-31 10:44 ` Filipe Manana
2024-05-31 12:31 ` Filipe Manana
2024-05-31 15:13 ` Josef Bacik [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240531151314.GA2226865@perftesting \
--to=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=mikhail.v.gavrilov@gmail.com \
--cc=torvalds@linux-foundation.org \
--cc=wqu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox