[PATCH 0/2] squota delete fstests

[PATCH 0/2] squota delete fstests

[Boris Burkov]

Resurrect a failed previous attempt to land tests exercising edge cases
of squota qgroup deletion.

Previous attempt:
https://lore.kernel.org/fstests/ce4a79cafb6790ef6d1e141d65195f72f469ae4d.1706035378.git.boris@bur.io/

Since then, there have been some more bugs fixed so include some
additional testing reflecting that, as well as incorporating the last
round of feedback.

Boris Burkov (2):
  btrfs: inline enable_quota helper in test 301
  btrfs: test qgroup deletion races with squota writes

 tests/btrfs/301     |  14 +----
 tests/btrfs/348     | 136 ++++++++++++++++++++++++++++++++++++++++++++
 tests/btrfs/348.out |  10 ++++
 3 files changed, 148 insertions(+), 12 deletions(-)
 create mode 100755 tests/btrfs/348
 create mode 100644 tests/btrfs/348.out

-- 
2.54.0

[PATCH 1/2] btrfs: inline enable_quota helper in test 301

[Boris Burkov]

The enable_quota helper in btrfs/301 takes a mode argument ('n', 's',
or anything else) to switch between "no quota", "simple quota", and
"full quota" enable.  Only the simple-quota path is ever exercised by
this test, so the dispatch is dead weight and the indirection just
obscures the actual btrfs command being run.

Inline the two call sites to call 'btrfs quota enable --simple'
directly and drop the helper.

Signed-off-by: Boris Burkov <boris@bur.io>
---
 tests/btrfs/301 | 14 ++------------
 1 file changed, 2 insertions(+), 12 deletions(-)

diff --git a/tests/btrfs/301 b/tests/btrfs/301
index 1f72a97b..31243aab 100755
--- a/tests/btrfs/301
+++ b/tests/btrfs/301
@@ -169,16 +169,6 @@ do_enospc_falloc()
 	do_falloc $file $sz
 }
 
-enable_quota()
-{
-	local mode=$1
-
-	[ $mode == "n" ] && return
-	arg=$([ $mode == "s" ] && echo "--simple")
-
-	$BTRFS_UTIL_PROG quota enable $arg $SCRATCH_MNT
-}
-
 get_subvid()
 {
 	_btrfs_get_subvolid $SCRATCH_MNT subv
@@ -198,7 +188,7 @@ prepare()
 {
 	_scratch_mkfs >> $seqres.full
 	_scratch_mount
-	enable_quota "s"
+	$BTRFS_UTIL_PROG quota enable --simple $SCRATCH_MNT
 	$BTRFS_UTIL_PROG subvolume create $subv >> $seqres.full
 	local subvid=$(get_subvid)
 	set_subvol_limit $subvid $limit
@@ -421,7 +411,7 @@ enable_mature()
 	# Sync before enabling squotas to reliably *not* count the writes
 	# we did before enabling.
 	sync
-	enable_quota "s"
+	$BTRFS_UTIL_PROG quota enable --simple $SCRATCH_MNT
 	set_subvol_limit $subvid $limit
 	_scratch_cycle_mount
 	usage=$(get_subvol_usage $subvid)
-- 
2.54.0

[PATCH 2/2] btrfs: test qgroup deletion races with squota writes

[Boris Burkov]

When using simple quotas, an extent's EXTENT_OWNER_REF can long outlive
the subvolume that created it, since the extent can pick up additional
references that keep it alive after the owning subvolume is deleted.

Several lifecycle bugs around the owning qgroup arise from this:

  1. Freeing an extent whose owner qgroup is gone: must not cause an
     underflow nor a transaction abort.

  2. Creating an extent in the same transaction that the owner subvolume
     is deleted: the qgroup may already be gone by the time the squota
     delta is recorded, leaving behind an EXTENT_OWNER_REF that points
     at a qgroup that never accumulated a usage delta.  Manually
     re-creating that qgroup and then freeing the extent would underflow
     it.

  3. Destroying a live subvolume's qgroup while delayed refs for newly
     allocated tree blocks have not yet flushed: rfer/excl read as 0,
     so the destroy looked safe, but the alloc delta was silently lost.

  4. Destroying the qgroup of a live subvolume whose data predates
     'btrfs quota enable --simple': pre-existing extents are not
     accounted (generation < qgroup_enable_gen), so rfer/excl stay 0
     permanently and a usage-only check happily destroys a qgroup
     belonging to a still-mounted, still-writeable subvolume.

Add four cases covering these scenarios.  On a fixed kernel all four
'qgroup destroy' (and the re-create in case 2) operations are refused
because the subvol check rejects the request; on an unfixed kernel
they would succeed and leave the filesystem with broken accounting or
trigger a transaction abort.

Signed-off-by: Boris Burkov <boris@bur.io>
---
 tests/btrfs/348     | 136 ++++++++++++++++++++++++++++++++++++++++++++
 tests/btrfs/348.out |  10 ++++
 2 files changed, 146 insertions(+)
 create mode 100755 tests/btrfs/348
 create mode 100644 tests/btrfs/348.out

diff --git a/tests/btrfs/348 b/tests/btrfs/348
new file mode 100755
index 00000000..ab816301
--- /dev/null
+++ b/tests/btrfs/348
@@ -0,0 +1,136 @@
+#! /bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (c) 2024 Meta Platforms, Inc.  All Rights Reserved.
+#
+# FS QA Test 348
+#
+# Test various race conditions between qgroup deletion and squota writes
+#
+. ./common/preamble
+_begin_fstest auto qgroup subvol clone
+
+# Import common functions.
+. ./common/reflink
+
+# real QA test starts here
+
+_require_scratch_reflink
+_require_cp_reflink
+_require_scratch_enable_simple_quota
+
+_fixed_by_kernel_commit XXXXXXXXXXXX \
+	"btrfs: check for subvolume before deleting squota qgroup"
+_fixed_by_kernel_commit 0c309d66dacd \
+	"btrfs: forbid creating subvol qgroups"
+
+subv1=$SCRATCH_MNT/subv1
+subv2=$SCRATCH_MNT/subv2
+
+prepare()
+{
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+	$BTRFS_UTIL_PROG quota enable --simple $SCRATCH_MNT
+	$BTRFS_UTIL_PROG subvolume create $subv1 >> $seqres.full
+	$BTRFS_UTIL_PROG subvolume create $subv2 >> $seqres.full
+	$XFS_IO_PROG -fc "pwrite -q 0 128K" $subv1/f
+	_cp_reflink $subv1/f $subv2/f
+}
+
+# An extent can long outlive its owner. Test this by deleting the owning
+# subvolume, committing the transaction, then deleting the reflinked copy.
+free_from_deleted_owner()
+{
+	echo "free from deleted owner"
+	prepare
+	local subvid1=$(_btrfs_get_subvolid $SCRATCH_MNT subv1)
+
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+	$BTRFS_UTIL_PROG subvolume delete $subv1 >> $seqres.full
+	$BTRFS_UTIL_PROG qgroup destroy 0/$subvid1 $SCRATCH_MNT >> $seqres.full
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+	rm $subv2/f
+	_scratch_unmount
+}
+
+# A race where we delete the owner in the same transaction as writing the
+# extent leads to incrementing the squota usage of the missing qgroup.
+# This leaves behind an owner ref with an owner id that cannot exist, so
+# freeing the extent now frees from that qgroup, but there has never
+# been a corresponding usage to free.
+add_to_deleted_owner()
+{
+	echo "add to deleted owner"
+	prepare
+	local subvid1=$(_btrfs_get_subvolid $SCRATCH_MNT subv1)
+
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+	$BTRFS_UTIL_PROG subvolume delete $subv1 >> $seqres.full
+	$BTRFS_UTIL_PROG qgroup destroy 0/$subvid1 $SCRATCH_MNT >> $seqres.full
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+	$BTRFS_UTIL_PROG qgroup create 0/$subvid1 $SCRATCH_MNT >> $seqres.full
+	rm $subv2/f
+	_scratch_unmount
+}
+
+# Create a subvol, destroy its qgroup before delayed refs update rfer/excl.
+# On an unfixed kernel the qgroup destroy succeeds (rfer == 0), silently
+# losing the alloc delta. On a fixed kernel the destroy is refused because
+# the ROOT_ITEM still exists.
+same_txn_destroy_race()
+{
+	echo "same txn destroy race"
+	prepare
+
+	# Commit so the next subvol create starts a fresh transaction.
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+
+	# New subvol -- tree block alloc delayed ref is pending, rfer/excl=0.
+	local subv3=$SCRATCH_MNT/subv3
+	$BTRFS_UTIL_PROG subvolume create $subv3 >> $seqres.full
+	local subvid3=$(_btrfs_get_subvolid $SCRATCH_MNT subv3)
+
+	# rfer/excl still 0 (delayed refs not flushed). Destroy should fail
+	# because the ROOT_ITEM exists.
+	$BTRFS_UTIL_PROG qgroup destroy 0/$subvid3 $SCRATCH_MNT 2>&1
+
+	_scratch_unmount
+}
+
+# Enable squotas on a filesystem that already has a subvolume with data.
+# Pre-existing extents have generation < qgroup_enable_gen, so the qgroup's
+# rfer/excl stay 0 permanently. On an unfixed kernel can_delete_squota_qgroup
+# only checks rfer/excl, so the qgroup can be destroyed for a live subvol.
+# On a fixed kernel, the subvol check prevents deletion.
+pre_existing_data_destroy()
+{
+	echo "pre-existing data destroy"
+	_scratch_mkfs >> $seqres.full
+	_scratch_mount
+
+	# Create subvol and write data BEFORE enabling squotas.
+	$BTRFS_UTIL_PROG subvolume create $subv1 >> $seqres.full
+	$XFS_IO_PROG -fc "pwrite -q 0 128K" $subv1/f
+	sync
+
+	# Enable squotas. Pre-existing data is not accounted (gen < enable_gen).
+	$BTRFS_UTIL_PROG quota enable --simple $SCRATCH_MNT
+	$BTRFS_UTIL_PROG filesystem sync $SCRATCH_MNT
+
+	local subvid1=$(_btrfs_get_subvolid $SCRATCH_MNT subv1)
+
+	# Destroy the qgroup. rfer/excl = 0 because data predates squotas.
+	# Should fail because the ROOT_ITEM still exists.
+	$BTRFS_UTIL_PROG qgroup destroy 0/$subvid1 $SCRATCH_MNT 2>&1
+
+	_scratch_unmount
+}
+
+free_from_deleted_owner
+add_to_deleted_owner
+same_txn_destroy_race
+pre_existing_data_destroy
+
+# success, all done
+status=0
+exit
diff --git a/tests/btrfs/348.out b/tests/btrfs/348.out
new file mode 100644
index 00000000..0a1cf11f
--- /dev/null
+++ b/tests/btrfs/348.out
@@ -0,0 +1,10 @@
+QA output created by 348
+free from deleted owner
+ERROR: unable to destroy quota group: Device or resource busy
+add to deleted owner
+ERROR: unable to destroy quota group: Device or resource busy
+ERROR: unable to create quota group: Invalid argument
+same txn destroy race
+ERROR: unable to destroy quota group: Device or resource busy
+pre-existing data destroy
+ERROR: unable to destroy quota group: Device or resource busy
-- 
2.54.0