* [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
@ 2025-03-06 14:28 Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
` (3 more replies)
0 siblings, 4 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-06 14:28 UTC (permalink / raw)
To: linux-ext4, Theodore Ts'o; +Cc: Jan Kara, Baokun Li, linux-kernel
** Changes since v1 [1] **
* Picked up RVBs from Jan and Ritesh
* In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
to determine when to journal sb vs when to commit directly.
* Added a prep patch 1/3
[1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
@Baokun, I didn't get a chance to look into the journal_inode
modifications we were discussing in [2]. I'll try to spend some time and
send that as a separate patch. Hope that's okay
[2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
** Original Cover **
When running LTP stress tests on ext4, after a multiday run we seemed to
have hit the following BUG_ON:
[NIP : start_this_handle+268]
#3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
#4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
#5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
#6 [c000001067c27c70] process_one_work at c000000000188790
#7 [c000001067c27d20] worker_thread at c00000000018973c
#8 [c000001067c27dc0] kthread at c000000000196c84
#9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
Which comes out to
382 repeat:
383 read_lock(&journal->j_state_lock);
* 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
385 if (is_journal_aborted(journal) ||
386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
387 read_unlock(&journal->j_state_lock);
Initially this seemed like it should never happen but upon crash
analysis it seems like it could indeed be hit as described in patch 1/2.
I would like to add that through the logs we only knew that:
- ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
- update_super_work had hit the BUG_ON
I was not able to hit this bug again (without modifying the kernel to
inject errors) but the above backtrace seems to be one possible paths
where this BUG_ON can be hit. Rest of the analysis and fix is in patch
2/3. Patch 3 is just a small tweak that i found helpful while debugging.
That being said, journalling is something I'm not very familiar with and
there might be gaps in my understanding so thoughts and suggestions are
welcome.
Ojaswin Mujoo (3):
ext4: define ext4_journal_destroy wrapper
ext4: avoid journaling sb update on error if journal is destroying
ext4: Make sb update interval tunable
fs/ext4/ext4.h | 11 +++++++++++
fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
fs/ext4/super.c | 35 +++++++++++++++++------------------
fs/ext4/sysfs.c | 4 ++++
4 files changed, 54 insertions(+), 18 deletions(-)
--
2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper
2025-03-06 14:28 [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Ojaswin Mujoo
@ 2025-03-06 14:28 ` Ojaswin Mujoo
2025-03-07 14:05 ` Jan Kara
2025-03-08 1:18 ` Baokun Li
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
` (2 subsequent siblings)
3 siblings, 2 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-06 14:28 UTC (permalink / raw)
To: linux-ext4, Theodore Ts'o; +Cc: Jan Kara, Baokun Li, linux-kernel
Define an ext4 wrapper over jbd2_journal_destroy to make sure we
have consistent behavior during journal destruction. This will also
come useful in the next patch where we add some ext4 specific logic
in the destroy path.
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
---
fs/ext4/ext4_jbd2.h | 14 ++++++++++++++
fs/ext4/super.c | 16 ++++++----------
2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
index 3f2596c9e5f2..9b3c9df02a39 100644
--- a/fs/ext4/ext4_jbd2.h
+++ b/fs/ext4/ext4_jbd2.h
@@ -429,4 +429,18 @@ static inline int ext4_should_dioread_nolock(struct inode *inode)
return 1;
}
+/*
+ * Pass journal explicitly as it may not be cached in the sbi->s_journal in some
+ * cases
+ */
+static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *journal)
+{
+ int err = 0;
+
+ err = jbd2_journal_destroy(journal);
+ sbi->s_journal = NULL;
+
+ return err;
+}
+
#endif /* _EXT4_JBD2_H */
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index a963ffda692a..8ad664d47806 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1297,8 +1297,7 @@ static void ext4_put_super(struct super_block *sb)
if (sbi->s_journal) {
aborted = is_journal_aborted(sbi->s_journal);
- err = jbd2_journal_destroy(sbi->s_journal);
- sbi->s_journal = NULL;
+ err = ext4_journal_destroy(sbi, sbi->s_journal);
if ((err < 0) && !aborted) {
ext4_abort(sb, -err, "Couldn't clean up the journal");
}
@@ -4960,8 +4959,7 @@ static int ext4_load_and_init_journal(struct super_block *sb,
out:
/* flush s_sb_upd_work before destroying the journal. */
flush_work(&sbi->s_sb_upd_work);
- jbd2_journal_destroy(sbi->s_journal);
- sbi->s_journal = NULL;
+ ext4_journal_destroy(sbi, sbi->s_journal);
return -EINVAL;
}
@@ -5652,8 +5650,7 @@ failed_mount8: __maybe_unused
if (sbi->s_journal) {
/* flush s_sb_upd_work before journal destroy. */
flush_work(&sbi->s_sb_upd_work);
- jbd2_journal_destroy(sbi->s_journal);
- sbi->s_journal = NULL;
+ ext4_journal_destroy(sbi, sbi->s_journal);
}
failed_mount3a:
ext4_es_unregister_shrinker(sbi);
@@ -5958,7 +5955,7 @@ static journal_t *ext4_open_dev_journal(struct super_block *sb,
return journal;
out_journal:
- jbd2_journal_destroy(journal);
+ ext4_journal_destroy(EXT4_SB(sb), journal);
out_bdev:
bdev_fput(bdev_file);
return ERR_PTR(errno);
@@ -6075,8 +6072,7 @@ static int ext4_load_journal(struct super_block *sb,
EXT4_SB(sb)->s_journal = journal;
err = ext4_clear_journal_err(sb, es);
if (err) {
- EXT4_SB(sb)->s_journal = NULL;
- jbd2_journal_destroy(journal);
+ ext4_journal_destroy(EXT4_SB(sb), journal);
return err;
}
@@ -6094,7 +6090,7 @@ static int ext4_load_journal(struct super_block *sb,
return 0;
err_out:
- jbd2_journal_destroy(journal);
+ ext4_journal_destroy(EXT4_SB(sb), journal);
return err;
}
--
2.48.1
^ permalink raw reply related [flat|nested] 41+ messages in thread
* [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-06 14:28 [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
@ 2025-03-06 14:28 ` Ojaswin Mujoo
2025-03-07 2:49 ` Zhang Yi
` (3 more replies)
2025-03-06 14:28 ` [PATCH v2 3/3] ext4: Make sb update interval tunable Ojaswin Mujoo
2025-03-08 1:09 ` [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Baokun Li
3 siblings, 4 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-06 14:28 UTC (permalink / raw)
To: linux-ext4, Theodore Ts'o
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar
Presently we always BUG_ON if trying to start a transaction on a journal marked
with JBD2_UNMOUNT, since this should never happen. However, while ltp running
stress tests, it was observed that in case of some error handling paths, it is
possible for update_super_work to start a transaction after the journal is
destroyed eg:
(umount)
ext4_kill_sb
kill_block_super
generic_shutdown_super
sync_filesystem /* commits all txns */
evict_inodes
/* might start a new txn */
ext4_put_super
flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
jbd2_journal_destroy
journal_kill_thread
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_commit_transaction
jbd2_journal_get_descriptor_buffer
jbd2_journal_bmap
ext4_journal_bmap
ext4_map_blocks
...
ext4_inode_error
ext4_handle_error
schedule_work(&sbi->s_sb_upd_work)
/* work queue kicks in */
update_super_work
jbd2_journal_start
start_this_handle
BUG_ON(journal->j_flags &
JBD2_UNMOUNT)
Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
destroying only do a journaled (and deferred) update of sb if this flag is not
set. Otherwise, just fallback to an un-journaled commit.
We set sbi->s_journal_destroying = true only after all the FS updates are done
during ext4_put_super() (except a running transaction that will get commited
during jbd2_journal_destroy()). After this point, it is safe to commit the sb
outside the journal as it won't race with a journaled update (refer
2d01ddc86606).
Also, we don't need a similar check in ext4_grp_locked_error since it is only
called from mballoc and AFAICT it would be always valid to schedule work here.
Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
---
fs/ext4/ext4.h | 2 ++
fs/ext4/ext4_jbd2.h | 8 ++++++++
fs/ext4/super.c | 4 +++-
3 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 2b7d781bfcad..d48e93bd5690 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1728,6 +1728,8 @@ struct ext4_sb_info {
*/
struct work_struct s_sb_upd_work;
+ bool s_journal_destorying;
+
/* Atomic write unit values in bytes */
unsigned int s_awu_min;
unsigned int s_awu_max;
diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
index 9b3c9df02a39..6bd3ca84410d 100644
--- a/fs/ext4/ext4_jbd2.h
+++ b/fs/ext4/ext4_jbd2.h
@@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
{
int err = 0;
+ /*
+ * At this point all pending FS updates should be done except a possible
+ * running transaction (which will commit in jbd2_journal_destroy). It
+ * is now safe for any new errors to directly commit superblock rather
+ * than going via journal.
+ */
+ sbi->s_journal_destorying = true;
+
err = jbd2_journal_destroy(journal);
sbi->s_journal = NULL;
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 8ad664d47806..31552cf0519a 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
* constraints, it may not be safe to do it right here so we
* defer superblock flushing to a workqueue.
*/
- if (continue_fs && journal)
+ if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
else
ext4_commit_super(sb);
@@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
spin_lock_init(&sbi->s_error_lock);
INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
+ sbi->s_journal_destorying = false;
+
err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
if (err)
goto failed_mount3;
--
2.48.1
^ permalink raw reply related [flat|nested] 41+ messages in thread
* [PATCH v2 3/3] ext4: Make sb update interval tunable
2025-03-06 14:28 [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
@ 2025-03-06 14:28 ` Ojaswin Mujoo
2025-03-08 2:25 ` Baokun Li
2025-03-08 1:09 ` [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Baokun Li
3 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-06 14:28 UTC (permalink / raw)
To: linux-ext4, Theodore Ts'o
Cc: Jan Kara, Baokun Li, linux-kernel, Ritesh Harjani (IBM)
Currently, outside error paths, we auto commit the super block after 1
hour has passed and 16MB worth of updates have been written since last
commit. This is a policy decision so make this tunable while keeping the
defaults same. This is useful if user wants to tweak the superblock
behavior or for debugging the codepath by allowing to trigger it more
frequently.
We can now tweak the super block update using sb_update_sec and
sb_update_kb files in /sys/fs/ext4/<dev>/
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
---
fs/ext4/ext4.h | 9 +++++++++
fs/ext4/super.c | 15 ++++++++-------
fs/ext4/sysfs.c | 4 ++++
3 files changed, 21 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index d48e93bd5690..82c902ed86f3 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1608,6 +1608,8 @@ struct ext4_sb_info {
unsigned int s_mb_prefetch;
unsigned int s_mb_prefetch_limit;
unsigned int s_mb_best_avail_max_trim_order;
+ unsigned int s_sb_update_sec;
+ unsigned int s_sb_update_kb;
/* stats for buddy allocator */
atomic_t s_bal_reqs; /* number of reqs with len > 1 */
@@ -2281,6 +2283,13 @@ static inline int ext4_forced_shutdown(struct super_block *sb)
#define EXT4_DEF_MIN_BATCH_TIME 0
#define EXT4_DEF_MAX_BATCH_TIME 15000 /* 15ms */
+/*
+ * Default values for superblock update
+ */
+#define EXT4_DEF_SB_UPDATE_INTERVAL_SEC (3600) /* seconds (1 hour) */
+#define EXT4_DEF_SB_UPDATE_INTERVAL_KB (16384) /* kilobytes (16MB) */
+
+
/*
* Minimum number of groups in a flexgroup before we separate out
* directories into the first block group of a flexgroup
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 31552cf0519a..1b47b111c583 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -447,9 +447,6 @@ static time64_t __ext4_get_tstamp(__le32 *lo, __u8 *hi)
#define ext4_get_tstamp(es, tstamp) \
__ext4_get_tstamp(&(es)->tstamp, &(es)->tstamp ## _hi)
-#define EXT4_SB_REFRESH_INTERVAL_SEC (3600) /* seconds (1 hour) */
-#define EXT4_SB_REFRESH_INTERVAL_KB (16384) /* kilobytes (16MB) */
-
/*
* The ext4_maybe_update_superblock() function checks and updates the
* superblock if needed.
@@ -457,8 +454,10 @@ static time64_t __ext4_get_tstamp(__le32 *lo, __u8 *hi)
* This function is designed to update the on-disk superblock only under
* certain conditions to prevent excessive disk writes and unnecessary
* waking of the disk from sleep. The superblock will be updated if:
- * 1. More than an hour has passed since the last superblock update, and
- * 2. More than 16MB have been written since the last superblock update.
+ * 1. More than sbi->s_sb_update_sec (def: 1 hour) has passed since the last
+ * superblock update
+ * 2. More than sbi->s_sb_update_kb (def: 16MB) kbs have been written since the
+ * last superblock update.
*
* @sb: The superblock
*/
@@ -479,7 +478,7 @@ static void ext4_maybe_update_superblock(struct super_block *sb)
now = ktime_get_real_seconds();
last_update = ext4_get_tstamp(es, s_wtime);
- if (likely(now - last_update < EXT4_SB_REFRESH_INTERVAL_SEC))
+ if (likely(now - last_update < sbi->s_sb_update_sec))
return;
lifetime_write_kbytes = sbi->s_kbytes_written +
@@ -494,7 +493,7 @@ static void ext4_maybe_update_superblock(struct super_block *sb)
*/
diff_size = lifetime_write_kbytes - le64_to_cpu(es->s_kbytes_written);
- if (diff_size > EXT4_SB_REFRESH_INTERVAL_KB)
+ if (diff_size > sbi->s_sb_update_kb)
schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
}
@@ -5246,6 +5245,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
sbi->s_commit_interval = JBD2_DEFAULT_MAX_COMMIT_AGE * HZ;
sbi->s_min_batch_time = EXT4_DEF_MIN_BATCH_TIME;
sbi->s_max_batch_time = EXT4_DEF_MAX_BATCH_TIME;
+ sbi->s_sb_update_kb = EXT4_DEF_SB_UPDATE_INTERVAL_KB;
+ sbi->s_sb_update_sec = EXT4_DEF_SB_UPDATE_INTERVAL_SEC;
/*
* set default s_li_wait_mult for lazyinit, for the case there is
diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
index ddb54608ca2e..987bd00f916a 100644
--- a/fs/ext4/sysfs.c
+++ b/fs/ext4/sysfs.c
@@ -254,6 +254,8 @@ EXT4_ATTR(journal_task, 0444, journal_task);
EXT4_RW_ATTR_SBI_UI(mb_prefetch, s_mb_prefetch);
EXT4_RW_ATTR_SBI_UI(mb_prefetch_limit, s_mb_prefetch_limit);
EXT4_RW_ATTR_SBI_UL(last_trim_minblks, s_last_trim_minblks);
+EXT4_RW_ATTR_SBI_UI(sb_update_sec, s_sb_update_sec);
+EXT4_RW_ATTR_SBI_UI(sb_update_kb, s_sb_update_kb);
static unsigned int old_bump_val = 128;
EXT4_ATTR_PTR(max_writeback_mb_bump, 0444, pointer_ui, &old_bump_val);
@@ -305,6 +307,8 @@ static struct attribute *ext4_attrs[] = {
ATTR_LIST(mb_prefetch),
ATTR_LIST(mb_prefetch_limit),
ATTR_LIST(last_trim_minblks),
+ ATTR_LIST(sb_update_sec),
+ ATTR_LIST(sb_update_kb),
NULL,
};
ATTRIBUTE_GROUPS(ext4);
--
2.48.1
^ permalink raw reply related [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
@ 2025-03-07 2:49 ` Zhang Yi
2025-03-07 6:34 ` Ojaswin Mujoo
2025-03-07 14:26 ` Jan Kara
` (2 subsequent siblings)
3 siblings, 1 reply; 41+ messages in thread
From: Zhang Yi @ 2025-03-07 2:49 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> Presently we always BUG_ON if trying to start a transaction on a journal marked
> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> stress tests, it was observed that in case of some error handling paths, it is
> possible for update_super_work to start a transaction after the journal is
> destroyed eg:
>
> (umount)
> ext4_kill_sb
> kill_block_super
> generic_shutdown_super
> sync_filesystem /* commits all txns */
> evict_inodes
> /* might start a new txn */
> ext4_put_super
> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> jbd2_journal_destroy
> journal_kill_thread
> journal->j_flags |= JBD2_UNMOUNT;
> jbd2_journal_commit_transaction
> jbd2_journal_get_descriptor_buffer
> jbd2_journal_bmap
> ext4_journal_bmap
> ext4_map_blocks
> ...
> ext4_inode_error
> ext4_handle_error
> schedule_work(&sbi->s_sb_upd_work)
>
> /* work queue kicks in */
> update_super_work
> jbd2_journal_start
> start_this_handle
> BUG_ON(journal->j_flags &
> JBD2_UNMOUNT)
>
> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> destroying only do a journaled (and deferred) update of sb if this flag is not
> set. Otherwise, just fallback to an un-journaled commit.
>
> We set sbi->s_journal_destroying = true only after all the FS updates are done
> during ext4_put_super() (except a running transaction that will get commited
> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> outside the journal as it won't race with a journaled update (refer
> 2d01ddc86606).
>
> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> called from mballoc and AFAICT it would be always valid to schedule work here.
>
> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> Suggested-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> ---
> fs/ext4/ext4.h | 2 ++
> fs/ext4/ext4_jbd2.h | 8 ++++++++
> fs/ext4/super.c | 4 +++-
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 2b7d781bfcad..d48e93bd5690 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> */
> struct work_struct s_sb_upd_work;
>
> + bool s_journal_destorying;
> +
> /* Atomic write unit values in bytes */
> unsigned int s_awu_min;
> unsigned int s_awu_max;
> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> index 9b3c9df02a39..6bd3ca84410d 100644
> --- a/fs/ext4/ext4_jbd2.h
> +++ b/fs/ext4/ext4_jbd2.h
> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> {
> int err = 0;
>
> + /*
> + * At this point all pending FS updates should be done except a possible
> + * running transaction (which will commit in jbd2_journal_destroy). It
> + * is now safe for any new errors to directly commit superblock rather
> + * than going via journal.
> + */
> + sbi->s_journal_destorying = true;
> +
Hi, Ojaswin!
I'm afraid you still need to flush the superblock update work here,
otherwise I guess the race condition you mentioned in v1 could still
occur.
ext4_put_super()
flush_work(&sbi->s_sb_upd_work)
**kjournald2**
jbd2_journal_commit_transaction()
...
ext4_inode_error()
/* JBD2_UNMOUNT not set */
schedule_work(s_sb_upd_work)
**workqueue**
update_super_work
/* s_journal_destorying is not set */
if (journal && !s_journal_destorying)
ext4_journal_destroy()
/* set s_journal_destorying */
sbi->s_journal_destorying = true;
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_start()
start_this_handle()
BUG_ON(JBD2_UNMOUNT)
Thanks,
Yi.
> err = jbd2_journal_destroy(journal);
> sbi->s_journal = NULL;
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 8ad664d47806..31552cf0519a 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> * constraints, it may not be safe to do it right here so we
> * defer superblock flushing to a workqueue.
> */
> - if (continue_fs && journal)
> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> else
> ext4_commit_super(sb);
> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> spin_lock_init(&sbi->s_error_lock);
> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>
> + sbi->s_journal_destorying = false;
> +
> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> if (err)
> goto failed_mount3;
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 2:49 ` Zhang Yi
@ 2025-03-07 6:34 ` Ojaswin Mujoo
2025-03-07 8:13 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-07 6:34 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > stress tests, it was observed that in case of some error handling paths, it is
> > possible for update_super_work to start a transaction after the journal is
> > destroyed eg:
> >
> > (umount)
> > ext4_kill_sb
> > kill_block_super
> > generic_shutdown_super
> > sync_filesystem /* commits all txns */
> > evict_inodes
> > /* might start a new txn */
> > ext4_put_super
> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > jbd2_journal_destroy
> > journal_kill_thread
> > journal->j_flags |= JBD2_UNMOUNT;
> > jbd2_journal_commit_transaction
> > jbd2_journal_get_descriptor_buffer
> > jbd2_journal_bmap
> > ext4_journal_bmap
> > ext4_map_blocks
> > ...
> > ext4_inode_error
> > ext4_handle_error
> > schedule_work(&sbi->s_sb_upd_work)
> >
> > /* work queue kicks in */
> > update_super_work
> > jbd2_journal_start
> > start_this_handle
> > BUG_ON(journal->j_flags &
> > JBD2_UNMOUNT)
> >
> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > destroying only do a journaled (and deferred) update of sb if this flag is not
> > set. Otherwise, just fallback to an un-journaled commit.
> >
> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > during ext4_put_super() (except a running transaction that will get commited
> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > outside the journal as it won't race with a journaled update (refer
> > 2d01ddc86606).
> >
> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >
> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > Suggested-by: Jan Kara <jack@suse.cz>
> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > ---
> > fs/ext4/ext4.h | 2 ++
> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > fs/ext4/super.c | 4 +++-
> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > index 2b7d781bfcad..d48e93bd5690 100644
> > --- a/fs/ext4/ext4.h
> > +++ b/fs/ext4/ext4.h
> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > */
> > struct work_struct s_sb_upd_work;
> >
> > + bool s_journal_destorying;
> > +
> > /* Atomic write unit values in bytes */
> > unsigned int s_awu_min;
> > unsigned int s_awu_max;
> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > index 9b3c9df02a39..6bd3ca84410d 100644
> > --- a/fs/ext4/ext4_jbd2.h
> > +++ b/fs/ext4/ext4_jbd2.h
> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > {
> > int err = 0;
> >
> > + /*
> > + * At this point all pending FS updates should be done except a possible
> > + * running transaction (which will commit in jbd2_journal_destroy). It
> > + * is now safe for any new errors to directly commit superblock rather
> > + * than going via journal.
> > + */
> > + sbi->s_journal_destorying = true;
> > +
>
> Hi, Ojaswin!
>
> I'm afraid you still need to flush the superblock update work here,
> otherwise I guess the race condition you mentioned in v1 could still
> occur.
>
> ext4_put_super()
> flush_work(&sbi->s_sb_upd_work)
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> /* JBD2_UNMOUNT not set */
> schedule_work(s_sb_upd_work)
>
> **workqueue**
> update_super_work
> /* s_journal_destorying is not set */
> if (journal && !s_journal_destorying)
>
> ext4_journal_destroy()
> /* set s_journal_destorying */
> sbi->s_journal_destorying = true;
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
>
> jbd2_journal_start()
> start_this_handle()
> BUG_ON(JBD2_UNMOUNT)
>
> Thanks,
> Yi.
Hi Yi,
Yes you are right, somehow missed this edge case :(
Alright then, we have to move out sbi->s_journal_destroying outside the
helper. Just wondering if I should still let it be in
ext4_journal_destroy and just add an extra s_journal_destroying = false
before schedule_work(s_sb_upd_work), because it makes sense.
Okay let me give it some thought but thanks for pointing this out!
Regards,
ojaswin
>
> > err = jbd2_journal_destroy(journal);
> > sbi->s_journal = NULL;
> >
> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> > index 8ad664d47806..31552cf0519a 100644
> > --- a/fs/ext4/super.c
> > +++ b/fs/ext4/super.c
> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> > * constraints, it may not be safe to do it right here so we
> > * defer superblock flushing to a workqueue.
> > */
> > - if (continue_fs && journal)
> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> > else
> > ext4_commit_super(sb);
> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> > spin_lock_init(&sbi->s_error_lock);
> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >
> > + sbi->s_journal_destorying = false;
> > +
> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> > if (err)
> > goto failed_mount3;
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 6:34 ` Ojaswin Mujoo
@ 2025-03-07 8:13 ` Ojaswin Mujoo
2025-03-07 8:43 ` Zhang Yi
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-07 8:13 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> > On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > > stress tests, it was observed that in case of some error handling paths, it is
> > > possible for update_super_work to start a transaction after the journal is
> > > destroyed eg:
> > >
> > > (umount)
> > > ext4_kill_sb
> > > kill_block_super
> > > generic_shutdown_super
> > > sync_filesystem /* commits all txns */
> > > evict_inodes
> > > /* might start a new txn */
> > > ext4_put_super
> > > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > > jbd2_journal_destroy
> > > journal_kill_thread
> > > journal->j_flags |= JBD2_UNMOUNT;
> > > jbd2_journal_commit_transaction
> > > jbd2_journal_get_descriptor_buffer
> > > jbd2_journal_bmap
> > > ext4_journal_bmap
> > > ext4_map_blocks
> > > ...
> > > ext4_inode_error
> > > ext4_handle_error
> > > schedule_work(&sbi->s_sb_upd_work)
> > >
> > > /* work queue kicks in */
> > > update_super_work
> > > jbd2_journal_start
> > > start_this_handle
> > > BUG_ON(journal->j_flags &
> > > JBD2_UNMOUNT)
> > >
> > > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > > destroying only do a journaled (and deferred) update of sb if this flag is not
> > > set. Otherwise, just fallback to an un-journaled commit.
> > >
> > > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > > during ext4_put_super() (except a running transaction that will get commited
> > > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > > outside the journal as it won't race with a journaled update (refer
> > > 2d01ddc86606).
> > >
> > > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > > called from mballoc and AFAICT it would be always valid to schedule work here.
> > >
> > > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > > Suggested-by: Jan Kara <jack@suse.cz>
> > > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > > ---
> > > fs/ext4/ext4.h | 2 ++
> > > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > > fs/ext4/super.c | 4 +++-
> > > 3 files changed, 13 insertions(+), 1 deletion(-)
> > >
> > > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > > index 2b7d781bfcad..d48e93bd5690 100644
> > > --- a/fs/ext4/ext4.h
> > > +++ b/fs/ext4/ext4.h
> > > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > > */
> > > struct work_struct s_sb_upd_work;
> > >
> > > + bool s_journal_destorying;
> > > +
> > > /* Atomic write unit values in bytes */
> > > unsigned int s_awu_min;
> > > unsigned int s_awu_max;
> > > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > > index 9b3c9df02a39..6bd3ca84410d 100644
> > > --- a/fs/ext4/ext4_jbd2.h
> > > +++ b/fs/ext4/ext4_jbd2.h
> > > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > > {
> > > int err = 0;
> > >
> > > + /*
> > > + * At this point all pending FS updates should be done except a possible
> > > + * running transaction (which will commit in jbd2_journal_destroy). It
> > > + * is now safe for any new errors to directly commit superblock rather
> > > + * than going via journal.
> > > + */
> > > + sbi->s_journal_destorying = true;
> > > +
> >
> > Hi, Ojaswin!
> >
> > I'm afraid you still need to flush the superblock update work here,
> > otherwise I guess the race condition you mentioned in v1 could still
> > occur.
> >
> > ext4_put_super()
> > flush_work(&sbi->s_sb_upd_work)
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > ...
> > ext4_inode_error()
> > /* JBD2_UNMOUNT not set */
> > schedule_work(s_sb_upd_work)
> >
> > **workqueue**
> > update_super_work
> > /* s_journal_destorying is not set */
> > if (journal && !s_journal_destorying)
> >
> > ext4_journal_destroy()
> > /* set s_journal_destorying */
> > sbi->s_journal_destorying = true;
> > jbd2_journal_destroy()
> > journal->j_flags |= JBD2_UNMOUNT;
> >
> > jbd2_journal_start()
> > start_this_handle()
> > BUG_ON(JBD2_UNMOUNT)
> >
> > Thanks,
> > Yi.
> Hi Yi,
>
> Yes you are right, somehow missed this edge case :(
>
> Alright then, we have to move out sbi->s_journal_destroying outside the
> helper. Just wondering if I should still let it be in
> ext4_journal_destroy and just add an extra s_journal_destroying = false
> before schedule_work(s_sb_upd_work), because it makes sense.
>
> Okay let me give it some thought but thanks for pointing this out!
>
> Regards,
> ojaswin
Okay so thinking about it a bit more, I see you also suggested to flush
the work after marking sbi->s_journal_destroying. But will that solve
it?
ext4_put_super()
flush_work(&sbi->s_sb_upd_work)
**kjournald2**
jbd2_journal_commit_transaction()
...
ext4_inode_error()
/* JBD2_UNMOUNT not set */
schedule_work(s_sb_upd_work)
**workqueue**
update_super_work
/* s_journal_destorying is not set */
if (journal && !s_journal_destorying)
ext4_journal_destroy()
/* set s_journal_destorying */
sbi->s_journal_destorying = true;
flush_work(&sbi->s_sb_upd_work)
schedule_work()
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_start()
start_this_handle()
BUG_ON(JBD2_UNMOUNT)
Seems like these edge cases keep sprouting up :)
As for the fix, how about we do something like this:
ext4_put_super()
flush_work(&sbi->s_sb_upd_work)
destroy_workqueue(sbi->rsv_conversion_wq);
ext4_journal_destroy()
/* set s_journal_destorying */
sbi->s_journal_destorying = true;
/* trigger a commit and wait for it to complete */
flush_work(&sbi->s_sb_upd_work)
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_start()
start_this_handle()
BUG_ON(JBD2_UNMOUNT)
Still giving this codepath some thought but seems like this might just
be enough to fix the race. Thoughts on this?
Regards,
ojaswin
> >
> > > err = jbd2_journal_destroy(journal);
> > > sbi->s_journal = NULL;
> > >
> > > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> > > index 8ad664d47806..31552cf0519a 100644
> > > --- a/fs/ext4/super.c
> > > +++ b/fs/ext4/super.c
> > > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> > > * constraints, it may not be safe to do it right here so we
> > > * defer superblock flushing to a workqueue.
> > > */
> > > - if (continue_fs && journal)
> > > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> > > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> > > else
> > > ext4_commit_super(sb);
> > > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> > > spin_lock_init(&sbi->s_error_lock);
> > > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> > >
> > > + sbi->s_journal_destorying = false;
> > > +
> > > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> > > if (err)
> > > goto failed_mount3;
> >
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 8:13 ` Ojaswin Mujoo
@ 2025-03-07 8:43 ` Zhang Yi
2025-03-07 10:27 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Zhang Yi @ 2025-03-07 8:43 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>> possible for update_super_work to start a transaction after the journal is
>>>> destroyed eg:
>>>>
>>>> (umount)
>>>> ext4_kill_sb
>>>> kill_block_super
>>>> generic_shutdown_super
>>>> sync_filesystem /* commits all txns */
>>>> evict_inodes
>>>> /* might start a new txn */
>>>> ext4_put_super
>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>> jbd2_journal_destroy
>>>> journal_kill_thread
>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>> jbd2_journal_commit_transaction
>>>> jbd2_journal_get_descriptor_buffer
>>>> jbd2_journal_bmap
>>>> ext4_journal_bmap
>>>> ext4_map_blocks
>>>> ...
>>>> ext4_inode_error
>>>> ext4_handle_error
>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>
>>>> /* work queue kicks in */
>>>> update_super_work
>>>> jbd2_journal_start
>>>> start_this_handle
>>>> BUG_ON(journal->j_flags &
>>>> JBD2_UNMOUNT)
>>>>
>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>
>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>> during ext4_put_super() (except a running transaction that will get commited
>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>> outside the journal as it won't race with a journaled update (refer
>>>> 2d01ddc86606).
>>>>
>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>
>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>> ---
>>>> fs/ext4/ext4.h | 2 ++
>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>> fs/ext4/super.c | 4 +++-
>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>
>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>> --- a/fs/ext4/ext4.h
>>>> +++ b/fs/ext4/ext4.h
>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>> */
>>>> struct work_struct s_sb_upd_work;
>>>>
>>>> + bool s_journal_destorying;
>>>> +
>>>> /* Atomic write unit values in bytes */
>>>> unsigned int s_awu_min;
>>>> unsigned int s_awu_max;
>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>> --- a/fs/ext4/ext4_jbd2.h
>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>> {
>>>> int err = 0;
>>>>
>>>> + /*
>>>> + * At this point all pending FS updates should be done except a possible
>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>> + * is now safe for any new errors to directly commit superblock rather
>>>> + * than going via journal.
>>>> + */
>>>> + sbi->s_journal_destorying = true;
>>>> +
>>>
>>> Hi, Ojaswin!
>>>
>>> I'm afraid you still need to flush the superblock update work here,
>>> otherwise I guess the race condition you mentioned in v1 could still
>>> occur.
>>>
>>> ext4_put_super()
>>> flush_work(&sbi->s_sb_upd_work)
>>>
>>> **kjournald2**
>>> jbd2_journal_commit_transaction()
>>> ...
>>> ext4_inode_error()
>>> /* JBD2_UNMOUNT not set */
>>> schedule_work(s_sb_upd_work)
>>>
>>> **workqueue**
>>> update_super_work
>>> /* s_journal_destorying is not set */
>>> if (journal && !s_journal_destorying)
>>>
>>> ext4_journal_destroy()
>>> /* set s_journal_destorying */
>>> sbi->s_journal_destorying = true;
>>> jbd2_journal_destroy()
>>> journal->j_flags |= JBD2_UNMOUNT;
>>>
>>> jbd2_journal_start()
>>> start_this_handle()
>>> BUG_ON(JBD2_UNMOUNT)
>>>
>>> Thanks,
>>> Yi.
>> Hi Yi,
>>
>> Yes you are right, somehow missed this edge case :(
>>
>> Alright then, we have to move out sbi->s_journal_destroying outside the
>> helper. Just wondering if I should still let it be in
>> ext4_journal_destroy and just add an extra s_journal_destroying = false
>> before schedule_work(s_sb_upd_work), because it makes sense.
>>
>> Okay let me give it some thought but thanks for pointing this out!
>>
>> Regards,
>> ojaswin
>
> Okay so thinking about it a bit more, I see you also suggested to flush
> the work after marking sbi->s_journal_destroying. But will that solve
> it?
>
> ext4_put_super()
> flush_work(&sbi->s_sb_upd_work)
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> /* JBD2_UNMOUNT not set */
> schedule_work(s_sb_upd_work)
>
> **workqueue**
> update_super_work
> /* s_journal_destorying is not set */
> if (journal && !s_journal_destorying)
>
> ext4_journal_destroy()
> /* set s_journal_destorying */
> sbi->s_journal_destorying = true;
> flush_work(&sbi->s_sb_upd_work)
> schedule_work()
^^^^^^^^^^^^^^^
where does this come from?
After this flush_work, we can guarantee that the running s_sb_upd_work
finishes before we set JBD2_UNMOUNT. Additionally, the journal will
not commit transaction or call schedule_work() again because it has
been aborted due to the previous error. Am I missing something?
Thanks,
Yi.
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
>
> jbd2_journal_start()
> start_this_handle()
> BUG_ON(JBD2_UNMOUNT)
>
>
> Seems like these edge cases keep sprouting up :)
>
> As for the fix, how about we do something like this:
>
> ext4_put_super()
>
> flush_work(&sbi->s_sb_upd_work)
> destroy_workqueue(sbi->rsv_conversion_wq);
>
> ext4_journal_destroy()
> /* set s_journal_destorying */
> sbi->s_journal_destorying = true;
>
> /* trigger a commit and wait for it to complete */
>
> flush_work(&sbi->s_sb_upd_work)
>
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
>
> jbd2_journal_start()
> start_this_handle()
> BUG_ON(JBD2_UNMOUNT)
>
> Still giving this codepath some thought but seems like this might just
> be enough to fix the race. Thoughts on this?
>
> Regards,
> ojaswin
>
>>>
>>>> err = jbd2_journal_destroy(journal);
>>>> sbi->s_journal = NULL;
>>>>
>>>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>>>> index 8ad664d47806..31552cf0519a 100644
>>>> --- a/fs/ext4/super.c
>>>> +++ b/fs/ext4/super.c
>>>> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
>>>> * constraints, it may not be safe to do it right here so we
>>>> * defer superblock flushing to a workqueue.
>>>> */
>>>> - if (continue_fs && journal)
>>>> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
>>>> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
>>>> else
>>>> ext4_commit_super(sb);
>>>> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
>>>> spin_lock_init(&sbi->s_error_lock);
>>>> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>>>>
>>>> + sbi->s_journal_destorying = false;
>>>> +
>>>> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
>>>> if (err)
>>>> goto failed_mount3;
>>>
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 8:43 ` Zhang Yi
@ 2025-03-07 10:27 ` Ojaswin Mujoo
2025-03-07 12:36 ` Zhang Yi
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-07 10:27 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
>
>
> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> > On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> >> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> >>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> >>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
> >>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >>>> stress tests, it was observed that in case of some error handling paths, it is
> >>>> possible for update_super_work to start a transaction after the journal is
> >>>> destroyed eg:
> >>>>
> >>>> (umount)
> >>>> ext4_kill_sb
> >>>> kill_block_super
> >>>> generic_shutdown_super
> >>>> sync_filesystem /* commits all txns */
> >>>> evict_inodes
> >>>> /* might start a new txn */
> >>>> ext4_put_super
> >>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >>>> jbd2_journal_destroy
> >>>> journal_kill_thread
> >>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>> jbd2_journal_commit_transaction
> >>>> jbd2_journal_get_descriptor_buffer
> >>>> jbd2_journal_bmap
> >>>> ext4_journal_bmap
> >>>> ext4_map_blocks
> >>>> ...
> >>>> ext4_inode_error
> >>>> ext4_handle_error
> >>>> schedule_work(&sbi->s_sb_upd_work)
> >>>>
> >>>> /* work queue kicks in */
> >>>> update_super_work
> >>>> jbd2_journal_start
> >>>> start_this_handle
> >>>> BUG_ON(journal->j_flags &
> >>>> JBD2_UNMOUNT)
> >>>>
> >>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >>>> destroying only do a journaled (and deferred) update of sb if this flag is not
> >>>> set. Otherwise, just fallback to an un-journaled commit.
> >>>>
> >>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
> >>>> during ext4_put_super() (except a running transaction that will get commited
> >>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >>>> outside the journal as it won't race with a journaled update (refer
> >>>> 2d01ddc86606).
> >>>>
> >>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >>>> called from mballoc and AFAICT it would be always valid to schedule work here.
> >>>>
> >>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >>>> Suggested-by: Jan Kara <jack@suse.cz>
> >>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >>>> ---
> >>>> fs/ext4/ext4.h | 2 ++
> >>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
> >>>> fs/ext4/super.c | 4 +++-
> >>>> 3 files changed, 13 insertions(+), 1 deletion(-)
> >>>>
> >>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >>>> index 2b7d781bfcad..d48e93bd5690 100644
> >>>> --- a/fs/ext4/ext4.h
> >>>> +++ b/fs/ext4/ext4.h
> >>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >>>> */
> >>>> struct work_struct s_sb_upd_work;
> >>>>
> >>>> + bool s_journal_destorying;
> >>>> +
> >>>> /* Atomic write unit values in bytes */
> >>>> unsigned int s_awu_min;
> >>>> unsigned int s_awu_max;
> >>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >>>> index 9b3c9df02a39..6bd3ca84410d 100644
> >>>> --- a/fs/ext4/ext4_jbd2.h
> >>>> +++ b/fs/ext4/ext4_jbd2.h
> >>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >>>> {
> >>>> int err = 0;
> >>>>
> >>>> + /*
> >>>> + * At this point all pending FS updates should be done except a possible
> >>>> + * running transaction (which will commit in jbd2_journal_destroy). It
> >>>> + * is now safe for any new errors to directly commit superblock rather
> >>>> + * than going via journal.
> >>>> + */
> >>>> + sbi->s_journal_destorying = true;
> >>>> +
> >>>
> >>> Hi, Ojaswin!
> >>>
> >>> I'm afraid you still need to flush the superblock update work here,
> >>> otherwise I guess the race condition you mentioned in v1 could still
> >>> occur.
> >>>
> >>> ext4_put_super()
> >>> flush_work(&sbi->s_sb_upd_work)
> >>>
> >>> **kjournald2**
> >>> jbd2_journal_commit_transaction()
> >>> ...
> >>> ext4_inode_error()
> >>> /* JBD2_UNMOUNT not set */
> >>> schedule_work(s_sb_upd_work)
> >>>
> >>> **workqueue**
> >>> update_super_work
> >>> /* s_journal_destorying is not set */
> >>> if (journal && !s_journal_destorying)
> >>>
> >>> ext4_journal_destroy()
> >>> /* set s_journal_destorying */
> >>> sbi->s_journal_destorying = true;
> >>> jbd2_journal_destroy()
> >>> journal->j_flags |= JBD2_UNMOUNT;
> >>>
> >>> jbd2_journal_start()
> >>> start_this_handle()
> >>> BUG_ON(JBD2_UNMOUNT)
> >>>
> >>> Thanks,
> >>> Yi.
> >> Hi Yi,
> >>
> >> Yes you are right, somehow missed this edge case :(
> >>
> >> Alright then, we have to move out sbi->s_journal_destroying outside the
> >> helper. Just wondering if I should still let it be in
> >> ext4_journal_destroy and just add an extra s_journal_destroying = false
> >> before schedule_work(s_sb_upd_work), because it makes sense.
> >>
> >> Okay let me give it some thought but thanks for pointing this out!
> >>
> >> Regards,
> >> ojaswin
> >
> > Okay so thinking about it a bit more, I see you also suggested to flush
> > the work after marking sbi->s_journal_destroying. But will that solve
> > it?
> >
> > ext4_put_super()
> > flush_work(&sbi->s_sb_upd_work)
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > ...
> > ext4_inode_error()
> > /* JBD2_UNMOUNT not set */
> > schedule_work(s_sb_upd_work)
> >
> > **workqueue**
> > update_super_work
> > /* s_journal_destorying is not set */
> > if (journal && !s_journal_destorying)
> >
> > ext4_journal_destroy()
> > /* set s_journal_destorying */
> > sbi->s_journal_destorying = true;
> > flush_work(&sbi->s_sb_upd_work)
> > schedule_work()
> ^^^^^^^^^^^^^^^
> where does this come from?
>
> After this flush_work, we can guarantee that the running s_sb_upd_work
> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
> not commit transaction or call schedule_work() again because it has
> been aborted due to the previous error. Am I missing something?
>
> Thanks,
> Yi.
Hmm, so I am thinking of a corner case in ext4_handle_error() where
if(journal && !is_journal_destroying)
is computed but schedule_work() not called yet, which is possible cause
the cmp followed by jump is not atomic in nature. If the schedule_work
is only called after we have done the flush then we end up with this:
if (journal && !s_journal_destorying)
ext4_journal_destroy()
/* set s_journal_destorying */
sbi->s_journal_destorying = true;
flush_work(&sbi->s_sb_upd_work)
schedule_work()
Which is possible IMO, although the window is tiny.
Regards,
ojaswin
>
> > jbd2_journal_destroy()
> > journal->j_flags |= JBD2_UNMOUNT;
> >
> > jbd2_journal_start()
> > start_this_handle()
> > BUG_ON(JBD2_UNMOUNT)
> >
> >
> > Seems like these edge cases keep sprouting up :)
> >
> > As for the fix, how about we do something like this:
> >
> > ext4_put_super()
> >
> > flush_work(&sbi->s_sb_upd_work)
> > destroy_workqueue(sbi->rsv_conversion_wq);
> >
> > ext4_journal_destroy()
> > /* set s_journal_destorying */
> > sbi->s_journal_destorying = true;
> >
> > /* trigger a commit and wait for it to complete */
> >
> > flush_work(&sbi->s_sb_upd_work)
> >
> > jbd2_journal_destroy()
> > journal->j_flags |= JBD2_UNMOUNT;
> >
> > jbd2_journal_start()
> > start_this_handle()
> > BUG_ON(JBD2_UNMOUNT)
> >
> > Still giving this codepath some thought but seems like this might just
> > be enough to fix the race. Thoughts on this?
> >
> > Regards,
> > ojaswin
> >
> >>>
> >>>> err = jbd2_journal_destroy(journal);
> >>>> sbi->s_journal = NULL;
> >>>>
> >>>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> >>>> index 8ad664d47806..31552cf0519a 100644
> >>>> --- a/fs/ext4/super.c
> >>>> +++ b/fs/ext4/super.c
> >>>> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> >>>> * constraints, it may not be safe to do it right here so we
> >>>> * defer superblock flushing to a workqueue.
> >>>> */
> >>>> - if (continue_fs && journal)
> >>>> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> >>>> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> >>>> else
> >>>> ext4_commit_super(sb);
> >>>> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> >>>> spin_lock_init(&sbi->s_error_lock);
> >>>> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >>>>
> >>>> + sbi->s_journal_destorying = false;
> >>>> +
> >>>> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> >>>> if (err)
> >>>> goto failed_mount3;
> >>>
> >
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 10:27 ` Ojaswin Mujoo
@ 2025-03-07 12:36 ` Zhang Yi
2025-03-07 17:26 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Zhang Yi @ 2025-03-07 12:36 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On 2025/3/7 18:27, Ojaswin Mujoo wrote:
> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>> destroyed eg:
>>>>>>
>>>>>> (umount)
>>>>>> ext4_kill_sb
>>>>>> kill_block_super
>>>>>> generic_shutdown_super
>>>>>> sync_filesystem /* commits all txns */
>>>>>> evict_inodes
>>>>>> /* might start a new txn */
>>>>>> ext4_put_super
>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>> jbd2_journal_destroy
>>>>>> journal_kill_thread
>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>> jbd2_journal_commit_transaction
>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>> jbd2_journal_bmap
>>>>>> ext4_journal_bmap
>>>>>> ext4_map_blocks
>>>>>> ...
>>>>>> ext4_inode_error
>>>>>> ext4_handle_error
>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>
>>>>>> /* work queue kicks in */
>>>>>> update_super_work
>>>>>> jbd2_journal_start
>>>>>> start_this_handle
>>>>>> BUG_ON(journal->j_flags &
>>>>>> JBD2_UNMOUNT)
>>>>>>
>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>
>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>> 2d01ddc86606).
>>>>>>
>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>
>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>> ---
>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>> fs/ext4/super.c | 4 +++-
>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>
>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>> --- a/fs/ext4/ext4.h
>>>>>> +++ b/fs/ext4/ext4.h
>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>> */
>>>>>> struct work_struct s_sb_upd_work;
>>>>>>
>>>>>> + bool s_journal_destorying;
>>>>>> +
>>>>>> /* Atomic write unit values in bytes */
>>>>>> unsigned int s_awu_min;
>>>>>> unsigned int s_awu_max;
>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>> {
>>>>>> int err = 0;
>>>>>>
>>>>>> + /*
>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>> + * than going via journal.
>>>>>> + */
>>>>>> + sbi->s_journal_destorying = true;
>>>>>> +
>>>>>
>>>>> Hi, Ojaswin!
>>>>>
>>>>> I'm afraid you still need to flush the superblock update work here,
>>>>> otherwise I guess the race condition you mentioned in v1 could still
>>>>> occur.
>>>>>
>>>>> ext4_put_super()
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>
>>>>> **kjournald2**
>>>>> jbd2_journal_commit_transaction()
>>>>> ...
>>>>> ext4_inode_error()
>>>>> /* JBD2_UNMOUNT not set */
>>>>> schedule_work(s_sb_upd_work)
>>>>>
>>>>> **workqueue**
>>>>> update_super_work
>>>>> /* s_journal_destorying is not set */
>>>>> if (journal && !s_journal_destorying)
>>>>>
>>>>> ext4_journal_destroy()
>>>>> /* set s_journal_destorying */
>>>>> sbi->s_journal_destorying = true;
>>>>> jbd2_journal_destroy()
>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>
>>>>> jbd2_journal_start()
>>>>> start_this_handle()
>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>
>>>>> Thanks,
>>>>> Yi.
>>>> Hi Yi,
>>>>
>>>> Yes you are right, somehow missed this edge case :(
>>>>
>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
>>>> helper. Just wondering if I should still let it be in
>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
>>>> before schedule_work(s_sb_upd_work), because it makes sense.
>>>>
>>>> Okay let me give it some thought but thanks for pointing this out!
>>>>
>>>> Regards,
>>>> ojaswin
>>>
>>> Okay so thinking about it a bit more, I see you also suggested to flush
>>> the work after marking sbi->s_journal_destroying. But will that solve
>>> it?
>>>
>>> ext4_put_super()
>>> flush_work(&sbi->s_sb_upd_work)
>>>
>>> **kjournald2**
>>> jbd2_journal_commit_transaction()
>>> ...
>>> ext4_inode_error()
>>> /* JBD2_UNMOUNT not set */
>>> schedule_work(s_sb_upd_work)
>>>
>>> **workqueue**
>>> update_super_work
>>> /* s_journal_destorying is not set */
>>> if (journal && !s_journal_destorying)
>>>
>>> ext4_journal_destroy()
>>> /* set s_journal_destorying */
>>> sbi->s_journal_destorying = true;
>>> flush_work(&sbi->s_sb_upd_work)
>>> schedule_work()
>> ^^^^^^^^^^^^^^^
>> where does this come from?
>>
>> After this flush_work, we can guarantee that the running s_sb_upd_work
>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
>> not commit transaction or call schedule_work() again because it has
>> been aborted due to the previous error. Am I missing something?
>>
>> Thanks,
>> Yi.
>
> Hmm, so I am thinking of a corner case in ext4_handle_error() where
>
> if(journal && !is_journal_destroying)
>
> is computed but schedule_work() not called yet, which is possible cause
> the cmp followed by jump is not atomic in nature. If the schedule_work
> is only called after we have done the flush then we end up with this:
>
> if (journal && !s_journal_destorying)
> ext4_journal_destroy()
> /* set s_journal_destorying */
> sbi->s_journal_destorying = true;
> flush_work(&sbi->s_sb_upd_work)
> schedule_work()
>
> Which is possible IMO, although the window is tiny.
Yeah, right!
Sorry for misread the location where you add the "!s_journal_destorying"
check, the graph I provided was in update_super_work(), which was wrong.
The right one should be:
ext4_put_super()
flush_work(&sbi->s_sb_upd_work)
**kjournald2**
jbd2_journal_commit_transaction()
...
ext4_inode_error()
/* s_journal_destorying is not set */
if (journal && !s_journal_destorying)
(schedule_work(s_sb_upd_work)) //can be here
ext4_journal_destroy()
/* set s_journal_destorying */
sbi->s_journal_destorying = true;
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
(schedule_work(s_sb_upd_work)) //also can be here
**workqueue**
update_super_work()
journal = sbi->s_journal //get journal
kfree(journal)
jbd2_journal_start(journal) //journal UAF
start_this_handle()
BUG_ON(JBD2_UNMOUNT) //bugon here
So there are two problems here, the first one is the 'journal' UAF,
the second one is triggering JBD2_UNMOUNT flag BUGON.
>>>
>>> As for the fix, how about we do something like this:
>>>
>>> ext4_put_super()
>>>
>>> flush_work(&sbi->s_sb_upd_work)
>>> destroy_workqueue(sbi->rsv_conversion_wq);
>>>
>>> ext4_journal_destroy()
>>> /* set s_journal_destorying */
>>> sbi->s_journal_destorying = true;
>>>
>>> /* trigger a commit and wait for it to complete */
>>>
>>> flush_work(&sbi->s_sb_upd_work)
>>>
>>> jbd2_journal_destroy()
>>> journal->j_flags |= JBD2_UNMOUNT;
>>>
>>> jbd2_journal_start()
>>> start_this_handle()
>>> BUG_ON(JBD2_UNMOUNT)
>>>
>>> Still giving this codepath some thought but seems like this might just
>>> be enough to fix the race. Thoughts on this?
>>>
I think this solution should work, the forced commit and flush_work()
should ensure that the last transaction is committed and that the
potential work is done.
Besides, the s_journal_destorying flag is set and check concurrently
now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
about adding a new flag into sbi->s_mount_state instead of adding
new s_journal_destorying?
Thanks,
Yi.
>>>
>>>>>
>>>>>> err = jbd2_journal_destroy(journal);
>>>>>> sbi->s_journal = NULL;
>>>>>>
>>>>>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>>>>>> index 8ad664d47806..31552cf0519a 100644
>>>>>> --- a/fs/ext4/super.c
>>>>>> +++ b/fs/ext4/super.c
>>>>>> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
>>>>>> * constraints, it may not be safe to do it right here so we
>>>>>> * defer superblock flushing to a workqueue.
>>>>>> */
>>>>>> - if (continue_fs && journal)
>>>>>> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
>>>>>> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
>>>>>> else
>>>>>> ext4_commit_super(sb);
>>>>>> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
>>>>>> spin_lock_init(&sbi->s_error_lock);
>>>>>> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>>>>>>
>>>>>> + sbi->s_journal_destorying = false;
>>>>>> +
>>>>>> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
>>>>>> if (err)
>>>>>> goto failed_mount3;
>>>>>
>>>
>>
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
@ 2025-03-07 14:05 ` Jan Kara
2025-03-08 1:18 ` Baokun Li
1 sibling, 0 replies; 41+ messages in thread
From: Jan Kara @ 2025-03-07 14:05 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel
On Thu 06-03-25 19:58:32, Ojaswin Mujoo wrote:
> Define an ext4 wrapper over jbd2_journal_destroy to make sure we
> have consistent behavior during journal destruction. This will also
> come useful in the next patch where we add some ext4 specific logic
> in the destroy path.
>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@suse.cz>
Honza
> ---
> fs/ext4/ext4_jbd2.h | 14 ++++++++++++++
> fs/ext4/super.c | 16 ++++++----------
> 2 files changed, 20 insertions(+), 10 deletions(-)
>
> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> index 3f2596c9e5f2..9b3c9df02a39 100644
> --- a/fs/ext4/ext4_jbd2.h
> +++ b/fs/ext4/ext4_jbd2.h
> @@ -429,4 +429,18 @@ static inline int ext4_should_dioread_nolock(struct inode *inode)
> return 1;
> }
>
> +/*
> + * Pass journal explicitly as it may not be cached in the sbi->s_journal in some
> + * cases
> + */
> +static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *journal)
> +{
> + int err = 0;
> +
> + err = jbd2_journal_destroy(journal);
> + sbi->s_journal = NULL;
> +
> + return err;
> +}
> +
> #endif /* _EXT4_JBD2_H */
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index a963ffda692a..8ad664d47806 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1297,8 +1297,7 @@ static void ext4_put_super(struct super_block *sb)
>
> if (sbi->s_journal) {
> aborted = is_journal_aborted(sbi->s_journal);
> - err = jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + err = ext4_journal_destroy(sbi, sbi->s_journal);
> if ((err < 0) && !aborted) {
> ext4_abort(sb, -err, "Couldn't clean up the journal");
> }
> @@ -4960,8 +4959,7 @@ static int ext4_load_and_init_journal(struct super_block *sb,
> out:
> /* flush s_sb_upd_work before destroying the journal. */
> flush_work(&sbi->s_sb_upd_work);
> - jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + ext4_journal_destroy(sbi, sbi->s_journal);
> return -EINVAL;
> }
>
> @@ -5652,8 +5650,7 @@ failed_mount8: __maybe_unused
> if (sbi->s_journal) {
> /* flush s_sb_upd_work before journal destroy. */
> flush_work(&sbi->s_sb_upd_work);
> - jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + ext4_journal_destroy(sbi, sbi->s_journal);
> }
> failed_mount3a:
> ext4_es_unregister_shrinker(sbi);
> @@ -5958,7 +5955,7 @@ static journal_t *ext4_open_dev_journal(struct super_block *sb,
> return journal;
>
> out_journal:
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> out_bdev:
> bdev_fput(bdev_file);
> return ERR_PTR(errno);
> @@ -6075,8 +6072,7 @@ static int ext4_load_journal(struct super_block *sb,
> EXT4_SB(sb)->s_journal = journal;
> err = ext4_clear_journal_err(sb, es);
> if (err) {
> - EXT4_SB(sb)->s_journal = NULL;
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> return err;
> }
>
> @@ -6094,7 +6090,7 @@ static int ext4_load_journal(struct super_block *sb,
> return 0;
>
> err_out:
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> return err;
> }
>
> --
> 2.48.1
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
2025-03-07 2:49 ` Zhang Yi
@ 2025-03-07 14:26 ` Jan Kara
2025-03-07 17:00 ` Ojaswin Mujoo
2025-03-08 9:55 ` Ritesh Harjani (IBM)
2025-03-12 13:57 ` Eric Sandeen
3 siblings, 1 reply; 41+ messages in thread
From: Jan Kara @ 2025-03-07 14:26 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
On Thu 06-03-25 19:58:33, Ojaswin Mujoo wrote:
> Presently we always BUG_ON if trying to start a transaction on a journal marked
> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> stress tests, it was observed that in case of some error handling paths, it is
> possible for update_super_work to start a transaction after the journal is
> destroyed eg:
>
> (umount)
> ext4_kill_sb
> kill_block_super
> generic_shutdown_super
> sync_filesystem /* commits all txns */
> evict_inodes
> /* might start a new txn */
> ext4_put_super
> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> jbd2_journal_destroy
> journal_kill_thread
> journal->j_flags |= JBD2_UNMOUNT;
> jbd2_journal_commit_transaction
> jbd2_journal_get_descriptor_buffer
> jbd2_journal_bmap
> ext4_journal_bmap
> ext4_map_blocks
> ...
> ext4_inode_error
> ext4_handle_error
> schedule_work(&sbi->s_sb_upd_work)
>
> /* work queue kicks in */
> update_super_work
> jbd2_journal_start
> start_this_handle
> BUG_ON(journal->j_flags &
> JBD2_UNMOUNT)
>
> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> destroying only do a journaled (and deferred) update of sb if this flag is not
> set. Otherwise, just fallback to an un-journaled commit.
>
> We set sbi->s_journal_destroying = true only after all the FS updates are done
> during ext4_put_super() (except a running transaction that will get commited
> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> outside the journal as it won't race with a journaled update (refer
> 2d01ddc86606).
>
> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> called from mballoc and AFAICT it would be always valid to schedule work here.
>
> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> Suggested-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> ---
> fs/ext4/ext4.h | 2 ++
> fs/ext4/ext4_jbd2.h | 8 ++++++++
> fs/ext4/super.c | 4 +++-
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 2b7d781bfcad..d48e93bd5690 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> */
> struct work_struct s_sb_upd_work;
>
> + bool s_journal_destorying;
> +
Not that it would matter much but why not make this a flag in
sbi->s_mount_flags?
> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> index 9b3c9df02a39..6bd3ca84410d 100644
> --- a/fs/ext4/ext4_jbd2.h
> +++ b/fs/ext4/ext4_jbd2.h
> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> {
> int err = 0;
>
> + /*
> + * At this point all pending FS updates should be done except a possible
> + * running transaction (which will commit in jbd2_journal_destroy). It
> + * is now safe for any new errors to directly commit superblock rather
> + * than going via journal.
> + */
> + sbi->s_journal_destorying = true;
> +
So as you already uncovered with Zhang Yi, this does not work. What I meant
was that we move flush_work(&sbi->s_sb_upd_work) into
ext4_journal_destroy() and set s_journal_destorying *before* calling
flush_work(). By the time ext4_journal_destroy() gets called, the
filesystem is quiescent, there cannot be new handles started (except for sb
update itself from the workqueue) and thus if we hit some error, the
journal will be aborted anyway and in that case non-journaled sb update is
safe.
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 14:26 ` Jan Kara
@ 2025-03-07 17:00 ` Ojaswin Mujoo
0 siblings, 0 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-07 17:00 UTC (permalink / raw)
To: Jan Kara
Cc: linux-ext4, Theodore Ts'o, Baokun Li, linux-kernel,
Mahesh Kumar
On Fri, Mar 07, 2025 at 03:26:54PM +0100, Jan Kara wrote:
> On Thu 06-03-25 19:58:33, Ojaswin Mujoo wrote:
> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > stress tests, it was observed that in case of some error handling paths, it is
> > possible for update_super_work to start a transaction after the journal is
> > destroyed eg:
> >
> > (umount)
> > ext4_kill_sb
> > kill_block_super
> > generic_shutdown_super
> > sync_filesystem /* commits all txns */
> > evict_inodes
> > /* might start a new txn */
> > ext4_put_super
> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > jbd2_journal_destroy
> > journal_kill_thread
> > journal->j_flags |= JBD2_UNMOUNT;
> > jbd2_journal_commit_transaction
> > jbd2_journal_get_descriptor_buffer
> > jbd2_journal_bmap
> > ext4_journal_bmap
> > ext4_map_blocks
> > ...
> > ext4_inode_error
> > ext4_handle_error
> > schedule_work(&sbi->s_sb_upd_work)
> >
> > /* work queue kicks in */
> > update_super_work
> > jbd2_journal_start
> > start_this_handle
> > BUG_ON(journal->j_flags &
> > JBD2_UNMOUNT)
> >
> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > destroying only do a journaled (and deferred) update of sb if this flag is not
> > set. Otherwise, just fallback to an un-journaled commit.
> >
> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > during ext4_put_super() (except a running transaction that will get commited
> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > outside the journal as it won't race with a journaled update (refer
> > 2d01ddc86606).
> >
> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >
> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > Suggested-by: Jan Kara <jack@suse.cz>
> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > ---
> > fs/ext4/ext4.h | 2 ++
> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > fs/ext4/super.c | 4 +++-
> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > index 2b7d781bfcad..d48e93bd5690 100644
> > --- a/fs/ext4/ext4.h
> > +++ b/fs/ext4/ext4.h
> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > */
> > struct work_struct s_sb_upd_work;
> >
> > + bool s_journal_destorying;
> > +
>
> Not that it would matter much but why not make this a flag in
> sbi->s_mount_flags?
Noted.
>
> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > index 9b3c9df02a39..6bd3ca84410d 100644
> > --- a/fs/ext4/ext4_jbd2.h
> > +++ b/fs/ext4/ext4_jbd2.h
> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > {
> > int err = 0;
> >
> > + /*
> > + * At this point all pending FS updates should be done except a possible
> > + * running transaction (which will commit in jbd2_journal_destroy). It
> > + * is now safe for any new errors to directly commit superblock rather
> > + * than going via journal.
> > + */
> > + sbi->s_journal_destorying = true;
> > +
>
> So as you already uncovered with Zhang Yi, this does not work. What I meant
> was that we move flush_work(&sbi->s_sb_upd_work) into
> ext4_journal_destroy() and set s_journal_destorying *before* calling
> flush_work(). By the time ext4_journal_destroy() gets called, the
> filesystem is quiescent, there cannot be new handles started (except for sb
> update itself from the workqueue) and thus if we hit some error, the
> journal will be aborted anyway and in that case non-journaled sb update is
> safe.
I missed that in my patch, however as in the discussion [1],
even:
ext4_journal_destroy
sbi->s_journal_destroying = true
flush_work()
sequence is not enough. Zhang and I were discussing that we might need
to force and wait for commit as well before flushing the work.
Hopefully, with that, we should be covering all the possible edge cases.
[1] https://lore.kernel.org/linux-ext4/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
Regards,
ojaswin
>
> Honza
> --
> Jan Kara <jack@suse.com>
> SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 12:36 ` Zhang Yi
@ 2025-03-07 17:26 ` Ojaswin Mujoo
2025-03-08 2:57 ` Zhang Yi
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-07 17:26 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
> > On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
> >> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> >>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> >>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> >>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> >>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
> >>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >>>>>> stress tests, it was observed that in case of some error handling paths, it is
> >>>>>> possible for update_super_work to start a transaction after the journal is
> >>>>>> destroyed eg:
> >>>>>>
> >>>>>> (umount)
> >>>>>> ext4_kill_sb
> >>>>>> kill_block_super
> >>>>>> generic_shutdown_super
> >>>>>> sync_filesystem /* commits all txns */
> >>>>>> evict_inodes
> >>>>>> /* might start a new txn */
> >>>>>> ext4_put_super
> >>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >>>>>> jbd2_journal_destroy
> >>>>>> journal_kill_thread
> >>>>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>>>> jbd2_journal_commit_transaction
> >>>>>> jbd2_journal_get_descriptor_buffer
> >>>>>> jbd2_journal_bmap
> >>>>>> ext4_journal_bmap
> >>>>>> ext4_map_blocks
> >>>>>> ...
> >>>>>> ext4_inode_error
> >>>>>> ext4_handle_error
> >>>>>> schedule_work(&sbi->s_sb_upd_work)
> >>>>>>
> >>>>>> /* work queue kicks in */
> >>>>>> update_super_work
> >>>>>> jbd2_journal_start
> >>>>>> start_this_handle
> >>>>>> BUG_ON(journal->j_flags &
> >>>>>> JBD2_UNMOUNT)
> >>>>>>
> >>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
> >>>>>> set. Otherwise, just fallback to an un-journaled commit.
> >>>>>>
> >>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
> >>>>>> during ext4_put_super() (except a running transaction that will get commited
> >>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >>>>>> outside the journal as it won't race with a journaled update (refer
> >>>>>> 2d01ddc86606).
> >>>>>>
> >>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
> >>>>>>
> >>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >>>>>> Suggested-by: Jan Kara <jack@suse.cz>
> >>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >>>>>> ---
> >>>>>> fs/ext4/ext4.h | 2 ++
> >>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
> >>>>>> fs/ext4/super.c | 4 +++-
> >>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
> >>>>>>
> >>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >>>>>> index 2b7d781bfcad..d48e93bd5690 100644
> >>>>>> --- a/fs/ext4/ext4.h
> >>>>>> +++ b/fs/ext4/ext4.h
> >>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >>>>>> */
> >>>>>> struct work_struct s_sb_upd_work;
> >>>>>>
> >>>>>> + bool s_journal_destorying;
> >>>>>> +
> >>>>>> /* Atomic write unit values in bytes */
> >>>>>> unsigned int s_awu_min;
> >>>>>> unsigned int s_awu_max;
> >>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
> >>>>>> --- a/fs/ext4/ext4_jbd2.h
> >>>>>> +++ b/fs/ext4/ext4_jbd2.h
> >>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >>>>>> {
> >>>>>> int err = 0;
> >>>>>>
> >>>>>> + /*
> >>>>>> + * At this point all pending FS updates should be done except a possible
> >>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
> >>>>>> + * is now safe for any new errors to directly commit superblock rather
> >>>>>> + * than going via journal.
> >>>>>> + */
> >>>>>> + sbi->s_journal_destorying = true;
> >>>>>> +
> >>>>>
> >>>>> Hi, Ojaswin!
> >>>>>
> >>>>> I'm afraid you still need to flush the superblock update work here,
> >>>>> otherwise I guess the race condition you mentioned in v1 could still
> >>>>> occur.
> >>>>>
> >>>>> ext4_put_super()
> >>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>>
> >>>>> **kjournald2**
> >>>>> jbd2_journal_commit_transaction()
> >>>>> ...
> >>>>> ext4_inode_error()
> >>>>> /* JBD2_UNMOUNT not set */
> >>>>> schedule_work(s_sb_upd_work)
> >>>>>
> >>>>> **workqueue**
> >>>>> update_super_work
> >>>>> /* s_journal_destorying is not set */
> >>>>> if (journal && !s_journal_destorying)
> >>>>>
> >>>>> ext4_journal_destroy()
> >>>>> /* set s_journal_destorying */
> >>>>> sbi->s_journal_destorying = true;
> >>>>> jbd2_journal_destroy()
> >>>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>>>
> >>>>> jbd2_journal_start()
> >>>>> start_this_handle()
> >>>>> BUG_ON(JBD2_UNMOUNT)
> >>>>>
> >>>>> Thanks,
> >>>>> Yi.
> >>>> Hi Yi,
> >>>>
> >>>> Yes you are right, somehow missed this edge case :(
> >>>>
> >>>> Alright then, we have to move out sbi->s_journal_destroying outside the
> >>>> helper. Just wondering if I should still let it be in
> >>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
> >>>> before schedule_work(s_sb_upd_work), because it makes sense.
> >>>>
> >>>> Okay let me give it some thought but thanks for pointing this out!
> >>>>
> >>>> Regards,
> >>>> ojaswin
> >>>
> >>> Okay so thinking about it a bit more, I see you also suggested to flush
> >>> the work after marking sbi->s_journal_destroying. But will that solve
> >>> it?
> >>>
> >>> ext4_put_super()
> >>> flush_work(&sbi->s_sb_upd_work)
> >>>
> >>> **kjournald2**
> >>> jbd2_journal_commit_transaction()
> >>> ...
> >>> ext4_inode_error()
> >>> /* JBD2_UNMOUNT not set */
> >>> schedule_work(s_sb_upd_work)
> >>>
> >>> **workqueue**
> >>> update_super_work
> >>> /* s_journal_destorying is not set */
> >>> if (journal && !s_journal_destorying)
> >>>
> >>> ext4_journal_destroy()
> >>> /* set s_journal_destorying */
> >>> sbi->s_journal_destorying = true;
> >>> flush_work(&sbi->s_sb_upd_work)
> >>> schedule_work()
> >> ^^^^^^^^^^^^^^^
> >> where does this come from?
> >>
> >> After this flush_work, we can guarantee that the running s_sb_upd_work
> >> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
> >> not commit transaction or call schedule_work() again because it has
> >> been aborted due to the previous error. Am I missing something?
> >>
> >> Thanks,
> >> Yi.
> >
> > Hmm, so I am thinking of a corner case in ext4_handle_error() where
> >
> > if(journal && !is_journal_destroying)
> >
> > is computed but schedule_work() not called yet, which is possible cause
> > the cmp followed by jump is not atomic in nature. If the schedule_work
> > is only called after we have done the flush then we end up with this:
> >
> > if (journal && !s_journal_destorying)
> > ext4_journal_destroy()
> > /* set s_journal_destorying */
> > sbi->s_journal_destorying = true;
> > flush_work(&sbi->s_sb_upd_work)
> > schedule_work()
> >
> > Which is possible IMO, although the window is tiny.
>
> Yeah, right!
> Sorry for misread the location where you add the "!s_journal_destorying"
> check, the graph I provided was in update_super_work(), which was wrong.
Oh right, I also misread your trace but yes as discussed, even
sbi->s_journal_destorying = true;
flush_work()
jbd2_journal_destroy()
doesn't work.
> The right one should be:
>
> ext4_put_super()
> flush_work(&sbi->s_sb_upd_work)
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> /* s_journal_destorying is not set */
> if (journal && !s_journal_destorying)
> (schedule_work(s_sb_upd_work)) //can be here
>
> ext4_journal_destroy()
> /* set s_journal_destorying */
> sbi->s_journal_destorying = true;
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
>
> (schedule_work(s_sb_upd_work)) //also can be here
>
> **workqueue**
> update_super_work()
> journal = sbi->s_journal //get journal
> kfree(journal)
> jbd2_journal_start(journal) //journal UAF
> start_this_handle()
> BUG_ON(JBD2_UNMOUNT) //bugon here
>
>
> So there are two problems here, the first one is the 'journal' UAF,
> the second one is triggering JBD2_UNMOUNT flag BUGON.
Indeed, there's a possible UAF here as well.
>
> >>>
> >>> As for the fix, how about we do something like this:
> >>>
> >>> ext4_put_super()
> >>>
> >>> flush_work(&sbi->s_sb_upd_work)
> >>> destroy_workqueue(sbi->rsv_conversion_wq);
> >>>
> >>> ext4_journal_destroy()
> >>> /* set s_journal_destorying */
> >>> sbi->s_journal_destorying = true;
> >>>
> >>> /* trigger a commit and wait for it to complete */
> >>>
> >>> flush_work(&sbi->s_sb_upd_work)
> >>>
> >>> jbd2_journal_destroy()
> >>> journal->j_flags |= JBD2_UNMOUNT;
> >>>
> >>> jbd2_journal_start()
> >>> start_this_handle()
> >>> BUG_ON(JBD2_UNMOUNT)
> >>>
> >>> Still giving this codepath some thought but seems like this might just
> >>> be enough to fix the race. Thoughts on this?
> >>>
>
> I think this solution should work, the forced commit and flush_work()
> should ensure that the last transaction is committed and that the
> potential work is done.
>
> Besides, the s_journal_destorying flag is set and check concurrently
> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
> about adding a new flag into sbi->s_mount_state instead of adding
> new s_journal_destorying?
Right, that makes sence. I will incorporate these changes in the next
revision.
Thanks for the review,
ojaswin
>
> Thanks,
> Yi.
>
> >>>
> >>>>>
> >>>>>> err = jbd2_journal_destroy(journal);
> >>>>>> sbi->s_journal = NULL;
> >>>>>>
> >>>>>> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> >>>>>> index 8ad664d47806..31552cf0519a 100644
> >>>>>> --- a/fs/ext4/super.c
> >>>>>> +++ b/fs/ext4/super.c
> >>>>>> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> >>>>>> * constraints, it may not be safe to do it right here so we
> >>>>>> * defer superblock flushing to a workqueue.
> >>>>>> */
> >>>>>> - if (continue_fs && journal)
> >>>>>> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> >>>>>> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> >>>>>> else
> >>>>>> ext4_commit_super(sb);
> >>>>>> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> >>>>>> spin_lock_init(&sbi->s_error_lock);
> >>>>>> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >>>>>>
> >>>>>> + sbi->s_journal_destorying = false;
> >>>>>> +
> >>>>>> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> >>>>>> if (err)
> >>>>>> goto failed_mount3;
> >>>>>
> >>>
> >>
> >
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
2025-03-06 14:28 [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Ojaswin Mujoo
` (2 preceding siblings ...)
2025-03-06 14:28 ` [PATCH v2 3/3] ext4: Make sb update interval tunable Ojaswin Mujoo
@ 2025-03-08 1:09 ` Baokun Li
2025-03-08 13:07 ` Ojaswin Mujoo
3 siblings, 1 reply; 41+ messages in thread
From: Baokun Li @ 2025-03-08 1:09 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> ** Changes since v1 [1] **
>
> * Picked up RVBs from Jan and Ritesh
> * In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
> to determine when to journal sb vs when to commit directly.
> * Added a prep patch 1/3
>
> [1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
>
> @Baokun, I didn't get a chance to look into the journal_inode
> modifications we were discussing in [2]. I'll try to spend some time and
> send that as a separate patch. Hope that's okay
>
> [2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
>
That's fine, it's not a priority. And if this patch set makes sure we
don't crash when things go wrong, I'm okay with leaving it as is.
It's possible that jbd2_journal_commit_transaction() could call
ext4_handle_error() in other places as the code evolves. Fixing known
problems and protecting against potential ones is always a good thing.
Cheers,
Baokun
> ** Original Cover **
>
> When running LTP stress tests on ext4, after a multiday run we seemed to
> have hit the following BUG_ON:
>
> [NIP : start_this_handle+268]
> #3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
> #4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
> #5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
> #6 [c000001067c27c70] process_one_work at c000000000188790
> #7 [c000001067c27d20] worker_thread at c00000000018973c
> #8 [c000001067c27dc0] kthread at c000000000196c84
> #9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
>
> Which comes out to
>
> 382 repeat:
> 383 read_lock(&journal->j_state_lock);
> * 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
> 385 if (is_journal_aborted(journal) ||
> 386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
> 387 read_unlock(&journal->j_state_lock);
>
>
> Initially this seemed like it should never happen but upon crash
> analysis it seems like it could indeed be hit as described in patch 1/2.
>
> I would like to add that through the logs we only knew that:
>
> - ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
> - update_super_work had hit the BUG_ON
>
> I was not able to hit this bug again (without modifying the kernel to
> inject errors) but the above backtrace seems to be one possible paths
> where this BUG_ON can be hit. Rest of the analysis and fix is in patch
> 2/3. Patch 3 is just a small tweak that i found helpful while debugging.
>
> That being said, journalling is something I'm not very familiar with and
> there might be gaps in my understanding so thoughts and suggestions are
> welcome.
>
> Ojaswin Mujoo (3):
> ext4: define ext4_journal_destroy wrapper
> ext4: avoid journaling sb update on error if journal is destroying
> ext4: Make sb update interval tunable
>
> fs/ext4/ext4.h | 11 +++++++++++
> fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
> fs/ext4/super.c | 35 +++++++++++++++++------------------
> fs/ext4/sysfs.c | 4 ++++
> 4 files changed, 54 insertions(+), 18 deletions(-)
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
2025-03-07 14:05 ` Jan Kara
@ 2025-03-08 1:18 ` Baokun Li
1 sibling, 0 replies; 41+ messages in thread
From: Baokun Li @ 2025-03-08 1:18 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> Define an ext4 wrapper over jbd2_journal_destroy to make sure we
> have consistent behavior during journal destruction. This will also
> come useful in the next patch where we add some ext4 specific logic
> in the destroy path.
>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Looks good to me.
Reviewed-by: Baokun Li <libaokun1@huawei.com>
> ---
> fs/ext4/ext4_jbd2.h | 14 ++++++++++++++
> fs/ext4/super.c | 16 ++++++----------
> 2 files changed, 20 insertions(+), 10 deletions(-)
>
> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> index 3f2596c9e5f2..9b3c9df02a39 100644
> --- a/fs/ext4/ext4_jbd2.h
> +++ b/fs/ext4/ext4_jbd2.h
> @@ -429,4 +429,18 @@ static inline int ext4_should_dioread_nolock(struct inode *inode)
> return 1;
> }
>
> +/*
> + * Pass journal explicitly as it may not be cached in the sbi->s_journal in some
> + * cases
> + */
> +static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *journal)
> +{
> + int err = 0;
> +
> + err = jbd2_journal_destroy(journal);
> + sbi->s_journal = NULL;
> +
> + return err;
> +}
> +
> #endif /* _EXT4_JBD2_H */
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index a963ffda692a..8ad664d47806 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -1297,8 +1297,7 @@ static void ext4_put_super(struct super_block *sb)
>
> if (sbi->s_journal) {
> aborted = is_journal_aborted(sbi->s_journal);
> - err = jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + err = ext4_journal_destroy(sbi, sbi->s_journal);
> if ((err < 0) && !aborted) {
> ext4_abort(sb, -err, "Couldn't clean up the journal");
> }
> @@ -4960,8 +4959,7 @@ static int ext4_load_and_init_journal(struct super_block *sb,
> out:
> /* flush s_sb_upd_work before destroying the journal. */
> flush_work(&sbi->s_sb_upd_work);
> - jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + ext4_journal_destroy(sbi, sbi->s_journal);
> return -EINVAL;
> }
>
> @@ -5652,8 +5650,7 @@ failed_mount8: __maybe_unused
> if (sbi->s_journal) {
> /* flush s_sb_upd_work before journal destroy. */
> flush_work(&sbi->s_sb_upd_work);
> - jbd2_journal_destroy(sbi->s_journal);
> - sbi->s_journal = NULL;
> + ext4_journal_destroy(sbi, sbi->s_journal);
> }
> failed_mount3a:
> ext4_es_unregister_shrinker(sbi);
> @@ -5958,7 +5955,7 @@ static journal_t *ext4_open_dev_journal(struct super_block *sb,
> return journal;
>
> out_journal:
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> out_bdev:
> bdev_fput(bdev_file);
> return ERR_PTR(errno);
> @@ -6075,8 +6072,7 @@ static int ext4_load_journal(struct super_block *sb,
> EXT4_SB(sb)->s_journal = journal;
> err = ext4_clear_journal_err(sb, es);
> if (err) {
> - EXT4_SB(sb)->s_journal = NULL;
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> return err;
> }
>
> @@ -6094,7 +6090,7 @@ static int ext4_load_journal(struct super_block *sb,
> return 0;
>
> err_out:
> - jbd2_journal_destroy(journal);
> + ext4_journal_destroy(EXT4_SB(sb), journal);
> return err;
> }
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 3/3] ext4: Make sb update interval tunable
2025-03-06 14:28 ` [PATCH v2 3/3] ext4: Make sb update interval tunable Ojaswin Mujoo
@ 2025-03-08 2:25 ` Baokun Li
0 siblings, 0 replies; 41+ messages in thread
From: Baokun Li @ 2025-03-08 2:25 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel,
Ritesh Harjani (IBM), Yang Erkun
On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> Currently, outside error paths, we auto commit the super block after 1
> hour has passed and 16MB worth of updates have been written since last
> commit. This is a policy decision so make this tunable while keeping the
> defaults same. This is useful if user wants to tweak the superblock
> behavior or for debugging the codepath by allowing to trigger it more
> frequently.
>
> We can now tweak the super block update using sb_update_sec and
> sb_update_kb files in /sys/fs/ext4/<dev>/
>
> Reviewed-by: Jan Kara <jack@suse.cz>
> Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Looks good.
Reviewed-by: Baokun Li <libaokun1@huawei.com>
> ---
> fs/ext4/ext4.h | 9 +++++++++
> fs/ext4/super.c | 15 ++++++++-------
> fs/ext4/sysfs.c | 4 ++++
> 3 files changed, 21 insertions(+), 7 deletions(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index d48e93bd5690..82c902ed86f3 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -1608,6 +1608,8 @@ struct ext4_sb_info {
> unsigned int s_mb_prefetch;
> unsigned int s_mb_prefetch_limit;
> unsigned int s_mb_best_avail_max_trim_order;
> + unsigned int s_sb_update_sec;
> + unsigned int s_sb_update_kb;
>
> /* stats for buddy allocator */
> atomic_t s_bal_reqs; /* number of reqs with len > 1 */
> @@ -2281,6 +2283,13 @@ static inline int ext4_forced_shutdown(struct super_block *sb)
> #define EXT4_DEF_MIN_BATCH_TIME 0
> #define EXT4_DEF_MAX_BATCH_TIME 15000 /* 15ms */
>
> +/*
> + * Default values for superblock update
> + */
> +#define EXT4_DEF_SB_UPDATE_INTERVAL_SEC (3600) /* seconds (1 hour) */
> +#define EXT4_DEF_SB_UPDATE_INTERVAL_KB (16384) /* kilobytes (16MB) */
> +
> +
> /*
> * Minimum number of groups in a flexgroup before we separate out
> * directories into the first block group of a flexgroup
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 31552cf0519a..1b47b111c583 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -447,9 +447,6 @@ static time64_t __ext4_get_tstamp(__le32 *lo, __u8 *hi)
> #define ext4_get_tstamp(es, tstamp) \
> __ext4_get_tstamp(&(es)->tstamp, &(es)->tstamp ## _hi)
>
> -#define EXT4_SB_REFRESH_INTERVAL_SEC (3600) /* seconds (1 hour) */
> -#define EXT4_SB_REFRESH_INTERVAL_KB (16384) /* kilobytes (16MB) */
> -
> /*
> * The ext4_maybe_update_superblock() function checks and updates the
> * superblock if needed.
> @@ -457,8 +454,10 @@ static time64_t __ext4_get_tstamp(__le32 *lo, __u8 *hi)
> * This function is designed to update the on-disk superblock only under
> * certain conditions to prevent excessive disk writes and unnecessary
> * waking of the disk from sleep. The superblock will be updated if:
> - * 1. More than an hour has passed since the last superblock update, and
> - * 2. More than 16MB have been written since the last superblock update.
> + * 1. More than sbi->s_sb_update_sec (def: 1 hour) has passed since the last
> + * superblock update
> + * 2. More than sbi->s_sb_update_kb (def: 16MB) kbs have been written since the
> + * last superblock update.
> *
> * @sb: The superblock
> */
> @@ -479,7 +478,7 @@ static void ext4_maybe_update_superblock(struct super_block *sb)
> now = ktime_get_real_seconds();
> last_update = ext4_get_tstamp(es, s_wtime);
>
> - if (likely(now - last_update < EXT4_SB_REFRESH_INTERVAL_SEC))
> + if (likely(now - last_update < sbi->s_sb_update_sec))
> return;
>
> lifetime_write_kbytes = sbi->s_kbytes_written +
> @@ -494,7 +493,7 @@ static void ext4_maybe_update_superblock(struct super_block *sb)
> */
> diff_size = lifetime_write_kbytes - le64_to_cpu(es->s_kbytes_written);
>
> - if (diff_size > EXT4_SB_REFRESH_INTERVAL_KB)
> + if (diff_size > sbi->s_sb_update_kb)
> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> }
>
> @@ -5246,6 +5245,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> sbi->s_commit_interval = JBD2_DEFAULT_MAX_COMMIT_AGE * HZ;
> sbi->s_min_batch_time = EXT4_DEF_MIN_BATCH_TIME;
> sbi->s_max_batch_time = EXT4_DEF_MAX_BATCH_TIME;
> + sbi->s_sb_update_kb = EXT4_DEF_SB_UPDATE_INTERVAL_KB;
> + sbi->s_sb_update_sec = EXT4_DEF_SB_UPDATE_INTERVAL_SEC;
>
> /*
> * set default s_li_wait_mult for lazyinit, for the case there is
> diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
> index ddb54608ca2e..987bd00f916a 100644
> --- a/fs/ext4/sysfs.c
> +++ b/fs/ext4/sysfs.c
> @@ -254,6 +254,8 @@ EXT4_ATTR(journal_task, 0444, journal_task);
> EXT4_RW_ATTR_SBI_UI(mb_prefetch, s_mb_prefetch);
> EXT4_RW_ATTR_SBI_UI(mb_prefetch_limit, s_mb_prefetch_limit);
> EXT4_RW_ATTR_SBI_UL(last_trim_minblks, s_last_trim_minblks);
> +EXT4_RW_ATTR_SBI_UI(sb_update_sec, s_sb_update_sec);
> +EXT4_RW_ATTR_SBI_UI(sb_update_kb, s_sb_update_kb);
>
> static unsigned int old_bump_val = 128;
> EXT4_ATTR_PTR(max_writeback_mb_bump, 0444, pointer_ui, &old_bump_val);
> @@ -305,6 +307,8 @@ static struct attribute *ext4_attrs[] = {
> ATTR_LIST(mb_prefetch),
> ATTR_LIST(mb_prefetch_limit),
> ATTR_LIST(last_trim_minblks),
> + ATTR_LIST(sb_update_sec),
> + ATTR_LIST(sb_update_kb),
> NULL,
> };
> ATTRIBUTE_GROUPS(ext4);
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-07 17:26 ` Ojaswin Mujoo
@ 2025-03-08 2:57 ` Zhang Yi
2025-03-08 8:18 ` Ojaswin Mujoo
2025-03-08 10:01 ` Ritesh Harjani
0 siblings, 2 replies; 41+ messages in thread
From: Zhang Yi @ 2025-03-08 2:57 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On 2025/3/8 1:26, Ojaswin Mujoo wrote:
> On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
>> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
>>> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
>>>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
>>>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
>>>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
>>>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>>>> destroyed eg:
>>>>>>>>
>>>>>>>> (umount)
>>>>>>>> ext4_kill_sb
>>>>>>>> kill_block_super
>>>>>>>> generic_shutdown_super
>>>>>>>> sync_filesystem /* commits all txns */
>>>>>>>> evict_inodes
>>>>>>>> /* might start a new txn */
>>>>>>>> ext4_put_super
>>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>>>> jbd2_journal_destroy
>>>>>>>> journal_kill_thread
>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>> jbd2_journal_commit_transaction
>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>> jbd2_journal_bmap
>>>>>>>> ext4_journal_bmap
>>>>>>>> ext4_map_blocks
>>>>>>>> ...
>>>>>>>> ext4_inode_error
>>>>>>>> ext4_handle_error
>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>
>>>>>>>> /* work queue kicks in */
>>>>>>>> update_super_work
>>>>>>>> jbd2_journal_start
>>>>>>>> start_this_handle
>>>>>>>> BUG_ON(journal->j_flags &
>>>>>>>> JBD2_UNMOUNT)
>>>>>>>>
>>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>>>
>>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>>>> 2d01ddc86606).
>>>>>>>>
>>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>>>
>>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>>>> ---
>>>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>>>> fs/ext4/super.c | 4 +++-
>>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>>>
>>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>>>> --- a/fs/ext4/ext4.h
>>>>>>>> +++ b/fs/ext4/ext4.h
>>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>>>> */
>>>>>>>> struct work_struct s_sb_upd_work;
>>>>>>>>
>>>>>>>> + bool s_journal_destorying;
>>>>>>>> +
>>>>>>>> /* Atomic write unit values in bytes */
>>>>>>>> unsigned int s_awu_min;
>>>>>>>> unsigned int s_awu_max;
>>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>>>> {
>>>>>>>> int err = 0;
>>>>>>>>
>>>>>>>> + /*
>>>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>>>> + * than going via journal.
>>>>>>>> + */
>>>>>>>> + sbi->s_journal_destorying = true;
>>>>>>>> +
>>>>>>>
>>>>>>> Hi, Ojaswin!
>>>>>>>
>>>>>>> I'm afraid you still need to flush the superblock update work here,
>>>>>>> otherwise I guess the race condition you mentioned in v1 could still
>>>>>>> occur.
>>>>>>>
>>>>>>> ext4_put_super()
>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>
>>>>>>> **kjournald2**
>>>>>>> jbd2_journal_commit_transaction()
>>>>>>> ...
>>>>>>> ext4_inode_error()
>>>>>>> /* JBD2_UNMOUNT not set */
>>>>>>> schedule_work(s_sb_upd_work)
>>>>>>>
>>>>>>> **workqueue**
>>>>>>> update_super_work
>>>>>>> /* s_journal_destorying is not set */
>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>
>>>>>>> ext4_journal_destroy()
>>>>>>> /* set s_journal_destorying */
>>>>>>> sbi->s_journal_destorying = true;
>>>>>>> jbd2_journal_destroy()
>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>
>>>>>>> jbd2_journal_start()
>>>>>>> start_this_handle()
>>>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Yi.
>>>>>> Hi Yi,
>>>>>>
>>>>>> Yes you are right, somehow missed this edge case :(
>>>>>>
>>>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
>>>>>> helper. Just wondering if I should still let it be in
>>>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
>>>>>> before schedule_work(s_sb_upd_work), because it makes sense.
>>>>>>
>>>>>> Okay let me give it some thought but thanks for pointing this out!
>>>>>>
>>>>>> Regards,
>>>>>> ojaswin
>>>>>
>>>>> Okay so thinking about it a bit more, I see you also suggested to flush
>>>>> the work after marking sbi->s_journal_destroying. But will that solve
>>>>> it?
>>>>>
>>>>> ext4_put_super()
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>
>>>>> **kjournald2**
>>>>> jbd2_journal_commit_transaction()
>>>>> ...
>>>>> ext4_inode_error()
>>>>> /* JBD2_UNMOUNT not set */
>>>>> schedule_work(s_sb_upd_work)
>>>>>
>>>>> **workqueue**
>>>>> update_super_work
>>>>> /* s_journal_destorying is not set */
>>>>> if (journal && !s_journal_destorying)
>>>>>
>>>>> ext4_journal_destroy()
>>>>> /* set s_journal_destorying */
>>>>> sbi->s_journal_destorying = true;
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>> schedule_work()
>>>> ^^^^^^^^^^^^^^^
>>>> where does this come from?
>>>>
>>>> After this flush_work, we can guarantee that the running s_sb_upd_work
>>>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
>>>> not commit transaction or call schedule_work() again because it has
>>>> been aborted due to the previous error. Am I missing something?
>>>>
>>>> Thanks,
>>>> Yi.
>>>
>>> Hmm, so I am thinking of a corner case in ext4_handle_error() where
>>>
>>> if(journal && !is_journal_destroying)
>>>
>>> is computed but schedule_work() not called yet, which is possible cause
>>> the cmp followed by jump is not atomic in nature. If the schedule_work
>>> is only called after we have done the flush then we end up with this:
>>>
>>> if (journal && !s_journal_destorying)
>>> ext4_journal_destroy()
>>> /* set s_journal_destorying */
>>> sbi->s_journal_destorying = true;
>>> flush_work(&sbi->s_sb_upd_work)
>>> schedule_work()
>>>
>>> Which is possible IMO, although the window is tiny.
>>
>> Yeah, right!
>> Sorry for misread the location where you add the "!s_journal_destorying"
>> check, the graph I provided was in update_super_work(), which was wrong.
>
> Oh right, I also misread your trace but yes as discussed, even
>
> sbi->s_journal_destorying = true;
> flush_work()
> jbd2_journal_destroy()
>
> doesn't work.
>
>> The right one should be:
>>
>> ext4_put_super()
>> flush_work(&sbi->s_sb_upd_work)
>>
>> **kjournald2**
>> jbd2_journal_commit_transaction()
>> ...
>> ext4_inode_error()
>> /* s_journal_destorying is not set */
>> if (journal && !s_journal_destorying)
>> (schedule_work(s_sb_upd_work)) //can be here
>>
>> ext4_journal_destroy()
>> /* set s_journal_destorying */
>> sbi->s_journal_destorying = true;
>> jbd2_journal_destroy()
>> journal->j_flags |= JBD2_UNMOUNT;
>>
>> (schedule_work(s_sb_upd_work)) //also can be here
>>
>> **workqueue**
>> update_super_work()
>> journal = sbi->s_journal //get journal
>> kfree(journal)
>> jbd2_journal_start(journal) //journal UAF
>> start_this_handle()
>> BUG_ON(JBD2_UNMOUNT) //bugon here
>>
>>
>> So there are two problems here, the first one is the 'journal' UAF,
>> the second one is triggering JBD2_UNMOUNT flag BUGON.
>
> Indeed, there's a possible UAF here as well.
>
>>
>>>>>
>>>>> As for the fix, how about we do something like this:
>>>>>
>>>>> ext4_put_super()
>>>>>
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>> destroy_workqueue(sbi->rsv_conversion_wq);
>>>>>
>>>>> ext4_journal_destroy()
>>>>> /* set s_journal_destorying */
>>>>> sbi->s_journal_destorying = true;
>>>>>
>>>>> /* trigger a commit and wait for it to complete */
>>>>>
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>
>>>>> jbd2_journal_destroy()
>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>
>>>>> jbd2_journal_start()
>>>>> start_this_handle()
>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>
>>>>> Still giving this codepath some thought but seems like this might just
>>>>> be enough to fix the race. Thoughts on this?
>>>>>
>>
>> I think this solution should work, the forced commit and flush_work()
>> should ensure that the last transaction is committed and that the
>> potential work is done.
>>
>> Besides, the s_journal_destorying flag is set and check concurrently
>> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
>> about adding a new flag into sbi->s_mount_state instead of adding
>> new s_journal_destorying?
>
> Right, that makes sence. I will incorporate these changes in the next
> revision.
>
Think about this again, it seems that we no longer need the destroying
flag. Because we force to commit and wait for the **last** transaction to
complete, and the flush work should also ensure that the last sb_update
work to complete. Regardless of whether it starts a new handle in the
last update_super_work(), it will not commit since the journal should
have aborted. What are your thoughts?
ext4_put_super()
flush_work(&sbi->s_sb_upd_work)
destroy_workqueue(sbi->rsv_conversion_wq)
ext4_journal_destroy()
/* trigger a commit (it will commit the last trnasaction) */
**kjournald2**
jbd2_journal_commit_transaction()
...
ext4_inode_error()
schedule_work(s_sb_upd_work))
**workqueue**
update_super_work()
jbd2_journal_start(journal)
start_this_handle()
//This new trans will
//not be committed.
jbd2_journal_abort()
/* wait for it to complete */
flush_work(&sbi->s_sb_upd_work)
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_commit_transaction() //it will commit nothing
Thanks,
Yi.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 2:57 ` Zhang Yi
@ 2025-03-08 8:18 ` Ojaswin Mujoo
2025-03-08 9:58 ` Ojaswin Mujoo
2025-03-08 10:01 ` Ritesh Harjani
1 sibling, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 8:18 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Sat, Mar 08, 2025 at 10:57:16AM +0800, Zhang Yi wrote:
> On 2025/3/8 1:26, Ojaswin Mujoo wrote:
> > On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
> >> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
> >>> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
> >>>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> >>>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> >>>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> >>>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> >>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
> >>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
> >>>>>>>> possible for update_super_work to start a transaction after the journal is
> >>>>>>>> destroyed eg:
> >>>>>>>>
> >>>>>>>> (umount)
> >>>>>>>> ext4_kill_sb
> >>>>>>>> kill_block_super
> >>>>>>>> generic_shutdown_super
> >>>>>>>> sync_filesystem /* commits all txns */
> >>>>>>>> evict_inodes
> >>>>>>>> /* might start a new txn */
> >>>>>>>> ext4_put_super
> >>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >>>>>>>> jbd2_journal_destroy
> >>>>>>>> journal_kill_thread
> >>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>>>>>> jbd2_journal_commit_transaction
> >>>>>>>> jbd2_journal_get_descriptor_buffer
> >>>>>>>> jbd2_journal_bmap
> >>>>>>>> ext4_journal_bmap
> >>>>>>>> ext4_map_blocks
> >>>>>>>> ...
> >>>>>>>> ext4_inode_error
> >>>>>>>> ext4_handle_error
> >>>>>>>> schedule_work(&sbi->s_sb_upd_work)
> >>>>>>>>
> >>>>>>>> /* work queue kicks in */
> >>>>>>>> update_super_work
> >>>>>>>> jbd2_journal_start
> >>>>>>>> start_this_handle
> >>>>>>>> BUG_ON(journal->j_flags &
> >>>>>>>> JBD2_UNMOUNT)
> >>>>>>>>
> >>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
> >>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
> >>>>>>>>
> >>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
> >>>>>>>> during ext4_put_super() (except a running transaction that will get commited
> >>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >>>>>>>> outside the journal as it won't race with a journaled update (refer
> >>>>>>>> 2d01ddc86606).
> >>>>>>>>
> >>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
> >>>>>>>>
> >>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
> >>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >>>>>>>> ---
> >>>>>>>> fs/ext4/ext4.h | 2 ++
> >>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
> >>>>>>>> fs/ext4/super.c | 4 +++-
> >>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
> >>>>>>>>
> >>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
> >>>>>>>> --- a/fs/ext4/ext4.h
> >>>>>>>> +++ b/fs/ext4/ext4.h
> >>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >>>>>>>> */
> >>>>>>>> struct work_struct s_sb_upd_work;
> >>>>>>>>
> >>>>>>>> + bool s_journal_destorying;
> >>>>>>>> +
> >>>>>>>> /* Atomic write unit values in bytes */
> >>>>>>>> unsigned int s_awu_min;
> >>>>>>>> unsigned int s_awu_max;
> >>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
> >>>>>>>> --- a/fs/ext4/ext4_jbd2.h
> >>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
> >>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >>>>>>>> {
> >>>>>>>> int err = 0;
> >>>>>>>>
> >>>>>>>> + /*
> >>>>>>>> + * At this point all pending FS updates should be done except a possible
> >>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
> >>>>>>>> + * is now safe for any new errors to directly commit superblock rather
> >>>>>>>> + * than going via journal.
> >>>>>>>> + */
> >>>>>>>> + sbi->s_journal_destorying = true;
> >>>>>>>> +
> >>>>>>>
> >>>>>>> Hi, Ojaswin!
> >>>>>>>
> >>>>>>> I'm afraid you still need to flush the superblock update work here,
> >>>>>>> otherwise I guess the race condition you mentioned in v1 could still
> >>>>>>> occur.
> >>>>>>>
> >>>>>>> ext4_put_super()
> >>>>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>>>>
> >>>>>>> **kjournald2**
> >>>>>>> jbd2_journal_commit_transaction()
> >>>>>>> ...
> >>>>>>> ext4_inode_error()
> >>>>>>> /* JBD2_UNMOUNT not set */
> >>>>>>> schedule_work(s_sb_upd_work)
> >>>>>>>
> >>>>>>> **workqueue**
> >>>>>>> update_super_work
> >>>>>>> /* s_journal_destorying is not set */
> >>>>>>> if (journal && !s_journal_destorying)
> >>>>>>>
> >>>>>>> ext4_journal_destroy()
> >>>>>>> /* set s_journal_destorying */
> >>>>>>> sbi->s_journal_destorying = true;
> >>>>>>> jbd2_journal_destroy()
> >>>>>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>>>>>
> >>>>>>> jbd2_journal_start()
> >>>>>>> start_this_handle()
> >>>>>>> BUG_ON(JBD2_UNMOUNT)
> >>>>>>>
> >>>>>>> Thanks,
> >>>>>>> Yi.
> >>>>>> Hi Yi,
> >>>>>>
> >>>>>> Yes you are right, somehow missed this edge case :(
> >>>>>>
> >>>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
> >>>>>> helper. Just wondering if I should still let it be in
> >>>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
> >>>>>> before schedule_work(s_sb_upd_work), because it makes sense.
> >>>>>>
> >>>>>> Okay let me give it some thought but thanks for pointing this out!
> >>>>>>
> >>>>>> Regards,
> >>>>>> ojaswin
> >>>>>
> >>>>> Okay so thinking about it a bit more, I see you also suggested to flush
> >>>>> the work after marking sbi->s_journal_destroying. But will that solve
> >>>>> it?
> >>>>>
> >>>>> ext4_put_super()
> >>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>>
> >>>>> **kjournald2**
> >>>>> jbd2_journal_commit_transaction()
> >>>>> ...
> >>>>> ext4_inode_error()
> >>>>> /* JBD2_UNMOUNT not set */
> >>>>> schedule_work(s_sb_upd_work)
> >>>>>
> >>>>> **workqueue**
> >>>>> update_super_work
> >>>>> /* s_journal_destorying is not set */
> >>>>> if (journal && !s_journal_destorying)
> >>>>>
> >>>>> ext4_journal_destroy()
> >>>>> /* set s_journal_destorying */
> >>>>> sbi->s_journal_destorying = true;
> >>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>> schedule_work()
> >>>> ^^^^^^^^^^^^^^^
> >>>> where does this come from?
> >>>>
> >>>> After this flush_work, we can guarantee that the running s_sb_upd_work
> >>>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
> >>>> not commit transaction or call schedule_work() again because it has
> >>>> been aborted due to the previous error. Am I missing something?
> >>>>
> >>>> Thanks,
> >>>> Yi.
> >>>
> >>> Hmm, so I am thinking of a corner case in ext4_handle_error() where
> >>>
> >>> if(journal && !is_journal_destroying)
> >>>
> >>> is computed but schedule_work() not called yet, which is possible cause
> >>> the cmp followed by jump is not atomic in nature. If the schedule_work
> >>> is only called after we have done the flush then we end up with this:
> >>>
> >>> if (journal && !s_journal_destorying)
> >>> ext4_journal_destroy()
> >>> /* set s_journal_destorying */
> >>> sbi->s_journal_destorying = true;
> >>> flush_work(&sbi->s_sb_upd_work)
> >>> schedule_work()
> >>>
> >>> Which is possible IMO, although the window is tiny.
> >>
> >> Yeah, right!
> >> Sorry for misread the location where you add the "!s_journal_destorying"
> >> check, the graph I provided was in update_super_work(), which was wrong.
> >
> > Oh right, I also misread your trace but yes as discussed, even
> >
> > sbi->s_journal_destorying = true;
> > flush_work()
> > jbd2_journal_destroy()
> >
> > doesn't work.
> >
> >> The right one should be:
> >>
> >> ext4_put_super()
> >> flush_work(&sbi->s_sb_upd_work)
> >>
> >> **kjournald2**
> >> jbd2_journal_commit_transaction()
> >> ...
> >> ext4_inode_error()
> >> /* s_journal_destorying is not set */
> >> if (journal && !s_journal_destorying)
> >> (schedule_work(s_sb_upd_work)) //can be here
> >>
> >> ext4_journal_destroy()
> >> /* set s_journal_destorying */
> >> sbi->s_journal_destorying = true;
> >> jbd2_journal_destroy()
> >> journal->j_flags |= JBD2_UNMOUNT;
> >>
> >> (schedule_work(s_sb_upd_work)) //also can be here
> >>
> >> **workqueue**
> >> update_super_work()
> >> journal = sbi->s_journal //get journal
> >> kfree(journal)
> >> jbd2_journal_start(journal) //journal UAF
> >> start_this_handle()
> >> BUG_ON(JBD2_UNMOUNT) //bugon here
> >>
> >>
> >> So there are two problems here, the first one is the 'journal' UAF,
> >> the second one is triggering JBD2_UNMOUNT flag BUGON.
> >
> > Indeed, there's a possible UAF here as well.
> >
> >>
> >>>>>
> >>>>> As for the fix, how about we do something like this:
> >>>>>
> >>>>> ext4_put_super()
> >>>>>
> >>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>> destroy_workqueue(sbi->rsv_conversion_wq);
> >>>>>
> >>>>> ext4_journal_destroy()
> >>>>> /* set s_journal_destorying */
> >>>>> sbi->s_journal_destorying = true;
> >>>>>
> >>>>> /* trigger a commit and wait for it to complete */
> >>>>>
> >>>>> flush_work(&sbi->s_sb_upd_work)
> >>>>>
> >>>>> jbd2_journal_destroy()
> >>>>> journal->j_flags |= JBD2_UNMOUNT;
> >>>>>
> >>>>> jbd2_journal_start()
> >>>>> start_this_handle()
> >>>>> BUG_ON(JBD2_UNMOUNT)
> >>>>>
> >>>>> Still giving this codepath some thought but seems like this might just
> >>>>> be enough to fix the race. Thoughts on this?
> >>>>>
> >>
> >> I think this solution should work, the forced commit and flush_work()
> >> should ensure that the last transaction is committed and that the
> >> potential work is done.
> >>
> >> Besides, the s_journal_destorying flag is set and check concurrently
> >> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
> >> about adding a new flag into sbi->s_mount_state instead of adding
> >> new s_journal_destorying?
> >
> > Right, that makes sence. I will incorporate these changes in the next
> > revision.
> >
>
> Think about this again, it seems that we no longer need the destroying
> flag. Because we force to commit and wait for the **last** transaction to
> complete, and the flush work should also ensure that the last sb_update
> work to complete. Regardless of whether it starts a new handle in the
> last update_super_work(), it will not commit since the journal should
> have aborted. What are your thoughts?
>
> ext4_put_super()
> flush_work(&sbi->s_sb_upd_work)
> destroy_workqueue(sbi->rsv_conversion_wq)
>
> ext4_journal_destroy()
> /* trigger a commit (it will commit the last trnasaction) */
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> schedule_work(s_sb_upd_work))
>
> **workqueue**
> update_super_work()
> jbd2_journal_start(journal)
> start_this_handle()
> //This new trans will
> //not be committed.
>
> jbd2_journal_abort()
>
> /* wait for it to complete */
>
> flush_work(&sbi->s_sb_upd_work)
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
> jbd2_journal_commit_transaction() //it will commit nothing
>
> Thanks,
> Yi.
Hi Yi,
There's one more path for which we need the flag:
ext4_journal_destroy()
/* trigger a commit (it will commit the last trnasaction) */
**kjournald2**
jbd2_journal_commit_transaction()
journal->j_commit_callback()
ext4_journal_commit_callback()
ext4_maybe_update_superblock()
schedule_work()
/* start a transaction here */
flush_work()
jbd2_journal_destroy()
journal_kill_thread
flags |= JBD2_UNMOUNT
jbd2_journal_commit_transaction()
...
ext4_inode_error()
schedule_work(s_sb_upd_work))
/* update_super_work_tries to start the txn */
BUG_ON()
I think this to protect against this path we do need a flag.
Regards,
ojaswin
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
2025-03-07 2:49 ` Zhang Yi
2025-03-07 14:26 ` Jan Kara
@ 2025-03-08 9:55 ` Ritesh Harjani (IBM)
2025-03-08 13:05 ` Ojaswin Mujoo
2025-03-12 13:57 ` Eric Sandeen
3 siblings, 1 reply; 41+ messages in thread
From: Ritesh Harjani (IBM) @ 2025-03-08 9:55 UTC (permalink / raw)
To: Ojaswin Mujoo, linux-ext4, Theodore Ts'o
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar
Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> Presently we always BUG_ON if trying to start a transaction on a journal marked
> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> stress tests, it was observed that in case of some error handling paths, it is
> possible for update_super_work to start a transaction after the journal is
> destroyed eg:
>
> (umount)
> ext4_kill_sb
> kill_block_super
> generic_shutdown_super
> sync_filesystem /* commits all txns */
> evict_inodes
> /* might start a new txn */
> ext4_put_super
> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> jbd2_journal_destroy
> journal_kill_thread
> journal->j_flags |= JBD2_UNMOUNT;
> jbd2_journal_commit_transaction
> jbd2_journal_get_descriptor_buffer
> jbd2_journal_bmap
> ext4_journal_bmap
> ext4_map_blocks
> ...
> ext4_inode_error
> ext4_handle_error
> schedule_work(&sbi->s_sb_upd_work)
>
> /* work queue kicks in */
> update_super_work
> jbd2_journal_start
> start_this_handle
> BUG_ON(journal->j_flags &
> JBD2_UNMOUNT)
>
> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> destroying only do a journaled (and deferred) update of sb if this flag is not
> set. Otherwise, just fallback to an un-journaled commit.
>
> We set sbi->s_journal_destroying = true only after all the FS updates are done
> during ext4_put_super() (except a running transaction that will get commited
> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> outside the journal as it won't race with a journaled update (refer
> 2d01ddc86606).
>
> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> called from mballoc and AFAICT it would be always valid to schedule work here.
>
> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> Suggested-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> ---
> fs/ext4/ext4.h | 2 ++
> fs/ext4/ext4_jbd2.h | 8 ++++++++
> fs/ext4/super.c | 4 +++-
> 3 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 2b7d781bfcad..d48e93bd5690 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> */
> struct work_struct s_sb_upd_work;
>
> + bool s_journal_destorying;
> +
> /* Atomic write unit values in bytes */
> unsigned int s_awu_min;
> unsigned int s_awu_max;
> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> index 9b3c9df02a39..6bd3ca84410d 100644
> --- a/fs/ext4/ext4_jbd2.h
> +++ b/fs/ext4/ext4_jbd2.h
> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> {
> int err = 0;
>
> + /*
> + * At this point all pending FS updates should be done except a possible
> + * running transaction (which will commit in jbd2_journal_destroy). It
> + * is now safe for any new errors to directly commit superblock rather
> + * than going via journal.
> + */
> + sbi->s_journal_destorying = true;
This is not correct right. I think what we decided to set this flag
before we flush the workqueue. So that we don't schedule any new
work after this flag has been set. At least that is what I understood.
[1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
-ritesh
> +
> err = jbd2_journal_destroy(journal);
> sbi->s_journal = NULL;
>
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 8ad664d47806..31552cf0519a 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> * constraints, it may not be safe to do it right here so we
> * defer superblock flushing to a workqueue.
> */
> - if (continue_fs && journal)
> + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> else
> ext4_commit_super(sb);
> @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> spin_lock_init(&sbi->s_error_lock);
> INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>
> + sbi->s_journal_destorying = false;
> +
> err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> if (err)
> goto failed_mount3;
> --
> 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 8:18 ` Ojaswin Mujoo
@ 2025-03-08 9:58 ` Ojaswin Mujoo
2025-03-08 10:10 ` Baokun Li
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 9:58 UTC (permalink / raw)
To: Zhang Yi
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Sat, Mar 08, 2025 at 01:48:44PM +0530, Ojaswin Mujoo wrote:
> On Sat, Mar 08, 2025 at 10:57:16AM +0800, Zhang Yi wrote:
> > On 2025/3/8 1:26, Ojaswin Mujoo wrote:
> > > On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
> > >> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
> > >>> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
> > >>>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> > >>>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> > >>>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> > >>>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > >>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
> > >>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > >>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
> > >>>>>>>> possible for update_super_work to start a transaction after the journal is
> > >>>>>>>> destroyed eg:
> > >>>>>>>>
> > >>>>>>>> (umount)
> > >>>>>>>> ext4_kill_sb
> > >>>>>>>> kill_block_super
> > >>>>>>>> generic_shutdown_super
> > >>>>>>>> sync_filesystem /* commits all txns */
> > >>>>>>>> evict_inodes
> > >>>>>>>> /* might start a new txn */
> > >>>>>>>> ext4_put_super
> > >>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > >>>>>>>> jbd2_journal_destroy
> > >>>>>>>> journal_kill_thread
> > >>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
> > >>>>>>>> jbd2_journal_commit_transaction
> > >>>>>>>> jbd2_journal_get_descriptor_buffer
> > >>>>>>>> jbd2_journal_bmap
> > >>>>>>>> ext4_journal_bmap
> > >>>>>>>> ext4_map_blocks
> > >>>>>>>> ...
> > >>>>>>>> ext4_inode_error
> > >>>>>>>> ext4_handle_error
> > >>>>>>>> schedule_work(&sbi->s_sb_upd_work)
> > >>>>>>>>
> > >>>>>>>> /* work queue kicks in */
> > >>>>>>>> update_super_work
> > >>>>>>>> jbd2_journal_start
> > >>>>>>>> start_this_handle
> > >>>>>>>> BUG_ON(journal->j_flags &
> > >>>>>>>> JBD2_UNMOUNT)
> > >>>>>>>>
> > >>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > >>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
> > >>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
> > >>>>>>>>
> > >>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
> > >>>>>>>> during ext4_put_super() (except a running transaction that will get commited
> > >>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > >>>>>>>> outside the journal as it won't race with a journaled update (refer
> > >>>>>>>> 2d01ddc86606).
> > >>>>>>>>
> > >>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > >>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
> > >>>>>>>>
> > >>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > >>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > >>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
> > >>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > >>>>>>>> ---
> > >>>>>>>> fs/ext4/ext4.h | 2 ++
> > >>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
> > >>>>>>>> fs/ext4/super.c | 4 +++-
> > >>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
> > >>>>>>>>
> > >>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > >>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
> > >>>>>>>> --- a/fs/ext4/ext4.h
> > >>>>>>>> +++ b/fs/ext4/ext4.h
> > >>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > >>>>>>>> */
> > >>>>>>>> struct work_struct s_sb_upd_work;
> > >>>>>>>>
> > >>>>>>>> + bool s_journal_destorying;
> > >>>>>>>> +
> > >>>>>>>> /* Atomic write unit values in bytes */
> > >>>>>>>> unsigned int s_awu_min;
> > >>>>>>>> unsigned int s_awu_max;
> > >>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > >>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
> > >>>>>>>> --- a/fs/ext4/ext4_jbd2.h
> > >>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
> > >>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > >>>>>>>> {
> > >>>>>>>> int err = 0;
> > >>>>>>>>
> > >>>>>>>> + /*
> > >>>>>>>> + * At this point all pending FS updates should be done except a possible
> > >>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
> > >>>>>>>> + * is now safe for any new errors to directly commit superblock rather
> > >>>>>>>> + * than going via journal.
> > >>>>>>>> + */
> > >>>>>>>> + sbi->s_journal_destorying = true;
> > >>>>>>>> +
> > >>>>>>>
> > >>>>>>> Hi, Ojaswin!
> > >>>>>>>
> > >>>>>>> I'm afraid you still need to flush the superblock update work here,
> > >>>>>>> otherwise I guess the race condition you mentioned in v1 could still
> > >>>>>>> occur.
> > >>>>>>>
> > >>>>>>> ext4_put_super()
> > >>>>>>> flush_work(&sbi->s_sb_upd_work)
> > >>>>>>>
> > >>>>>>> **kjournald2**
> > >>>>>>> jbd2_journal_commit_transaction()
> > >>>>>>> ...
> > >>>>>>> ext4_inode_error()
> > >>>>>>> /* JBD2_UNMOUNT not set */
> > >>>>>>> schedule_work(s_sb_upd_work)
> > >>>>>>>
> > >>>>>>> **workqueue**
> > >>>>>>> update_super_work
> > >>>>>>> /* s_journal_destorying is not set */
> > >>>>>>> if (journal && !s_journal_destorying)
> > >>>>>>>
> > >>>>>>> ext4_journal_destroy()
> > >>>>>>> /* set s_journal_destorying */
> > >>>>>>> sbi->s_journal_destorying = true;
> > >>>>>>> jbd2_journal_destroy()
> > >>>>>>> journal->j_flags |= JBD2_UNMOUNT;
> > >>>>>>>
> > >>>>>>> jbd2_journal_start()
> > >>>>>>> start_this_handle()
> > >>>>>>> BUG_ON(JBD2_UNMOUNT)
> > >>>>>>>
> > >>>>>>> Thanks,
> > >>>>>>> Yi.
> > >>>>>> Hi Yi,
> > >>>>>>
> > >>>>>> Yes you are right, somehow missed this edge case :(
> > >>>>>>
> > >>>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
> > >>>>>> helper. Just wondering if I should still let it be in
> > >>>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
> > >>>>>> before schedule_work(s_sb_upd_work), because it makes sense.
> > >>>>>>
> > >>>>>> Okay let me give it some thought but thanks for pointing this out!
> > >>>>>>
> > >>>>>> Regards,
> > >>>>>> ojaswin
> > >>>>>
> > >>>>> Okay so thinking about it a bit more, I see you also suggested to flush
> > >>>>> the work after marking sbi->s_journal_destroying. But will that solve
> > >>>>> it?
> > >>>>>
> > >>>>> ext4_put_super()
> > >>>>> flush_work(&sbi->s_sb_upd_work)
> > >>>>>
> > >>>>> **kjournald2**
> > >>>>> jbd2_journal_commit_transaction()
> > >>>>> ...
> > >>>>> ext4_inode_error()
> > >>>>> /* JBD2_UNMOUNT not set */
> > >>>>> schedule_work(s_sb_upd_work)
> > >>>>>
> > >>>>> **workqueue**
> > >>>>> update_super_work
> > >>>>> /* s_journal_destorying is not set */
> > >>>>> if (journal && !s_journal_destorying)
> > >>>>>
> > >>>>> ext4_journal_destroy()
> > >>>>> /* set s_journal_destorying */
> > >>>>> sbi->s_journal_destorying = true;
> > >>>>> flush_work(&sbi->s_sb_upd_work)
> > >>>>> schedule_work()
> > >>>> ^^^^^^^^^^^^^^^
> > >>>> where does this come from?
> > >>>>
> > >>>> After this flush_work, we can guarantee that the running s_sb_upd_work
> > >>>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
> > >>>> not commit transaction or call schedule_work() again because it has
> > >>>> been aborted due to the previous error. Am I missing something?
> > >>>>
> > >>>> Thanks,
> > >>>> Yi.
> > >>>
> > >>> Hmm, so I am thinking of a corner case in ext4_handle_error() where
> > >>>
> > >>> if(journal && !is_journal_destroying)
> > >>>
> > >>> is computed but schedule_work() not called yet, which is possible cause
> > >>> the cmp followed by jump is not atomic in nature. If the schedule_work
> > >>> is only called after we have done the flush then we end up with this:
> > >>>
> > >>> if (journal && !s_journal_destorying)
> > >>> ext4_journal_destroy()
> > >>> /* set s_journal_destorying */
> > >>> sbi->s_journal_destorying = true;
> > >>> flush_work(&sbi->s_sb_upd_work)
> > >>> schedule_work()
> > >>>
> > >>> Which is possible IMO, although the window is tiny.
> > >>
> > >> Yeah, right!
> > >> Sorry for misread the location where you add the "!s_journal_destorying"
> > >> check, the graph I provided was in update_super_work(), which was wrong.
> > >
> > > Oh right, I also misread your trace but yes as discussed, even
> > >
> > > sbi->s_journal_destorying = true;
> > > flush_work()
> > > jbd2_journal_destroy()
> > >
> > > doesn't work.
> > >
> > >> The right one should be:
> > >>
> > >> ext4_put_super()
> > >> flush_work(&sbi->s_sb_upd_work)
> > >>
> > >> **kjournald2**
> > >> jbd2_journal_commit_transaction()
> > >> ...
> > >> ext4_inode_error()
> > >> /* s_journal_destorying is not set */
> > >> if (journal && !s_journal_destorying)
> > >> (schedule_work(s_sb_upd_work)) //can be here
> > >>
> > >> ext4_journal_destroy()
> > >> /* set s_journal_destorying */
> > >> sbi->s_journal_destorying = true;
> > >> jbd2_journal_destroy()
> > >> journal->j_flags |= JBD2_UNMOUNT;
> > >>
> > >> (schedule_work(s_sb_upd_work)) //also can be here
> > >>
> > >> **workqueue**
> > >> update_super_work()
> > >> journal = sbi->s_journal //get journal
> > >> kfree(journal)
> > >> jbd2_journal_start(journal) //journal UAF
> > >> start_this_handle()
> > >> BUG_ON(JBD2_UNMOUNT) //bugon here
> > >>
> > >>
> > >> So there are two problems here, the first one is the 'journal' UAF,
> > >> the second one is triggering JBD2_UNMOUNT flag BUGON.
> > >
> > > Indeed, there's a possible UAF here as well.
> > >
> > >>
> > >>>>>
> > >>>>> As for the fix, how about we do something like this:
> > >>>>>
> > >>>>> ext4_put_super()
> > >>>>>
> > >>>>> flush_work(&sbi->s_sb_upd_work)
> > >>>>> destroy_workqueue(sbi->rsv_conversion_wq);
> > >>>>>
> > >>>>> ext4_journal_destroy()
> > >>>>> /* set s_journal_destorying */
> > >>>>> sbi->s_journal_destorying = true;
> > >>>>>
> > >>>>> /* trigger a commit and wait for it to complete */
> > >>>>>
> > >>>>> flush_work(&sbi->s_sb_upd_work)
> > >>>>>
> > >>>>> jbd2_journal_destroy()
> > >>>>> journal->j_flags |= JBD2_UNMOUNT;
> > >>>>>
> > >>>>> jbd2_journal_start()
> > >>>>> start_this_handle()
> > >>>>> BUG_ON(JBD2_UNMOUNT)
> > >>>>>
> > >>>>> Still giving this codepath some thought but seems like this might just
> > >>>>> be enough to fix the race. Thoughts on this?
> > >>>>>
> > >>
> > >> I think this solution should work, the forced commit and flush_work()
> > >> should ensure that the last transaction is committed and that the
> > >> potential work is done.
> > >>
> > >> Besides, the s_journal_destorying flag is set and check concurrently
> > >> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
> > >> about adding a new flag into sbi->s_mount_state instead of adding
> > >> new s_journal_destorying?
> > >
> > > Right, that makes sence. I will incorporate these changes in the next
> > > revision.
> > >
> >
> > Think about this again, it seems that we no longer need the destroying
> > flag. Because we force to commit and wait for the **last** transaction to
> > complete, and the flush work should also ensure that the last sb_update
> > work to complete. Regardless of whether it starts a new handle in the
> > last update_super_work(), it will not commit since the journal should
> > have aborted. What are your thoughts?
> >
> > ext4_put_super()
> > flush_work(&sbi->s_sb_upd_work)
> > destroy_workqueue(sbi->rsv_conversion_wq)
> >
> > ext4_journal_destroy()
> > /* trigger a commit (it will commit the last trnasaction) */
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > ...
> > ext4_inode_error()
> > schedule_work(s_sb_upd_work))
> >
> > **workqueue**
> > update_super_work()
> > jbd2_journal_start(journal)
> > start_this_handle()
> > //This new trans will
> > //not be committed.
> >
> > jbd2_journal_abort()
> >
> > /* wait for it to complete */
> >
> > flush_work(&sbi->s_sb_upd_work)
> > jbd2_journal_destroy()
> > journal->j_flags |= JBD2_UNMOUNT;
> > jbd2_journal_commit_transaction() //it will commit nothing
> >
> > Thanks,
> > Yi.
>
> Hi Yi,
>
> There's one more path for which we need the flag:
>
> ext4_journal_destroy()
> /* trigger a commit (it will commit the last trnasaction) */
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> journal->j_commit_callback()
> ext4_journal_commit_callback()
> ext4_maybe_update_superblock()
> schedule_work()
> /* start a transaction here */
> flush_work()
> jbd2_journal_destroy()
> journal_kill_thread
> flags |= JBD2_UNMOUNT
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> schedule_work(s_sb_upd_work))
> /* update_super_work_tries to start the txn */
> BUG_ON()
Oops the formatting is wrong, here's the trace:
ext4_journal_destroy()
/* trigger a commit (it will commit the last trnasaction) */
**kjournald2**
jbd2_journal_commit_transaction()
journal->j_commit_callback()
ext4_journal_commit_callback()
ext4_maybe_update_superblock()
schedule_work()
/* update_super_work starts a new txn here */
flush_work()
jbd2_journal_destroy()
journal_kill_thread
flags |= JBD2_UNMOUNT
jbd2_journal_commit_transaction()
...
ext4_inode_error()
schedule_work(s_sb_upd_work))
/* update_super_work_tries to start the txn */
BUG_ON()
>
> I think this to protect against this path we do need a flag.
>
> Regards,
> ojaswin
> >
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 2:57 ` Zhang Yi
2025-03-08 8:18 ` Ojaswin Mujoo
@ 2025-03-08 10:01 ` Ritesh Harjani
1 sibling, 0 replies; 41+ messages in thread
From: Ritesh Harjani @ 2025-03-08 10:01 UTC (permalink / raw)
To: Zhang Yi, Ojaswin Mujoo
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
Zhang Yi <yi.zhang@huaweicloud.com> writes:
> On 2025/3/8 1:26, Ojaswin Mujoo wrote:
>> On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
>>> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
>>>> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
>>>>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
>>>>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
>>>>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
>>>>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>>>>> destroyed eg:
>>>>>>>>>
>>>>>>>>> (umount)
>>>>>>>>> ext4_kill_sb
>>>>>>>>> kill_block_super
>>>>>>>>> generic_shutdown_super
>>>>>>>>> sync_filesystem /* commits all txns */
>>>>>>>>> evict_inodes
>>>>>>>>> /* might start a new txn */
>>>>>>>>> ext4_put_super
>>>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>>>>> jbd2_journal_destroy
>>>>>>>>> journal_kill_thread
>>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>> jbd2_journal_commit_transaction
>>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>>> jbd2_journal_bmap
>>>>>>>>> ext4_journal_bmap
>>>>>>>>> ext4_map_blocks
>>>>>>>>> ...
>>>>>>>>> ext4_inode_error
>>>>>>>>> ext4_handle_error
>>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>>
>>>>>>>>> /* work queue kicks in */
>>>>>>>>> update_super_work
>>>>>>>>> jbd2_journal_start
>>>>>>>>> start_this_handle
>>>>>>>>> BUG_ON(journal->j_flags &
>>>>>>>>> JBD2_UNMOUNT)
>>>>>>>>>
>>>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>>>>
>>>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>>>>> 2d01ddc86606).
>>>>>>>>>
>>>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>>>>
>>>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>>>>> ---
>>>>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>>>>> fs/ext4/super.c | 4 +++-
>>>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>>>>
>>>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>>>>> --- a/fs/ext4/ext4.h
>>>>>>>>> +++ b/fs/ext4/ext4.h
>>>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>>>>> */
>>>>>>>>> struct work_struct s_sb_upd_work;
>>>>>>>>>
>>>>>>>>> + bool s_journal_destorying;
>>>>>>>>> +
>>>>>>>>> /* Atomic write unit values in bytes */
>>>>>>>>> unsigned int s_awu_min;
>>>>>>>>> unsigned int s_awu_max;
>>>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>>>>> {
>>>>>>>>> int err = 0;
>>>>>>>>>
>>>>>>>>> + /*
>>>>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>>>>> + * than going via journal.
>>>>>>>>> + */
>>>>>>>>> + sbi->s_journal_destorying = true;
>>>>>>>>> +
>>>>>>>>
>>>>>>>> Hi, Ojaswin!
>>>>>>>>
>>>>>>>> I'm afraid you still need to flush the superblock update work here,
>>>>>>>> otherwise I guess the race condition you mentioned in v1 could still
>>>>>>>> occur.
>>>>>>>>
>>>>>>>> ext4_put_super()
>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>>
>>>>>>>> **kjournald2**
>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>> ...
>>>>>>>> ext4_inode_error()
>>>>>>>> /* JBD2_UNMOUNT not set */
>>>>>>>> schedule_work(s_sb_upd_work)
>>>>>>>>
>>>>>>>> **workqueue**
>>>>>>>> update_super_work
>>>>>>>> /* s_journal_destorying is not set */
>>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>>
>>>>>>>> ext4_journal_destroy()
>>>>>>>> /* set s_journal_destorying */
>>>>>>>> sbi->s_journal_destorying = true;
>>>>>>>> jbd2_journal_destroy()
>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>
>>>>>>>> jbd2_journal_start()
>>>>>>>> start_this_handle()
>>>>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>> Yi.
>>>>>>> Hi Yi,
>>>>>>>
>>>>>>> Yes you are right, somehow missed this edge case :(
>>>>>>>
>>>>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
>>>>>>> helper. Just wondering if I should still let it be in
>>>>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
>>>>>>> before schedule_work(s_sb_upd_work), because it makes sense.
>>>>>>>
>>>>>>> Okay let me give it some thought but thanks for pointing this out!
>>>>>>>
>>>>>>> Regards,
>>>>>>> ojaswin
>>>>>>
>>>>>> Okay so thinking about it a bit more, I see you also suggested to flush
>>>>>> the work after marking sbi->s_journal_destroying. But will that solve
>>>>>> it?
>>>>>>
>>>>>> ext4_put_super()
>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>
>>>>>> **kjournald2**
>>>>>> jbd2_journal_commit_transaction()
>>>>>> ...
>>>>>> ext4_inode_error()
>>>>>> /* JBD2_UNMOUNT not set */
>>>>>> schedule_work(s_sb_upd_work)
>>>>>>
>>>>>> **workqueue**
>>>>>> update_super_work
>>>>>> /* s_journal_destorying is not set */
>>>>>> if (journal && !s_journal_destorying)
>>>>>>
>>>>>> ext4_journal_destroy()
>>>>>> /* set s_journal_destorying */
>>>>>> sbi->s_journal_destorying = true;
>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>> schedule_work()
>>>>> ^^^^^^^^^^^^^^^
>>>>> where does this come from?
>>>>>
>>>>> After this flush_work, we can guarantee that the running s_sb_upd_work
>>>>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
>>>>> not commit transaction or call schedule_work() again because it has
>>>>> been aborted due to the previous error. Am I missing something?
>>>>>
>>>>> Thanks,
>>>>> Yi.
>>>>
>>>> Hmm, so I am thinking of a corner case in ext4_handle_error() where
>>>>
>>>> if(journal && !is_journal_destroying)
>>>>
>>>> is computed but schedule_work() not called yet, which is possible cause
>>>> the cmp followed by jump is not atomic in nature. If the schedule_work
>>>> is only called after we have done the flush then we end up with this:
>>>>
>>>> if (journal && !s_journal_destorying)
>>>> ext4_journal_destroy()
>>>> /* set s_journal_destorying */
>>>> sbi->s_journal_destorying = true;
>>>> flush_work(&sbi->s_sb_upd_work)
>>>> schedule_work()
>>>>
>>>> Which is possible IMO, although the window is tiny.
>>>
>>> Yeah, right!
>>> Sorry for misread the location where you add the "!s_journal_destorying"
>>> check, the graph I provided was in update_super_work(), which was wrong.
>>
>> Oh right, I also misread your trace but yes as discussed, even
>>
>> sbi->s_journal_destorying = true;
>> flush_work()
>> jbd2_journal_destroy()
>>
>> doesn't work.
>>
>>> The right one should be:
>>>
>>> ext4_put_super()
>>> flush_work(&sbi->s_sb_upd_work)
>>>
>>> **kjournald2**
>>> jbd2_journal_commit_transaction()
>>> ...
>>> ext4_inode_error()
>>> /* s_journal_destorying is not set */
>>> if (journal && !s_journal_destorying)
>>> (schedule_work(s_sb_upd_work)) //can be here
>>>
>>> ext4_journal_destroy()
>>> /* set s_journal_destorying */
>>> sbi->s_journal_destorying = true;
>>> jbd2_journal_destroy()
>>> journal->j_flags |= JBD2_UNMOUNT;
>>>
>>> (schedule_work(s_sb_upd_work)) //also can be here
>>>
>>> **workqueue**
>>> update_super_work()
>>> journal = sbi->s_journal //get journal
>>> kfree(journal)
>>> jbd2_journal_start(journal) //journal UAF
>>> start_this_handle()
>>> BUG_ON(JBD2_UNMOUNT) //bugon here
>>>
>>>
>>> So there are two problems here, the first one is the 'journal' UAF,
>>> the second one is triggering JBD2_UNMOUNT flag BUGON.
>>
>> Indeed, there's a possible UAF here as well.
>>
>>>
>>>>>>
>>>>>> As for the fix, how about we do something like this:
>>>>>>
>>>>>> ext4_put_super()
>>>>>>
>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>> destroy_workqueue(sbi->rsv_conversion_wq);
>>>>>>
>>>>>> ext4_journal_destroy()
>>>>>> /* set s_journal_destorying */
>>>>>> sbi->s_journal_destorying = true;
>>>>>>
>>>>>> /* trigger a commit and wait for it to complete */
>>>>>>
>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>
>>>>>> jbd2_journal_destroy()
>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>
>>>>>> jbd2_journal_start()
>>>>>> start_this_handle()
>>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>>
>>>>>> Still giving this codepath some thought but seems like this might just
>>>>>> be enough to fix the race. Thoughts on this?
>>>>>>
>>>
>>> I think this solution should work, the forced commit and flush_work()
>>> should ensure that the last transaction is committed and that the
>>> potential work is done.
>>>
>>> Besides, the s_journal_destorying flag is set and check concurrently
>>> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
>>> about adding a new flag into sbi->s_mount_state instead of adding
>>> new s_journal_destorying?
>>
>> Right, that makes sence. I will incorporate these changes in the next
>> revision.
>>
>
> Think about this again, it seems that we no longer need the destroying
> flag. Because we force to commit and wait for the **last** transaction to
> complete, and the flush work should also ensure that the last sb_update
> work to complete. Regardless of whether it starts a new handle in the
> last update_super_work(), it will not commit since the journal should
> have aborted. What are your thoughts?
>
I think the confusion maybe coming because v2 patch isn't where we
discussed to put the s_journal_destroying to true, in this thread [1]
[1]: https://lore.kernel.org/linux-ext4/jnxpphuradrsf73cxfmohfu7wwwckihtulw6ovsitddgt5pqkg@2uoejkr66qnl/
> ext4_put_super()
+ sbi->s_journal_destroying = true;
We should add s_journal_destroying to true before calling for
flush_work.
> flush_work(&sbi->s_sb_upd_work)
After the above flush work is complete, we will always check if
s_journal_destroying is set. If yes, then we should never schedule the
sb update work
> destroy_workqueue(sbi->rsv_conversion_wq)
>
> ext4_journal_destroy()
> /* trigger a commit (it will commit the last trnasaction) */
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> schedule_work(s_sb_upd_work))
Then this schedule work will never happen, since it will check if
s_journal_destroying flag is set.
>
> **workqueue**
> update_super_work()
> jbd2_journal_start(journal)
> start_this_handle()
> //This new trans will
> //not be committed.
>
> jbd2_journal_abort()
>
> /* wait for it to complete */
>
> flush_work(&sbi->s_sb_upd_work)
No need to again call the flush work here, since there is no new work
which will be scheduled right.
Am I missing something?
-ritesh
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
> jbd2_journal_commit_transaction() //it will commit nothing
>
> Thanks,
> Yi.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 9:58 ` Ojaswin Mujoo
@ 2025-03-08 10:10 ` Baokun Li
2025-03-08 12:57 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Baokun Li @ 2025-03-08 10:10 UTC (permalink / raw)
To: Ojaswin Mujoo, Zhang Yi
Cc: Jan Kara, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On 2025/3/8 17:58, Ojaswin Mujoo wrote:
> On Sat, Mar 08, 2025 at 01:48:44PM +0530, Ojaswin Mujoo wrote:
>> On Sat, Mar 08, 2025 at 10:57:16AM +0800, Zhang Yi wrote:
>>> On 2025/3/8 1:26, Ojaswin Mujoo wrote:
>>>> On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
>>>>> On 2025/3/7 18:27, Ojaswin Mujoo wrote:
>>>>>> On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
>>>>>>> On 2025/3/7 16:13, Ojaswin Mujoo wrote:
>>>>>>>> On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
>>>>>>>>> On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
>>>>>>>>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>>>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>>>>>>> destroyed eg:
>>>>>>>>>>>
>>>>>>>>>>> (umount)
>>>>>>>>>>> ext4_kill_sb
>>>>>>>>>>> kill_block_super
>>>>>>>>>>> generic_shutdown_super
>>>>>>>>>>> sync_filesystem /* commits all txns */
>>>>>>>>>>> evict_inodes
>>>>>>>>>>> /* might start a new txn */
>>>>>>>>>>> ext4_put_super
>>>>>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>>>>>>> jbd2_journal_destroy
>>>>>>>>>>> journal_kill_thread
>>>>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>>>> jbd2_journal_commit_transaction
>>>>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>>>>> jbd2_journal_bmap
>>>>>>>>>>> ext4_journal_bmap
>>>>>>>>>>> ext4_map_blocks
>>>>>>>>>>> ...
>>>>>>>>>>> ext4_inode_error
>>>>>>>>>>> ext4_handle_error
>>>>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>>>>
>>>>>>>>>>> /* work queue kicks in */
>>>>>>>>>>> update_super_work
>>>>>>>>>>> jbd2_journal_start
>>>>>>>>>>> start_this_handle
>>>>>>>>>>> BUG_ON(journal->j_flags &
>>>>>>>>>>> JBD2_UNMOUNT)
>>>>>>>>>>>
>>>>>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>>>>>>
>>>>>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>>>>>>> 2d01ddc86606).
>>>>>>>>>>>
>>>>>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>>>>>>
>>>>>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>>>>>>> ---
>>>>>>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>>>>>>> fs/ext4/super.c | 4 +++-
>>>>>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>>>>>>
>>>>>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>>>>>>> --- a/fs/ext4/ext4.h
>>>>>>>>>>> +++ b/fs/ext4/ext4.h
>>>>>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>>>>>>> */
>>>>>>>>>>> struct work_struct s_sb_upd_work;
>>>>>>>>>>>
>>>>>>>>>>> + bool s_journal_destorying;
>>>>>>>>>>> +
>>>>>>>>>>> /* Atomic write unit values in bytes */
>>>>>>>>>>> unsigned int s_awu_min;
>>>>>>>>>>> unsigned int s_awu_max;
>>>>>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>>>>>>> {
>>>>>>>>>>> int err = 0;
>>>>>>>>>>>
>>>>>>>>>>> + /*
>>>>>>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>>>>>>> + * than going via journal.
>>>>>>>>>>> + */
>>>>>>>>>>> + sbi->s_journal_destorying = true;
>>>>>>>>>>> +
>>>>>>>>>> Hi, Ojaswin!
>>>>>>>>>>
>>>>>>>>>> I'm afraid you still need to flush the superblock update work here,
>>>>>>>>>> otherwise I guess the race condition you mentioned in v1 could still
>>>>>>>>>> occur.
>>>>>>>>>>
>>>>>>>>>> ext4_put_super()
>>>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>>>>
>>>>>>>>>> **kjournald2**
>>>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>>>> ...
>>>>>>>>>> ext4_inode_error()
>>>>>>>>>> /* JBD2_UNMOUNT not set */
>>>>>>>>>> schedule_work(s_sb_upd_work)
>>>>>>>>>>
>>>>>>>>>> **workqueue**
>>>>>>>>>> update_super_work
>>>>>>>>>> /* s_journal_destorying is not set */
>>>>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>>>>
>>>>>>>>>> ext4_journal_destroy()
>>>>>>>>>> /* set s_journal_destorying */
>>>>>>>>>> sbi->s_journal_destorying = true;
>>>>>>>>>> jbd2_journal_destroy()
>>>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>>>
>>>>>>>>>> jbd2_journal_start()
>>>>>>>>>> start_this_handle()
>>>>>>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Yi.
>>>>>>>>> Hi Yi,
>>>>>>>>>
>>>>>>>>> Yes you are right, somehow missed this edge case :(
>>>>>>>>>
>>>>>>>>> Alright then, we have to move out sbi->s_journal_destroying outside the
>>>>>>>>> helper. Just wondering if I should still let it be in
>>>>>>>>> ext4_journal_destroy and just add an extra s_journal_destroying = false
>>>>>>>>> before schedule_work(s_sb_upd_work), because it makes sense.
>>>>>>>>>
>>>>>>>>> Okay let me give it some thought but thanks for pointing this out!
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> ojaswin
>>>>>>>> Okay so thinking about it a bit more, I see you also suggested to flush
>>>>>>>> the work after marking sbi->s_journal_destroying. But will that solve
>>>>>>>> it?
>>>>>>>>
>>>>>>>> ext4_put_super()
>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>>
>>>>>>>> **kjournald2**
>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>> ...
>>>>>>>> ext4_inode_error()
>>>>>>>> /* JBD2_UNMOUNT not set */
>>>>>>>> schedule_work(s_sb_upd_work)
>>>>>>>>
>>>>>>>> **workqueue**
>>>>>>>> update_super_work
>>>>>>>> /* s_journal_destorying is not set */
>>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>>
>>>>>>>> ext4_journal_destroy()
>>>>>>>> /* set s_journal_destorying */
>>>>>>>> sbi->s_journal_destorying = true;
>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>> schedule_work()
>>>>>>> ^^^^^^^^^^^^^^^
>>>>>>> where does this come from?
>>>>>>>
>>>>>>> After this flush_work, we can guarantee that the running s_sb_upd_work
>>>>>>> finishes before we set JBD2_UNMOUNT. Additionally, the journal will
>>>>>>> not commit transaction or call schedule_work() again because it has
>>>>>>> been aborted due to the previous error. Am I missing something?
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Yi.
>>>>>> Hmm, so I am thinking of a corner case in ext4_handle_error() where
>>>>>>
>>>>>> if(journal && !is_journal_destroying)
>>>>>>
>>>>>> is computed but schedule_work() not called yet, which is possible cause
>>>>>> the cmp followed by jump is not atomic in nature. If the schedule_work
>>>>>> is only called after we have done the flush then we end up with this:
>>>>>>
>>>>>> if (journal && !s_journal_destorying)
>>>>>> ext4_journal_destroy()
>>>>>> /* set s_journal_destorying */
>>>>>> sbi->s_journal_destorying = true;
>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>> schedule_work()
>>>>>>
>>>>>> Which is possible IMO, although the window is tiny.
>>>>> Yeah, right!
>>>>> Sorry for misread the location where you add the "!s_journal_destorying"
>>>>> check, the graph I provided was in update_super_work(), which was wrong.
>>>> Oh right, I also misread your trace but yes as discussed, even
>>>>
>>>> sbi->s_journal_destorying = true;
>>>> flush_work()
>>>> jbd2_journal_destroy()
>>>>
>>>> doesn't work.
>>>>
>>>>> The right one should be:
>>>>>
>>>>> ext4_put_super()
>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>
>>>>> **kjournald2**
>>>>> jbd2_journal_commit_transaction()
>>>>> ...
>>>>> ext4_inode_error()
>>>>> /* s_journal_destorying is not set */
>>>>> if (journal && !s_journal_destorying)
>>>>> (schedule_work(s_sb_upd_work)) //can be here
>>>>>
>>>>> ext4_journal_destroy()
>>>>> /* set s_journal_destorying */
>>>>> sbi->s_journal_destorying = true;
>>>>> jbd2_journal_destroy()
>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>
>>>>> (schedule_work(s_sb_upd_work)) //also can be here
>>>>>
>>>>> **workqueue**
>>>>> update_super_work()
>>>>> journal = sbi->s_journal //get journal
>>>>> kfree(journal)
>>>>> jbd2_journal_start(journal) //journal UAF
>>>>> start_this_handle()
>>>>> BUG_ON(JBD2_UNMOUNT) //bugon here
>>>>>
>>>>>
>>>>> So there are two problems here, the first one is the 'journal' UAF,
>>>>> the second one is triggering JBD2_UNMOUNT flag BUGON.
>>>> Indeed, there's a possible UAF here as well.
>>>>
>>>>>>>> As for the fix, how about we do something like this:
>>>>>>>>
>>>>>>>> ext4_put_super()
>>>>>>>>
>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>> destroy_workqueue(sbi->rsv_conversion_wq);
>>>>>>>>
>>>>>>>> ext4_journal_destroy()
>>>>>>>> /* set s_journal_destorying */
>>>>>>>> sbi->s_journal_destorying = true;
>>>>>>>>
>>>>>>>> /* trigger a commit and wait for it to complete */
>>>>>>>>
>>>>>>>> flush_work(&sbi->s_sb_upd_work)
>>>>>>>>
>>>>>>>> jbd2_journal_destroy()
>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>
>>>>>>>> jbd2_journal_start()
>>>>>>>> start_this_handle()
>>>>>>>> BUG_ON(JBD2_UNMOUNT)
>>>>>>>>
>>>>>>>> Still giving this codepath some thought but seems like this might just
>>>>>>>> be enough to fix the race. Thoughts on this?
>>>>>>>>
>>>>> I think this solution should work, the forced commit and flush_work()
>>>>> should ensure that the last transaction is committed and that the
>>>>> potential work is done.
>>>>>
>>>>> Besides, the s_journal_destorying flag is set and check concurrently
>>>>> now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
>>>>> about adding a new flag into sbi->s_mount_state instead of adding
>>>>> new s_journal_destorying?
>>>> Right, that makes sence. I will incorporate these changes in the next
>>>> revision.
>>>>
>>> Think about this again, it seems that we no longer need the destroying
>>> flag. Because we force to commit and wait for the **last** transaction to
>>> complete, and the flush work should also ensure that the last sb_update
>>> work to complete. Regardless of whether it starts a new handle in the
>>> last update_super_work(), it will not commit since the journal should
>>> have aborted. What are your thoughts?
>>>
>>> ext4_put_super()
>>> flush_work(&sbi->s_sb_upd_work)
>>> destroy_workqueue(sbi->rsv_conversion_wq)
>>>
>>> ext4_journal_destroy()
>>> /* trigger a commit (it will commit the last trnasaction) */
>>>
>>> **kjournald2**
>>> jbd2_journal_commit_transaction()
>>> ...
>>> ext4_inode_error()
>>> schedule_work(s_sb_upd_work))
>>>
>>> **workqueue**
>>> update_super_work()
>>> jbd2_journal_start(journal)
>>> start_this_handle()
>>> //This new trans will
>>> //not be committed.
>>>
>>> jbd2_journal_abort()
>>>
>>> /* wait for it to complete */
>>>
>>> flush_work(&sbi->s_sb_upd_work)
>>> jbd2_journal_destroy()
>>> journal->j_flags |= JBD2_UNMOUNT;
>>> jbd2_journal_commit_transaction() //it will commit nothing
>>>
>>> Thanks,
>>> Yi.
>> Hi Yi,
>>
>> There's one more path for which we need the flag:
>>
>> ext4_journal_destroy()
>> /* trigger a commit (it will commit the last trnasaction) */
>>
>> **kjournald2**
>> jbd2_journal_commit_transaction()
>> journal->j_commit_callback()
>> ext4_journal_commit_callback()
>> ext4_maybe_update_superblock()
>> schedule_work()
>> /* start a transaction here */
>> flush_work()
>> jbd2_journal_destroy()
>> journal_kill_thread
>> flags |= JBD2_UNMOUNT
>> jbd2_journal_commit_transaction()
>> ...
>> ext4_inode_error()
>> schedule_work(s_sb_upd_work))
>> /* update_super_work_tries to start the txn */
>> BUG_ON()
> Oops the formatting is wrong, here's the trace:
>
> ext4_journal_destroy()
> /* trigger a commit (it will commit the last trnasaction) */
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> journal->j_commit_callback()
> ext4_journal_commit_callback()
> ext4_maybe_update_superblock()
> schedule_work()
At this point, SB_ACTIVE should have been cleared,
so ext4_maybe_update_superblock() should do nothing.
With this in mind, it could be the case that an
additional flag is no longer needed.
Regards,
Baokun
>
> /* update_super_work starts a new txn here */
> flush_work()
> jbd2_journal_destroy()
> journal_kill_thread
> flags |= JBD2_UNMOUNT
> jbd2_journal_commit_transaction()
> ...
> ext4_inode_error()
> schedule_work(s_sb_upd_work))
> /* update_super_work_tries to start the txn */
> BUG_ON()
>
>> I think this to protect against this path we do need a flag.
>>
>> Regards,
>> ojaswin
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 10:10 ` Baokun Li
@ 2025-03-08 12:57 ` Ojaswin Mujoo
0 siblings, 0 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 12:57 UTC (permalink / raw)
To: Baokun Li
Cc: Zhang Yi, Jan Kara, linux-kernel, Mahesh Kumar, linux-ext4,
Theodore Ts'o
On Sat, Mar 08, 2025 at 06:10:14PM +0800, Baokun Li wrote:
> On 2025/3/8 17:58, Ojaswin Mujoo wrote:
> > On Sat, Mar 08, 2025 at 01:48:44PM +0530, Ojaswin Mujoo wrote:
> > > On Sat, Mar 08, 2025 at 10:57:16AM +0800, Zhang Yi wrote:
> > > > On 2025/3/8 1:26, Ojaswin Mujoo wrote:
> > > > > On Fri, Mar 07, 2025 at 08:36:08PM +0800, Zhang Yi wrote:
> > > > > > On 2025/3/7 18:27, Ojaswin Mujoo wrote:
> > > > > > > On Fri, Mar 07, 2025 at 04:43:24PM +0800, Zhang Yi wrote:
> > > > > > > > On 2025/3/7 16:13, Ojaswin Mujoo wrote:
> > > > > > > > > On Fri, Mar 07, 2025 at 12:04:26PM +0530, Ojaswin Mujoo wrote:
> > > > > > > > > > On Fri, Mar 07, 2025 at 10:49:28AM +0800, Zhang Yi wrote:
> > > > > > > > > > > On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > > > > > > > > > > > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > > > > > > > > > > > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > > > > > > > > > > > stress tests, it was observed that in case of some error handling paths, it is
> > > > > > > > > > > > possible for update_super_work to start a transaction after the journal is
> > > > > > > > > > > > destroyed eg:
> > > > > > > > > > > >
> > > > > > > > > > > > (umount)
> > > > > > > > > > > > ext4_kill_sb
> > > > > > > > > > > > kill_block_super
> > > > > > > > > > > > generic_shutdown_super
> > > > > > > > > > > > sync_filesystem /* commits all txns */
> > > > > > > > > > > > evict_inodes
> > > > > > > > > > > > /* might start a new txn */
> > > > > > > > > > > > ext4_put_super
> > > > > > > > > > > > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > > > > > > > > > > > jbd2_journal_destroy
> > > > > > > > > > > > journal_kill_thread
> > > > > > > > > > > > journal->j_flags |= JBD2_UNMOUNT;
> > > > > > > > > > > > jbd2_journal_commit_transaction
> > > > > > > > > > > > jbd2_journal_get_descriptor_buffer
> > > > > > > > > > > > jbd2_journal_bmap
> > > > > > > > > > > > ext4_journal_bmap
> > > > > > > > > > > > ext4_map_blocks
> > > > > > > > > > > > ...
> > > > > > > > > > > > ext4_inode_error
> > > > > > > > > > > > ext4_handle_error
> > > > > > > > > > > > schedule_work(&sbi->s_sb_upd_work)
> > > > > > > > > > > >
> > > > > > > > > > > > /* work queue kicks in */
> > > > > > > > > > > > update_super_work
> > > > > > > > > > > > jbd2_journal_start
> > > > > > > > > > > > start_this_handle
> > > > > > > > > > > > BUG_ON(journal->j_flags &
> > > > > > > > > > > > JBD2_UNMOUNT)
> > > > > > > > > > > >
> > > > > > > > > > > > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > > > > > > > > > > > destroying only do a journaled (and deferred) update of sb if this flag is not
> > > > > > > > > > > > set. Otherwise, just fallback to an un-journaled commit.
> > > > > > > > > > > >
> > > > > > > > > > > > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > > > > > > > > > > > during ext4_put_super() (except a running transaction that will get commited
> > > > > > > > > > > > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > > > > > > > > > > > outside the journal as it won't race with a journaled update (refer
> > > > > > > > > > > > 2d01ddc86606).
> > > > > > > > > > > >
> > > > > > > > > > > > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > > > > > > > > > > > called from mballoc and AFAICT it would be always valid to schedule work here.
> > > > > > > > > > > >
> > > > > > > > > > > > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > > > > > > > > > > > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > > > > > > > > > > > Suggested-by: Jan Kara <jack@suse.cz>
> > > > > > > > > > > > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > > > > > > > > > > > ---
> > > > > > > > > > > > fs/ext4/ext4.h | 2 ++
> > > > > > > > > > > > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > > > > > > > > > > > fs/ext4/super.c | 4 +++-
> > > > > > > > > > > > 3 files changed, 13 insertions(+), 1 deletion(-)
> > > > > > > > > > > >
> > > > > > > > > > > > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > > > > > > > > > > > index 2b7d781bfcad..d48e93bd5690 100644
> > > > > > > > > > > > --- a/fs/ext4/ext4.h
> > > > > > > > > > > > +++ b/fs/ext4/ext4.h
> > > > > > > > > > > > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > > > > > > > > > > > */
> > > > > > > > > > > > struct work_struct s_sb_upd_work;
> > > > > > > > > > > > + bool s_journal_destorying;
> > > > > > > > > > > > +
> > > > > > > > > > > > /* Atomic write unit values in bytes */
> > > > > > > > > > > > unsigned int s_awu_min;
> > > > > > > > > > > > unsigned int s_awu_max;
> > > > > > > > > > > > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > > > > > > > > > > > index 9b3c9df02a39..6bd3ca84410d 100644
> > > > > > > > > > > > --- a/fs/ext4/ext4_jbd2.h
> > > > > > > > > > > > +++ b/fs/ext4/ext4_jbd2.h
> > > > > > > > > > > > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > > > > > > > > > > > {
> > > > > > > > > > > > int err = 0;
> > > > > > > > > > > > + /*
> > > > > > > > > > > > + * At this point all pending FS updates should be done except a possible
> > > > > > > > > > > > + * running transaction (which will commit in jbd2_journal_destroy). It
> > > > > > > > > > > > + * is now safe for any new errors to directly commit superblock rather
> > > > > > > > > > > > + * than going via journal.
> > > > > > > > > > > > + */
> > > > > > > > > > > > + sbi->s_journal_destorying = true;
> > > > > > > > > > > > +
> > > > > > > > > > > Hi, Ojaswin!
> > > > > > > > > > >
> > > > > > > > > > > I'm afraid you still need to flush the superblock update work here,
> > > > > > > > > > > otherwise I guess the race condition you mentioned in v1 could still
> > > > > > > > > > > occur.
> > > > > > > > > > >
> > > > > > > > > > > ext4_put_super()
> > > > > > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > > > > >
> > > > > > > > > > > **kjournald2**
> > > > > > > > > > > jbd2_journal_commit_transaction()
> > > > > > > > > > > ...
> > > > > > > > > > > ext4_inode_error()
> > > > > > > > > > > /* JBD2_UNMOUNT not set */
> > > > > > > > > > > schedule_work(s_sb_upd_work)
> > > > > > > > > > >
> > > > > > > > > > > **workqueue**
> > > > > > > > > > > update_super_work
> > > > > > > > > > > /* s_journal_destorying is not set */
> > > > > > > > > > > if (journal && !s_journal_destorying)
> > > > > > > > > > >
> > > > > > > > > > > ext4_journal_destroy()
> > > > > > > > > > > /* set s_journal_destorying */
> > > > > > > > > > > sbi->s_journal_destorying = true;
> > > > > > > > > > > jbd2_journal_destroy()
> > > > > > > > > > > journal->j_flags |= JBD2_UNMOUNT;
> > > > > > > > > > >
> > > > > > > > > > > jbd2_journal_start()
> > > > > > > > > > > start_this_handle()
> > > > > > > > > > > BUG_ON(JBD2_UNMOUNT)
> > > > > > > > > > >
> > > > > > > > > > > Thanks,
> > > > > > > > > > > Yi.
> > > > > > > > > > Hi Yi,
> > > > > > > > > >
> > > > > > > > > > Yes you are right, somehow missed this edge case :(
> > > > > > > > > >
> > > > > > > > > > Alright then, we have to move out sbi->s_journal_destroying outside the
> > > > > > > > > > helper. Just wondering if I should still let it be in
> > > > > > > > > > ext4_journal_destroy and just add an extra s_journal_destroying = false
> > > > > > > > > > before schedule_work(s_sb_upd_work), because it makes sense.
> > > > > > > > > >
> > > > > > > > > > Okay let me give it some thought but thanks for pointing this out!
> > > > > > > > > >
> > > > > > > > > > Regards,
> > > > > > > > > > ojaswin
> > > > > > > > > Okay so thinking about it a bit more, I see you also suggested to flush
> > > > > > > > > the work after marking sbi->s_journal_destroying. But will that solve
> > > > > > > > > it?
> > > > > > > > >
> > > > > > > > > ext4_put_super()
> > > > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > > > **kjournald2**
> > > > > > > > > jbd2_journal_commit_transaction()
> > > > > > > > > ...
> > > > > > > > > ext4_inode_error()
> > > > > > > > > /* JBD2_UNMOUNT not set */
> > > > > > > > > schedule_work(s_sb_upd_work)
> > > > > > > > > **workqueue**
> > > > > > > > > update_super_work
> > > > > > > > > /* s_journal_destorying is not set */
> > > > > > > > > if (journal && !s_journal_destorying)
> > > > > > > > > ext4_journal_destroy()
> > > > > > > > > /* set s_journal_destorying */
> > > > > > > > > sbi->s_journal_destorying = true;
> > > > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > > > schedule_work()
> > > > > > > > ^^^^^^^^^^^^^^^
> > > > > > > > where does this come from?
> > > > > > > >
> > > > > > > > After this flush_work, we can guarantee that the running s_sb_upd_work
> > > > > > > > finishes before we set JBD2_UNMOUNT. Additionally, the journal will
> > > > > > > > not commit transaction or call schedule_work() again because it has
> > > > > > > > been aborted due to the previous error. Am I missing something?
> > > > > > > >
> > > > > > > > Thanks,
> > > > > > > > Yi.
> > > > > > > Hmm, so I am thinking of a corner case in ext4_handle_error() where
> > > > > > >
> > > > > > > if(journal && !is_journal_destroying)
> > > > > > >
> > > > > > > is computed but schedule_work() not called yet, which is possible cause
> > > > > > > the cmp followed by jump is not atomic in nature. If the schedule_work
> > > > > > > is only called after we have done the flush then we end up with this:
> > > > > > >
> > > > > > > if (journal && !s_journal_destorying)
> > > > > > > ext4_journal_destroy()
> > > > > > > /* set s_journal_destorying */
> > > > > > > sbi->s_journal_destorying = true;
> > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > schedule_work()
> > > > > > >
> > > > > > > Which is possible IMO, although the window is tiny.
> > > > > > Yeah, right!
> > > > > > Sorry for misread the location where you add the "!s_journal_destorying"
> > > > > > check, the graph I provided was in update_super_work(), which was wrong.
> > > > > Oh right, I also misread your trace but yes as discussed, even
> > > > >
> > > > > sbi->s_journal_destorying = true;
> > > > > flush_work()
> > > > > jbd2_journal_destroy()
> > > > >
> > > > > doesn't work.
> > > > >
> > > > > > The right one should be:
> > > > > >
> > > > > > ext4_put_super()
> > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > >
> > > > > > **kjournald2**
> > > > > > jbd2_journal_commit_transaction()
> > > > > > ...
> > > > > > ext4_inode_error()
> > > > > > /* s_journal_destorying is not set */
> > > > > > if (journal && !s_journal_destorying)
> > > > > > (schedule_work(s_sb_upd_work)) //can be here
> > > > > >
> > > > > > ext4_journal_destroy()
> > > > > > /* set s_journal_destorying */
> > > > > > sbi->s_journal_destorying = true;
> > > > > > jbd2_journal_destroy()
> > > > > > journal->j_flags |= JBD2_UNMOUNT;
> > > > > >
> > > > > > (schedule_work(s_sb_upd_work)) //also can be here
> > > > > >
> > > > > > **workqueue**
> > > > > > update_super_work()
> > > > > > journal = sbi->s_journal //get journal
> > > > > > kfree(journal)
> > > > > > jbd2_journal_start(journal) //journal UAF
> > > > > > start_this_handle()
> > > > > > BUG_ON(JBD2_UNMOUNT) //bugon here
> > > > > >
> > > > > >
> > > > > > So there are two problems here, the first one is the 'journal' UAF,
> > > > > > the second one is triggering JBD2_UNMOUNT flag BUGON.
> > > > > Indeed, there's a possible UAF here as well.
> > > > >
> > > > > > > > > As for the fix, how about we do something like this:
> > > > > > > > >
> > > > > > > > > ext4_put_super()
> > > > > > > > >
> > > > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > > > destroy_workqueue(sbi->rsv_conversion_wq);
> > > > > > > > >
> > > > > > > > > ext4_journal_destroy()
> > > > > > > > > /* set s_journal_destorying */
> > > > > > > > > sbi->s_journal_destorying = true;
> > > > > > > > >
> > > > > > > > > /* trigger a commit and wait for it to complete */
> > > > > > > > >
> > > > > > > > > flush_work(&sbi->s_sb_upd_work)
> > > > > > > > >
> > > > > > > > > jbd2_journal_destroy()
> > > > > > > > > journal->j_flags |= JBD2_UNMOUNT;
> > > > > > > > > jbd2_journal_start()
> > > > > > > > > start_this_handle()
> > > > > > > > > BUG_ON(JBD2_UNMOUNT)
> > > > > > > > >
> > > > > > > > > Still giving this codepath some thought but seems like this might just
> > > > > > > > > be enough to fix the race. Thoughts on this?
> > > > > > > > >
> > > > > > I think this solution should work, the forced commit and flush_work()
> > > > > > should ensure that the last transaction is committed and that the
> > > > > > potential work is done.
> > > > > >
> > > > > > Besides, the s_journal_destorying flag is set and check concurrently
> > > > > > now, so we need WRITE_ONCE() and READ_ONCE() for it. Besides, what
> > > > > > about adding a new flag into sbi->s_mount_state instead of adding
> > > > > > new s_journal_destorying?
> > > > > Right, that makes sence. I will incorporate these changes in the next
> > > > > revision.
> > > > >
> > > > Think about this again, it seems that we no longer need the destroying
> > > > flag. Because we force to commit and wait for the **last** transaction to
> > > > complete, and the flush work should also ensure that the last sb_update
> > > > work to complete. Regardless of whether it starts a new handle in the
> > > > last update_super_work(), it will not commit since the journal should
> > > > have aborted. What are your thoughts?
> > > >
> > > > ext4_put_super()
> > > > flush_work(&sbi->s_sb_upd_work)
> > > > destroy_workqueue(sbi->rsv_conversion_wq)
> > > >
> > > > ext4_journal_destroy()
> > > > /* trigger a commit (it will commit the last trnasaction) */
> > > >
> > > > **kjournald2**
> > > > jbd2_journal_commit_transaction()
> > > > ...
> > > > ext4_inode_error()
> > > > schedule_work(s_sb_upd_work))
> > > >
> > > > **workqueue**
> > > > update_super_work()
> > > > jbd2_journal_start(journal)
> > > > start_this_handle()
> > > > //This new trans will
> > > > //not be committed.
> > > >
> > > > jbd2_journal_abort()
> > > >
> > > > /* wait for it to complete */
> > > >
> > > > flush_work(&sbi->s_sb_upd_work)
> > > > jbd2_journal_destroy()
> > > > journal->j_flags |= JBD2_UNMOUNT;
> > > > jbd2_journal_commit_transaction() //it will commit nothing
> > > >
> > > > Thanks,
> > > > Yi.
> > > Hi Yi,
> > >
> > > There's one more path for which we need the flag:
> > >
> > > ext4_journal_destroy()
> > > /* trigger a commit (it will commit the last trnasaction) */
> > > **kjournald2**
> > > jbd2_journal_commit_transaction()
> > > journal->j_commit_callback()
> > > ext4_journal_commit_callback()
> > > ext4_maybe_update_superblock()
> > > schedule_work()
> > > /* start a transaction here */
> > > flush_work()
> > > jbd2_journal_destroy()
> > > journal_kill_thread
> > > flags |= JBD2_UNMOUNT
> > > jbd2_journal_commit_transaction()
> > > ...
> > > ext4_inode_error()
> > > schedule_work(s_sb_upd_work))
> > > /* update_super_work_tries to start the txn */
> > > BUG_ON()
> > Oops the formatting is wrong, here's the trace:
> >
> > ext4_journal_destroy()
> > /* trigger a commit (it will commit the last trnasaction) */
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > journal->j_commit_callback()
> > ext4_journal_commit_callback()
> > ext4_maybe_update_superblock()
> > schedule_work()
> At this point, SB_ACTIVE should have been cleared,
> so ext4_maybe_update_superblock() should do nothing.
>
> With this in mind, it could be the case that an
> additional flag is no longer needed.
Yes got it now, all the backtraces are confusing me haha
Alright then, I feel we can take 2 approaches now.
- Without the flag, (flushing sb update wq 2 times):
This approach looks like how Yi has described here [1] however
this relies on the fact that the last update_super_work is only
called in journal is aborted and hence will never start a txn.
This is possible because we flush the sb 2 times:
ext4_put_super()
flush_work(s_sb_upd_work) // 1st flush, clears all pending updates
ext4_journal_destroy
/* commit & wait for txn */
flush_work(s_sb_upd_work) // 2nd flush, only has work if journal is aborted */
The first flush flushes all pending updates and 2nd one is only invoked
when the journal commit faces an error and hence never starts a new
txn. Thus everything works.
[1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#m3de5dcae6afa979d01281f64b0c088131e72fc92
- With the flag. (single sb flush).
This is an alternate approach where we remove the flush_work() from
ext4_put_super() and only keep 1 in ext4_journal_destroy(). With this
we need to explicitly rely on a sbi/mount flag because the flush can
actually start a txn. WITHOUT the flag we can run into this:
**kjournald2**
jbd2_journal_commit_transaction()
journal->j_commit_callback()
ext4_journal_commit_callback()
ext4_maybe_update_superblock()
schedule_work()
ext4_put_super()
ext4_journal_destroy
/* commit & wait for txn */
flush_work(s_sb_upd_work) // This will have sb updates even if journal not aborted
/* update_super_work starts a txn */
jbd2_destroy_journal
flags |= JBD2_UNMOUNT
jbd2_journal_commit_transaction
/* error */
ext4_handle_error
scheduled_work()
/*update super work hits BUG_ON */
Hence the flag is needed in this approach.
I actually prefer the 2nd approach with the flag because it seems easier
to maintain in the long run than relying on the fragile
flush-commit-flush sequence, which might get silently broken as new code
is added.
I hope I didn't miss something this time. Thoughts? :)
Regards,
ojaswin
>
>
> Regards,
> Baokun
> >
> > /* update_super_work starts a new txn here */
> > flush_work()
> > jbd2_journal_destroy()
> > journal_kill_thread
> > flags |= JBD2_UNMOUNT
> > jbd2_journal_commit_transaction()
> > ...
> > ext4_inode_error()
> > schedule_work(s_sb_upd_work))
> > /* update_super_work_tries to start the txn */
> > BUG_ON()
> >
> > > I think this to protect against this path we do need a flag.
> > >
> > > Regards,
> > > ojaswin
>
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 9:55 ` Ritesh Harjani (IBM)
@ 2025-03-08 13:05 ` Ojaswin Mujoo
2025-03-08 13:26 ` Ritesh Harjani
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 13:05 UTC (permalink / raw)
To: Ritesh Harjani (IBM)
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>
> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > stress tests, it was observed that in case of some error handling paths, it is
> > possible for update_super_work to start a transaction after the journal is
> > destroyed eg:
> >
> > (umount)
> > ext4_kill_sb
> > kill_block_super
> > generic_shutdown_super
> > sync_filesystem /* commits all txns */
> > evict_inodes
> > /* might start a new txn */
> > ext4_put_super
> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > jbd2_journal_destroy
> > journal_kill_thread
> > journal->j_flags |= JBD2_UNMOUNT;
> > jbd2_journal_commit_transaction
> > jbd2_journal_get_descriptor_buffer
> > jbd2_journal_bmap
> > ext4_journal_bmap
> > ext4_map_blocks
> > ...
> > ext4_inode_error
> > ext4_handle_error
> > schedule_work(&sbi->s_sb_upd_work)
> >
> > /* work queue kicks in */
> > update_super_work
> > jbd2_journal_start
> > start_this_handle
> > BUG_ON(journal->j_flags &
> > JBD2_UNMOUNT)
> >
> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > destroying only do a journaled (and deferred) update of sb if this flag is not
> > set. Otherwise, just fallback to an un-journaled commit.
> >
> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > during ext4_put_super() (except a running transaction that will get commited
> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > outside the journal as it won't race with a journaled update (refer
> > 2d01ddc86606).
> >
> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >
> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > Suggested-by: Jan Kara <jack@suse.cz>
> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > ---
> > fs/ext4/ext4.h | 2 ++
> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > fs/ext4/super.c | 4 +++-
> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > index 2b7d781bfcad..d48e93bd5690 100644
> > --- a/fs/ext4/ext4.h
> > +++ b/fs/ext4/ext4.h
> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > */
> > struct work_struct s_sb_upd_work;
> >
> > + bool s_journal_destorying;
> > +
> > /* Atomic write unit values in bytes */
> > unsigned int s_awu_min;
> > unsigned int s_awu_max;
> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > index 9b3c9df02a39..6bd3ca84410d 100644
> > --- a/fs/ext4/ext4_jbd2.h
> > +++ b/fs/ext4/ext4_jbd2.h
> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > {
> > int err = 0;
> >
> > + /*
> > + * At this point all pending FS updates should be done except a possible
> > + * running transaction (which will commit in jbd2_journal_destroy). It
> > + * is now safe for any new errors to directly commit superblock rather
> > + * than going via journal.
> > + */
> > + sbi->s_journal_destorying = true;
>
> This is not correct right. I think what we decided to set this flag
> before we flush the workqueue. So that we don't schedule any new
> work after this flag has been set. At least that is what I understood.
>
> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>
> -ritesh
Hey Ritesh,
Yes that is not correct, I missed that in my patch however we realised
that adding it before flush_work() also has issues [1]. More
specifically:
**kjournald2**
jbd2_journal_commit_transaction()
...
ext4_handle_error()
/* s_journal_destorying is not set */
if (journal && !s_journal_destorying)
ext4_put_super()
sbi->s_journal_destorying = true;
flush_work(&sbi->s_sb_upd_work)
schedule_work()
jbd2_journal_destroy()
journal->j_flags |= JBD2_UNMOUNT;
jbd2_journal_start()
start_this_handle()
BUG_ON(JBD2_UNMOUNT)
So the right thing to do seems to be that we need to force a journal
commit before the final flush as well. [1] Has more info on this and
some followup discussion as well.
[1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
Regards,
ojaswin
>
>
> > +
> > err = jbd2_journal_destroy(journal);
> > sbi->s_journal = NULL;
> >
> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> > index 8ad664d47806..31552cf0519a 100644
> > --- a/fs/ext4/super.c
> > +++ b/fs/ext4/super.c
> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> > * constraints, it may not be safe to do it right here so we
> > * defer superblock flushing to a workqueue.
> > */
> > - if (continue_fs && journal)
> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> > else
> > ext4_commit_super(sb);
> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> > spin_lock_init(&sbi->s_error_lock);
> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >
> > + sbi->s_journal_destorying = false;
> > +
> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> > if (err)
> > goto failed_mount3;
> > --
> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
2025-03-08 1:09 ` [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Baokun Li
@ 2025-03-08 13:07 ` Ojaswin Mujoo
2025-03-08 15:21 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 13:07 UTC (permalink / raw)
To: Baokun Li
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On Sat, Mar 08, 2025 at 09:09:28AM +0800, Baokun Li wrote:
> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > ** Changes since v1 [1] **
> >
> > * Picked up RVBs from Jan and Ritesh
> > * In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
> > to determine when to journal sb vs when to commit directly.
> > * Added a prep patch 1/3
> >
> > [1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
> >
> > @Baokun, I didn't get a chance to look into the journal_inode
> > modifications we were discussing in [2]. I'll try to spend some time and
> > send that as a separate patch. Hope that's okay
> >
> > [2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
> That's fine, it's not a priority. And if this patch set makes sure we
> don't crash when things go wrong, I'm okay with leaving it as is.
>
> It's possible that jbd2_journal_commit_transaction() could call
> ext4_handle_error() in other places as the code evolves. Fixing known
> problems and protecting against potential ones is always a good thing.
Yep thats true, I did spend some time on this since the codepath was a
bit unfamiliar to me. Seems like a straighforward enough change. I'll
add it to the next patch.
thanks,
ojaswin
>
>
> Cheers,
> Baokun
> > ** Original Cover **
> >
> > When running LTP stress tests on ext4, after a multiday run we seemed to
> > have hit the following BUG_ON:
> >
> > [NIP : start_this_handle+268]
> > #3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
> > #4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
> > #5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
> > #6 [c000001067c27c70] process_one_work at c000000000188790
> > #7 [c000001067c27d20] worker_thread at c00000000018973c
> > #8 [c000001067c27dc0] kthread at c000000000196c84
> > #9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
> >
> > Which comes out to
> >
> > 382 repeat:
> > 383 read_lock(&journal->j_state_lock);
> > * 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
> > 385 if (is_journal_aborted(journal) ||
> > 386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
> > 387 read_unlock(&journal->j_state_lock);
> >
> >
> > Initially this seemed like it should never happen but upon crash
> > analysis it seems like it could indeed be hit as described in patch 1/2.
> >
> > I would like to add that through the logs we only knew that:
> >
> > - ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
> > - update_super_work had hit the BUG_ON
> >
> > I was not able to hit this bug again (without modifying the kernel to
> > inject errors) but the above backtrace seems to be one possible paths
> > where this BUG_ON can be hit. Rest of the analysis and fix is in patch
> > 2/3. Patch 3 is just a small tweak that i found helpful while debugging.
> >
> > That being said, journalling is something I'm not very familiar with and
> > there might be gaps in my understanding so thoughts and suggestions are
> > welcome.
> >
> > Ojaswin Mujoo (3):
> > ext4: define ext4_journal_destroy wrapper
> > ext4: avoid journaling sb update on error if journal is destroying
> > ext4: Make sb update interval tunable
> >
> > fs/ext4/ext4.h | 11 +++++++++++
> > fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
> > fs/ext4/super.c | 35 +++++++++++++++++------------------
> > fs/ext4/sysfs.c | 4 ++++
> > 4 files changed, 54 insertions(+), 18 deletions(-)
> >
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 13:05 ` Ojaswin Mujoo
@ 2025-03-08 13:26 ` Ritesh Harjani
2025-03-08 14:58 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Ritesh Harjani @ 2025-03-08 13:26 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>
>> > Presently we always BUG_ON if trying to start a transaction on a journal marked
>> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>> > stress tests, it was observed that in case of some error handling paths, it is
>> > possible for update_super_work to start a transaction after the journal is
>> > destroyed eg:
>> >
>> > (umount)
>> > ext4_kill_sb
>> > kill_block_super
>> > generic_shutdown_super
>> > sync_filesystem /* commits all txns */
>> > evict_inodes
>> > /* might start a new txn */
>> > ext4_put_super
>> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>> > jbd2_journal_destroy
>> > journal_kill_thread
>> > journal->j_flags |= JBD2_UNMOUNT;
>> > jbd2_journal_commit_transaction
>> > jbd2_journal_get_descriptor_buffer
>> > jbd2_journal_bmap
>> > ext4_journal_bmap
>> > ext4_map_blocks
>> > ...
>> > ext4_inode_error
>> > ext4_handle_error
>> > schedule_work(&sbi->s_sb_upd_work)
>> >
>> > /* work queue kicks in */
>> > update_super_work
>> > jbd2_journal_start
>> > start_this_handle
>> > BUG_ON(journal->j_flags &
>> > JBD2_UNMOUNT)
>> >
>> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>> > destroying only do a journaled (and deferred) update of sb if this flag is not
>> > set. Otherwise, just fallback to an un-journaled commit.
>> >
>> > We set sbi->s_journal_destroying = true only after all the FS updates are done
>> > during ext4_put_super() (except a running transaction that will get commited
>> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>> > outside the journal as it won't race with a journaled update (refer
>> > 2d01ddc86606).
>> >
>> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
>> > called from mballoc and AFAICT it would be always valid to schedule work here.
>> >
>> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>> > Suggested-by: Jan Kara <jack@suse.cz>
>> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>> > ---
>> > fs/ext4/ext4.h | 2 ++
>> > fs/ext4/ext4_jbd2.h | 8 ++++++++
>> > fs/ext4/super.c | 4 +++-
>> > 3 files changed, 13 insertions(+), 1 deletion(-)
>> >
>> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>> > index 2b7d781bfcad..d48e93bd5690 100644
>> > --- a/fs/ext4/ext4.h
>> > +++ b/fs/ext4/ext4.h
>> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>> > */
>> > struct work_struct s_sb_upd_work;
>> >
>> > + bool s_journal_destorying;
>> > +
>> > /* Atomic write unit values in bytes */
>> > unsigned int s_awu_min;
>> > unsigned int s_awu_max;
>> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>> > index 9b3c9df02a39..6bd3ca84410d 100644
>> > --- a/fs/ext4/ext4_jbd2.h
>> > +++ b/fs/ext4/ext4_jbd2.h
>> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>> > {
>> > int err = 0;
>> >
>> > + /*
>> > + * At this point all pending FS updates should be done except a possible
>> > + * running transaction (which will commit in jbd2_journal_destroy). It
>> > + * is now safe for any new errors to directly commit superblock rather
>> > + * than going via journal.
>> > + */
>> > + sbi->s_journal_destorying = true;
>>
>> This is not correct right. I think what we decided to set this flag
>> before we flush the workqueue. So that we don't schedule any new
>> work after this flag has been set. At least that is what I understood.
>>
>> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>>
>> -ritesh
>
> Hey Ritesh,
>
> Yes that is not correct, I missed that in my patch however we realised
> that adding it before flush_work() also has issues [1]. More
> specifically:
Ohk. right.
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> ...
> ext4_handle_error()
> /* s_journal_destorying is not set */
> if (journal && !s_journal_destorying)
Then maybe we should not schedule another work to update the superblock
via journalling, it the error itself occurred while were trying to
commit the journal txn?
-ritesh
> ext4_put_super()
> sbi->s_journal_destorying = true;
> flush_work(&sbi->s_sb_upd_work)
> schedule_work()
> jbd2_journal_destroy()
> journal->j_flags |= JBD2_UNMOUNT;
>
> jbd2_journal_start()
> start_this_handle()
> BUG_ON(JBD2_UNMOUNT)
>
> So the right thing to do seems to be that we need to force a journal
> commit before the final flush as well. [1] Has more info on this and
> some followup discussion as well.
>
> [1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
>
> Regards,
> ojaswin
>>
>>
>> > +
>> > err = jbd2_journal_destroy(journal);
>> > sbi->s_journal = NULL;
>> >
>> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>> > index 8ad664d47806..31552cf0519a 100644
>> > --- a/fs/ext4/super.c
>> > +++ b/fs/ext4/super.c
>> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
>> > * constraints, it may not be safe to do it right here so we
>> > * defer superblock flushing to a workqueue.
>> > */
>> > - if (continue_fs && journal)
>> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
>> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
>> > else
>> > ext4_commit_super(sb);
>> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
>> > spin_lock_init(&sbi->s_error_lock);
>> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>> >
>> > + sbi->s_journal_destorying = false;
>> > +
>> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
>> > if (err)
>> > goto failed_mount3;
>> > --
>> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 13:26 ` Ritesh Harjani
@ 2025-03-08 14:58 ` Ojaswin Mujoo
2025-03-08 18:41 ` Ritesh Harjani
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 14:58 UTC (permalink / raw)
To: Ritesh Harjani
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>
> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >>
> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >> > stress tests, it was observed that in case of some error handling paths, it is
> >> > possible for update_super_work to start a transaction after the journal is
> >> > destroyed eg:
> >> >
> >> > (umount)
> >> > ext4_kill_sb
> >> > kill_block_super
> >> > generic_shutdown_super
> >> > sync_filesystem /* commits all txns */
> >> > evict_inodes
> >> > /* might start a new txn */
> >> > ext4_put_super
> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >> > jbd2_journal_destroy
> >> > journal_kill_thread
> >> > journal->j_flags |= JBD2_UNMOUNT;
> >> > jbd2_journal_commit_transaction
> >> > jbd2_journal_get_descriptor_buffer
> >> > jbd2_journal_bmap
> >> > ext4_journal_bmap
> >> > ext4_map_blocks
> >> > ...
> >> > ext4_inode_error
> >> > ext4_handle_error
> >> > schedule_work(&sbi->s_sb_upd_work)
> >> >
> >> > /* work queue kicks in */
> >> > update_super_work
> >> > jbd2_journal_start
> >> > start_this_handle
> >> > BUG_ON(journal->j_flags &
> >> > JBD2_UNMOUNT)
> >> >
> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
> >> > set. Otherwise, just fallback to an un-journaled commit.
> >> >
> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> >> > during ext4_put_super() (except a running transaction that will get commited
> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >> > outside the journal as it won't race with a journaled update (refer
> >> > 2d01ddc86606).
> >> >
> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >> >
> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >> > Suggested-by: Jan Kara <jack@suse.cz>
> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >> > ---
> >> > fs/ext4/ext4.h | 2 ++
> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> >> > fs/ext4/super.c | 4 +++-
> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >> >
> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >> > index 2b7d781bfcad..d48e93bd5690 100644
> >> > --- a/fs/ext4/ext4.h
> >> > +++ b/fs/ext4/ext4.h
> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >> > */
> >> > struct work_struct s_sb_upd_work;
> >> >
> >> > + bool s_journal_destorying;
> >> > +
> >> > /* Atomic write unit values in bytes */
> >> > unsigned int s_awu_min;
> >> > unsigned int s_awu_max;
> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >> > index 9b3c9df02a39..6bd3ca84410d 100644
> >> > --- a/fs/ext4/ext4_jbd2.h
> >> > +++ b/fs/ext4/ext4_jbd2.h
> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >> > {
> >> > int err = 0;
> >> >
> >> > + /*
> >> > + * At this point all pending FS updates should be done except a possible
> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
> >> > + * is now safe for any new errors to directly commit superblock rather
> >> > + * than going via journal.
> >> > + */
> >> > + sbi->s_journal_destorying = true;
> >>
> >> This is not correct right. I think what we decided to set this flag
> >> before we flush the workqueue. So that we don't schedule any new
> >> work after this flag has been set. At least that is what I understood.
> >>
> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
> >>
> >> -ritesh
> >
> > Hey Ritesh,
> >
> > Yes that is not correct, I missed that in my patch however we realised
> > that adding it before flush_work() also has issues [1]. More
> > specifically:
>
> Ohk. right.
>
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > ...
> > ext4_handle_error()
> > /* s_journal_destorying is not set */
> > if (journal && !s_journal_destorying)
>
> Then maybe we should not schedule another work to update the superblock
> via journalling, it the error itself occurred while were trying to
> commit the journal txn?
>
>
> -ritesh
Hmm, ideally yes that should not happen, but how can we achieve that?
For example with the trace we saw:
**kjournald2**
jbd2_journal_commit_transaction()
jbd2_journal_get_descriptor_buffer
jbd2_journal_bmap
ext4_journal_bmap
ext4_map_blocks
...
ext4_inode_error
ext4_handle_error
schedule_work(&sbi->s_sb_upd_work)
How do we tell ext4_handle_error that it is in the context of a
committing txn. We can't pass down an argument all the way down
cause that is not feasible. An sb level flag will also not work
I think. Any thoughts on this?
regards,
ojaswin
>
>
> > ext4_put_super()
> > sbi->s_journal_destorying = true;
> > flush_work(&sbi->s_sb_upd_work)
> > schedule_work()
> > jbd2_journal_destroy()
> > journal->j_flags |= JBD2_UNMOUNT;
> >
> > jbd2_journal_start()
> > start_this_handle()
> > BUG_ON(JBD2_UNMOUNT)
> >
> > So the right thing to do seems to be that we need to force a journal
> > commit before the final flush as well. [1] Has more info on this and
> > some followup discussion as well.
> >
> > [1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
> >
> > Regards,
> > ojaswin
> >>
> >>
> >> > +
> >> > err = jbd2_journal_destroy(journal);
> >> > sbi->s_journal = NULL;
> >> >
> >> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> >> > index 8ad664d47806..31552cf0519a 100644
> >> > --- a/fs/ext4/super.c
> >> > +++ b/fs/ext4/super.c
> >> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> >> > * constraints, it may not be safe to do it right here so we
> >> > * defer superblock flushing to a workqueue.
> >> > */
> >> > - if (continue_fs && journal)
> >> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> >> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> >> > else
> >> > ext4_commit_super(sb);
> >> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> >> > spin_lock_init(&sbi->s_error_lock);
> >> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >> >
> >> > + sbi->s_journal_destorying = false;
> >> > +
> >> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> >> > if (err)
> >> > goto failed_mount3;
> >> > --
> >> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
2025-03-08 13:07 ` Ojaswin Mujoo
@ 2025-03-08 15:21 ` Ojaswin Mujoo
2025-03-10 3:10 ` Baokun Li
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-08 15:21 UTC (permalink / raw)
To: Baokun Li
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On Sat, Mar 08, 2025 at 06:37:41PM +0530, Ojaswin Mujoo wrote:
> On Sat, Mar 08, 2025 at 09:09:28AM +0800, Baokun Li wrote:
> > On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > > ** Changes since v1 [1] **
> > >
> > > * Picked up RVBs from Jan and Ritesh
> > > * In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
> > > to determine when to journal sb vs when to commit directly.
> > > * Added a prep patch 1/3
> > >
> > > [1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
> > >
> > > @Baokun, I didn't get a chance to look into the journal_inode
> > > modifications we were discussing in [2]. I'll try to spend some time and
> > > send that as a separate patch. Hope that's okay
> > >
> > > [2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
> > That's fine, it's not a priority. And if this patch set makes sure we
> > don't crash when things go wrong, I'm okay with leaving it as is.
> >
> > It's possible that jbd2_journal_commit_transaction() could call
> > ext4_handle_error() in other places as the code evolves. Fixing known
> > problems and protecting against potential ones is always a good thing.
>
> Yep thats true, I did spend some time on this since the codepath was a
> bit unfamiliar to me. Seems like a straighforward enough change. I'll
> add it to the next patch.
>
> thanks,
> ojaswin
Hey Baokun,
So while coding this up, I started looking at some codepaths and it got
me wondering when can we actually change the sbi->s_es->s_journal_inum
(or sbi->s_sbh) from the time it gets populated to the umount time?
Since the sbi->s_sbh buffer head is always in memory and never reclaimed
due the elevated reference, the only way to modify it should be if we
modify the memory page somehow. Or is there some codepath/tooling magic
I'm missing that can modify this value?
Regards,
ojaswin
> >
> >
> > Cheers,
> > Baokun
> > > ** Original Cover **
> > >
> > > When running LTP stress tests on ext4, after a multiday run we seemed to
> > > have hit the following BUG_ON:
> > >
> > > [NIP : start_this_handle+268]
> > > #3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
> > > #4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
> > > #5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
> > > #6 [c000001067c27c70] process_one_work at c000000000188790
> > > #7 [c000001067c27d20] worker_thread at c00000000018973c
> > > #8 [c000001067c27dc0] kthread at c000000000196c84
> > > #9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
> > >
> > > Which comes out to
> > >
> > > 382 repeat:
> > > 383 read_lock(&journal->j_state_lock);
> > > * 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
> > > 385 if (is_journal_aborted(journal) ||
> > > 386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
> > > 387 read_unlock(&journal->j_state_lock);
> > >
> > >
> > > Initially this seemed like it should never happen but upon crash
> > > analysis it seems like it could indeed be hit as described in patch 1/2.
> > >
> > > I would like to add that through the logs we only knew that:
> > >
> > > - ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
> > > - update_super_work had hit the BUG_ON
> > >
> > > I was not able to hit this bug again (without modifying the kernel to
> > > inject errors) but the above backtrace seems to be one possible paths
> > > where this BUG_ON can be hit. Rest of the analysis and fix is in patch
> > > 2/3. Patch 3 is just a small tweak that i found helpful while debugging.
> > >
> > > That being said, journalling is something I'm not very familiar with and
> > > there might be gaps in my understanding so thoughts and suggestions are
> > > welcome.
> > >
> > > Ojaswin Mujoo (3):
> > > ext4: define ext4_journal_destroy wrapper
> > > ext4: avoid journaling sb update on error if journal is destroying
> > > ext4: Make sb update interval tunable
> > >
> > > fs/ext4/ext4.h | 11 +++++++++++
> > > fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
> > > fs/ext4/super.c | 35 +++++++++++++++++------------------
> > > fs/ext4/sysfs.c | 4 ++++
> > > 4 files changed, 54 insertions(+), 18 deletions(-)
> > >
> >
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 14:58 ` Ojaswin Mujoo
@ 2025-03-08 18:41 ` Ritesh Harjani
2025-03-09 12:07 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Ritesh Harjani @ 2025-03-08 18:41 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>
>> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
>> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>> >>
>> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
>> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>> >> > stress tests, it was observed that in case of some error handling paths, it is
>> >> > possible for update_super_work to start a transaction after the journal is
>> >> > destroyed eg:
>> >> >
>> >> > (umount)
>> >> > ext4_kill_sb
>> >> > kill_block_super
>> >> > generic_shutdown_super
>> >> > sync_filesystem /* commits all txns */
>> >> > evict_inodes
>> >> > /* might start a new txn */
>> >> > ext4_put_super
>> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>> >> > jbd2_journal_destroy
>> >> > journal_kill_thread
>> >> > journal->j_flags |= JBD2_UNMOUNT;
>> >> > jbd2_journal_commit_transaction
>> >> > jbd2_journal_get_descriptor_buffer
>> >> > jbd2_journal_bmap
>> >> > ext4_journal_bmap
>> >> > ext4_map_blocks
>> >> > ...
>> >> > ext4_inode_error
>> >> > ext4_handle_error
>> >> > schedule_work(&sbi->s_sb_upd_work)
>> >> >
>> >> > /* work queue kicks in */
>> >> > update_super_work
>> >> > jbd2_journal_start
>> >> > start_this_handle
>> >> > BUG_ON(journal->j_flags &
>> >> > JBD2_UNMOUNT)
>> >> >
>> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
>> >> > set. Otherwise, just fallback to an un-journaled commit.
>> >> >
>> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
>> >> > during ext4_put_super() (except a running transaction that will get commited
>> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>> >> > outside the journal as it won't race with a journaled update (refer
>> >> > 2d01ddc86606).
>> >> >
>> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
>> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
>> >> >
>> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>> >> > Suggested-by: Jan Kara <jack@suse.cz>
>> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>> >> > ---
>> >> > fs/ext4/ext4.h | 2 ++
>> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
>> >> > fs/ext4/super.c | 4 +++-
>> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
>> >> >
>> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>> >> > index 2b7d781bfcad..d48e93bd5690 100644
>> >> > --- a/fs/ext4/ext4.h
>> >> > +++ b/fs/ext4/ext4.h
>> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>> >> > */
>> >> > struct work_struct s_sb_upd_work;
>> >> >
>> >> > + bool s_journal_destorying;
>> >> > +
>> >> > /* Atomic write unit values in bytes */
>> >> > unsigned int s_awu_min;
>> >> > unsigned int s_awu_max;
>> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>> >> > index 9b3c9df02a39..6bd3ca84410d 100644
>> >> > --- a/fs/ext4/ext4_jbd2.h
>> >> > +++ b/fs/ext4/ext4_jbd2.h
>> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>> >> > {
>> >> > int err = 0;
>> >> >
>> >> > + /*
>> >> > + * At this point all pending FS updates should be done except a possible
>> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
>> >> > + * is now safe for any new errors to directly commit superblock rather
>> >> > + * than going via journal.
>> >> > + */
>> >> > + sbi->s_journal_destorying = true;
>> >>
>> >> This is not correct right. I think what we decided to set this flag
>> >> before we flush the workqueue. So that we don't schedule any new
>> >> work after this flag has been set. At least that is what I understood.
>> >>
>> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>> >>
>> >> -ritesh
>> >
>> > Hey Ritesh,
>> >
>> > Yes that is not correct, I missed that in my patch however we realised
>> > that adding it before flush_work() also has issues [1]. More
>> > specifically:
>>
>> Ohk. right.
>>
>> >
>> > **kjournald2**
>> > jbd2_journal_commit_transaction()
>> > ...
>> > ext4_handle_error()
>> > /* s_journal_destorying is not set */
>> > if (journal && !s_journal_destorying)
>>
>> Then maybe we should not schedule another work to update the superblock
>> via journalling, it the error itself occurred while were trying to
>> commit the journal txn?
>>
>>
>> -ritesh
>
> Hmm, ideally yes that should not happen, but how can we achieve that?
> For example with the trace we saw:
>
> **kjournald2**
> jbd2_journal_commit_transaction()
> jbd2_journal_get_descriptor_buffer
> jbd2_journal_bmap
> ext4_journal_bmap
> ext4_map_blocks
> ...
> ext4_inode_error
> ext4_handle_error
> schedule_work(&sbi->s_sb_upd_work)
>
> How do we tell ext4_handle_error that it is in the context of a
> committing txn.
So even if we identify that the current
jbd2_journal_commit_transaction() is coming from kjournald2(), that is
sufficient right? Because the only other place where we call
jbd2_journal_commit_transaction() is jbd2_journal_destroy() and that
happens after we can set few things from ext4_put_super() and flush work
is completed, correct?
> We can't pass down an argument all the way down
> cause that is not feasible. An sb level flag will also not work
> I think. Any thoughts on this?
I was thinking if we should have a per task flag? Something like
PF_KJOURNALD? (Similar to how we have PF_KSWAPD or PF_KCOMPACTD)? This
can help us identify if we are a kjournald2() kthread.
That will help prevent scheduling another work item to start a new
transaction in case an error occurs while committing the currently
running transaction. Correct?
Now I don't know if we have any free bit available in current->flags. If
not shall we use current->journal_info pointer to have 0th bit as a
flag? Basically override current->journal_info to also store a flag. We
can create a wrapper to get the journal_info from current by masking
this flag bit and use it to dereference journal_info.
But before going down that road, it's better to know what others think?
-ritesh
>
> regards,
> ojaswin
>
>>
>>
>> > ext4_put_super()
>> > sbi->s_journal_destorying = true;
>> > flush_work(&sbi->s_sb_upd_work)
>> > schedule_work()
>> > jbd2_journal_destroy()
>> > journal->j_flags |= JBD2_UNMOUNT;
>> >
>> > jbd2_journal_start()
>> > start_this_handle()
>> > BUG_ON(JBD2_UNMOUNT)
>> >
>> > So the right thing to do seems to be that we need to force a journal
>> > commit before the final flush as well. [1] Has more info on this and
>> > some followup discussion as well.
>> >
>> > [1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
>> >
>> > Regards,
>> > ojaswin
>> >>
>> >>
>> >> > +
>> >> > err = jbd2_journal_destroy(journal);
>> >> > sbi->s_journal = NULL;
>> >> >
>> >> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>> >> > index 8ad664d47806..31552cf0519a 100644
>> >> > --- a/fs/ext4/super.c
>> >> > +++ b/fs/ext4/super.c
>> >> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
>> >> > * constraints, it may not be safe to do it right here so we
>> >> > * defer superblock flushing to a workqueue.
>> >> > */
>> >> > - if (continue_fs && journal)
>> >> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
>> >> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
>> >> > else
>> >> > ext4_commit_super(sb);
>> >> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
>> >> > spin_lock_init(&sbi->s_error_lock);
>> >> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>> >> >
>> >> > + sbi->s_journal_destorying = false;
>> >> > +
>> >> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
>> >> > if (err)
>> >> > goto failed_mount3;
>> >> > --
>> >> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-08 18:41 ` Ritesh Harjani
@ 2025-03-09 12:07 ` Ojaswin Mujoo
2025-03-10 4:43 ` Ritesh Harjani
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-09 12:07 UTC (permalink / raw)
To: Ritesh Harjani
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>
> > On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >>
> >> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >> >>
> >> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> >> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >> >> > stress tests, it was observed that in case of some error handling paths, it is
> >> >> > possible for update_super_work to start a transaction after the journal is
> >> >> > destroyed eg:
> >> >> >
> >> >> > (umount)
> >> >> > ext4_kill_sb
> >> >> > kill_block_super
> >> >> > generic_shutdown_super
> >> >> > sync_filesystem /* commits all txns */
> >> >> > evict_inodes
> >> >> > /* might start a new txn */
> >> >> > ext4_put_super
> >> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >> >> > jbd2_journal_destroy
> >> >> > journal_kill_thread
> >> >> > journal->j_flags |= JBD2_UNMOUNT;
> >> >> > jbd2_journal_commit_transaction
> >> >> > jbd2_journal_get_descriptor_buffer
> >> >> > jbd2_journal_bmap
> >> >> > ext4_journal_bmap
> >> >> > ext4_map_blocks
> >> >> > ...
> >> >> > ext4_inode_error
> >> >> > ext4_handle_error
> >> >> > schedule_work(&sbi->s_sb_upd_work)
> >> >> >
> >> >> > /* work queue kicks in */
> >> >> > update_super_work
> >> >> > jbd2_journal_start
> >> >> > start_this_handle
> >> >> > BUG_ON(journal->j_flags &
> >> >> > JBD2_UNMOUNT)
> >> >> >
> >> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
> >> >> > set. Otherwise, just fallback to an un-journaled commit.
> >> >> >
> >> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> >> >> > during ext4_put_super() (except a running transaction that will get commited
> >> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >> >> > outside the journal as it won't race with a journaled update (refer
> >> >> > 2d01ddc86606).
> >> >> >
> >> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >> >> >
> >> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >> >> > Suggested-by: Jan Kara <jack@suse.cz>
> >> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >> >> > ---
> >> >> > fs/ext4/ext4.h | 2 ++
> >> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> >> >> > fs/ext4/super.c | 4 +++-
> >> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >> >> >
> >> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >> >> > index 2b7d781bfcad..d48e93bd5690 100644
> >> >> > --- a/fs/ext4/ext4.h
> >> >> > +++ b/fs/ext4/ext4.h
> >> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >> >> > */
> >> >> > struct work_struct s_sb_upd_work;
> >> >> >
> >> >> > + bool s_journal_destorying;
> >> >> > +
> >> >> > /* Atomic write unit values in bytes */
> >> >> > unsigned int s_awu_min;
> >> >> > unsigned int s_awu_max;
> >> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >> >> > index 9b3c9df02a39..6bd3ca84410d 100644
> >> >> > --- a/fs/ext4/ext4_jbd2.h
> >> >> > +++ b/fs/ext4/ext4_jbd2.h
> >> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >> >> > {
> >> >> > int err = 0;
> >> >> >
> >> >> > + /*
> >> >> > + * At this point all pending FS updates should be done except a possible
> >> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
> >> >> > + * is now safe for any new errors to directly commit superblock rather
> >> >> > + * than going via journal.
> >> >> > + */
> >> >> > + sbi->s_journal_destorying = true;
> >> >>
> >> >> This is not correct right. I think what we decided to set this flag
> >> >> before we flush the workqueue. So that we don't schedule any new
> >> >> work after this flag has been set. At least that is what I understood.
> >> >>
> >> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
> >> >>
> >> >> -ritesh
> >> >
> >> > Hey Ritesh,
> >> >
> >> > Yes that is not correct, I missed that in my patch however we realised
> >> > that adding it before flush_work() also has issues [1]. More
> >> > specifically:
> >>
> >> Ohk. right.
> >>
> >> >
> >> > **kjournald2**
> >> > jbd2_journal_commit_transaction()
> >> > ...
> >> > ext4_handle_error()
> >> > /* s_journal_destorying is not set */
> >> > if (journal && !s_journal_destorying)
> >>
> >> Then maybe we should not schedule another work to update the superblock
> >> via journalling, it the error itself occurred while were trying to
> >> commit the journal txn?
> >>
> >>
> >> -ritesh
> >
> > Hmm, ideally yes that should not happen, but how can we achieve that?
> > For example with the trace we saw:
> >
> > **kjournald2**
> > jbd2_journal_commit_transaction()
> > jbd2_journal_get_descriptor_buffer
> > jbd2_journal_bmap
> > ext4_journal_bmap
> > ext4_map_blocks
> > ...
> > ext4_inode_error
> > ext4_handle_error
> > schedule_work(&sbi->s_sb_upd_work)
> >
> > How do we tell ext4_handle_error that it is in the context of a
> > committing txn.
>
> So even if we identify that the current
> jbd2_journal_commit_transaction() is coming from kjournald2(), that is
> sufficient right? Because the only other place where we call
> jbd2_journal_commit_transaction() is jbd2_journal_destroy() and that
> happens after we can set few things from ext4_put_super() and flush work
> is completed, correct?
>
>
> > We can't pass down an argument all the way down
> > cause that is not feasible. An sb level flag will also not work
> > I think. Any thoughts on this?
>
> I was thinking if we should have a per task flag? Something like
> PF_KJOURNALD? (Similar to how we have PF_KSWAPD or PF_KCOMPACTD)? This
> can help us identify if we are a kjournald2() kthread.
>
> That will help prevent scheduling another work item to start a new
> transaction in case an error occurs while committing the currently
> running transaction. Correct?
Yes, I like this approach. I think this will also help us avoid the
extra checks in ext4_journal_destroy() since the journal will no longer
schecule work for updating the sb. Hence we can be sure that after the
final flush_work() noone will try to schedule more work or start a new
transaction.
I'll try to spin up a poc and test it. Does seem like we are out of flags in
task struct though.
Regards,
ojaswin
>
> Now I don't know if we have any free bit available in current->flags. If
> not shall we use current->journal_info pointer to have 0th bit as a
> flag? Basically override current->journal_info to also store a flag. We
> can create a wrapper to get the journal_info from current by masking
> this flag bit and use it to dereference journal_info.
Hmm so journal_info will be holding a kernel address of the handle. Is
it possible to have it share a flag as well? I thought the address would
utilize the full 64bits?
Regards,
ojaswin
>
> But before going down that road, it's better to know what others think?
>
> -ritesh
>
>
> >
> > regards,
> > ojaswin
> >
> >>
> >>
> >> > ext4_put_super()
> >> > sbi->s_journal_destorying = true;
> >> > flush_work(&sbi->s_sb_upd_work)
> >> > schedule_work()
> >> > jbd2_journal_destroy()
> >> > journal->j_flags |= JBD2_UNMOUNT;
> >> >
> >> > jbd2_journal_start()
> >> > start_this_handle()
> >> > BUG_ON(JBD2_UNMOUNT)
> >> >
> >> > So the right thing to do seems to be that we need to force a journal
> >> > commit before the final flush as well. [1] Has more info on this and
> >> > some followup discussion as well.
> >> >
> >> > [1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
> >> >
> >> > Regards,
> >> > ojaswin
> >> >>
> >> >>
> >> >> > +
> >> >> > err = jbd2_journal_destroy(journal);
> >> >> > sbi->s_journal = NULL;
> >> >> >
> >> >> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> >> >> > index 8ad664d47806..31552cf0519a 100644
> >> >> > --- a/fs/ext4/super.c
> >> >> > +++ b/fs/ext4/super.c
> >> >> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
> >> >> > * constraints, it may not be safe to do it right here so we
> >> >> > * defer superblock flushing to a workqueue.
> >> >> > */
> >> >> > - if (continue_fs && journal)
> >> >> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
> >> >> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> >> >> > else
> >> >> > ext4_commit_super(sb);
> >> >> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
> >> >> > spin_lock_init(&sbi->s_error_lock);
> >> >> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
> >> >> >
> >> >> > + sbi->s_journal_destorying = false;
> >> >> > +
> >> >> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
> >> >> > if (err)
> >> >> > goto failed_mount3;
> >> >> > --
> >> >> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
2025-03-08 15:21 ` Ojaswin Mujoo
@ 2025-03-10 3:10 ` Baokun Li
2025-03-10 7:59 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Baokun Li @ 2025-03-10 3:10 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On 2025/3/8 23:21, Ojaswin Mujoo wrote:
> On Sat, Mar 08, 2025 at 06:37:41PM +0530, Ojaswin Mujoo wrote:
>> On Sat, Mar 08, 2025 at 09:09:28AM +0800, Baokun Li wrote:
>>> On 2025/3/6 22:28, Ojaswin Mujoo wrote:
>>>> ** Changes since v1 [1] **
>>>>
>>>> * Picked up RVBs from Jan and Ritesh
>>>> * In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
>>>> to determine when to journal sb vs when to commit directly.
>>>> * Added a prep patch 1/3
>>>>
>>>> [1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
>>>>
>>>> @Baokun, I didn't get a chance to look into the journal_inode
>>>> modifications we were discussing in [2]. I'll try to spend some time and
>>>> send that as a separate patch. Hope that's okay
>>>>
>>>> [2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
>>> That's fine, it's not a priority. And if this patch set makes sure we
>>> don't crash when things go wrong, I'm okay with leaving it as is.
>>>
>>> It's possible that jbd2_journal_commit_transaction() could call
>>> ext4_handle_error() in other places as the code evolves. Fixing known
>>> problems and protecting against potential ones is always a good thing.
>> Yep thats true, I did spend some time on this since the codepath was a
>> bit unfamiliar to me. Seems like a straighforward enough change. I'll
>> add it to the next patch.
>>
>> thanks,
>> ojaswin
> Hey Baokun,
>
> So while coding this up, I started looking at some codepaths and it got
> me wondering when can we actually change the sbi->s_es->s_journal_inum
> (or sbi->s_sbh) from the time it gets populated to the umount time?
>
> Since the sbi->s_sbh buffer head is always in memory and never reclaimed
> due the elevated reference, the only way to modify it should be if we
> modify the memory page somehow. Or is there some codepath/tooling magic
> I'm missing that can modify this value?
For the ext4 file system, s_journal_inum is fixed after mkfs and is not
expected to be modified. However, the sbi->s_sbh buffer head belongs to
the block device, so direct write operations to the file system's block
device /dev/xxx may directly modify sbi->s_sbh.
For example, you can use the following script to trigger a journal bmap
failure:
mkfs.ext4 -F /dev/sda
mount /dev/sda /tmp/test
dd if=/dev/zero of=/dev/sda bs=4096 count=1
echo 1 > /tmp/test/file
umount /tmp/test
(Adding a delay in put_super and performing the script during the delay
can trigger the issue described in the patch.)
Cheers,
Baokun
>
> Regards,
> ojaswin
>>>
>>> Cheers,
>>> Baokun
>>>> ** Original Cover **
>>>>
>>>> When running LTP stress tests on ext4, after a multiday run we seemed to
>>>> have hit the following BUG_ON:
>>>>
>>>> [NIP : start_this_handle+268]
>>>> #3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
>>>> #4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
>>>> #5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
>>>> #6 [c000001067c27c70] process_one_work at c000000000188790
>>>> #7 [c000001067c27d20] worker_thread at c00000000018973c
>>>> #8 [c000001067c27dc0] kthread at c000000000196c84
>>>> #9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
>>>>
>>>> Which comes out to
>>>>
>>>> 382 repeat:
>>>> 383 read_lock(&journal->j_state_lock);
>>>> * 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
>>>> 385 if (is_journal_aborted(journal) ||
>>>> 386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
>>>> 387 read_unlock(&journal->j_state_lock);
>>>>
>>>>
>>>> Initially this seemed like it should never happen but upon crash
>>>> analysis it seems like it could indeed be hit as described in patch 1/2.
>>>>
>>>> I would like to add that through the logs we only knew that:
>>>>
>>>> - ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
>>>> - update_super_work had hit the BUG_ON
>>>>
>>>> I was not able to hit this bug again (without modifying the kernel to
>>>> inject errors) but the above backtrace seems to be one possible paths
>>>> where this BUG_ON can be hit. Rest of the analysis and fix is in patch
>>>> 2/3. Patch 3 is just a small tweak that i found helpful while debugging.
>>>>
>>>> That being said, journalling is something I'm not very familiar with and
>>>> there might be gaps in my understanding so thoughts and suggestions are
>>>> welcome.
>>>>
>>>> Ojaswin Mujoo (3):
>>>> ext4: define ext4_journal_destroy wrapper
>>>> ext4: avoid journaling sb update on error if journal is destroying
>>>> ext4: Make sb update interval tunable
>>>>
>>>> fs/ext4/ext4.h | 11 +++++++++++
>>>> fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
>>>> fs/ext4/super.c | 35 +++++++++++++++++------------------
>>>> fs/ext4/sysfs.c | 4 ++++
>>>> 4 files changed, 54 insertions(+), 18 deletions(-)
>>>>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-09 12:07 ` Ojaswin Mujoo
@ 2025-03-10 4:43 ` Ritesh Harjani
2025-03-12 10:51 ` Jan Kara
0 siblings, 1 reply; 41+ messages in thread
From: Ritesh Harjani @ 2025-03-10 4:43 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>
>> > On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
>> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>> >>
>> >> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
>> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>> >> >>
>> >> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
>> >> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>> >> >> > stress tests, it was observed that in case of some error handling paths, it is
>> >> >> > possible for update_super_work to start a transaction after the journal is
>> >> >> > destroyed eg:
>> >> >> >
>> >> >> > (umount)
>> >> >> > ext4_kill_sb
>> >> >> > kill_block_super
>> >> >> > generic_shutdown_super
>> >> >> > sync_filesystem /* commits all txns */
>> >> >> > evict_inodes
>> >> >> > /* might start a new txn */
>> >> >> > ext4_put_super
>> >> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>> >> >> > jbd2_journal_destroy
>> >> >> > journal_kill_thread
>> >> >> > journal->j_flags |= JBD2_UNMOUNT;
>> >> >> > jbd2_journal_commit_transaction
>> >> >> > jbd2_journal_get_descriptor_buffer
>> >> >> > jbd2_journal_bmap
>> >> >> > ext4_journal_bmap
>> >> >> > ext4_map_blocks
>> >> >> > ...
>> >> >> > ext4_inode_error
>> >> >> > ext4_handle_error
>> >> >> > schedule_work(&sbi->s_sb_upd_work)
>> >> >> >
>> >> >> > /* work queue kicks in */
>> >> >> > update_super_work
>> >> >> > jbd2_journal_start
>> >> >> > start_this_handle
>> >> >> > BUG_ON(journal->j_flags &
>> >> >> > JBD2_UNMOUNT)
>> >> >> >
>> >> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>> >> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
>> >> >> > set. Otherwise, just fallback to an un-journaled commit.
>> >> >> >
>> >> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
>> >> >> > during ext4_put_super() (except a running transaction that will get commited
>> >> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>> >> >> > outside the journal as it won't race with a journaled update (refer
>> >> >> > 2d01ddc86606).
>> >> >> >
>> >> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
>> >> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
>> >> >> >
>> >> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>> >> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>> >> >> > Suggested-by: Jan Kara <jack@suse.cz>
>> >> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>> >> >> > ---
>> >> >> > fs/ext4/ext4.h | 2 ++
>> >> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
>> >> >> > fs/ext4/super.c | 4 +++-
>> >> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
>> >> >> >
>> >> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>> >> >> > index 2b7d781bfcad..d48e93bd5690 100644
>> >> >> > --- a/fs/ext4/ext4.h
>> >> >> > +++ b/fs/ext4/ext4.h
>> >> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>> >> >> > */
>> >> >> > struct work_struct s_sb_upd_work;
>> >> >> >
>> >> >> > + bool s_journal_destorying;
>> >> >> > +
>> >> >> > /* Atomic write unit values in bytes */
>> >> >> > unsigned int s_awu_min;
>> >> >> > unsigned int s_awu_max;
>> >> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>> >> >> > index 9b3c9df02a39..6bd3ca84410d 100644
>> >> >> > --- a/fs/ext4/ext4_jbd2.h
>> >> >> > +++ b/fs/ext4/ext4_jbd2.h
>> >> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>> >> >> > {
>> >> >> > int err = 0;
>> >> >> >
>> >> >> > + /*
>> >> >> > + * At this point all pending FS updates should be done except a possible
>> >> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
>> >> >> > + * is now safe for any new errors to directly commit superblock rather
>> >> >> > + * than going via journal.
>> >> >> > + */
>> >> >> > + sbi->s_journal_destorying = true;
>> >> >>
>> >> >> This is not correct right. I think what we decided to set this flag
>> >> >> before we flush the workqueue. So that we don't schedule any new
>> >> >> work after this flag has been set. At least that is what I understood.
>> >> >>
>> >> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>> >> >>
>> >> >> -ritesh
>> >> >
>> >> > Hey Ritesh,
>> >> >
>> >> > Yes that is not correct, I missed that in my patch however we realised
>> >> > that adding it before flush_work() also has issues [1]. More
>> >> > specifically:
>> >>
>> >> Ohk. right.
>> >>
>> >> >
>> >> > **kjournald2**
>> >> > jbd2_journal_commit_transaction()
>> >> > ...
>> >> > ext4_handle_error()
>> >> > /* s_journal_destorying is not set */
>> >> > if (journal && !s_journal_destorying)
>> >>
>> >> Then maybe we should not schedule another work to update the superblock
>> >> via journalling, it the error itself occurred while were trying to
>> >> commit the journal txn?
>> >>
>> >>
>> >> -ritesh
>> >
>> > Hmm, ideally yes that should not happen, but how can we achieve that?
>> > For example with the trace we saw:
>> >
>> > **kjournald2**
>> > jbd2_journal_commit_transaction()
>> > jbd2_journal_get_descriptor_buffer
>> > jbd2_journal_bmap
>> > ext4_journal_bmap
>> > ext4_map_blocks
>> > ...
>> > ext4_inode_error
>> > ext4_handle_error
>> > schedule_work(&sbi->s_sb_upd_work)
>> >
>> > How do we tell ext4_handle_error that it is in the context of a
>> > committing txn.
>>
>> So even if we identify that the current
>> jbd2_journal_commit_transaction() is coming from kjournald2(), that is
>> sufficient right? Because the only other place where we call
>> jbd2_journal_commit_transaction() is jbd2_journal_destroy() and that
>> happens after we can set few things from ext4_put_super() and flush work
>> is completed, correct?
>>
>>
>> > We can't pass down an argument all the way down
>> > cause that is not feasible. An sb level flag will also not work
>> > I think. Any thoughts on this?
>>
>> I was thinking if we should have a per task flag? Something like
>> PF_KJOURNALD? (Similar to how we have PF_KSWAPD or PF_KCOMPACTD)? This
>> can help us identify if we are a kjournald2() kthread.
>>
>> That will help prevent scheduling another work item to start a new
>> transaction in case an error occurs while committing the currently
>> running transaction. Correct?
>
> Yes, I like this approach. I think this will also help us avoid the
> extra checks in ext4_journal_destroy() since the journal will no longer
> schecule work for updating the sb. Hence we can be sure that after the
> final flush_work() noone will try to schedule more work or start a new
> transaction.
>
> I'll try to spin up a poc and test it. Does seem like we are out of flags in
> task struct though.
>
> Regards,
> ojaswin
>
>>
>> Now I don't know if we have any free bit available in current->flags. If
>> not shall we use current->journal_info pointer to have 0th bit as a
>> flag? Basically override current->journal_info to also store a flag. We
>> can create a wrapper to get the journal_info from current by masking
>> this flag bit and use it to dereference journal_info.
>
> Hmm so journal_info will be holding a kernel address of the handle. Is
> it possible to have it share a flag as well? I thought the address would
> utilize the full 64bits?
What I meant here was -
In general I assume we should be able to play some tricks with a pointer
which at least should be 4 byte aligned. So we can save some flag bits in
the lower bits of a pointer. For e.g. check struct address_space &
PAGE_MAPPING_FLAGS. There maybe few other examples too.
-ritesh
>
> Regards,
> ojaswin
>
>>
>> But before going down that road, it's better to know what others think?
>>
>> -ritesh
>>
>>
>> >
>> > regards,
>> > ojaswin
>> >
>> >>
>> >>
>> >> > ext4_put_super()
>> >> > sbi->s_journal_destorying = true;
>> >> > flush_work(&sbi->s_sb_upd_work)
>> >> > schedule_work()
>> >> > jbd2_journal_destroy()
>> >> > journal->j_flags |= JBD2_UNMOUNT;
>> >> >
>> >> > jbd2_journal_start()
>> >> > start_this_handle()
>> >> > BUG_ON(JBD2_UNMOUNT)
>> >> >
>> >> > So the right thing to do seems to be that we need to force a journal
>> >> > commit before the final flush as well. [1] Has more info on this and
>> >> > some followup discussion as well.
>> >> >
>> >> > [1] https://lore.kernel.org/all/cover.1741270780.git.ojaswin@linux.ibm.com/T/#mc8046d47b357665bdbd2878c91e51eb660f94b3e
>> >> >
>> >> > Regards,
>> >> > ojaswin
>> >> >>
>> >> >>
>> >> >> > +
>> >> >> > err = jbd2_journal_destroy(journal);
>> >> >> > sbi->s_journal = NULL;
>> >> >> >
>> >> >> > diff --git a/fs/ext4/super.c b/fs/ext4/super.c
>> >> >> > index 8ad664d47806..31552cf0519a 100644
>> >> >> > --- a/fs/ext4/super.c
>> >> >> > +++ b/fs/ext4/super.c
>> >> >> > @@ -706,7 +706,7 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
>> >> >> > * constraints, it may not be safe to do it right here so we
>> >> >> > * defer superblock flushing to a workqueue.
>> >> >> > */
>> >> >> > - if (continue_fs && journal)
>> >> >> > + if (continue_fs && journal && !EXT4_SB(sb)->s_journal_destorying)
>> >> >> > schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
>> >> >> > else
>> >> >> > ext4_commit_super(sb);
>> >> >> > @@ -5311,6 +5311,8 @@ static int __ext4_fill_super(struct fs_context *fc, struct super_block *sb)
>> >> >> > spin_lock_init(&sbi->s_error_lock);
>> >> >> > INIT_WORK(&sbi->s_sb_upd_work, update_super_work);
>> >> >> >
>> >> >> > + sbi->s_journal_destorying = false;
>> >> >> > +
>> >> >> > err = ext4_group_desc_init(sb, es, logical_sb_block, &first_not_zeroed);
>> >> >> > if (err)
>> >> >> > goto failed_mount3;
>> >> >> > --
>> >> >> > 2.48.1
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle
2025-03-10 3:10 ` Baokun Li
@ 2025-03-10 7:59 ` Ojaswin Mujoo
0 siblings, 0 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-10 7:59 UTC (permalink / raw)
To: Baokun Li
Cc: linux-ext4, Theodore Ts'o, Jan Kara, linux-kernel, Yang Erkun
On Mon, Mar 10, 2025 at 11:10:26AM +0800, Baokun Li wrote:
> On 2025/3/8 23:21, Ojaswin Mujoo wrote:
> > On Sat, Mar 08, 2025 at 06:37:41PM +0530, Ojaswin Mujoo wrote:
> > > On Sat, Mar 08, 2025 at 09:09:28AM +0800, Baokun Li wrote:
> > > > On 2025/3/6 22:28, Ojaswin Mujoo wrote:
> > > > > ** Changes since v1 [1] **
> > > > >
> > > > > * Picked up RVBs from Jan and Ritesh
> > > > > * In patch 2/3, we now use a flag in sbi instead of SB_ACITVE
> > > > > to determine when to journal sb vs when to commit directly.
> > > > > * Added a prep patch 1/3
> > > > >
> > > > > [1] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#m5e659425b8c8fe2ac01e7242b77fed315ff89db4
> > > > >
> > > > > @Baokun, I didn't get a chance to look into the journal_inode
> > > > > modifications we were discussing in [2]. I'll try to spend some time and
> > > > > send that as a separate patch. Hope that's okay
> > > > >
> > > > > [2] https://lore.kernel.org/linux-ext4/cover.1740212945.git.ojaswin@linux.ibm.com/T/#mad8feb44d9b6ddadf87830b92caa7b78d902dc05
> > > > That's fine, it's not a priority. And if this patch set makes sure we
> > > > don't crash when things go wrong, I'm okay with leaving it as is.
> > > >
> > > > It's possible that jbd2_journal_commit_transaction() could call
> > > > ext4_handle_error() in other places as the code evolves. Fixing known
> > > > problems and protecting against potential ones is always a good thing.
> > > Yep thats true, I did spend some time on this since the codepath was a
> > > bit unfamiliar to me. Seems like a straighforward enough change. I'll
> > > add it to the next patch.
> > >
> > > thanks,
> > > ojaswin
> > Hey Baokun,
> >
> > So while coding this up, I started looking at some codepaths and it got
> > me wondering when can we actually change the sbi->s_es->s_journal_inum
> > (or sbi->s_sbh) from the time it gets populated to the umount time?
> >
> > Since the sbi->s_sbh buffer head is always in memory and never reclaimed
> > due the elevated reference, the only way to modify it should be if we
> > modify the memory page somehow. Or is there some codepath/tooling magic
> > I'm missing that can modify this value?
> For the ext4 file system, s_journal_inum is fixed after mkfs and is not
> expected to be modified. However, the sbi->s_sbh buffer head belongs to
> the block device, so direct write operations to the file system's block
> device /dev/xxx may directly modify sbi->s_sbh.
Right got it, now I get the full picture of the change you are
suggesting. Thanks Baokun, I'll do that in next revision.
Regards,
ojaswin
>
> For example, you can use the following script to trigger a journal bmap
> failure:
>
> mkfs.ext4 -F /dev/sda
> mount /dev/sda /tmp/test
> dd if=/dev/zero of=/dev/sda bs=4096 count=1
> echo 1 > /tmp/test/file
> umount /tmp/test
>
> (Adding a delay in put_super and performing the script during the delay
> can trigger the issue described in the patch.)
>
>
> Cheers,
> Baokun
> >
> > Regards,
> > ojaswin
> > > >
> > > > Cheers,
> > > > Baokun
> > > > > ** Original Cover **
> > > > >
> > > > > When running LTP stress tests on ext4, after a multiday run we seemed to
> > > > > have hit the following BUG_ON:
> > > > >
> > > > > [NIP : start_this_handle+268]
> > > > > #3 [c000001067c27a40] start_this_handle at c008000004d40f74 [jbd2] (unreliable)
> > > > > #4 [c000001067c27b60] jbd2__journal_start at c008000004d415cc [jbd2]
> > > > > #5 [c000001067c27be0] update_super_work at c0080000053f9758 [ext4]
> > > > > #6 [c000001067c27c70] process_one_work at c000000000188790
> > > > > #7 [c000001067c27d20] worker_thread at c00000000018973c
> > > > > #8 [c000001067c27dc0] kthread at c000000000196c84
> > > > > #9 [c000001067c27e10] ret_from_kernel_thread at c00000000000cd64
> > > > >
> > > > > Which comes out to
> > > > >
> > > > > 382 repeat:
> > > > > 383 read_lock(&journal->j_state_lock);
> > > > > * 384 BUG_ON(journal->j_flags & JBD2_UNMOUNT);
> > > > > 385 if (is_journal_aborted(journal) ||
> > > > > 386 (journal->j_errno != 0 && !(journal->j_flags & JBD2_ACK_ERR))) {
> > > > > 387 read_unlock(&journal->j_state_lock);
> > > > >
> > > > >
> > > > > Initially this seemed like it should never happen but upon crash
> > > > > analysis it seems like it could indeed be hit as described in patch 1/2.
> > > > >
> > > > > I would like to add that through the logs we only knew that:
> > > > >
> > > > > - ext4_journal_bmap -> ext4_map_blocks is failing with EFSCORRUPTED.
> > > > > - update_super_work had hit the BUG_ON
> > > > >
> > > > > I was not able to hit this bug again (without modifying the kernel to
> > > > > inject errors) but the above backtrace seems to be one possible paths
> > > > > where this BUG_ON can be hit. Rest of the analysis and fix is in patch
> > > > > 2/3. Patch 3 is just a small tweak that i found helpful while debugging.
> > > > >
> > > > > That being said, journalling is something I'm not very familiar with and
> > > > > there might be gaps in my understanding so thoughts and suggestions are
> > > > > welcome.
> > > > >
> > > > > Ojaswin Mujoo (3):
> > > > > ext4: define ext4_journal_destroy wrapper
> > > > > ext4: avoid journaling sb update on error if journal is destroying
> > > > > ext4: Make sb update interval tunable
> > > > >
> > > > > fs/ext4/ext4.h | 11 +++++++++++
> > > > > fs/ext4/ext4_jbd2.h | 22 ++++++++++++++++++++++
> > > > > fs/ext4/super.c | 35 +++++++++++++++++------------------
> > > > > fs/ext4/sysfs.c | 4 ++++
> > > > > 4 files changed, 54 insertions(+), 18 deletions(-)
> > > > >
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-10 4:43 ` Ritesh Harjani
@ 2025-03-12 10:51 ` Jan Kara
2025-03-12 14:26 ` Ojaswin Mujoo
0 siblings, 1 reply; 41+ messages in thread
From: Jan Kara @ 2025-03-12 10:51 UTC (permalink / raw)
To: Ritesh Harjani
Cc: Ojaswin Mujoo, linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li,
linux-kernel, Mahesh Kumar
On Mon 10-03-25 10:13:36, Ritesh Harjani wrote:
> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >> > On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >> >> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> >> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> >> >> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> >> >> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> >> >> >> > stress tests, it was observed that in case of some error handling paths, it is
> >> >> >> > possible for update_super_work to start a transaction after the journal is
> >> >> >> > destroyed eg:
> >> >> >> >
> >> >> >> > (umount)
> >> >> >> > ext4_kill_sb
> >> >> >> > kill_block_super
> >> >> >> > generic_shutdown_super
> >> >> >> > sync_filesystem /* commits all txns */
> >> >> >> > evict_inodes
> >> >> >> > /* might start a new txn */
> >> >> >> > ext4_put_super
> >> >> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> >> >> >> > jbd2_journal_destroy
> >> >> >> > journal_kill_thread
> >> >> >> > journal->j_flags |= JBD2_UNMOUNT;
> >> >> >> > jbd2_journal_commit_transaction
> >> >> >> > jbd2_journal_get_descriptor_buffer
> >> >> >> > jbd2_journal_bmap
> >> >> >> > ext4_journal_bmap
> >> >> >> > ext4_map_blocks
> >> >> >> > ...
> >> >> >> > ext4_inode_error
> >> >> >> > ext4_handle_error
> >> >> >> > schedule_work(&sbi->s_sb_upd_work)
> >> >> >> >
> >> >> >> > /* work queue kicks in */
> >> >> >> > update_super_work
> >> >> >> > jbd2_journal_start
> >> >> >> > start_this_handle
> >> >> >> > BUG_ON(journal->j_flags &
> >> >> >> > JBD2_UNMOUNT)
> >> >> >> >
> >> >> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> >> >> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
> >> >> >> > set. Otherwise, just fallback to an un-journaled commit.
> >> >> >> >
> >> >> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> >> >> >> > during ext4_put_super() (except a running transaction that will get commited
> >> >> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> >> >> >> > outside the journal as it won't race with a journaled update (refer
> >> >> >> > 2d01ddc86606).
> >> >> >> >
> >> >> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> >> >> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
> >> >> >> >
> >> >> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> >> >> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> >> >> >> > Suggested-by: Jan Kara <jack@suse.cz>
> >> >> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> >> >> >> > ---
> >> >> >> > fs/ext4/ext4.h | 2 ++
> >> >> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> >> >> >> > fs/ext4/super.c | 4 +++-
> >> >> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
> >> >> >> >
> >> >> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> >> >> >> > index 2b7d781bfcad..d48e93bd5690 100644
> >> >> >> > --- a/fs/ext4/ext4.h
> >> >> >> > +++ b/fs/ext4/ext4.h
> >> >> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> >> >> >> > */
> >> >> >> > struct work_struct s_sb_upd_work;
> >> >> >> >
> >> >> >> > + bool s_journal_destorying;
> >> >> >> > +
> >> >> >> > /* Atomic write unit values in bytes */
> >> >> >> > unsigned int s_awu_min;
> >> >> >> > unsigned int s_awu_max;
> >> >> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> >> >> >> > index 9b3c9df02a39..6bd3ca84410d 100644
> >> >> >> > --- a/fs/ext4/ext4_jbd2.h
> >> >> >> > +++ b/fs/ext4/ext4_jbd2.h
> >> >> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> >> >> >> > {
> >> >> >> > int err = 0;
> >> >> >> >
> >> >> >> > + /*
> >> >> >> > + * At this point all pending FS updates should be done except a possible
> >> >> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
> >> >> >> > + * is now safe for any new errors to directly commit superblock rather
> >> >> >> > + * than going via journal.
> >> >> >> > + */
> >> >> >> > + sbi->s_journal_destorying = true;
> >> >> >>
> >> >> >> This is not correct right. I think what we decided to set this flag
> >> >> >> before we flush the workqueue. So that we don't schedule any new
> >> >> >> work after this flag has been set. At least that is what I understood.
> >> >> >>
> >> >> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
> >> >> >>
> >> >> >> -ritesh
> >> >> >
> >> >> > Hey Ritesh,
> >> >> >
> >> >> > Yes that is not correct, I missed that in my patch however we realised
> >> >> > that adding it before flush_work() also has issues [1]. More
> >> >> > specifically:
> >> >>
> >> >> Ohk. right.
> >> >>
> >> >> >
> >> >> > **kjournald2**
> >> >> > jbd2_journal_commit_transaction()
> >> >> > ...
> >> >> > ext4_handle_error()
> >> >> > /* s_journal_destorying is not set */
> >> >> > if (journal && !s_journal_destorying)
> >> >>
> >> >> Then maybe we should not schedule another work to update the superblock
> >> >> via journalling, it the error itself occurred while were trying to
> >> >> commit the journal txn?
> >> >>
> >> >>
> >> >> -ritesh
> >> >
> >> > Hmm, ideally yes that should not happen, but how can we achieve that?
> >> > For example with the trace we saw:
> >> >
> >> > **kjournald2**
> >> > jbd2_journal_commit_transaction()
> >> > jbd2_journal_get_descriptor_buffer
> >> > jbd2_journal_bmap
> >> > ext4_journal_bmap
> >> > ext4_map_blocks
> >> > ...
> >> > ext4_inode_error
> >> > ext4_handle_error
> >> > schedule_work(&sbi->s_sb_upd_work)
> >> >
> >> > How do we tell ext4_handle_error that it is in the context of a
> >> > committing txn.
So I was thinking about this. It is not a problem to determine we are
running in kjournald context - it is enough to check
current == EXT4_SB(sb)->s_journal->j_task
But I'm not sure checking this in ext4_handle_error() and doing direct sb
update instead of scheduling a journalled one is always correct. For
example kjournald does also writeback of ordered data and if that hits an
error, we do not necessarily abort the journal (well, currently we do as
far as I'm checking but it seems a bit fragile to rely on this).
So I'd rather keep the solution for these umount issues specific to the
umount path. What if we did:
static void ext4_journal_destroy(struct super_block *sb)
{
/*
* At this point only two things can be operating on the journal.
* JBD2 thread performing transaction commit and s_sb_upd_work
* issuing sb update through the journal. Once we set
* EXT4_FLAGS_JOURNAL_DESTROY, new ext4_handle_error() calls will not
* queue s_sb_upd_work and ext4_force_commit() makes sure any
* ext4_handle_error() calls from the running transaction commit are
* finished. Hence no new s_sb_upd_work can be queued after we
* flush it here.
*/
set_bit(EXT4_FLAGS_JOURNAL_DESTROY, &EXT4_SB(sb)->s_ext4_flags);
ext4_force_commit(sb);
flush_work(&EXT4_SB(sb)->s_sb_upd_work);
jbd2_journal_destroy(EXT4_SB(sb)->s_journal);
}
And then add the check to ext4_handle_error():
/*
* In case the fs should keep running, we need to writeout
* superblock through the journal. Due to lock ordering
* constraints, it may not be safe to do it right here so we
- * defer superblock flushing to a workqueue.
+ * defer superblock flushing to a workqueue. We just need
+ * to be careful when the journal is already shutting down.
+ * If we get here in that case, just update the sb directly
+ * as the last transaction won't commit anyway.
*/
- if (continue_fs && journal)
+ if (continue_fs && journal &&
+ !test_bit(EXT4_FLAGS_JOURNAL_DESTROY,
+ &EXT4_SB(sb)->s_ext4_flags))
schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
else
ext4_commit_super(sb);
What do people think about this? Am I missing some possible race?
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
` (2 preceding siblings ...)
2025-03-08 9:55 ` Ritesh Harjani (IBM)
@ 2025-03-12 13:57 ` Eric Sandeen
2025-03-12 14:27 ` Ojaswin Mujoo
3 siblings, 1 reply; 41+ messages in thread
From: Eric Sandeen @ 2025-03-12 13:57 UTC (permalink / raw)
To: Ojaswin Mujoo, linux-ext4, Theodore Ts'o
Cc: Jan Kara, Baokun Li, linux-kernel, Mahesh Kumar
On 3/6/25 8:28 AM, Ojaswin Mujoo wrote:
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 2b7d781bfcad..d48e93bd5690 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> */
> struct work_struct s_sb_upd_work;
>
> + bool s_journal_destorying;
Just a late nitpick and noted that Jan suggested making this a flag,
but just in case, this is a typo: s_journal_destorying -> s_journal_destroying
Thanks,
-Eric
> /* Atomic write unit values in bytes */
> unsigned int s_awu_min;
> unsigned int s_awu_max;
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-12 10:51 ` Jan Kara
@ 2025-03-12 14:26 ` Ojaswin Mujoo
2025-03-12 17:15 ` Jan Kara
0 siblings, 1 reply; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-12 14:26 UTC (permalink / raw)
To: Jan Kara
Cc: Ritesh Harjani, linux-ext4, Theodore Ts'o, Baokun Li,
linux-kernel, Mahesh Kumar
On Wed, Mar 12, 2025 at 11:51:03AM +0100, Jan Kara wrote:
> On Mon 10-03-25 10:13:36, Ritesh Harjani wrote:
> > Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > > On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
> > >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > >> > On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
> > >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > >> >> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> > >> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > >> >> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > >> >> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > >> >> >> > stress tests, it was observed that in case of some error handling paths, it is
> > >> >> >> > possible for update_super_work to start a transaction after the journal is
> > >> >> >> > destroyed eg:
> > >> >> >> >
> > >> >> >> > (umount)
> > >> >> >> > ext4_kill_sb
> > >> >> >> > kill_block_super
> > >> >> >> > generic_shutdown_super
> > >> >> >> > sync_filesystem /* commits all txns */
> > >> >> >> > evict_inodes
> > >> >> >> > /* might start a new txn */
> > >> >> >> > ext4_put_super
> > >> >> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > >> >> >> > jbd2_journal_destroy
> > >> >> >> > journal_kill_thread
> > >> >> >> > journal->j_flags |= JBD2_UNMOUNT;
> > >> >> >> > jbd2_journal_commit_transaction
> > >> >> >> > jbd2_journal_get_descriptor_buffer
> > >> >> >> > jbd2_journal_bmap
> > >> >> >> > ext4_journal_bmap
> > >> >> >> > ext4_map_blocks
> > >> >> >> > ...
> > >> >> >> > ext4_inode_error
> > >> >> >> > ext4_handle_error
> > >> >> >> > schedule_work(&sbi->s_sb_upd_work)
> > >> >> >> >
> > >> >> >> > /* work queue kicks in */
> > >> >> >> > update_super_work
> > >> >> >> > jbd2_journal_start
> > >> >> >> > start_this_handle
> > >> >> >> > BUG_ON(journal->j_flags &
> > >> >> >> > JBD2_UNMOUNT)
> > >> >> >> >
> > >> >> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > >> >> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
> > >> >> >> > set. Otherwise, just fallback to an un-journaled commit.
> > >> >> >> >
> > >> >> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > >> >> >> > during ext4_put_super() (except a running transaction that will get commited
> > >> >> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > >> >> >> > outside the journal as it won't race with a journaled update (refer
> > >> >> >> > 2d01ddc86606).
> > >> >> >> >
> > >> >> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > >> >> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
> > >> >> >> >
> > >> >> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > >> >> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > >> >> >> > Suggested-by: Jan Kara <jack@suse.cz>
> > >> >> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > >> >> >> > ---
> > >> >> >> > fs/ext4/ext4.h | 2 ++
> > >> >> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > >> >> >> > fs/ext4/super.c | 4 +++-
> > >> >> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
> > >> >> >> >
> > >> >> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > >> >> >> > index 2b7d781bfcad..d48e93bd5690 100644
> > >> >> >> > --- a/fs/ext4/ext4.h
> > >> >> >> > +++ b/fs/ext4/ext4.h
> > >> >> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > >> >> >> > */
> > >> >> >> > struct work_struct s_sb_upd_work;
> > >> >> >> >
> > >> >> >> > + bool s_journal_destorying;
> > >> >> >> > +
> > >> >> >> > /* Atomic write unit values in bytes */
> > >> >> >> > unsigned int s_awu_min;
> > >> >> >> > unsigned int s_awu_max;
> > >> >> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > >> >> >> > index 9b3c9df02a39..6bd3ca84410d 100644
> > >> >> >> > --- a/fs/ext4/ext4_jbd2.h
> > >> >> >> > +++ b/fs/ext4/ext4_jbd2.h
> > >> >> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > >> >> >> > {
> > >> >> >> > int err = 0;
> > >> >> >> >
> > >> >> >> > + /*
> > >> >> >> > + * At this point all pending FS updates should be done except a possible
> > >> >> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
> > >> >> >> > + * is now safe for any new errors to directly commit superblock rather
> > >> >> >> > + * than going via journal.
> > >> >> >> > + */
> > >> >> >> > + sbi->s_journal_destorying = true;
> > >> >> >>
> > >> >> >> This is not correct right. I think what we decided to set this flag
> > >> >> >> before we flush the workqueue. So that we don't schedule any new
> > >> >> >> work after this flag has been set. At least that is what I understood.
> > >> >> >>
> > >> >> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
> > >> >> >>
> > >> >> >> -ritesh
> > >> >> >
> > >> >> > Hey Ritesh,
> > >> >> >
> > >> >> > Yes that is not correct, I missed that in my patch however we realised
> > >> >> > that adding it before flush_work() also has issues [1]. More
> > >> >> > specifically:
> > >> >>
> > >> >> Ohk. right.
> > >> >>
> > >> >> >
> > >> >> > **kjournald2**
> > >> >> > jbd2_journal_commit_transaction()
> > >> >> > ...
> > >> >> > ext4_handle_error()
> > >> >> > /* s_journal_destorying is not set */
> > >> >> > if (journal && !s_journal_destorying)
> > >> >>
> > >> >> Then maybe we should not schedule another work to update the superblock
> > >> >> via journalling, it the error itself occurred while were trying to
> > >> >> commit the journal txn?
> > >> >>
> > >> >>
> > >> >> -ritesh
> > >> >
> > >> > Hmm, ideally yes that should not happen, but how can we achieve that?
> > >> > For example with the trace we saw:
> > >> >
> > >> > **kjournald2**
> > >> > jbd2_journal_commit_transaction()
> > >> > jbd2_journal_get_descriptor_buffer
> > >> > jbd2_journal_bmap
> > >> > ext4_journal_bmap
> > >> > ext4_map_blocks
> > >> > ...
> > >> > ext4_inode_error
> > >> > ext4_handle_error
> > >> > schedule_work(&sbi->s_sb_upd_work)
> > >> >
> > >> > How do we tell ext4_handle_error that it is in the context of a
> > >> > committing txn.
>
> So I was thinking about this. It is not a problem to determine we are
> running in kjournald context - it is enough to check
>
> current == EXT4_SB(sb)->s_journal->j_task
Oh, right :)
>
> But I'm not sure checking this in ext4_handle_error() and doing direct sb
> update instead of scheduling a journalled one is always correct. For
> example kjournald does also writeback of ordered data and if that hits an
> error, we do not necessarily abort the journal (well, currently we do as
> far as I'm checking but it seems a bit fragile to rely on this).
Okay so IIUC your concern is there might be some codepaths, now or in
the future, where kjournald might call the FS layer, hit an error and
still decide to not abort. In which case we would still want to update
the sb via journal.
Im having some difficulty imagining when this can happen but I'm okay
with the alternate approach of hardening the umount path as well. Fwiw
this approach did feel a bit more cleaner as we could avoid the journal
commit and flushing dance in ext4_journal_destory()
>
> So I'd rather keep the solution for these umount issues specific to the
> umount path. What if we did:
>
> static void ext4_journal_destroy(struct super_block *sb)
> {
> /*
> * At this point only two things can be operating on the journal.
> * JBD2 thread performing transaction commit and s_sb_upd_work
> * issuing sb update through the journal. Once we set
> * EXT4_FLAGS_JOURNAL_DESTROY, new ext4_handle_error() calls will not
> * queue s_sb_upd_work and ext4_force_commit() makes sure any
> * ext4_handle_error() calls from the running transaction commit are
> * finished. Hence no new s_sb_upd_work can be queued after we
> * flush it here.
> */
> set_bit(EXT4_FLAGS_JOURNAL_DESTROY, &EXT4_SB(sb)->s_ext4_flags);
Offtopic, how are s_ext4_flags different from s_mount_flags, since in a
draft patchset for this, I am using:
ext4_set_mount_flag(sbi->s_sb, EXT4_JBD2_DESTORYING);
so just curious.
> ext4_force_commit(sb);
> flush_work(&EXT4_SB(sb)->s_sb_upd_work);
> jbd2_journal_destroy(EXT4_SB(sb)->s_journal);
> }
>
> And then add the check to ext4_handle_error():
>
> /*
> * In case the fs should keep running, we need to writeout
> * superblock through the journal. Due to lock ordering
> * constraints, it may not be safe to do it right here so we
> - * defer superblock flushing to a workqueue.
> + * defer superblock flushing to a workqueue. We just need
> + * to be careful when the journal is already shutting down.
> + * If we get here in that case, just update the sb directly
> + * as the last transaction won't commit anyway.
> */
> - if (continue_fs && journal)
> + if (continue_fs && journal &&
> + !test_bit(EXT4_FLAGS_JOURNAL_DESTROY,
> + &EXT4_SB(sb)->s_ext4_flags))
> schedule_work(&EXT4_SB(sb)->s_sb_upd_work);
> else
> ext4_commit_super(sb);
>
> What do people think about this? Am I missing some possible race?
This approach looks good Jan, I think its similar to what we were
discussing previous to the dont-schedule-if-kjournald alternative.
I was working on a similar patchset as this, I'll borrow your wording
for the comments and run some more tests on this. Thanks for the review.
Regards,
ojaswin
>
> Honza
>
> --
> Jan Kara <jack@suse.com>
> SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-12 13:57 ` Eric Sandeen
@ 2025-03-12 14:27 ` Ojaswin Mujoo
0 siblings, 0 replies; 41+ messages in thread
From: Ojaswin Mujoo @ 2025-03-12 14:27 UTC (permalink / raw)
To: Eric Sandeen
Cc: linux-ext4, Theodore Ts'o, Jan Kara, Baokun Li, linux-kernel,
Mahesh Kumar
On Wed, Mar 12, 2025 at 08:57:34AM -0500, Eric Sandeen wrote:
> On 3/6/25 8:28 AM, Ojaswin Mujoo wrote:
> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > index 2b7d781bfcad..d48e93bd5690 100644
> > --- a/fs/ext4/ext4.h
> > +++ b/fs/ext4/ext4.h
> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > */
> > struct work_struct s_sb_upd_work;
> >
> > + bool s_journal_destorying;
>
> Just a late nitpick and noted that Jan suggested making this a flag,
> but just in case, this is a typo: s_journal_destorying -> s_journal_destroying
>
> Thanks,
> -Eric
Thanks for pointing that Eric. We will be moving to a flag in next
version mostly so we should be okay :)
regards,
ojaswin
>
> > /* Atomic write unit values in bytes */
> > unsigned int s_awu_min;
> > unsigned int s_awu_max;
>
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-12 14:26 ` Ojaswin Mujoo
@ 2025-03-12 17:15 ` Jan Kara
2025-03-13 1:20 ` Zhang Yi
0 siblings, 1 reply; 41+ messages in thread
From: Jan Kara @ 2025-03-12 17:15 UTC (permalink / raw)
To: Ojaswin Mujoo
Cc: Jan Kara, Ritesh Harjani, linux-ext4, Theodore Ts'o,
Baokun Li, linux-kernel, Mahesh Kumar
On Wed 12-03-25 19:56:36, Ojaswin Mujoo wrote:
> On Wed, Mar 12, 2025 at 11:51:03AM +0100, Jan Kara wrote:
> > On Mon 10-03-25 10:13:36, Ritesh Harjani wrote:
> > > Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > > > On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
> > > >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > > >> > On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
> > > >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > > >> >> > On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
> > > >> >> >> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
> > > >> >> >> > Presently we always BUG_ON if trying to start a transaction on a journal marked
> > > >> >> >> > with JBD2_UNMOUNT, since this should never happen. However, while ltp running
> > > >> >> >> > stress tests, it was observed that in case of some error handling paths, it is
> > > >> >> >> > possible for update_super_work to start a transaction after the journal is
> > > >> >> >> > destroyed eg:
> > > >> >> >> >
> > > >> >> >> > (umount)
> > > >> >> >> > ext4_kill_sb
> > > >> >> >> > kill_block_super
> > > >> >> >> > generic_shutdown_super
> > > >> >> >> > sync_filesystem /* commits all txns */
> > > >> >> >> > evict_inodes
> > > >> >> >> > /* might start a new txn */
> > > >> >> >> > ext4_put_super
> > > >> >> >> > flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
> > > >> >> >> > jbd2_journal_destroy
> > > >> >> >> > journal_kill_thread
> > > >> >> >> > journal->j_flags |= JBD2_UNMOUNT;
> > > >> >> >> > jbd2_journal_commit_transaction
> > > >> >> >> > jbd2_journal_get_descriptor_buffer
> > > >> >> >> > jbd2_journal_bmap
> > > >> >> >> > ext4_journal_bmap
> > > >> >> >> > ext4_map_blocks
> > > >> >> >> > ...
> > > >> >> >> > ext4_inode_error
> > > >> >> >> > ext4_handle_error
> > > >> >> >> > schedule_work(&sbi->s_sb_upd_work)
> > > >> >> >> >
> > > >> >> >> > /* work queue kicks in */
> > > >> >> >> > update_super_work
> > > >> >> >> > jbd2_journal_start
> > > >> >> >> > start_this_handle
> > > >> >> >> > BUG_ON(journal->j_flags &
> > > >> >> >> > JBD2_UNMOUNT)
> > > >> >> >> >
> > > >> >> >> > Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
> > > >> >> >> > destroying only do a journaled (and deferred) update of sb if this flag is not
> > > >> >> >> > set. Otherwise, just fallback to an un-journaled commit.
> > > >> >> >> >
> > > >> >> >> > We set sbi->s_journal_destroying = true only after all the FS updates are done
> > > >> >> >> > during ext4_put_super() (except a running transaction that will get commited
> > > >> >> >> > during jbd2_journal_destroy()). After this point, it is safe to commit the sb
> > > >> >> >> > outside the journal as it won't race with a journaled update (refer
> > > >> >> >> > 2d01ddc86606).
> > > >> >> >> >
> > > >> >> >> > Also, we don't need a similar check in ext4_grp_locked_error since it is only
> > > >> >> >> > called from mballoc and AFAICT it would be always valid to schedule work here.
> > > >> >> >> >
> > > >> >> >> > Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
> > > >> >> >> > Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
> > > >> >> >> > Suggested-by: Jan Kara <jack@suse.cz>
> > > >> >> >> > Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
> > > >> >> >> > ---
> > > >> >> >> > fs/ext4/ext4.h | 2 ++
> > > >> >> >> > fs/ext4/ext4_jbd2.h | 8 ++++++++
> > > >> >> >> > fs/ext4/super.c | 4 +++-
> > > >> >> >> > 3 files changed, 13 insertions(+), 1 deletion(-)
> > > >> >> >> >
> > > >> >> >> > diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> > > >> >> >> > index 2b7d781bfcad..d48e93bd5690 100644
> > > >> >> >> > --- a/fs/ext4/ext4.h
> > > >> >> >> > +++ b/fs/ext4/ext4.h
> > > >> >> >> > @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
> > > >> >> >> > */
> > > >> >> >> > struct work_struct s_sb_upd_work;
> > > >> >> >> >
> > > >> >> >> > + bool s_journal_destorying;
> > > >> >> >> > +
> > > >> >> >> > /* Atomic write unit values in bytes */
> > > >> >> >> > unsigned int s_awu_min;
> > > >> >> >> > unsigned int s_awu_max;
> > > >> >> >> > diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
> > > >> >> >> > index 9b3c9df02a39..6bd3ca84410d 100644
> > > >> >> >> > --- a/fs/ext4/ext4_jbd2.h
> > > >> >> >> > +++ b/fs/ext4/ext4_jbd2.h
> > > >> >> >> > @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
> > > >> >> >> > {
> > > >> >> >> > int err = 0;
> > > >> >> >> >
> > > >> >> >> > + /*
> > > >> >> >> > + * At this point all pending FS updates should be done except a possible
> > > >> >> >> > + * running transaction (which will commit in jbd2_journal_destroy). It
> > > >> >> >> > + * is now safe for any new errors to directly commit superblock rather
> > > >> >> >> > + * than going via journal.
> > > >> >> >> > + */
> > > >> >> >> > + sbi->s_journal_destorying = true;
> > > >> >> >>
> > > >> >> >> This is not correct right. I think what we decided to set this flag
> > > >> >> >> before we flush the workqueue. So that we don't schedule any new
> > > >> >> >> work after this flag has been set. At least that is what I understood.
> > > >> >> >>
> > > >> >> >> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
> > > >> >> >>
> > > >> >> >> -ritesh
> > > >> >> >
> > > >> >> > Hey Ritesh,
> > > >> >> >
> > > >> >> > Yes that is not correct, I missed that in my patch however we realised
> > > >> >> > that adding it before flush_work() also has issues [1]. More
> > > >> >> > specifically:
> > > >> >>
> > > >> >> Ohk. right.
> > > >> >>
> > > >> >> >
> > > >> >> > **kjournald2**
> > > >> >> > jbd2_journal_commit_transaction()
> > > >> >> > ...
> > > >> >> > ext4_handle_error()
> > > >> >> > /* s_journal_destorying is not set */
> > > >> >> > if (journal && !s_journal_destorying)
> > > >> >>
> > > >> >> Then maybe we should not schedule another work to update the superblock
> > > >> >> via journalling, it the error itself occurred while were trying to
> > > >> >> commit the journal txn?
> > > >> >>
> > > >> >>
> > > >> >> -ritesh
> > > >> >
> > > >> > Hmm, ideally yes that should not happen, but how can we achieve that?
> > > >> > For example with the trace we saw:
> > > >> >
> > > >> > **kjournald2**
> > > >> > jbd2_journal_commit_transaction()
> > > >> > jbd2_journal_get_descriptor_buffer
> > > >> > jbd2_journal_bmap
> > > >> > ext4_journal_bmap
> > > >> > ext4_map_blocks
> > > >> > ...
> > > >> > ext4_inode_error
> > > >> > ext4_handle_error
> > > >> > schedule_work(&sbi->s_sb_upd_work)
> > > >> >
> > > >> > How do we tell ext4_handle_error that it is in the context of a
> > > >> > committing txn.
> >
> > So I was thinking about this. It is not a problem to determine we are
> > running in kjournald context - it is enough to check
> >
> > current == EXT4_SB(sb)->s_journal->j_task
>
> Oh, right :)
>
> >
> > But I'm not sure checking this in ext4_handle_error() and doing direct sb
> > update instead of scheduling a journalled one is always correct. For
> > example kjournald does also writeback of ordered data and if that hits an
> > error, we do not necessarily abort the journal (well, currently we do as
> > far as I'm checking but it seems a bit fragile to rely on this).
>
> Okay so IIUC your concern is there might be some codepaths, now or in
> the future, where kjournald might call the FS layer, hit an error and
> still decide to not abort. In which case we would still want to update
> the sb via journal.
Yeah. The reason why I'm a bit concerned about it is mostly the case of
kjournald also handling ordered data and situations like
!(journal->j_flags & JBD2_ABORT_ON_SYNCDATA_ERR) where people want to
continue although ordered data had issues. Or situations where something in
j_commit_callback or another jbd2 hook ends up calling ext4_error()...
> > static void ext4_journal_destroy(struct super_block *sb)
> > {
> > /*
> > * At this point only two things can be operating on the journal.
> > * JBD2 thread performing transaction commit and s_sb_upd_work
> > * issuing sb update through the journal. Once we set
> > * EXT4_FLAGS_JOURNAL_DESTROY, new ext4_handle_error() calls will not
> > * queue s_sb_upd_work and ext4_force_commit() makes sure any
> > * ext4_handle_error() calls from the running transaction commit are
> > * finished. Hence no new s_sb_upd_work can be queued after we
> > * flush it here.
> > */
> > set_bit(EXT4_FLAGS_JOURNAL_DESTROY, &EXT4_SB(sb)->s_ext4_flags);
>
> Offtopic, how are s_ext4_flags different from s_mount_flags, since in a
> draft patchset for this, I am using:
>
> ext4_set_mount_flag(sbi->s_sb, EXT4_JBD2_DESTORYING);
>
> so just curious.
I don't think there's a difference and I think we can unify them. For now
pick whatever you like :)
Honza
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-12 17:15 ` Jan Kara
@ 2025-03-13 1:20 ` Zhang Yi
2025-03-13 2:08 ` Baokun Li
0 siblings, 1 reply; 41+ messages in thread
From: Zhang Yi @ 2025-03-13 1:20 UTC (permalink / raw)
To: Jan Kara
Cc: Ritesh Harjani, linux-ext4, Theodore Ts'o, Baokun Li,
linux-kernel, Mahesh Kumar, Ojaswin Mujoo
On 2025/3/13 1:15, Jan Kara wrote:
> On Wed 12-03-25 19:56:36, Ojaswin Mujoo wrote:
>> On Wed, Mar 12, 2025 at 11:51:03AM +0100, Jan Kara wrote:
>>> On Mon 10-03-25 10:13:36, Ritesh Harjani wrote:
>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>> On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>> On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
>>>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>>>> On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
>>>>>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>>>>>>> destroyed eg:
>>>>>>>>>>>
>>>>>>>>>>> (umount)
>>>>>>>>>>> ext4_kill_sb
>>>>>>>>>>> kill_block_super
>>>>>>>>>>> generic_shutdown_super
>>>>>>>>>>> sync_filesystem /* commits all txns */
>>>>>>>>>>> evict_inodes
>>>>>>>>>>> /* might start a new txn */
>>>>>>>>>>> ext4_put_super
>>>>>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>>>>>>> jbd2_journal_destroy
>>>>>>>>>>> journal_kill_thread
>>>>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>>>> jbd2_journal_commit_transaction
>>>>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>>>>> jbd2_journal_bmap
>>>>>>>>>>> ext4_journal_bmap
>>>>>>>>>>> ext4_map_blocks
>>>>>>>>>>> ...
>>>>>>>>>>> ext4_inode_error
>>>>>>>>>>> ext4_handle_error
>>>>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>>>>
>>>>>>>>>>> /* work queue kicks in */
>>>>>>>>>>> update_super_work
>>>>>>>>>>> jbd2_journal_start
>>>>>>>>>>> start_this_handle
>>>>>>>>>>> BUG_ON(journal->j_flags &
>>>>>>>>>>> JBD2_UNMOUNT)
>>>>>>>>>>>
>>>>>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>>>>>>
>>>>>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>>>>>>> 2d01ddc86606).
>>>>>>>>>>>
>>>>>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>>>>>>
>>>>>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>>>>>>> ---
>>>>>>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>>>>>>> fs/ext4/super.c | 4 +++-
>>>>>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>>>>>>
>>>>>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>>>>>>> --- a/fs/ext4/ext4.h
>>>>>>>>>>> +++ b/fs/ext4/ext4.h
>>>>>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>>>>>>> */
>>>>>>>>>>> struct work_struct s_sb_upd_work;
>>>>>>>>>>>
>>>>>>>>>>> + bool s_journal_destorying;
>>>>>>>>>>> +
>>>>>>>>>>> /* Atomic write unit values in bytes */
>>>>>>>>>>> unsigned int s_awu_min;
>>>>>>>>>>> unsigned int s_awu_max;
>>>>>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>>>>>>> {
>>>>>>>>>>> int err = 0;
>>>>>>>>>>>
>>>>>>>>>>> + /*
>>>>>>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>>>>>>> + * than going via journal.
>>>>>>>>>>> + */
>>>>>>>>>>> + sbi->s_journal_destorying = true;
>>>>>>>>>>
>>>>>>>>>> This is not correct right. I think what we decided to set this flag
>>>>>>>>>> before we flush the workqueue. So that we don't schedule any new
>>>>>>>>>> work after this flag has been set. At least that is what I understood.
>>>>>>>>>>
>>>>>>>>>> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>>>>>>>>>>
>>>>>>>>>> -ritesh
>>>>>>>>>
>>>>>>>>> Hey Ritesh,
>>>>>>>>>
>>>>>>>>> Yes that is not correct, I missed that in my patch however we realised
>>>>>>>>> that adding it before flush_work() also has issues [1]. More
>>>>>>>>> specifically:
>>>>>>>>
>>>>>>>> Ohk. right.
>>>>>>>>
>>>>>>>>>
>>>>>>>>> **kjournald2**
>>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>>> ...
>>>>>>>>> ext4_handle_error()
>>>>>>>>> /* s_journal_destorying is not set */
>>>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>>
>>>>>>>> Then maybe we should not schedule another work to update the superblock
>>>>>>>> via journalling, it the error itself occurred while were trying to
>>>>>>>> commit the journal txn?
>>>>>>>>
>>>>>>>>
>>>>>>>> -ritesh
>>>>>>>
>>>>>>> Hmm, ideally yes that should not happen, but how can we achieve that?
>>>>>>> For example with the trace we saw:
>>>>>>>
>>>>>>> **kjournald2**
>>>>>>> jbd2_journal_commit_transaction()
>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>> jbd2_journal_bmap
>>>>>>> ext4_journal_bmap
>>>>>>> ext4_map_blocks
>>>>>>> ...
>>>>>>> ext4_inode_error
>>>>>>> ext4_handle_error
>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>
>>>>>>> How do we tell ext4_handle_error that it is in the context of a
>>>>>>> committing txn.
>>>
>>> So I was thinking about this. It is not a problem to determine we are
>>> running in kjournald context - it is enough to check
>>>
>>> current == EXT4_SB(sb)->s_journal->j_task
>>
>> Oh, right :)
>>
>>>
>>> But I'm not sure checking this in ext4_handle_error() and doing direct sb
>>> update instead of scheduling a journalled one is always correct. For
>>> example kjournald does also writeback of ordered data and if that hits an
>>> error, we do not necessarily abort the journal (well, currently we do as
>>> far as I'm checking but it seems a bit fragile to rely on this).
>>
>> Okay so IIUC your concern is there might be some codepaths, now or in
>> the future, where kjournald might call the FS layer, hit an error and
>> still decide to not abort. In which case we would still want to update
>> the sb via journal.
>
> Yeah. The reason why I'm a bit concerned about it is mostly the case of
> kjournald also handling ordered data and situations like
> !(journal->j_flags & JBD2_ABORT_ON_SYNCDATA_ERR) where people want to
> continue although ordered data had issues. Or situations where something in
> j_commit_callback or another jbd2 hook ends up calling ext4_error()...
>
Ha, right! This is a case where kjournald triggers an ext4 error but does
not abort the journal for now, I forgot this one, and there may be more.
Thanks for pointing it out. I would also prefer to use this solution of
adding ext4_journal_destory().
Thanks,
Yi.
^ permalink raw reply [flat|nested] 41+ messages in thread
* Re: [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying
2025-03-13 1:20 ` Zhang Yi
@ 2025-03-13 2:08 ` Baokun Li
0 siblings, 0 replies; 41+ messages in thread
From: Baokun Li @ 2025-03-13 2:08 UTC (permalink / raw)
To: Ojaswin Mujoo, Zhang Yi, Jan Kara
Cc: Ritesh Harjani, linux-ext4, Theodore Ts'o, linux-kernel,
Mahesh Kumar, Yang Erkun
On 2025/3/13 9:20, Zhang Yi wrote:
> On 2025/3/13 1:15, Jan Kara wrote:
>> On Wed 12-03-25 19:56:36, Ojaswin Mujoo wrote:
>>> On Wed, Mar 12, 2025 at 11:51:03AM +0100, Jan Kara wrote:
>>>> On Mon 10-03-25 10:13:36, Ritesh Harjani wrote:
>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>> On Sun, Mar 09, 2025 at 12:11:22AM +0530, Ritesh Harjani wrote:
>>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>>> On Sat, Mar 08, 2025 at 06:56:23PM +0530, Ritesh Harjani wrote:
>>>>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>>>>> On Sat, Mar 08, 2025 at 03:25:04PM +0530, Ritesh Harjani (IBM) wrote:
>>>>>>>>>>> Ojaswin Mujoo <ojaswin@linux.ibm.com> writes:
>>>>>>>>>>>> Presently we always BUG_ON if trying to start a transaction on a journal marked
>>>>>>>>>>>> with JBD2_UNMOUNT, since this should never happen. However, while ltp running
>>>>>>>>>>>> stress tests, it was observed that in case of some error handling paths, it is
>>>>>>>>>>>> possible for update_super_work to start a transaction after the journal is
>>>>>>>>>>>> destroyed eg:
>>>>>>>>>>>>
>>>>>>>>>>>> (umount)
>>>>>>>>>>>> ext4_kill_sb
>>>>>>>>>>>> kill_block_super
>>>>>>>>>>>> generic_shutdown_super
>>>>>>>>>>>> sync_filesystem /* commits all txns */
>>>>>>>>>>>> evict_inodes
>>>>>>>>>>>> /* might start a new txn */
>>>>>>>>>>>> ext4_put_super
>>>>>>>>>>>> flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */
>>>>>>>>>>>> jbd2_journal_destroy
>>>>>>>>>>>> journal_kill_thread
>>>>>>>>>>>> journal->j_flags |= JBD2_UNMOUNT;
>>>>>>>>>>>> jbd2_journal_commit_transaction
>>>>>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>>>>>> jbd2_journal_bmap
>>>>>>>>>>>> ext4_journal_bmap
>>>>>>>>>>>> ext4_map_blocks
>>>>>>>>>>>> ...
>>>>>>>>>>>> ext4_inode_error
>>>>>>>>>>>> ext4_handle_error
>>>>>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>>>>>
>>>>>>>>>>>> /* work queue kicks in */
>>>>>>>>>>>> update_super_work
>>>>>>>>>>>> jbd2_journal_start
>>>>>>>>>>>> start_this_handle
>>>>>>>>>>>> BUG_ON(journal->j_flags &
>>>>>>>>>>>> JBD2_UNMOUNT)
>>>>>>>>>>>>
>>>>>>>>>>>> Hence, introduce a new sbi flag s_journal_destroying to indicate journal is
>>>>>>>>>>>> destroying only do a journaled (and deferred) update of sb if this flag is not
>>>>>>>>>>>> set. Otherwise, just fallback to an un-journaled commit.
>>>>>>>>>>>>
>>>>>>>>>>>> We set sbi->s_journal_destroying = true only after all the FS updates are done
>>>>>>>>>>>> during ext4_put_super() (except a running transaction that will get commited
>>>>>>>>>>>> during jbd2_journal_destroy()). After this point, it is safe to commit the sb
>>>>>>>>>>>> outside the journal as it won't race with a journaled update (refer
>>>>>>>>>>>> 2d01ddc86606).
>>>>>>>>>>>>
>>>>>>>>>>>> Also, we don't need a similar check in ext4_grp_locked_error since it is only
>>>>>>>>>>>> called from mballoc and AFAICT it would be always valid to schedule work here.
>>>>>>>>>>>>
>>>>>>>>>>>> Fixes: 2d01ddc86606 ("ext4: save error info to sb through journal if available")
>>>>>>>>>>>> Reported-by: Mahesh Kumar <maheshkumar657g@gmail.com>
>>>>>>>>>>>> Suggested-by: Jan Kara <jack@suse.cz>
>>>>>>>>>>>> Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
>>>>>>>>>>>> ---
>>>>>>>>>>>> fs/ext4/ext4.h | 2 ++
>>>>>>>>>>>> fs/ext4/ext4_jbd2.h | 8 ++++++++
>>>>>>>>>>>> fs/ext4/super.c | 4 +++-
>>>>>>>>>>>> 3 files changed, 13 insertions(+), 1 deletion(-)
>>>>>>>>>>>>
>>>>>>>>>>>> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
>>>>>>>>>>>> index 2b7d781bfcad..d48e93bd5690 100644
>>>>>>>>>>>> --- a/fs/ext4/ext4.h
>>>>>>>>>>>> +++ b/fs/ext4/ext4.h
>>>>>>>>>>>> @@ -1728,6 +1728,8 @@ struct ext4_sb_info {
>>>>>>>>>>>> */
>>>>>>>>>>>> struct work_struct s_sb_upd_work;
>>>>>>>>>>>>
>>>>>>>>>>>> + bool s_journal_destorying;
>>>>>>>>>>>> +
>>>>>>>>>>>> /* Atomic write unit values in bytes */
>>>>>>>>>>>> unsigned int s_awu_min;
>>>>>>>>>>>> unsigned int s_awu_max;
>>>>>>>>>>>> diff --git a/fs/ext4/ext4_jbd2.h b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>>> index 9b3c9df02a39..6bd3ca84410d 100644
>>>>>>>>>>>> --- a/fs/ext4/ext4_jbd2.h
>>>>>>>>>>>> +++ b/fs/ext4/ext4_jbd2.h
>>>>>>>>>>>> @@ -437,6 +437,14 @@ static inline int ext4_journal_destroy(struct ext4_sb_info *sbi, journal_t *jour
>>>>>>>>>>>> {
>>>>>>>>>>>> int err = 0;
>>>>>>>>>>>>
>>>>>>>>>>>> + /*
>>>>>>>>>>>> + * At this point all pending FS updates should be done except a possible
>>>>>>>>>>>> + * running transaction (which will commit in jbd2_journal_destroy). It
>>>>>>>>>>>> + * is now safe for any new errors to directly commit superblock rather
>>>>>>>>>>>> + * than going via journal.
>>>>>>>>>>>> + */
>>>>>>>>>>>> + sbi->s_journal_destorying = true;
>>>>>>>>>>> This is not correct right. I think what we decided to set this flag
>>>>>>>>>>> before we flush the workqueue. So that we don't schedule any new
>>>>>>>>>>> work after this flag has been set. At least that is what I understood.
>>>>>>>>>>>
>>>>>>>>>>> [1]: https://lore.kernel.org/all/87eczc6rlt.fsf@gmail.com/
>>>>>>>>>>>
>>>>>>>>>>> -ritesh
>>>>>>>>>> Hey Ritesh,
>>>>>>>>>>
>>>>>>>>>> Yes that is not correct, I missed that in my patch however we realised
>>>>>>>>>> that adding it before flush_work() also has issues [1]. More
>>>>>>>>>> specifically:
>>>>>>>>> Ohk. right.
>>>>>>>>>
>>>>>>>>>> **kjournald2**
>>>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>>>> ...
>>>>>>>>>> ext4_handle_error()
>>>>>>>>>> /* s_journal_destorying is not set */
>>>>>>>>>> if (journal && !s_journal_destorying)
>>>>>>>>> Then maybe we should not schedule another work to update the superblock
>>>>>>>>> via journalling, it the error itself occurred while were trying to
>>>>>>>>> commit the journal txn?
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> -ritesh
>>>>>>>> Hmm, ideally yes that should not happen, but how can we achieve that?
>>>>>>>> For example with the trace we saw:
>>>>>>>>
>>>>>>>> **kjournald2**
>>>>>>>> jbd2_journal_commit_transaction()
>>>>>>>> jbd2_journal_get_descriptor_buffer
>>>>>>>> jbd2_journal_bmap
>>>>>>>> ext4_journal_bmap
>>>>>>>> ext4_map_blocks
>>>>>>>> ...
>>>>>>>> ext4_inode_error
>>>>>>>> ext4_handle_error
>>>>>>>> schedule_work(&sbi->s_sb_upd_work)
>>>>>>>>
>>>>>>>> How do we tell ext4_handle_error that it is in the context of a
>>>>>>>> committing txn.
>>>> So I was thinking about this. It is not a problem to determine we are
>>>> running in kjournald context - it is enough to check
>>>>
>>>> current == EXT4_SB(sb)->s_journal->j_task
>>> Oh, right :)
>>>
>>>> But I'm not sure checking this in ext4_handle_error() and doing direct sb
>>>> update instead of scheduling a journalled one is always correct. For
>>>> example kjournald does also writeback of ordered data and if that hits an
>>>> error, we do not necessarily abort the journal (well, currently we do as
>>>> far as I'm checking but it seems a bit fragile to rely on this).
>>> Okay so IIUC your concern is there might be some codepaths, now or in
>>> the future, where kjournald might call the FS layer, hit an error and
>>> still decide to not abort. In which case we would still want to update
>>> the sb via journal.
>> Yeah. The reason why I'm a bit concerned about it is mostly the case of
>> kjournald also handling ordered data and situations like
>> !(journal->j_flags & JBD2_ABORT_ON_SYNCDATA_ERR) where people want to
>> continue although ordered data had issues. Or situations where something in
>> j_commit_callback or another jbd2 hook ends up calling ext4_error()...
>>
> Ha, right! This is a case where kjournald triggers an ext4 error but does
> not abort the journal for now, I forgot this one, and there may be more.
> Thanks for pointing it out. I would also prefer to use this solution of
> adding ext4_journal_destory().
>
If we consider the possibility that there might be calls to ext4_error()
without aborting the journal, although I cannot imagine how this might
happen, this situation may indeed appear in hidden corners now or in the
future. Therefore, an extra flag is indeed needed, with which we don't
have to think so much. 😀
Cheers,
Baokun
^ permalink raw reply [flat|nested] 41+ messages in thread
end of thread, other threads:[~2025-03-13 2:08 UTC | newest]
Thread overview: 41+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-03-06 14:28 [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 1/3] ext4: define ext4_journal_destroy wrapper Ojaswin Mujoo
2025-03-07 14:05 ` Jan Kara
2025-03-08 1:18 ` Baokun Li
2025-03-06 14:28 ` [PATCH v2 2/3] ext4: avoid journaling sb update on error if journal is destroying Ojaswin Mujoo
2025-03-07 2:49 ` Zhang Yi
2025-03-07 6:34 ` Ojaswin Mujoo
2025-03-07 8:13 ` Ojaswin Mujoo
2025-03-07 8:43 ` Zhang Yi
2025-03-07 10:27 ` Ojaswin Mujoo
2025-03-07 12:36 ` Zhang Yi
2025-03-07 17:26 ` Ojaswin Mujoo
2025-03-08 2:57 ` Zhang Yi
2025-03-08 8:18 ` Ojaswin Mujoo
2025-03-08 9:58 ` Ojaswin Mujoo
2025-03-08 10:10 ` Baokun Li
2025-03-08 12:57 ` Ojaswin Mujoo
2025-03-08 10:01 ` Ritesh Harjani
2025-03-07 14:26 ` Jan Kara
2025-03-07 17:00 ` Ojaswin Mujoo
2025-03-08 9:55 ` Ritesh Harjani (IBM)
2025-03-08 13:05 ` Ojaswin Mujoo
2025-03-08 13:26 ` Ritesh Harjani
2025-03-08 14:58 ` Ojaswin Mujoo
2025-03-08 18:41 ` Ritesh Harjani
2025-03-09 12:07 ` Ojaswin Mujoo
2025-03-10 4:43 ` Ritesh Harjani
2025-03-12 10:51 ` Jan Kara
2025-03-12 14:26 ` Ojaswin Mujoo
2025-03-12 17:15 ` Jan Kara
2025-03-13 1:20 ` Zhang Yi
2025-03-13 2:08 ` Baokun Li
2025-03-12 13:57 ` Eric Sandeen
2025-03-12 14:27 ` Ojaswin Mujoo
2025-03-06 14:28 ` [PATCH v2 3/3] ext4: Make sb update interval tunable Ojaswin Mujoo
2025-03-08 2:25 ` Baokun Li
2025-03-08 1:09 ` [PATCH v2 0/3] Fix a BUG_ON crashing the kernel in start_this_handle Baokun Li
2025-03-08 13:07 ` Ojaswin Mujoo
2025-03-08 15:21 ` Ojaswin Mujoo
2025-03-10 3:10 ` Baokun Li
2025-03-10 7:59 ` Ojaswin Mujoo
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).