From: bugzilla-daemon@bugzilla.kernel.org
To: linux-xfs@vger.kernel.org
Subject: [Bug 203947] [xfstests generic/475]: general protection fault: 0000 [#1] RIP: 0010:xfs_setfilesize_ioend+0xb1/0x220 [xfs]
Date: Thu, 27 Jun 2019 18:35:30 +0000 [thread overview]
Message-ID: <bug-203947-201763-BIraDUAzxc@https.bugzilla.kernel.org/> (raw)
In-Reply-To: <bug-203947-201763@https.bugzilla.kernel.org/>
https://bugzilla.kernel.org/show_bug.cgi?id=203947
Darrick J. Wong (djwong+kernel@djwong.org) changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djwong+kernel@djwong.org
--- Comment #2 from Darrick J. Wong (djwong+kernel@djwong.org) ---
Hmm... so we're clearly in a situation where we have ioend A -> ioend B and
we're trying to merge A and B. A has a setfilesize transaction and B does not,
but current code assumes that if A has one then B must have one and that it
must cancel B's. Then we crash trying to cancel the transaction that B doesn't
have.
How do we end up in this situation? I can't trigger it on my systems, but I
guess this sounds plausible:
1. Dirty pages 0, 1, and 2 of an empty file.
2. Writeback gets scheduled for pages 0 and 2, creating ioends A and C. Both
ioends describe writes past the on-disk isize so we allocate transactions.
3. ioend C completes immediately, sets the ondisk isize to (3 * PAGESIZE).
4. Writeback gets scheduled for page 1, creating ioend B. ioend B describes a
write within the on-disk isize so we do not allocate setfilesize transaction.
5. ioend A and B complete and are sorted into the per-inode ioend completion
list. xfs_ioend_try_merge looks at ioend A, sees that ioend A has a
setfilesize transaction and that there's an ioend B that can be merged with A.
6. _try_merge tries to call xfs_setfilesize_ioend(ioend B, -1) to cancel ioend
B's transaction, but as we saw in (4), ioend B has no transaction and crashes.
I wonder how hard it will be to write a regression test for this, since it
requires fairly tight timing?
Coincidentally, Christoph just posted "xfs: allow merging ioends over append
boundaries" which I think fixes this problem. Zorro, can you apply it and
retry?
--
You are receiving this mail because:
You are watching the assignee of the bug.
next prev parent reply other threads:[~2019-06-27 18:35 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-06-21 8:32 [Bug 203947] New: [xfstests generic/475]: general protection fault: 0000 [#1] RIP: 0010:xfs_setfilesize_ioend+0xb1/0x220 [xfs] bugzilla-daemon
2019-06-27 8:35 ` [Bug 203947] " bugzilla-daemon
2019-06-27 18:35 ` bugzilla-daemon [this message]
2019-06-27 18:35 ` bugzilla-daemon
2019-06-29 3:30 ` bugzilla-daemon
2019-06-29 3:46 ` bugzilla-daemon
2019-06-29 3:48 ` bugzilla-daemon
2019-06-29 16:07 ` bugzilla-daemon
2019-06-29 17:31 ` bugzilla-daemon
2019-06-29 17:35 ` bugzilla-daemon
2019-06-30 13:52 ` bugzilla-daemon
2019-07-09 4:30 ` bugzilla-daemon
2019-07-11 22:59 ` bugzilla-daemon
2019-07-12 4:27 ` bugzilla-daemon
2019-07-12 13:18 ` bugzilla-daemon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=bug-203947-201763-BIraDUAzxc@https.bugzilla.kernel.org/ \
--to=bugzilla-daemon@bugzilla.kernel.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).