From: Vivek Goyal <vgoyal@redhat.com>
To: Jerome Marchand <jmarchan@redhat.com>
Cc: Jens Axboe <jaxboe@fusionio.com>,
Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Yasuaki Ishimatsu <isimatu.yasuaki@jp.fujitsu.com>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] block: fix accounting bug on cross partition merges
Date: Thu, 23 Dec 2010 10:39:15 -0500 [thread overview]
Message-ID: <20101223153915.GE9502@redhat.com> (raw)
In-Reply-To: <4D13664C.3020500@redhat.com>
On Thu, Dec 23, 2010 at 04:10:04PM +0100, Jerome Marchand wrote:
> On 12/17/2010 08:06 PM, Jens Axboe wrote:
> > On 2010-12-17 14:42, Jerome Marchand wrote:
> >>
> >> /proc/diskstats would display a strange output as follows.
> >
> > [snip]
> >
> > This looks a lot better! One comment:
> >
> >> diff --git a/block/blk-core.c b/block/blk-core.c
> >> index 4ce953f..064921d 100644
> >> --- a/block/blk-core.c
> >> +++ b/block/blk-core.c
> >> @@ -64,13 +64,16 @@ static void drive_stat_acct(struct request *rq, int new_io)
> >> return;
> >>
> >> cpu = part_stat_lock();
> >> - part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
> >>
> >> - if (!new_io)
> >> + if (!new_io) {
> >> + part = rq->part;
> >> part_stat_inc(cpu, part, merges[rw]);
> >> - else {
> >> + } else {
> >> + part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
> >> part_round_stats(cpu, part);
> >> part_inc_in_flight(part, rw);
> >> + kref_get(&part->ref);
> >> + rq->part = part;
> >> }
> >>
> >> part_stat_unlock();
> >
> > I don't think this is completely safe. The rcu lock is held due to the
> > part_stat_lock(), but that only prevents the __delete_partition()
> > callback from happening. Lets say you have this:
> >
> > CPU0 CPU1
> > part = disk_map_sector_rcu()
> > kref_put(part); <- now 0
>
> A kref_get(part) happens here, or am I missing something?
It might happen that kref_get(part) is called after kref_put() has been
called and reference has reached 0 and and delete_parition() call has
been scheduled as soon as rcu grace period is over. So if you do
kref_get() after that, it is not going to help.
> If we use an atomic kref_test_and_get() function, which only increment the
> refcount if it's not zero, we would be safe. If kref_test_and_get() fails,
> we can cache rq->rq_disk->part0 instead. See my drafty patch below.
Conceptually it kind of makes sense to me. So if even if we get the
pointer to partition under rcu_read_lock(), we will not account the IO
to partition if it is going away.
>
> > part_stat_unlock()
> > __delete_partition();
> > ...
> > delete_partition_rcu_cb();
> > merge, or endio, boom
> >
> > Now rq has ->part pointing to freed memory, later merges or end
> > accounting will touch freed memory.
> >
> > I think we can fix this by just having delete_partition_rcu_rb() check
> > the reference count and return if non-zero. Since someone holds a
> > reference to the table, they will drop it and we'll re-schedule the rcu
> > callback.
> >
> >
>
>
> ---
>
> diff --git a/block/blk-core.c b/block/blk-core.c
> index 4ce953f..72d12d2 100644
> --- a/block/blk-core.c
> +++ b/block/blk-core.c
> @@ -64,13 +64,21 @@ static void drive_stat_acct(struct request *rq, int new_io)
> return;
>
> cpu = part_stat_lock();
> - part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
>
> - if (!new_io)
> + if (!new_io) {
> + part = rq->part;
> part_stat_inc(cpu, part, merges[rw]);
> - else {
> + } else {
> + part = disk_map_sector_rcu(rq->rq_disk, blk_rq_pos(rq));
> + if(part->partno && !kref_test_and_get(&part->ref))
> + /*
Do we have to check this part->partno both while taking and releasing
reference. Can't we take one extra reference for disk->part0, at
alloc_disk_node() time so that it is never freed and only freed when
disk is going away and gendisk is being freed.
That way, you don't have to differentiate between disk->part0 and rest
of the partitions while taking or dropping references.
Thanks
Vivek
> + * The partition is already being removed,
> + * the request will be accounted on the disk only
> + */
> + part = &rq->rq_disk->part0;
> part_round_stats(cpu, part);
> part_inc_in_flight(part, rw);
> + rq->part = part;
> }
>
> part_stat_unlock();
> @@ -128,6 +136,7 @@ void blk_rq_init(struct request_queue *q, struct request *rq)
> rq->ref_count = 1;
> rq->start_time = jiffies;
> set_start_time_ns(rq);
> + rq->part = NULL;
> }
> EXPORT_SYMBOL(blk_rq_init);
>
> @@ -1776,7 +1785,7 @@ static void blk_account_io_completion(struct request *req, unsigned int bytes)
> int cpu;
>
> cpu = part_stat_lock();
> - part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
> + part = req->part;
> part_stat_add(cpu, part, sectors[rw], bytes >> 9);
> part_stat_unlock();
> }
> @@ -1796,13 +1805,15 @@ static void blk_account_io_done(struct request *req)
> int cpu;
>
> cpu = part_stat_lock();
> - part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
> + part = req->part;
>
> part_stat_inc(cpu, part, ios[rw]);
> part_stat_add(cpu, part, ticks[rw], duration);
> part_round_stats(cpu, part);
> part_dec_in_flight(part, rw);
>
> + if (part->partno)
> + kref_put(&part->ref, __delete_partition);
> part_stat_unlock();
> }
> }
> diff --git a/block/blk-merge.c b/block/blk-merge.c
> index 77b7c26..3334578 100644
> --- a/block/blk-merge.c
> +++ b/block/blk-merge.c
> @@ -351,11 +351,13 @@ static void blk_account_io_merge(struct request *req)
> int cpu;
>
> cpu = part_stat_lock();
> - part = disk_map_sector_rcu(req->rq_disk, blk_rq_pos(req));
> + part = req->part;
>
> part_round_stats(cpu, part);
> part_dec_in_flight(part, rq_data_dir(req));
>
> + if (part->partno)
> + kref_put(&part->ref, __delete_partition);
> part_stat_unlock();
> }
> }
> diff --git a/block/genhd.c b/block/genhd.c
> index 5fa2b44..0c55eae 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -1192,6 +1192,7 @@ struct gendisk *alloc_disk_node(int minors, int node_id)
> return NULL;
> }
> disk->part_tbl->part[0] = &disk->part0;
> + kref_init(&disk->part0.ref);
>
> disk->minors = minors;
> rand_initialize_disk(disk);
> diff --git a/fs/partitions/check.c b/fs/partitions/check.c
> index 0a8b0ad..0123717 100644
> --- a/fs/partitions/check.c
> +++ b/fs/partitions/check.c
> @@ -372,6 +372,13 @@ static void delete_partition_rcu_cb(struct rcu_head *head)
> put_device(part_to_dev(part));
> }
>
> +void __delete_partition(struct kref *ref)
> +{
> + struct hd_struct *part = container_of(ref, struct hd_struct, ref);
> +
> + call_rcu(&part->rcu_head, delete_partition_rcu_cb);
> +}
> +
> void delete_partition(struct gendisk *disk, int partno)
> {
> struct disk_part_tbl *ptbl = disk->part_tbl;
> @@ -390,7 +397,7 @@ void delete_partition(struct gendisk *disk, int partno)
> kobject_put(part->holder_dir);
> device_del(part_to_dev(part));
>
> - call_rcu(&part->rcu_head, delete_partition_rcu_cb);
> + kref_put(&part->ref, __delete_partition);
> }
>
> static ssize_t whole_disk_show(struct device *dev,
> @@ -489,6 +496,7 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno,
> if (!dev_get_uevent_suppress(ddev))
> kobject_uevent(&pdev->kobj, KOBJ_ADD);
>
> + kref_init(&p->ref);
> return p;
>
> out_free_info:
> diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
> index aae86fd..482a7fd 100644
> --- a/include/linux/blkdev.h
> +++ b/include/linux/blkdev.h
> @@ -115,6 +115,7 @@ struct request {
> void *elevator_private3;
>
> struct gendisk *rq_disk;
> + struct hd_struct *part;
> unsigned long start_time;
> #ifdef CONFIG_BLK_CGROUP
> unsigned long long start_time_ns;
> diff --git a/include/linux/genhd.h b/include/linux/genhd.h
> index 7a7b9c1..2ba2792 100644
> --- a/include/linux/genhd.h
> +++ b/include/linux/genhd.h
> @@ -116,6 +116,7 @@ struct hd_struct {
> struct disk_stats dkstats;
> #endif
> struct rcu_head rcu_head;
> + struct kref ref;
> };
>
> #define GENHD_FL_REMOVABLE 1
> @@ -583,6 +584,7 @@ extern struct hd_struct * __must_check add_partition(struct gendisk *disk,
> sector_t len, int flags,
> struct partition_meta_info
> *info);
> +extern void __delete_partition(struct kref *ref);
> extern void delete_partition(struct gendisk *, int);
> extern void printk_all_partitions(void);
>
> diff --git a/include/linux/kref.h b/include/linux/kref.h
> index 6cc38fc..90b9e44 100644
> --- a/include/linux/kref.h
> +++ b/include/linux/kref.h
> @@ -23,6 +23,7 @@ struct kref {
>
> void kref_init(struct kref *kref);
> void kref_get(struct kref *kref);
> +int kref_test_and_get(struct kref *kref);
> int kref_put(struct kref *kref, void (*release) (struct kref *kref));
>
> #endif /* _KREF_H_ */
> diff --git a/lib/kref.c b/lib/kref.c
> index d3d227a..5f663b9 100644
> --- a/lib/kref.c
> +++ b/lib/kref.c
> @@ -37,6 +37,22 @@ void kref_get(struct kref *kref)
> }
>
> /**
> + * kref_test_and_get - increment refcount for object only if refcount is not
> + * zero.
> + * @kref: object.
> + *
> + * Return non-zero if the refcount was incremented, 0 otherwise
> + */
> +int kref_test_and_get(struct kref *kref)
> +{
> + int ret;
> + smp_mb__before_atomic_inc();
> + ret = atomic_inc_not_zero(&kref->refcount);
> + smp_mb__after_atomic_inc();
> + return ret;
> +}
> +
> +/**
> * kref_put - decrement refcount for object.
> * @kref: object.
> * @release: pointer to the function that will clean up the object when the
next prev parent reply other threads:[~2010-12-23 15:39 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-06 9:44 [PATCH 1/2] Don't merge different partition's IOs Yasuaki Ishimatsu
2010-12-06 16:08 ` Linus Torvalds
2010-12-07 7:18 ` Satoru Takeuchi
2010-12-07 18:39 ` Vivek Goyal
2010-12-08 7:33 ` Jens Axboe
2010-12-08 7:59 ` Satoru Takeuchi
2010-12-08 8:06 ` Jens Axboe
2010-12-08 8:11 ` Satoru Takeuchi
2010-12-08 14:46 ` Jens Axboe
2010-12-08 15:51 ` Vivek Goyal
2010-12-08 15:58 ` Vivek Goyal
2010-12-10 11:22 ` Jerome Marchand
2010-12-10 16:12 ` Jerome Marchand
2010-12-10 16:55 ` Vivek Goyal
2010-12-14 20:25 ` Jens Axboe
2010-12-17 13:42 ` [PATCH] block: fix accounting bug on cross partition merges Jerome Marchand
2010-12-17 19:06 ` Jens Axboe
2010-12-17 22:32 ` Vivek Goyal
2010-12-23 15:10 ` Jerome Marchand
2010-12-23 15:39 ` Vivek Goyal [this message]
2010-12-23 17:04 ` Jerome Marchand
2010-12-24 19:29 ` Vivek Goyal
2011-01-04 15:52 ` [PATCH 1/2] kref: add kref_test_and_get Jerome Marchand
2011-01-04 15:55 ` [PATCH 2/2] block: fix accounting bug on cross partition merges Jerome Marchand
2011-01-04 21:00 ` Greg KH
2011-01-05 13:51 ` Jerome Marchand
2011-01-05 16:00 ` Greg KH
2011-01-05 16:19 ` Jerome Marchand
2011-01-05 16:27 ` Greg KH
2011-01-05 13:55 ` Jens Axboe
2011-01-05 15:58 ` Greg KH
2011-01-05 18:46 ` Jens Axboe
2011-01-05 20:08 ` Greg KH
2011-01-05 21:38 ` Jens Axboe
2011-01-05 22:16 ` Greg KH
2011-01-06 9:46 ` Jens Axboe
2011-01-05 14:00 ` Jens Axboe
2011-01-05 14:09 ` Jerome Marchand
2011-01-05 14:17 ` Jens Axboe
2011-01-04 16:05 ` [PATCH 1/2] kref: add kref_test_and_get Eric Dumazet
2011-01-05 15:02 ` [PATCH 1/2 v2] " Jerome Marchand
2011-01-05 15:43 ` Alexey Dobriyan
2011-01-05 15:57 ` Greg KH
2011-01-05 15:56 ` Greg KH
2011-01-04 20:57 ` [PATCH 1/2] " Greg KH
2011-01-05 13:35 ` Jerome Marchand
2011-01-05 15:55 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101223153915.GE9502@redhat.com \
--to=vgoyal@redhat.com \
--cc=isimatu.yasuaki@jp.fujitsu.com \
--cc=jaxboe@fusionio.com \
--cc=jmarchan@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=takeuchi_satoru@jp.fujitsu.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox