linux

mirror of https://github.com/torvalds/linux synced 2024-10-03 01:43:05 +00:00

Find a file

Qu Wenruo f3a5367c67 btrfs: protect folio::private when attaching extent buffer folios [BUG] Since v6.8 there are rare kernel crashes reported by various people, the common factor is bad page status error messages like this: BUG: Bad page state in process kswapd0 pfn:d6e840 page: refcount:0 mapcount:0 mapping:000000007512f4f2 index:0x2796c2c7c pfn:0xd6e840 aops:btree_aops ino:1 flags: 0x17ffffe0000008(uptodate\|node=0\|zone=2\|lastcpupid=0x3fffff) page_type: 0xffffffff() raw: 0017ffffe0000008 dead000000000100 dead000000000122 ffff88826d0be4c0 raw: 00000002796c2c7c 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: non-NULL mapping [CAUSE] Commit `09e6cef19c` ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method") changes the sequence when allocating a new extent buffer. Previously we always called grab_extent_buffer() under mapping->i_private_lock, to ensure the safety on modification on folio::private (which is a pointer to extent buffer for regular sectorsize). This can lead to the following race: Thread A is trying to allocate an extent buffer at bytenr X, with 4 4K pages, meanwhile thread B is trying to release the page at X + 4K (the second page of the extent buffer at X). Thread A \| Thread B -----------------------------------+------------------------------------- \| btree_release_folio() \| \| This is for the page at X + 4K, \| \| Not page X. \| \| alloc_extent_buffer() \| \|- release_extent_buffer() \|- filemap_add_folio() for the \| \| \|- atomic_dec_and_test(eb->refs) \| page at bytenr X (the first \| \| \| \| page). \| \| \| \| Which returned -EEXIST. \| \| \| \| \| \| \| \|- filemap_lock_folio() \| \| \| \| Returned the first page locked. \| \| \| \| \| \| \| \|- grab_extent_buffer() \| \| \| \| \|- atomic_inc_not_zero() \| \| \| \| \| Returned false \| \| \| \| \|- folio_detach_private() \| \| \|- folio_detach_private() for X \| \|- folio_test_private() \| \| \|- folio_test_private() \| Returned true \| \| \| Returned true \|- folio_put() \| \|- folio_put() Now there are two puts on the same folio at folio X, leading to refcount underflow of the folio X, and eventually causing the BUG_ON() on the page->mapping. The condition is not that easy to hit: - The release must be triggered for the middle page of an eb If the release is on the same first page of an eb, page lock would kick in and prevent the race. - folio_detach_private() has a very small race window It's only between folio_test_private() and folio_clear_private(). That's exactly when mapping->i_private_lock is used to prevent such race, and commit `09e6cef19c` ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method") screwed that up. At that time, I thought the page lock would kick in as filemap_release_folio() also requires the page to be locked, but forgot the filemap_release_folio() only locks one page, not all pages of an extent buffer. [FIX] Move all the code requiring i_private_lock into attach_eb_folio_to_filemap(), so that everything is done with proper lock protection. Furthermore to prevent future problems, add an extra lockdep_assert_locked() to ensure we're holding the proper lock. To reproducer that is able to hit the race (takes a few minutes with instrumented code inserting delays to alloc_extent_buffer()): #!/bin/sh drop_caches () { while(true); do echo 3 > /proc/sys/vm/drop_caches echo 1 > /proc/sys/vm/compact_memory done } run_tar () { while(true); do for x in `seq 1 80` ; do tar cf /dev/zero /mnt > /dev/null & done wait done } mkfs.btrfs -f -d single -m single /dev/vda mount -o noatime /dev/vda /mnt # create 200,000 files, 1K each ./simoop -n 200000 -E -f 1k /mnt drop_caches & (run_tar) Reported-by: Linus Torvalds <torvalds@linux-foundation.org> Link: https://lore.kernel.org/linux-btrfs/CAHk-=wgt362nGfScVOOii8cgKn2LVVHeOvOA7OBwg1OwbuJQcw@mail.gmail.com/ Reported-by: Mikhail Gavrilov <mikhail.v.gavrilov@gmail.com> Link: https://lore.kernel.org/lkml/CABXGCsPktcHQOvKTbPaTwegMExije=Gpgci5NW=hqORo-s7diA@mail.gmail.com/ Reported-by: Toralf Förster <toralf.foerster@gmx.de> Link: https://lore.kernel.org/linux-btrfs/e8b3311c-9a75-4903-907f-fc0f7a3fe423@gmx.de/ Reported-by: syzbot+f80b066392366b4af85e@syzkaller.appspotmail.com Fixes: `09e6cef19c` ("btrfs: refactor alloc_extent_buffer() to allocate-then-attach method") CC: stable@vger.kernel.org # 6.8+ CC: Chris Mason <clm@fb.com> Reviewed-by: Filipe Manana <fdmanana@suse.com> Reviewed-by: Josef Bacik <josef@toxicpanda.com> Signed-off-by: Qu Wenruo <wqu@suse.com> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>		2024-06-06 21:42:22 +02:00
arch	powerpc fixes for 6.9 #4	2024-05-05 10:44:04 -07:00
block	bio: Export bio_add_folio_nofail to modules	2024-05-07 21:31:10 +02:00
certs	This update includes the following changes:	2023-11-02 16:15:30 -10:00
crypto	This push fixes a regression that broke iwd as well as a divide by	2024-03-25 10:48:23 -07:00
Documentation	Char/Misc driver fixes for 6.9-rc7	2024-05-05 10:08:52 -07:00
drivers	Reapply "drm/qxl: simplify qxl_fence_wait"	2024-05-06 13:28:59 -07:00
fs	btrfs: protect folio::private when attaching extent buffer folios	2024-06-06 21:42:22 +02:00
include	btrfs: add tracepoints for extent map shrinker events	2024-05-07 21:31:07 +02:00
init	Rust fixes for v6.9	2024-04-27 12:11:55 -07:00
io_uring	io_uring/net: restore msg_control on sendzc retry	2024-04-08 21:48:41 -06:00
ipc	sysctl changes for v6.9-rc1	2024-03-18 14:59:13 -07:00
kernel	Fix suspicious RCU usage in __do_softirq().	2024-05-05 10:12:32 -07:00
lib	Char/Misc driver fixes for 6.9-rc7	2024-05-05 10:08:52 -07:00
LICENSES	LICENSES: Add the copyleft-next-0.3.1 license	2022-11-08 15:44:01 +01:00
mm	mm/slub: avoid zeroing outside-object freepointer for single free	2024-05-01 17:28:56 +02:00
net	Including fixes from bpf.	2024-05-02 08:51:47 -07:00
rust	rust: remove `params` from `module` macro example	2024-04-25 17:34:33 +02:00
samples	Tracing updates for 6.9:	2024-03-18 15:11:44 -07:00
scripts	Rust fixes for v6.9	2024-04-27 12:11:55 -07:00
security	security: Place security_path_post_mknod() where the original IMA call was	2024-04-03 10:21:32 -07:00
sound	ALSA: hda/realtek: Fix build error without CONFIG_PM	2024-05-02 08:25:06 +02:00
tools	cxl fix for v6.9-rc7	2024-05-03 16:21:05 -07:00
usr	Kbuild updates for v6.8	2024-01-18 17:57:07 -08:00
virt	KVM: Drop unused @may_block param from gfn_to_pfn_cache_invalidate_start()	2024-04-11 12:58:53 -07:00
.clang-format	clang-format: Update with v6.7-rc4's `for_each` macro list	2023-12-08 23:54:38 +01:00
.cocciconfig
.editorconfig	Add .editorconfig file for basic formatting	2023-12-28 16:22:47 +09:00
.get_maintainer.ignore	Add Jeff Kirsher to .get_maintainer.ignore	2024-03-08 11:36:54 +00:00
.gitattributes	.gitattributes: set diff driver for Rust source code files	2023-05-31 17:48:25 +02:00
.gitignore	kbuild: create a list of all built DTB files	2024-02-19 18:20:39 +09:00
.mailmap	bpf-for-netdev	2024-04-26 17:36:53 -07:00
.rustfmt.toml	rust: add `.rustfmt.toml`	2022-09-28 09:02:20 +02:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Drop Gustavo Pimentel as PCI DWC Maintainer	2024-03-27 13:41:02 -05:00
Kbuild	Kbuild updates for v6.1	2022-10-10 12:00:45 -07:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	Including fixes from bpf.	2024-05-02 08:51:47 -07:00
Makefile	Linux 6.9-rc7	2024-05-05 14:06:01 -07:00
README	README: Fix spelling	2024-03-18 03:36:32 -06:00

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the reStructuredText markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.