2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2006-06-09 12:48:12 +08:00
|
|
|
* Copyright (c) 2000-2006 Silicon Graphics, Inc.
|
2005-11-02 11:58:39 +08:00
|
|
|
* All Rights Reserved.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2005-11-02 11:58:39 +08:00
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
* modify it under the terms of the GNU General Public License as
|
2005-04-17 06:20:36 +08:00
|
|
|
* published by the Free Software Foundation.
|
|
|
|
*
|
2005-11-02 11:58:39 +08:00
|
|
|
* This program is distributed in the hope that it would be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2005-11-02 11:58:39 +08:00
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
* along with this program; if not, write the Free Software Foundation,
|
|
|
|
* Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2007-11-23 13:30:51 +08:00
|
|
|
#include <linux/log2.h>
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "xfs.h"
|
2005-11-02 11:38:42 +08:00
|
|
|
#include "xfs_fs.h"
|
2013-10-23 07:36:05 +08:00
|
|
|
#include "xfs_shared.h"
|
2013-10-23 07:50:10 +08:00
|
|
|
#include "xfs_format.h"
|
|
|
|
#include "xfs_log_format.h"
|
|
|
|
#include "xfs_trans_resv.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "xfs_sb.h"
|
|
|
|
#include "xfs_mount.h"
|
2013-10-23 07:51:50 +08:00
|
|
|
#include "xfs_inode.h"
|
2013-10-15 06:17:51 +08:00
|
|
|
#include "xfs_da_format.h"
|
2013-08-12 18:49:45 +08:00
|
|
|
#include "xfs_da_btree.h"
|
|
|
|
#include "xfs_dir2.h"
|
2005-11-02 11:38:42 +08:00
|
|
|
#include "xfs_attr_sf.h"
|
2013-08-12 18:49:45 +08:00
|
|
|
#include "xfs_attr.h"
|
2013-10-23 07:50:10 +08:00
|
|
|
#include "xfs_trans_space.h"
|
|
|
|
#include "xfs_trans.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "xfs_buf_item.h"
|
2005-11-02 11:38:42 +08:00
|
|
|
#include "xfs_inode_item.h"
|
|
|
|
#include "xfs_ialloc.h"
|
|
|
|
#include "xfs_bmap.h"
|
2013-08-12 18:49:42 +08:00
|
|
|
#include "xfs_bmap_util.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
#include "xfs_error.h"
|
|
|
|
#include "xfs_quota.h"
|
2007-07-11 09:09:12 +08:00
|
|
|
#include "xfs_filestream.h"
|
2013-04-03 13:11:17 +08:00
|
|
|
#include "xfs_cksum.h"
|
2009-12-15 07:14:59 +08:00
|
|
|
#include "xfs_trace.h"
|
2012-10-08 18:56:11 +08:00
|
|
|
#include "xfs_icache.h"
|
2013-08-12 18:49:45 +08:00
|
|
|
#include "xfs_symlink.h"
|
2013-10-23 07:50:10 +08:00
|
|
|
#include "xfs_trans_priv.h"
|
|
|
|
#include "xfs_log.h"
|
2013-10-23 07:51:50 +08:00
|
|
|
#include "xfs_bmap_btree.h"
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
kmem_zone_t *xfs_inode_zone;
|
|
|
|
|
|
|
|
/*
|
2011-07-08 20:34:34 +08:00
|
|
|
* Used in xfs_itruncate_extents(). This is the maximum number of extents
|
2005-04-17 06:20:36 +08:00
|
|
|
* freed from a file in a single transaction.
|
|
|
|
*/
|
|
|
|
#define XFS_ITRUNC_MAX_EXTENTS 2
|
|
|
|
|
|
|
|
STATIC int xfs_iflush_int(xfs_inode_t *, xfs_buf_t *);
|
|
|
|
|
2013-12-18 08:22:41 +08:00
|
|
|
STATIC int xfs_iunlink_remove(xfs_trans_t *, xfs_inode_t *);
|
|
|
|
|
2012-04-23 13:59:02 +08:00
|
|
|
/*
|
|
|
|
* helper function to extract extent size hint from inode
|
|
|
|
*/
|
|
|
|
xfs_extlen_t
|
|
|
|
xfs_get_extsz_hint(
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
{
|
|
|
|
if ((ip->i_d.di_flags & XFS_DIFLAG_EXTSIZE) && ip->i_d.di_extsize)
|
|
|
|
return ip->i_d.di_extsize;
|
|
|
|
if (XFS_IS_REALTIME_INODE(ip))
|
|
|
|
return ip->i_mount->m_sb.sb_rextsize;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
/*
|
2013-12-18 18:14:39 +08:00
|
|
|
* These two are wrapper routines around the xfs_ilock() routine used to
|
|
|
|
* centralize some grungy code. They are used in places that wish to lock the
|
|
|
|
* inode solely for reading the extents. The reason these places can't just
|
|
|
|
* call xfs_ilock(ip, XFS_ILOCK_SHARED) is that the inode lock also guards to
|
|
|
|
* bringing in of the extents from disk for a file in b-tree format. If the
|
|
|
|
* inode is in b-tree format, then we need to lock the inode exclusively until
|
|
|
|
* the extents are read in. Locking it exclusively all the time would limit
|
|
|
|
* our parallelism unnecessarily, though. What we do instead is check to see
|
|
|
|
* if the extents have been read in yet, and only lock the inode exclusively
|
|
|
|
* if they have not.
|
2012-10-08 18:56:10 +08:00
|
|
|
*
|
2013-12-18 18:14:39 +08:00
|
|
|
* The functions return a value which should be given to the corresponding
|
2013-12-07 04:30:08 +08:00
|
|
|
* xfs_iunlock() call.
|
2012-10-08 18:56:10 +08:00
|
|
|
*/
|
|
|
|
uint
|
2013-12-07 04:30:09 +08:00
|
|
|
xfs_ilock_data_map_shared(
|
|
|
|
struct xfs_inode *ip)
|
2012-10-08 18:56:10 +08:00
|
|
|
{
|
2013-12-07 04:30:09 +08:00
|
|
|
uint lock_mode = XFS_ILOCK_SHARED;
|
2012-10-08 18:56:10 +08:00
|
|
|
|
2013-12-07 04:30:09 +08:00
|
|
|
if (ip->i_d.di_format == XFS_DINODE_FMT_BTREE &&
|
|
|
|
(ip->i_df.if_flags & XFS_IFEXTENTS) == 0)
|
2012-10-08 18:56:10 +08:00
|
|
|
lock_mode = XFS_ILOCK_EXCL;
|
|
|
|
xfs_ilock(ip, lock_mode);
|
|
|
|
return lock_mode;
|
|
|
|
}
|
|
|
|
|
2013-12-18 18:14:39 +08:00
|
|
|
uint
|
|
|
|
xfs_ilock_attr_map_shared(
|
|
|
|
struct xfs_inode *ip)
|
2012-10-08 18:56:10 +08:00
|
|
|
{
|
2013-12-18 18:14:39 +08:00
|
|
|
uint lock_mode = XFS_ILOCK_SHARED;
|
|
|
|
|
|
|
|
if (ip->i_d.di_aformat == XFS_DINODE_FMT_BTREE &&
|
|
|
|
(ip->i_afp->if_flags & XFS_IFEXTENTS) == 0)
|
|
|
|
lock_mode = XFS_ILOCK_EXCL;
|
|
|
|
xfs_ilock(ip, lock_mode);
|
|
|
|
return lock_mode;
|
2012-10-08 18:56:10 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2015-02-23 18:43:37 +08:00
|
|
|
* The xfs inode contains 3 multi-reader locks: the i_iolock the i_mmap_lock and
|
|
|
|
* the i_lock. This routine allows various combinations of the locks to be
|
|
|
|
* obtained.
|
2012-10-08 18:56:10 +08:00
|
|
|
*
|
2015-02-23 18:43:37 +08:00
|
|
|
* The 3 locks should always be ordered so that the IO lock is obtained first,
|
|
|
|
* the mmap lock second and the ilock last in order to prevent deadlock.
|
2012-10-08 18:56:10 +08:00
|
|
|
*
|
2015-02-23 18:43:37 +08:00
|
|
|
* Basic locking order:
|
|
|
|
*
|
|
|
|
* i_iolock -> i_mmap_lock -> page_lock -> i_ilock
|
|
|
|
*
|
|
|
|
* mmap_sem locking order:
|
|
|
|
*
|
|
|
|
* i_iolock -> page lock -> mmap_sem
|
|
|
|
* mmap_sem -> i_mmap_lock -> page_lock
|
|
|
|
*
|
|
|
|
* The difference in mmap_sem locking order mean that we cannot hold the
|
|
|
|
* i_mmap_lock over syscall based read(2)/write(2) based IO. These IO paths can
|
|
|
|
* fault in pages during copy in/out (for buffered IO) or require the mmap_sem
|
|
|
|
* in get_user_pages() to map the user pages into the kernel address space for
|
|
|
|
* direct IO. Similarly the i_iolock cannot be taken inside a page fault because
|
|
|
|
* page faults already hold the mmap_sem.
|
|
|
|
*
|
|
|
|
* Hence to serialise fully against both syscall and mmap based IO, we need to
|
|
|
|
* take both the i_iolock and the i_mmap_lock. These locks should *only* be both
|
|
|
|
* taken in places where we need to invalidate the page cache in a race
|
|
|
|
* free manner (e.g. truncate, hole punch and other extent manipulation
|
|
|
|
* functions).
|
2012-10-08 18:56:10 +08:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
xfs_ilock(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
uint lock_flags)
|
|
|
|
{
|
|
|
|
trace_xfs_ilock(ip, lock_flags, _RET_IP_);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* You can't set both SHARED and EXCL for the same lock,
|
|
|
|
* and only XFS_IOLOCK_SHARED, XFS_IOLOCK_EXCL, XFS_ILOCK_SHARED,
|
|
|
|
* and XFS_ILOCK_EXCL are valid values to set in lock_flags.
|
|
|
|
*/
|
|
|
|
ASSERT((lock_flags & (XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL)) !=
|
|
|
|
(XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL));
|
2015-02-23 18:43:37 +08:00
|
|
|
ASSERT((lock_flags & (XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL)) !=
|
|
|
|
(XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL));
|
2012-10-08 18:56:10 +08:00
|
|
|
ASSERT((lock_flags & (XFS_ILOCK_SHARED | XFS_ILOCK_EXCL)) !=
|
|
|
|
(XFS_ILOCK_SHARED | XFS_ILOCK_EXCL));
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT((lock_flags & ~(XFS_LOCK_MASK | XFS_LOCK_SUBCLASS_MASK)) == 0);
|
2012-10-08 18:56:10 +08:00
|
|
|
|
|
|
|
if (lock_flags & XFS_IOLOCK_EXCL)
|
|
|
|
mrupdate_nested(&ip->i_iolock, XFS_IOLOCK_DEP(lock_flags));
|
|
|
|
else if (lock_flags & XFS_IOLOCK_SHARED)
|
|
|
|
mraccess_nested(&ip->i_iolock, XFS_IOLOCK_DEP(lock_flags));
|
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_flags & XFS_MMAPLOCK_EXCL)
|
|
|
|
mrupdate_nested(&ip->i_mmaplock, XFS_MMAPLOCK_DEP(lock_flags));
|
|
|
|
else if (lock_flags & XFS_MMAPLOCK_SHARED)
|
|
|
|
mraccess_nested(&ip->i_mmaplock, XFS_MMAPLOCK_DEP(lock_flags));
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & XFS_ILOCK_EXCL)
|
|
|
|
mrupdate_nested(&ip->i_lock, XFS_ILOCK_DEP(lock_flags));
|
|
|
|
else if (lock_flags & XFS_ILOCK_SHARED)
|
|
|
|
mraccess_nested(&ip->i_lock, XFS_ILOCK_DEP(lock_flags));
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is just like xfs_ilock(), except that the caller
|
|
|
|
* is guaranteed not to sleep. It returns 1 if it gets
|
|
|
|
* the requested locks and 0 otherwise. If the IO lock is
|
|
|
|
* obtained but the inode lock cannot be, then the IO lock
|
|
|
|
* is dropped before returning.
|
|
|
|
*
|
|
|
|
* ip -- the inode being locked
|
|
|
|
* lock_flags -- this parameter indicates the inode's locks to be
|
|
|
|
* to be locked. See the comment for xfs_ilock() for a list
|
|
|
|
* of valid values.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_ilock_nowait(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
uint lock_flags)
|
|
|
|
{
|
|
|
|
trace_xfs_ilock_nowait(ip, lock_flags, _RET_IP_);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* You can't set both SHARED and EXCL for the same lock,
|
|
|
|
* and only XFS_IOLOCK_SHARED, XFS_IOLOCK_EXCL, XFS_ILOCK_SHARED,
|
|
|
|
* and XFS_ILOCK_EXCL are valid values to set in lock_flags.
|
|
|
|
*/
|
|
|
|
ASSERT((lock_flags & (XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL)) !=
|
|
|
|
(XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL));
|
2015-02-23 18:43:37 +08:00
|
|
|
ASSERT((lock_flags & (XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL)) !=
|
|
|
|
(XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL));
|
2012-10-08 18:56:10 +08:00
|
|
|
ASSERT((lock_flags & (XFS_ILOCK_SHARED | XFS_ILOCK_EXCL)) !=
|
|
|
|
(XFS_ILOCK_SHARED | XFS_ILOCK_EXCL));
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT((lock_flags & ~(XFS_LOCK_MASK | XFS_LOCK_SUBCLASS_MASK)) == 0);
|
2012-10-08 18:56:10 +08:00
|
|
|
|
|
|
|
if (lock_flags & XFS_IOLOCK_EXCL) {
|
|
|
|
if (!mrtryupdate(&ip->i_iolock))
|
|
|
|
goto out;
|
|
|
|
} else if (lock_flags & XFS_IOLOCK_SHARED) {
|
|
|
|
if (!mrtryaccess(&ip->i_iolock))
|
|
|
|
goto out;
|
|
|
|
}
|
2015-02-23 18:43:37 +08:00
|
|
|
|
|
|
|
if (lock_flags & XFS_MMAPLOCK_EXCL) {
|
|
|
|
if (!mrtryupdate(&ip->i_mmaplock))
|
|
|
|
goto out_undo_iolock;
|
|
|
|
} else if (lock_flags & XFS_MMAPLOCK_SHARED) {
|
|
|
|
if (!mrtryaccess(&ip->i_mmaplock))
|
|
|
|
goto out_undo_iolock;
|
|
|
|
}
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & XFS_ILOCK_EXCL) {
|
|
|
|
if (!mrtryupdate(&ip->i_lock))
|
2015-02-23 18:43:37 +08:00
|
|
|
goto out_undo_mmaplock;
|
2012-10-08 18:56:10 +08:00
|
|
|
} else if (lock_flags & XFS_ILOCK_SHARED) {
|
|
|
|
if (!mrtryaccess(&ip->i_lock))
|
2015-02-23 18:43:37 +08:00
|
|
|
goto out_undo_mmaplock;
|
2012-10-08 18:56:10 +08:00
|
|
|
}
|
|
|
|
return 1;
|
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
out_undo_mmaplock:
|
|
|
|
if (lock_flags & XFS_MMAPLOCK_EXCL)
|
|
|
|
mrunlock_excl(&ip->i_mmaplock);
|
|
|
|
else if (lock_flags & XFS_MMAPLOCK_SHARED)
|
|
|
|
mrunlock_shared(&ip->i_mmaplock);
|
|
|
|
out_undo_iolock:
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & XFS_IOLOCK_EXCL)
|
|
|
|
mrunlock_excl(&ip->i_iolock);
|
|
|
|
else if (lock_flags & XFS_IOLOCK_SHARED)
|
|
|
|
mrunlock_shared(&ip->i_iolock);
|
2015-02-23 18:43:37 +08:00
|
|
|
out:
|
2012-10-08 18:56:10 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* xfs_iunlock() is used to drop the inode locks acquired with
|
|
|
|
* xfs_ilock() and xfs_ilock_nowait(). The caller must pass
|
|
|
|
* in the flags given to xfs_ilock() or xfs_ilock_nowait() so
|
|
|
|
* that we know which locks to drop.
|
|
|
|
*
|
|
|
|
* ip -- the inode being unlocked
|
|
|
|
* lock_flags -- this parameter indicates the inode's locks to be
|
|
|
|
* to be unlocked. See the comment for xfs_ilock() for a list
|
|
|
|
* of valid values for this parameter.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
xfs_iunlock(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
uint lock_flags)
|
|
|
|
{
|
|
|
|
/*
|
|
|
|
* You can't set both SHARED and EXCL for the same lock,
|
|
|
|
* and only XFS_IOLOCK_SHARED, XFS_IOLOCK_EXCL, XFS_ILOCK_SHARED,
|
|
|
|
* and XFS_ILOCK_EXCL are valid values to set in lock_flags.
|
|
|
|
*/
|
|
|
|
ASSERT((lock_flags & (XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL)) !=
|
|
|
|
(XFS_IOLOCK_SHARED | XFS_IOLOCK_EXCL));
|
2015-02-23 18:43:37 +08:00
|
|
|
ASSERT((lock_flags & (XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL)) !=
|
|
|
|
(XFS_MMAPLOCK_SHARED | XFS_MMAPLOCK_EXCL));
|
2012-10-08 18:56:10 +08:00
|
|
|
ASSERT((lock_flags & (XFS_ILOCK_SHARED | XFS_ILOCK_EXCL)) !=
|
|
|
|
(XFS_ILOCK_SHARED | XFS_ILOCK_EXCL));
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT((lock_flags & ~(XFS_LOCK_MASK | XFS_LOCK_SUBCLASS_MASK)) == 0);
|
2012-10-08 18:56:10 +08:00
|
|
|
ASSERT(lock_flags != 0);
|
|
|
|
|
|
|
|
if (lock_flags & XFS_IOLOCK_EXCL)
|
|
|
|
mrunlock_excl(&ip->i_iolock);
|
|
|
|
else if (lock_flags & XFS_IOLOCK_SHARED)
|
|
|
|
mrunlock_shared(&ip->i_iolock);
|
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_flags & XFS_MMAPLOCK_EXCL)
|
|
|
|
mrunlock_excl(&ip->i_mmaplock);
|
|
|
|
else if (lock_flags & XFS_MMAPLOCK_SHARED)
|
|
|
|
mrunlock_shared(&ip->i_mmaplock);
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & XFS_ILOCK_EXCL)
|
|
|
|
mrunlock_excl(&ip->i_lock);
|
|
|
|
else if (lock_flags & XFS_ILOCK_SHARED)
|
|
|
|
mrunlock_shared(&ip->i_lock);
|
|
|
|
|
|
|
|
trace_xfs_iunlock(ip, lock_flags, _RET_IP_);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* give up write locks. the i/o lock cannot be held nested
|
|
|
|
* if it is being demoted.
|
|
|
|
*/
|
|
|
|
void
|
|
|
|
xfs_ilock_demote(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
uint lock_flags)
|
|
|
|
{
|
2015-02-23 18:43:37 +08:00
|
|
|
ASSERT(lock_flags & (XFS_IOLOCK_EXCL|XFS_MMAPLOCK_EXCL|XFS_ILOCK_EXCL));
|
|
|
|
ASSERT((lock_flags &
|
|
|
|
~(XFS_IOLOCK_EXCL|XFS_MMAPLOCK_EXCL|XFS_ILOCK_EXCL)) == 0);
|
2012-10-08 18:56:10 +08:00
|
|
|
|
|
|
|
if (lock_flags & XFS_ILOCK_EXCL)
|
|
|
|
mrdemote(&ip->i_lock);
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_flags & XFS_MMAPLOCK_EXCL)
|
|
|
|
mrdemote(&ip->i_mmaplock);
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & XFS_IOLOCK_EXCL)
|
|
|
|
mrdemote(&ip->i_iolock);
|
|
|
|
|
|
|
|
trace_xfs_ilock_demote(ip, lock_flags, _RET_IP_);
|
|
|
|
}
|
|
|
|
|
2013-04-30 19:39:34 +08:00
|
|
|
#if defined(DEBUG) || defined(XFS_WARN)
|
2012-10-08 18:56:10 +08:00
|
|
|
int
|
|
|
|
xfs_isilocked(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
uint lock_flags)
|
|
|
|
{
|
|
|
|
if (lock_flags & (XFS_ILOCK_EXCL|XFS_ILOCK_SHARED)) {
|
|
|
|
if (!(lock_flags & XFS_ILOCK_SHARED))
|
|
|
|
return !!ip->i_lock.mr_writer;
|
|
|
|
return rwsem_is_locked(&ip->i_lock.mr_lock);
|
|
|
|
}
|
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_flags & (XFS_MMAPLOCK_EXCL|XFS_MMAPLOCK_SHARED)) {
|
|
|
|
if (!(lock_flags & XFS_MMAPLOCK_SHARED))
|
|
|
|
return !!ip->i_mmaplock.mr_writer;
|
|
|
|
return rwsem_is_locked(&ip->i_mmaplock.mr_lock);
|
|
|
|
}
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
if (lock_flags & (XFS_IOLOCK_EXCL|XFS_IOLOCK_SHARED)) {
|
|
|
|
if (!(lock_flags & XFS_IOLOCK_SHARED))
|
|
|
|
return !!ip->i_iolock.mr_writer;
|
|
|
|
return rwsem_is_locked(&ip->i_iolock.mr_lock);
|
|
|
|
}
|
|
|
|
|
|
|
|
ASSERT(0);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
#ifdef DEBUG
|
|
|
|
int xfs_locked_n;
|
|
|
|
int xfs_small_retries;
|
|
|
|
int xfs_middle_retries;
|
|
|
|
int xfs_lots_retries;
|
|
|
|
int xfs_lock_delays;
|
|
|
|
#endif
|
|
|
|
|
2015-08-25 08:05:13 +08:00
|
|
|
/*
|
|
|
|
* xfs_lockdep_subclass_ok() is only used in an ASSERT, so is only called when
|
|
|
|
* DEBUG or XFS_WARN is set. And MAX_LOCKDEP_SUBCLASSES is then only defined
|
|
|
|
* when CONFIG_LOCKDEP is set. Hence the complex define below to avoid build
|
|
|
|
* errors and warnings.
|
|
|
|
*/
|
|
|
|
#if (defined(DEBUG) || defined(XFS_WARN)) && defined(CONFIG_LOCKDEP)
|
2015-08-20 07:27:49 +08:00
|
|
|
static bool
|
|
|
|
xfs_lockdep_subclass_ok(
|
|
|
|
int subclass)
|
|
|
|
{
|
|
|
|
return subclass < MAX_LOCKDEP_SUBCLASSES;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define xfs_lockdep_subclass_ok(subclass) (true)
|
|
|
|
#endif
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
/*
|
2015-02-23 18:43:37 +08:00
|
|
|
* Bump the subclass so xfs_lock_inodes() acquires each lock with a different
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
* value. This can be called for any type of inode lock combination, including
|
|
|
|
* parent locking. Care must be taken to ensure we don't overrun the subclass
|
|
|
|
* storage fields in the class mask we build.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
|
|
|
static inline int
|
|
|
|
xfs_lock_inumorder(int lock_mode, int subclass)
|
|
|
|
{
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
int class = 0;
|
|
|
|
|
|
|
|
ASSERT(!(lock_mode & (XFS_ILOCK_PARENT | XFS_ILOCK_RTBITMAP |
|
|
|
|
XFS_ILOCK_RTSUM)));
|
2015-08-20 07:27:49 +08:00
|
|
|
ASSERT(xfs_lockdep_subclass_ok(subclass));
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_mode & (XFS_IOLOCK_SHARED|XFS_IOLOCK_EXCL)) {
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT(subclass <= XFS_IOLOCK_MAX_SUBCLASS);
|
2015-08-20 07:27:49 +08:00
|
|
|
ASSERT(xfs_lockdep_subclass_ok(subclass +
|
|
|
|
XFS_IOLOCK_PARENT_VAL));
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
class += subclass << XFS_IOLOCK_SHIFT;
|
|
|
|
if (lock_mode & XFS_IOLOCK_PARENT)
|
|
|
|
class += XFS_IOLOCK_PARENT_VAL << XFS_IOLOCK_SHIFT;
|
2015-02-23 18:43:37 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (lock_mode & (XFS_MMAPLOCK_SHARED|XFS_MMAPLOCK_EXCL)) {
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT(subclass <= XFS_MMAPLOCK_MAX_SUBCLASS);
|
|
|
|
class += subclass << XFS_MMAPLOCK_SHIFT;
|
2015-02-23 18:43:37 +08:00
|
|
|
}
|
|
|
|
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
if (lock_mode & (XFS_ILOCK_SHARED|XFS_ILOCK_EXCL)) {
|
|
|
|
ASSERT(subclass <= XFS_ILOCK_MAX_SUBCLASS);
|
|
|
|
class += subclass << XFS_ILOCK_SHIFT;
|
|
|
|
}
|
2013-08-12 18:49:45 +08:00
|
|
|
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
return (lock_mode & ~XFS_LOCK_SUBCLASS_MASK) | class;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2015-03-25 11:03:32 +08:00
|
|
|
* The following routine will lock n inodes in exclusive mode. We assume the
|
|
|
|
* caller calls us with the inodes in i_ino order.
|
2013-08-12 18:49:45 +08:00
|
|
|
*
|
2015-03-25 11:03:32 +08:00
|
|
|
* We need to detect deadlock where an inode that we lock is in the AIL and we
|
|
|
|
* start waiting for another inode that is locked by a thread in a long running
|
|
|
|
* transaction (such as truncate). This can result in deadlock since the long
|
|
|
|
* running trans might need to wait for the inode we just locked in order to
|
|
|
|
* push the tail and free space in the log.
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
*
|
|
|
|
* xfs_lock_inodes() can only be used to lock one type of lock at a time -
|
|
|
|
* the iolock, the mmaplock or the ilock, but not more than one at a time. If we
|
|
|
|
* lock more than one at a time, lockdep will report false positives saying we
|
|
|
|
* have violated locking orders.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
xfs_lock_inodes(
|
|
|
|
xfs_inode_t **ips,
|
|
|
|
int inodes,
|
|
|
|
uint lock_mode)
|
|
|
|
{
|
|
|
|
int attempts = 0, i, j, try_lock;
|
|
|
|
xfs_log_item_t *lp;
|
|
|
|
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
/*
|
|
|
|
* Currently supports between 2 and 5 inodes with exclusive locking. We
|
|
|
|
* support an arbitrary depth of locking here, but absolute limits on
|
|
|
|
* inodes depend on the the type of locking and the limits placed by
|
|
|
|
* lockdep annotations in xfs_lock_inumorder. These are all checked by
|
|
|
|
* the asserts.
|
|
|
|
*/
|
2015-03-25 11:03:32 +08:00
|
|
|
ASSERT(ips && inodes >= 2 && inodes <= 5);
|
xfs: clean up inode lockdep annotations
Lockdep annotations are a maintenance nightmare. Locking has to be
modified to suit the limitations of the annotations, and we're
always having to fix the annotations because they are unable to
express the complexity of locking heirarchies correctly.
So, next up, we've got more issues with lockdep annotations for
inode locking w.r.t. XFS_LOCK_PARENT:
- lockdep classes are exclusive and can't be ORed together
to form new classes.
- IOLOCK needs multiple PARENT subclasses to express the
changes needed for the readdir locking rework needed to
stop the endless flow of lockdep false positives involving
readdir calling filldir under the ILOCK.
- there are only 8 unique lockdep subclasses available,
so we can't create a generic solution.
IOWs we need to treat the 3-bit space available to each lock type
differently:
- IOLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 IOLOCK subclasses
- at least 2 IOLOCK_PARENT subclasses
- MMAPLOCK uses xfs_lock_two_inodes(), so needs:
- at least 2 MMAPLOCK subclasses
- ILOCK uses xfs_lock_inodes with up to 5 inodes, so needs:
- at least 5 ILOCK subclasses
- one ILOCK_PARENT subclass
- one RTBITMAP subclass
- one RTSUM subclass
For the IOLOCK, split the space into two sets of subclasses.
For the MMAPLOCK, just use half the space for the one subclass to
match the non-parent lock classes of the IOLOCK.
For the ILOCK, use 0-4 as the ILOCK subclasses, 5-7 for the
remaining individual subclasses.
Because they are now all different, modify xfs_lock_inumorder() to
handle the nested subclasses, and to assert fail if passed an
invalid subclass. Further, annotate xfs_lock_inodes() to assert fail
if an invalid combination of lock primitives and inode counts are
passed that would result in a lockdep subclass annotation overflow.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:32:49 +08:00
|
|
|
ASSERT(lock_mode & (XFS_IOLOCK_EXCL | XFS_MMAPLOCK_EXCL |
|
|
|
|
XFS_ILOCK_EXCL));
|
|
|
|
ASSERT(!(lock_mode & (XFS_IOLOCK_SHARED | XFS_MMAPLOCK_SHARED |
|
|
|
|
XFS_ILOCK_SHARED)));
|
|
|
|
ASSERT(!(lock_mode & XFS_IOLOCK_EXCL) ||
|
|
|
|
inodes <= XFS_IOLOCK_MAX_SUBCLASS + 1);
|
|
|
|
ASSERT(!(lock_mode & XFS_MMAPLOCK_EXCL) ||
|
|
|
|
inodes <= XFS_MMAPLOCK_MAX_SUBCLASS + 1);
|
|
|
|
ASSERT(!(lock_mode & XFS_ILOCK_EXCL) ||
|
|
|
|
inodes <= XFS_ILOCK_MAX_SUBCLASS + 1);
|
|
|
|
|
|
|
|
if (lock_mode & XFS_IOLOCK_EXCL) {
|
|
|
|
ASSERT(!(lock_mode & (XFS_MMAPLOCK_EXCL | XFS_ILOCK_EXCL)));
|
|
|
|
} else if (lock_mode & XFS_MMAPLOCK_EXCL)
|
|
|
|
ASSERT(!(lock_mode & XFS_ILOCK_EXCL));
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
try_lock = 0;
|
|
|
|
i = 0;
|
|
|
|
again:
|
|
|
|
for (; i < inodes; i++) {
|
|
|
|
ASSERT(ips[i]);
|
|
|
|
|
2015-03-25 11:03:32 +08:00
|
|
|
if (i && (ips[i] == ips[i - 1])) /* Already locked */
|
2013-08-12 18:49:45 +08:00
|
|
|
continue;
|
|
|
|
|
|
|
|
/*
|
2015-03-25 11:03:32 +08:00
|
|
|
* If try_lock is not set yet, make sure all locked inodes are
|
|
|
|
* not in the AIL. If any are, set try_lock to be used later.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
|
|
|
if (!try_lock) {
|
|
|
|
for (j = (i - 1); j >= 0 && !try_lock; j--) {
|
|
|
|
lp = (xfs_log_item_t *)ips[j]->i_itemp;
|
2015-03-25 11:03:32 +08:00
|
|
|
if (lp && (lp->li_flags & XFS_LI_IN_AIL))
|
2013-08-12 18:49:45 +08:00
|
|
|
try_lock++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If any of the previous locks we have locked is in the AIL,
|
|
|
|
* we must TRY to get the second and subsequent locks. If
|
|
|
|
* we can't get any, we must release all we have
|
|
|
|
* and try again.
|
|
|
|
*/
|
2015-03-25 11:03:32 +08:00
|
|
|
if (!try_lock) {
|
|
|
|
xfs_ilock(ips[i], xfs_lock_inumorder(lock_mode, i));
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/* try_lock means we have an inode locked that is in the AIL. */
|
|
|
|
ASSERT(i != 0);
|
|
|
|
if (xfs_ilock_nowait(ips[i], xfs_lock_inumorder(lock_mode, i)))
|
|
|
|
continue;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2015-03-25 11:03:32 +08:00
|
|
|
/*
|
|
|
|
* Unlock all previous guys and try again. xfs_iunlock will try
|
|
|
|
* to push the tail if the inode is in the AIL.
|
|
|
|
*/
|
|
|
|
attempts++;
|
|
|
|
for (j = i - 1; j >= 0; j--) {
|
2013-08-12 18:49:45 +08:00
|
|
|
/*
|
2015-03-25 11:03:32 +08:00
|
|
|
* Check to see if we've already unlocked this one. Not
|
|
|
|
* the first one going back, and the inode ptr is the
|
|
|
|
* same.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
2015-03-25 11:03:32 +08:00
|
|
|
if (j != (i - 1) && ips[j] == ips[j + 1])
|
|
|
|
continue;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2015-03-25 11:03:32 +08:00
|
|
|
xfs_iunlock(ips[j], lock_mode);
|
|
|
|
}
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2015-03-25 11:03:32 +08:00
|
|
|
if ((attempts % 5) == 0) {
|
|
|
|
delay(1); /* Don't just spin the CPU */
|
2013-08-12 18:49:45 +08:00
|
|
|
#ifdef DEBUG
|
2015-03-25 11:03:32 +08:00
|
|
|
xfs_lock_delays++;
|
2013-08-12 18:49:45 +08:00
|
|
|
#endif
|
|
|
|
}
|
2015-03-25 11:03:32 +08:00
|
|
|
i = 0;
|
|
|
|
try_lock = 0;
|
|
|
|
goto again;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef DEBUG
|
|
|
|
if (attempts) {
|
|
|
|
if (attempts < 5) xfs_small_retries++;
|
|
|
|
else if (attempts < 100) xfs_middle_retries++;
|
|
|
|
else xfs_lots_retries++;
|
|
|
|
} else {
|
|
|
|
xfs_locked_n++;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2015-02-23 18:43:37 +08:00
|
|
|
* xfs_lock_two_inodes() can only be used to lock one type of lock at a time -
|
|
|
|
* the iolock, the mmaplock or the ilock, but not more than one at a time. If we
|
|
|
|
* lock more than one at a time, lockdep will report false positives saying we
|
|
|
|
* have violated locking orders.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
|
|
|
void
|
|
|
|
xfs_lock_two_inodes(
|
|
|
|
xfs_inode_t *ip0,
|
|
|
|
xfs_inode_t *ip1,
|
|
|
|
uint lock_mode)
|
|
|
|
{
|
|
|
|
xfs_inode_t *temp;
|
|
|
|
int attempts = 0;
|
|
|
|
xfs_log_item_t *lp;
|
|
|
|
|
2015-02-23 18:43:37 +08:00
|
|
|
if (lock_mode & (XFS_IOLOCK_SHARED|XFS_IOLOCK_EXCL)) {
|
|
|
|
ASSERT(!(lock_mode & (XFS_MMAPLOCK_SHARED|XFS_MMAPLOCK_EXCL)));
|
|
|
|
ASSERT(!(lock_mode & (XFS_ILOCK_SHARED|XFS_ILOCK_EXCL)));
|
|
|
|
} else if (lock_mode & (XFS_MMAPLOCK_SHARED|XFS_MMAPLOCK_EXCL))
|
|
|
|
ASSERT(!(lock_mode & (XFS_ILOCK_SHARED|XFS_ILOCK_EXCL)));
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
ASSERT(ip0->i_ino != ip1->i_ino);
|
|
|
|
|
|
|
|
if (ip0->i_ino > ip1->i_ino) {
|
|
|
|
temp = ip0;
|
|
|
|
ip0 = ip1;
|
|
|
|
ip1 = temp;
|
|
|
|
}
|
|
|
|
|
|
|
|
again:
|
|
|
|
xfs_ilock(ip0, xfs_lock_inumorder(lock_mode, 0));
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the first lock we have locked is in the AIL, we must TRY to get
|
|
|
|
* the second lock. If we can't get it, we must release the first one
|
|
|
|
* and try again.
|
|
|
|
*/
|
|
|
|
lp = (xfs_log_item_t *)ip0->i_itemp;
|
|
|
|
if (lp && (lp->li_flags & XFS_LI_IN_AIL)) {
|
|
|
|
if (!xfs_ilock_nowait(ip1, xfs_lock_inumorder(lock_mode, 1))) {
|
|
|
|
xfs_iunlock(ip0, lock_mode);
|
|
|
|
if ((++attempts % 5) == 0)
|
|
|
|
delay(1); /* Don't just spin the CPU */
|
|
|
|
goto again;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
xfs_ilock(ip1, xfs_lock_inumorder(lock_mode, 1));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2012-10-08 18:56:10 +08:00
|
|
|
void
|
|
|
|
__xfs_iflock(
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
{
|
|
|
|
wait_queue_head_t *wq = bit_waitqueue(&ip->i_flags, __XFS_IFLOCK_BIT);
|
|
|
|
DEFINE_WAIT_BIT(wait, &ip->i_flags, __XFS_IFLOCK_BIT);
|
|
|
|
|
|
|
|
do {
|
|
|
|
prepare_to_wait_exclusive(wq, &wait.wait, TASK_UNINTERRUPTIBLE);
|
|
|
|
if (xfs_isiflocked(ip))
|
|
|
|
io_schedule();
|
|
|
|
} while (!xfs_iflock_nowait(ip));
|
|
|
|
|
|
|
|
finish_wait(wq, &wait.wait);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
STATIC uint
|
|
|
|
_xfs_dic2xflags(
|
|
|
|
__uint16_t di_flags)
|
|
|
|
{
|
|
|
|
uint flags = 0;
|
|
|
|
|
|
|
|
if (di_flags & XFS_DIFLAG_ANY) {
|
|
|
|
if (di_flags & XFS_DIFLAG_REALTIME)
|
|
|
|
flags |= XFS_XFLAG_REALTIME;
|
|
|
|
if (di_flags & XFS_DIFLAG_PREALLOC)
|
|
|
|
flags |= XFS_XFLAG_PREALLOC;
|
|
|
|
if (di_flags & XFS_DIFLAG_IMMUTABLE)
|
|
|
|
flags |= XFS_XFLAG_IMMUTABLE;
|
|
|
|
if (di_flags & XFS_DIFLAG_APPEND)
|
|
|
|
flags |= XFS_XFLAG_APPEND;
|
|
|
|
if (di_flags & XFS_DIFLAG_SYNC)
|
|
|
|
flags |= XFS_XFLAG_SYNC;
|
|
|
|
if (di_flags & XFS_DIFLAG_NOATIME)
|
|
|
|
flags |= XFS_XFLAG_NOATIME;
|
|
|
|
if (di_flags & XFS_DIFLAG_NODUMP)
|
|
|
|
flags |= XFS_XFLAG_NODUMP;
|
|
|
|
if (di_flags & XFS_DIFLAG_RTINHERIT)
|
|
|
|
flags |= XFS_XFLAG_RTINHERIT;
|
|
|
|
if (di_flags & XFS_DIFLAG_PROJINHERIT)
|
|
|
|
flags |= XFS_XFLAG_PROJINHERIT;
|
|
|
|
if (di_flags & XFS_DIFLAG_NOSYMLINKS)
|
|
|
|
flags |= XFS_XFLAG_NOSYMLINKS;
|
2006-01-11 12:28:28 +08:00
|
|
|
if (di_flags & XFS_DIFLAG_EXTSIZE)
|
|
|
|
flags |= XFS_XFLAG_EXTSIZE;
|
|
|
|
if (di_flags & XFS_DIFLAG_EXTSZINHERIT)
|
|
|
|
flags |= XFS_XFLAG_EXTSZINHERIT;
|
2006-06-09 12:54:19 +08:00
|
|
|
if (di_flags & XFS_DIFLAG_NODEFRAG)
|
|
|
|
flags |= XFS_XFLAG_NODEFRAG;
|
2007-07-11 09:09:12 +08:00
|
|
|
if (di_flags & XFS_DIFLAG_FILESTREAM)
|
|
|
|
flags |= XFS_XFLAG_FILESTREAM;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
return flags;
|
|
|
|
}
|
|
|
|
|
|
|
|
uint
|
|
|
|
xfs_ip2xflags(
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
2007-08-28 11:57:51 +08:00
|
|
|
xfs_icdinode_t *dic = &ip->i_d;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2006-06-09 15:12:17 +08:00
|
|
|
return _xfs_dic2xflags(dic->di_flags) |
|
2007-12-07 11:07:20 +08:00
|
|
|
(XFS_IFORK_Q(ip) ? XFS_XFLAG_HASATTR : 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
uint
|
|
|
|
xfs_dic2xflags(
|
2007-12-07 11:07:20 +08:00
|
|
|
xfs_dinode_t *dip)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-11-28 11:23:39 +08:00
|
|
|
return _xfs_dic2xflags(be16_to_cpu(dip->di_flags)) |
|
2007-12-07 11:07:20 +08:00
|
|
|
(XFS_DFORK_Q(dip) ? XFS_XFLAG_HASATTR : 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
/*
|
|
|
|
* Lookups up an inode from "name". If ci_name is not NULL, then a CI match
|
|
|
|
* is allowed, otherwise it has to be an exact match. If a CI match is found,
|
|
|
|
* ci_name->name will point to a the actual name (caller must free) or
|
|
|
|
* will be set to NULL if an exact match is found.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_lookup(
|
|
|
|
xfs_inode_t *dp,
|
|
|
|
struct xfs_name *name,
|
|
|
|
xfs_inode_t **ipp,
|
|
|
|
struct xfs_name *ci_name)
|
|
|
|
{
|
|
|
|
xfs_ino_t inum;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
trace_xfs_lookup(dp, name);
|
|
|
|
|
|
|
|
if (XFS_FORCED_SHUTDOWN(dp->i_mount))
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EIO;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_ilock(dp, XFS_IOLOCK_SHARED);
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_dir_lookup(NULL, dp, name, &inum, ci_name);
|
|
|
|
if (error)
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
goto out_unlock;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
error = xfs_iget(dp->i_mount, NULL, inum, 0, 0, ipp);
|
|
|
|
if (error)
|
|
|
|
goto out_free_name;
|
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_iunlock(dp, XFS_IOLOCK_SHARED);
|
2013-08-12 18:49:45 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_free_name:
|
|
|
|
if (ci_name)
|
|
|
|
kmem_free(ci_name->name);
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
out_unlock:
|
|
|
|
xfs_iunlock(dp, XFS_IOLOCK_SHARED);
|
2013-08-12 18:49:45 +08:00
|
|
|
*ipp = NULL;
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Allocate an inode on disk and return a copy of its in-core version.
|
|
|
|
* The in-core inode is locked exclusively. Set mode, nlink, and rdev
|
|
|
|
* appropriately within the inode. The uid and gid for the inode are
|
|
|
|
* set according to the contents of the given cred structure.
|
|
|
|
*
|
|
|
|
* Use xfs_dialloc() to allocate the on-disk inode. If xfs_dialloc()
|
2012-10-20 22:08:19 +08:00
|
|
|
* has a free inode available, call xfs_iget() to obtain the in-core
|
|
|
|
* version of the allocated inode. Finally, fill in the inode and
|
|
|
|
* log its initial contents. In this case, ialloc_context would be
|
|
|
|
* set to NULL.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2012-10-20 22:08:19 +08:00
|
|
|
* If xfs_dialloc() does not have an available inode, it will replenish
|
|
|
|
* its supply by doing an allocation. Since we can only do one
|
|
|
|
* allocation within a transaction without deadlocks, we must commit
|
|
|
|
* the current transaction before returning the inode itself.
|
|
|
|
* In this case, therefore, we will set ialloc_context and return.
|
2005-04-17 06:20:36 +08:00
|
|
|
* The caller should then commit the current transaction, start a new
|
|
|
|
* transaction, and call xfs_ialloc() again to actually get the inode.
|
|
|
|
*
|
|
|
|
* To ensure that some other process does not grab the inode that
|
|
|
|
* was allocated during the first call to xfs_ialloc(), this routine
|
|
|
|
* also returns the [locked] bp pointing to the head of the freelist
|
|
|
|
* as ialloc_context. The caller should hold this buffer across
|
|
|
|
* the commit and pass it back into this routine on the second call.
|
2007-07-11 09:09:33 +08:00
|
|
|
*
|
|
|
|
* If we are allocating quota inodes, we do not have a parent inode
|
|
|
|
* to attach to or associate with (i.e. pip == NULL) because they
|
|
|
|
* are not linked into the directory structure - they are attached
|
|
|
|
* directly to the superblock - and so have no parent.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_ialloc(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *pip,
|
2011-07-26 14:50:15 +08:00
|
|
|
umode_t mode,
|
2005-05-06 04:25:00 +08:00
|
|
|
xfs_nlink_t nlink,
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_dev_t rdev,
|
2010-09-26 14:10:18 +08:00
|
|
|
prid_t prid,
|
2005-04-17 06:20:36 +08:00
|
|
|
int okalloc,
|
|
|
|
xfs_buf_t **ialloc_context,
|
|
|
|
xfs_inode_t **ipp)
|
|
|
|
{
|
2013-04-03 13:11:17 +08:00
|
|
|
struct xfs_mount *mp = tp->t_mountp;
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_ino_t ino;
|
|
|
|
xfs_inode_t *ip;
|
|
|
|
uint flags;
|
|
|
|
int error;
|
2014-10-02 07:18:13 +08:00
|
|
|
struct timespec tv;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Call the space management code to pick
|
|
|
|
* the on-disk inode to be allocated.
|
|
|
|
*/
|
2007-07-11 09:09:33 +08:00
|
|
|
error = xfs_dialloc(tp, pip ? pip->i_ino : 0, mode, okalloc,
|
2012-07-04 22:54:47 +08:00
|
|
|
ialloc_context, &ino);
|
2008-10-30 14:36:14 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
2012-07-04 22:54:47 +08:00
|
|
|
if (*ialloc_context || ino == NULLFSINO) {
|
2005-04-17 06:20:36 +08:00
|
|
|
*ipp = NULL;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
ASSERT(*ialloc_context == NULL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get the in-core inode with the lock held exclusively.
|
|
|
|
* This is because we're setting fields here we need
|
|
|
|
* to prevent others from looking at until we're done.
|
|
|
|
*/
|
2013-04-03 13:11:17 +08:00
|
|
|
error = xfs_iget(mp, tp, ino, XFS_IGET_CREATE,
|
2011-02-13 21:26:42 +08:00
|
|
|
XFS_ILOCK_EXCL, &ip);
|
2008-10-30 14:36:14 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
ASSERT(ip != NULL);
|
|
|
|
|
2014-05-20 05:46:40 +08:00
|
|
|
/*
|
|
|
|
* We always convert v1 inodes to v2 now - we only support filesystems
|
|
|
|
* with >= v2 inode capability, so there is no reason for ever leaving
|
|
|
|
* an inode in v1 format.
|
|
|
|
*/
|
|
|
|
if (ip->i_d.di_version == 1)
|
|
|
|
ip->i_d.di_version = 2;
|
|
|
|
|
2011-07-26 14:50:15 +08:00
|
|
|
ip->i_d.di_mode = mode;
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_onlink = 0;
|
|
|
|
ip->i_d.di_nlink = nlink;
|
|
|
|
ASSERT(ip->i_d.di_nlink == nlink);
|
2013-08-16 02:08:01 +08:00
|
|
|
ip->i_d.di_uid = xfs_kuid_to_uid(current_fsuid());
|
|
|
|
ip->i_d.di_gid = xfs_kgid_to_gid(current_fsgid());
|
2010-09-26 14:10:18 +08:00
|
|
|
xfs_set_projid(ip, prid);
|
2005-04-17 06:20:36 +08:00
|
|
|
memset(&(ip->i_d.di_pad[0]), 0, sizeof(ip->i_d.di_pad));
|
|
|
|
|
2007-08-30 15:21:12 +08:00
|
|
|
if (pip && XFS_INHERIT_GID(pip)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_gid = pip->i_d.di_gid;
|
2011-07-26 14:31:30 +08:00
|
|
|
if ((pip->i_d.di_mode & S_ISGID) && S_ISDIR(mode)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_mode |= S_ISGID;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the group ID of the new file does not match the effective group
|
|
|
|
* ID or one of the supplementary group IDs, the S_ISGID bit is cleared
|
|
|
|
* (and only if the irix_sgid_inherit compatibility variable is set).
|
|
|
|
*/
|
|
|
|
if ((irix_sgid_inherit) &&
|
|
|
|
(ip->i_d.di_mode & S_ISGID) &&
|
2013-08-16 02:08:01 +08:00
|
|
|
(!in_group_p(xfs_gid_to_kgid(ip->i_d.di_gid)))) {
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_mode &= ~S_ISGID;
|
|
|
|
}
|
|
|
|
|
|
|
|
ip->i_d.di_size = 0;
|
|
|
|
ip->i_d.di_nextents = 0;
|
|
|
|
ASSERT(ip->i_d.di_nblocks == 0);
|
2008-08-13 14:44:15 +08:00
|
|
|
|
2014-10-02 07:18:13 +08:00
|
|
|
tv = current_fs_time(mp->m_super);
|
2008-08-13 14:44:15 +08:00
|
|
|
ip->i_d.di_mtime.t_sec = (__int32_t)tv.tv_sec;
|
|
|
|
ip->i_d.di_mtime.t_nsec = (__int32_t)tv.tv_nsec;
|
|
|
|
ip->i_d.di_atime = ip->i_d.di_mtime;
|
|
|
|
ip->i_d.di_ctime = ip->i_d.di_mtime;
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* di_gen will have been taken care of in xfs_iread.
|
|
|
|
*/
|
|
|
|
ip->i_d.di_extsize = 0;
|
|
|
|
ip->i_d.di_dmevmask = 0;
|
|
|
|
ip->i_d.di_dmstate = 0;
|
|
|
|
ip->i_d.di_flags = 0;
|
2013-04-03 13:11:17 +08:00
|
|
|
|
|
|
|
if (ip->i_d.di_version == 3) {
|
|
|
|
ASSERT(ip->i_d.di_ino == ino);
|
2015-08-19 08:31:18 +08:00
|
|
|
ASSERT(uuid_equal(&ip->i_d.di_uuid, &mp->m_sb.sb_meta_uuid));
|
2013-04-03 13:11:17 +08:00
|
|
|
ip->i_d.di_crc = 0;
|
|
|
|
ip->i_d.di_changecount = 1;
|
|
|
|
ip->i_d.di_lsn = 0;
|
|
|
|
ip->i_d.di_flags2 = 0;
|
|
|
|
memset(&(ip->i_d.di_pad2[0]), 0, sizeof(ip->i_d.di_pad2));
|
|
|
|
ip->i_d.di_crtime = ip->i_d.di_mtime;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
flags = XFS_ILOG_CORE;
|
|
|
|
switch (mode & S_IFMT) {
|
|
|
|
case S_IFIFO:
|
|
|
|
case S_IFCHR:
|
|
|
|
case S_IFBLK:
|
|
|
|
case S_IFSOCK:
|
|
|
|
ip->i_d.di_format = XFS_DINODE_FMT_DEV;
|
|
|
|
ip->i_df.if_u2.if_rdev = rdev;
|
|
|
|
ip->i_df.if_flags = 0;
|
|
|
|
flags |= XFS_ILOG_DEV;
|
|
|
|
break;
|
|
|
|
case S_IFREG:
|
|
|
|
case S_IFDIR:
|
2007-07-11 09:09:33 +08:00
|
|
|
if (pip && (pip->i_d.di_flags & XFS_DIFLAG_ANY)) {
|
2005-06-21 13:39:12 +08:00
|
|
|
uint di_flags = 0;
|
|
|
|
|
2011-07-26 14:31:30 +08:00
|
|
|
if (S_ISDIR(mode)) {
|
2005-06-21 13:39:12 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_RTINHERIT)
|
|
|
|
di_flags |= XFS_DIFLAG_RTINHERIT;
|
2006-01-11 12:28:28 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_EXTSZINHERIT) {
|
|
|
|
di_flags |= XFS_DIFLAG_EXTSZINHERIT;
|
|
|
|
ip->i_d.di_extsize = pip->i_d.di_extsize;
|
|
|
|
}
|
2014-10-02 07:18:40 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_PROJINHERIT)
|
|
|
|
di_flags |= XFS_DIFLAG_PROJINHERIT;
|
2011-07-26 14:31:30 +08:00
|
|
|
} else if (S_ISREG(mode)) {
|
2007-10-11 15:44:08 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_RTINHERIT)
|
2005-06-21 13:39:12 +08:00
|
|
|
di_flags |= XFS_DIFLAG_REALTIME;
|
2006-01-11 12:28:28 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_EXTSZINHERIT) {
|
|
|
|
di_flags |= XFS_DIFLAG_EXTSIZE;
|
|
|
|
ip->i_d.di_extsize = pip->i_d.di_extsize;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
if ((pip->i_d.di_flags & XFS_DIFLAG_NOATIME) &&
|
|
|
|
xfs_inherit_noatime)
|
2005-06-21 13:39:12 +08:00
|
|
|
di_flags |= XFS_DIFLAG_NOATIME;
|
2005-04-17 06:20:36 +08:00
|
|
|
if ((pip->i_d.di_flags & XFS_DIFLAG_NODUMP) &&
|
|
|
|
xfs_inherit_nodump)
|
2005-06-21 13:39:12 +08:00
|
|
|
di_flags |= XFS_DIFLAG_NODUMP;
|
2005-04-17 06:20:36 +08:00
|
|
|
if ((pip->i_d.di_flags & XFS_DIFLAG_SYNC) &&
|
|
|
|
xfs_inherit_sync)
|
2005-06-21 13:39:12 +08:00
|
|
|
di_flags |= XFS_DIFLAG_SYNC;
|
2005-04-17 06:20:36 +08:00
|
|
|
if ((pip->i_d.di_flags & XFS_DIFLAG_NOSYMLINKS) &&
|
|
|
|
xfs_inherit_nosymlinks)
|
2005-06-21 13:39:12 +08:00
|
|
|
di_flags |= XFS_DIFLAG_NOSYMLINKS;
|
2006-06-09 12:54:19 +08:00
|
|
|
if ((pip->i_d.di_flags & XFS_DIFLAG_NODEFRAG) &&
|
|
|
|
xfs_inherit_nodefrag)
|
|
|
|
di_flags |= XFS_DIFLAG_NODEFRAG;
|
2007-07-11 09:09:12 +08:00
|
|
|
if (pip->i_d.di_flags & XFS_DIFLAG_FILESTREAM)
|
|
|
|
di_flags |= XFS_DIFLAG_FILESTREAM;
|
2005-06-21 13:39:12 +08:00
|
|
|
ip->i_d.di_flags |= di_flags;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
/* FALLTHROUGH */
|
|
|
|
case S_IFLNK:
|
|
|
|
ip->i_d.di_format = XFS_DINODE_FMT_EXTENTS;
|
|
|
|
ip->i_df.if_flags = XFS_IFEXTENTS;
|
|
|
|
ip->i_df.if_bytes = ip->i_df.if_real_bytes = 0;
|
|
|
|
ip->i_df.if_u1.if_extents = NULL;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
ASSERT(0);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Attribute fork settings for new inode.
|
|
|
|
*/
|
|
|
|
ip->i_d.di_aformat = XFS_DINODE_FMT_EXTENTS;
|
|
|
|
ip->i_d.di_anextents = 0;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Log the new values stuffed into the inode.
|
|
|
|
*/
|
2011-09-19 23:00:54 +08:00
|
|
|
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_log_inode(tp, ip, flags);
|
|
|
|
|
2015-02-23 19:38:08 +08:00
|
|
|
/* now that we have an i_mode we can setup the inode structure */
|
2008-08-13 14:23:13 +08:00
|
|
|
xfs_setup_inode(ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
*ipp = ip;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:47 +08:00
|
|
|
/*
|
|
|
|
* Allocates a new inode from disk and return a pointer to the
|
|
|
|
* incore copy. This routine will internally commit the current
|
|
|
|
* transaction and allocate a new one if the Space Manager needed
|
|
|
|
* to do an allocation to replenish the inode free-list.
|
|
|
|
*
|
|
|
|
* This routine is designed to be called from xfs_create and
|
|
|
|
* xfs_create_dir.
|
|
|
|
*
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_dir_ialloc(
|
|
|
|
xfs_trans_t **tpp, /* input: current transaction;
|
|
|
|
output: may be a new transaction. */
|
|
|
|
xfs_inode_t *dp, /* directory within whose allocate
|
|
|
|
the inode. */
|
|
|
|
umode_t mode,
|
|
|
|
xfs_nlink_t nlink,
|
|
|
|
xfs_dev_t rdev,
|
|
|
|
prid_t prid, /* project id */
|
|
|
|
int okalloc, /* ok to allocate new space */
|
|
|
|
xfs_inode_t **ipp, /* pointer to inode; it will be
|
|
|
|
locked. */
|
|
|
|
int *committed)
|
|
|
|
|
|
|
|
{
|
|
|
|
xfs_trans_t *tp;
|
|
|
|
xfs_inode_t *ip;
|
|
|
|
xfs_buf_t *ialloc_context = NULL;
|
|
|
|
int code;
|
|
|
|
void *dqinfo;
|
|
|
|
uint tflags;
|
|
|
|
|
|
|
|
tp = *tpp;
|
|
|
|
ASSERT(tp->t_flags & XFS_TRANS_PERM_LOG_RES);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* xfs_ialloc will return a pointer to an incore inode if
|
|
|
|
* the Space Manager has an available inode on the free
|
|
|
|
* list. Otherwise, it will do an allocation and replenish
|
|
|
|
* the freelist. Since we can only do one allocation per
|
|
|
|
* transaction without deadlocks, we will need to commit the
|
|
|
|
* current transaction and start a new one. We will then
|
|
|
|
* need to call xfs_ialloc again to get the inode.
|
|
|
|
*
|
|
|
|
* If xfs_ialloc did an allocation to replenish the freelist,
|
|
|
|
* it returns the bp containing the head of the freelist as
|
|
|
|
* ialloc_context. We will hold a lock on it across the
|
|
|
|
* transaction commit so that no other process can steal
|
|
|
|
* the inode(s) that we've just allocated.
|
|
|
|
*/
|
|
|
|
code = xfs_ialloc(tp, dp, mode, nlink, rdev, prid, okalloc,
|
|
|
|
&ialloc_context, &ip);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Return an error if we were unable to allocate a new inode.
|
|
|
|
* This should only happen if we run out of space on disk or
|
|
|
|
* encounter a disk error.
|
|
|
|
*/
|
|
|
|
if (code) {
|
|
|
|
*ipp = NULL;
|
|
|
|
return code;
|
|
|
|
}
|
|
|
|
if (!ialloc_context && !ip) {
|
|
|
|
*ipp = NULL;
|
2014-06-25 12:58:08 +08:00
|
|
|
return -ENOSPC;
|
2013-08-12 18:49:47 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If the AGI buffer is non-NULL, then we were unable to get an
|
|
|
|
* inode in one operation. We need to commit the current
|
|
|
|
* transaction and call xfs_ialloc() again. It is guaranteed
|
|
|
|
* to succeed the second time.
|
|
|
|
*/
|
|
|
|
if (ialloc_context) {
|
|
|
|
/*
|
|
|
|
* Normally, xfs_trans_commit releases all the locks.
|
|
|
|
* We call bhold to hang on to the ialloc_context across
|
|
|
|
* the commit. Holding this buffer prevents any other
|
|
|
|
* processes from doing any allocations in this
|
|
|
|
* allocation group.
|
|
|
|
*/
|
|
|
|
xfs_trans_bhold(tp, ialloc_context);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We want the quota changes to be associated with the next
|
|
|
|
* transaction, NOT this one. So, detach the dqinfo from this
|
|
|
|
* and attach it to the next transaction.
|
|
|
|
*/
|
|
|
|
dqinfo = NULL;
|
|
|
|
tflags = 0;
|
|
|
|
if (tp->t_dqinfo) {
|
|
|
|
dqinfo = (void *)tp->t_dqinfo;
|
|
|
|
tp->t_dqinfo = NULL;
|
|
|
|
tflags = tp->t_flags & XFS_TRANS_DQ_DIRTY;
|
|
|
|
tp->t_flags &= ~(XFS_TRANS_DQ_DIRTY);
|
|
|
|
}
|
|
|
|
|
2015-06-04 11:47:29 +08:00
|
|
|
code = xfs_trans_roll(&tp, 0);
|
|
|
|
if (committed != NULL)
|
2013-08-12 18:49:47 +08:00
|
|
|
*committed = 1;
|
2013-08-12 18:49:59 +08:00
|
|
|
|
2013-08-12 18:49:47 +08:00
|
|
|
/*
|
|
|
|
* Re-attach the quota info that we detached from prev trx.
|
|
|
|
*/
|
|
|
|
if (dqinfo) {
|
|
|
|
tp->t_dqinfo = dqinfo;
|
|
|
|
tp->t_flags |= tflags;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (code) {
|
|
|
|
xfs_buf_relse(ialloc_context);
|
2015-06-04 11:47:29 +08:00
|
|
|
*tpp = tp;
|
2013-08-12 18:49:47 +08:00
|
|
|
*ipp = NULL;
|
|
|
|
return code;
|
|
|
|
}
|
|
|
|
xfs_trans_bjoin(tp, ialloc_context);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Call ialloc again. Since we've locked out all
|
|
|
|
* other allocations in this allocation group,
|
|
|
|
* this call should always succeed.
|
|
|
|
*/
|
|
|
|
code = xfs_ialloc(tp, dp, mode, nlink, rdev, prid,
|
|
|
|
okalloc, &ialloc_context, &ip);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we get an error at this point, return to the caller
|
|
|
|
* so that the current transaction can be aborted.
|
|
|
|
*/
|
|
|
|
if (code) {
|
|
|
|
*tpp = tp;
|
|
|
|
*ipp = NULL;
|
|
|
|
return code;
|
|
|
|
}
|
|
|
|
ASSERT(!ialloc_context && ip);
|
|
|
|
|
|
|
|
} else {
|
|
|
|
if (committed != NULL)
|
|
|
|
*committed = 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
*ipp = ip;
|
|
|
|
*tpp = tp;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Decrement the link count on an inode & log the change.
|
|
|
|
* If this causes the link count to go to zero, initiate the
|
|
|
|
* logging activity required to truncate a file.
|
|
|
|
*/
|
|
|
|
int /* error */
|
|
|
|
xfs_droplink(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
int error;
|
|
|
|
|
|
|
|
xfs_trans_ichgtime(tp, ip, XFS_ICHGTIME_CHG);
|
|
|
|
|
|
|
|
ASSERT (ip->i_d.di_nlink > 0);
|
|
|
|
ip->i_d.di_nlink--;
|
|
|
|
drop_nlink(VFS_I(ip));
|
|
|
|
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
error = 0;
|
|
|
|
if (ip->i_d.di_nlink == 0) {
|
|
|
|
/*
|
|
|
|
* We're dropping the last link to this file.
|
|
|
|
* Move the on-disk inode to the AGI unlinked list.
|
|
|
|
* From xfs_inactive() we will pull the inode from
|
|
|
|
* the list and free it.
|
|
|
|
*/
|
|
|
|
error = xfs_iunlink(tp, ip);
|
|
|
|
}
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Increment the link count on an inode & log the change.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_bumplink(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
xfs_trans_ichgtime(tp, ip, XFS_ICHGTIME_CHG);
|
|
|
|
|
2014-05-20 05:46:40 +08:00
|
|
|
ASSERT(ip->i_d.di_version > 1);
|
2013-12-18 08:22:41 +08:00
|
|
|
ASSERT(ip->i_d.di_nlink > 0 || (VFS_I(ip)->i_state & I_LINKABLE));
|
2013-08-12 18:49:47 +08:00
|
|
|
ip->i_d.di_nlink++;
|
|
|
|
inc_nlink(VFS_I(ip));
|
|
|
|
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
int
|
|
|
|
xfs_create(
|
|
|
|
xfs_inode_t *dp,
|
|
|
|
struct xfs_name *name,
|
|
|
|
umode_t mode,
|
|
|
|
xfs_dev_t rdev,
|
|
|
|
xfs_inode_t **ipp)
|
|
|
|
{
|
|
|
|
int is_dir = S_ISDIR(mode);
|
|
|
|
struct xfs_mount *mp = dp->i_mount;
|
|
|
|
struct xfs_inode *ip = NULL;
|
|
|
|
struct xfs_trans *tp = NULL;
|
|
|
|
int error;
|
|
|
|
xfs_bmap_free_t free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
bool unlock_dp_on_error = false;
|
|
|
|
int committed;
|
|
|
|
prid_t prid;
|
|
|
|
struct xfs_dquot *udqp = NULL;
|
|
|
|
struct xfs_dquot *gdqp = NULL;
|
|
|
|
struct xfs_dquot *pdqp = NULL;
|
2014-11-28 11:00:16 +08:00
|
|
|
struct xfs_trans_res *tres;
|
2013-08-12 18:49:45 +08:00
|
|
|
uint resblks;
|
|
|
|
|
|
|
|
trace_xfs_create(dp, name);
|
|
|
|
|
|
|
|
if (XFS_FORCED_SHUTDOWN(mp))
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EIO;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2013-12-18 08:22:39 +08:00
|
|
|
prid = xfs_get_initial_prid(dp);
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Make sure that we have allocated dquot(s) on disk.
|
|
|
|
*/
|
2013-08-16 02:08:01 +08:00
|
|
|
error = xfs_qm_vop_dqalloc(dp, xfs_kuid_to_uid(current_fsuid()),
|
|
|
|
xfs_kgid_to_gid(current_fsgid()), prid,
|
2013-08-12 18:49:45 +08:00
|
|
|
XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
|
|
|
|
&udqp, &gdqp, &pdqp);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
if (is_dir) {
|
|
|
|
rdev = 0;
|
|
|
|
resblks = XFS_MKDIR_SPACE_RES(mp, name->len);
|
2014-11-28 11:00:16 +08:00
|
|
|
tres = &M_RES(mp)->tr_mkdir;
|
2013-08-12 18:49:45 +08:00
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_MKDIR);
|
|
|
|
} else {
|
|
|
|
resblks = XFS_CREATE_SPACE_RES(mp, name->len);
|
2014-11-28 11:00:16 +08:00
|
|
|
tres = &M_RES(mp)->tr_create;
|
2013-08-12 18:49:45 +08:00
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_CREATE);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Initially assume that the file does not exist and
|
|
|
|
* reserve the resources for that case. If that is not
|
|
|
|
* the case we'll drop the one we have and get a more
|
|
|
|
* appropriate transaction later.
|
|
|
|
*/
|
2014-11-28 11:00:16 +08:00
|
|
|
error = xfs_trans_reserve(tp, tres, resblks, 0);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-08-12 18:49:45 +08:00
|
|
|
/* flush outstanding delalloc blocks and retry */
|
|
|
|
xfs_flush_inodes(mp);
|
2014-11-28 11:00:16 +08:00
|
|
|
error = xfs_trans_reserve(tp, tres, resblks, 0);
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-08-12 18:49:45 +08:00
|
|
|
/* No space at all so try a "no-allocation" reservation */
|
|
|
|
resblks = 0;
|
2014-11-28 11:00:16 +08:00
|
|
|
error = xfs_trans_reserve(tp, tres, 0, 0);
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
2015-06-04 11:47:56 +08:00
|
|
|
if (error)
|
2013-08-12 18:49:45 +08:00
|
|
|
goto out_trans_cancel;
|
2015-06-04 11:47:56 +08:00
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_ilock(dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL |
|
|
|
|
XFS_IOLOCK_PARENT | XFS_ILOCK_PARENT);
|
2013-08-12 18:49:45 +08:00
|
|
|
unlock_dp_on_error = true;
|
|
|
|
|
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Reserve disk quota and the inode.
|
|
|
|
*/
|
|
|
|
error = xfs_trans_reserve_quota(tp, mp, udqp, gdqp,
|
|
|
|
pdqp, resblks, 1, 0);
|
|
|
|
if (error)
|
|
|
|
goto out_trans_cancel;
|
|
|
|
|
2014-09-09 09:57:52 +08:00
|
|
|
if (!resblks) {
|
|
|
|
error = xfs_dir_canenter(tp, dp, name);
|
|
|
|
if (error)
|
|
|
|
goto out_trans_cancel;
|
|
|
|
}
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* A newly created regular or special file just has one directory
|
|
|
|
* entry pointing to them, but a directory also the "." entry
|
|
|
|
* pointing to itself.
|
|
|
|
*/
|
|
|
|
error = xfs_dir_ialloc(&tp, dp, mode, is_dir ? 2 : 1, rdev,
|
|
|
|
prid, resblks > 0, &ip, &committed);
|
2015-07-29 09:52:08 +08:00
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Now we join the directory inode to the transaction. We do not do it
|
|
|
|
* earlier because xfs_dir_ialloc might commit the previous transaction
|
|
|
|
* (and release all the locks). An error from here on will result in
|
|
|
|
* the transaction cancel unlocking dp so don't do it explicitly in the
|
|
|
|
* error path.
|
|
|
|
*/
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_trans_ijoin(tp, dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:45 +08:00
|
|
|
unlock_dp_on_error = false;
|
|
|
|
|
|
|
|
error = xfs_dir_createname(tp, dp, name, ip->i_ino,
|
|
|
|
&first_block, &free_list, resblks ?
|
|
|
|
resblks - XFS_IALLOC_SPACE_RES(mp) : 0);
|
|
|
|
if (error) {
|
2014-06-25 12:58:08 +08:00
|
|
|
ASSERT(error != -ENOSPC);
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
xfs_trans_ichgtime(tp, dp, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
xfs_trans_log_inode(tp, dp, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
if (is_dir) {
|
|
|
|
error = xfs_dir_init(tp, ip, dp);
|
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
|
|
|
|
|
|
|
error = xfs_bumplink(tp, dp);
|
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If this is a synchronous mount, make sure that the
|
|
|
|
* create transaction goes to disk before returning to
|
|
|
|
* the user.
|
|
|
|
*/
|
|
|
|
if (mp->m_flags & (XFS_MOUNT_WSYNC|XFS_MOUNT_DIRSYNC))
|
|
|
|
xfs_trans_set_sync(tp);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Attach the dquot(s) to the inodes and modify them incore.
|
|
|
|
* These ids of the inode couldn't have changed since the new
|
|
|
|
* inode has been locked ever since it was created.
|
|
|
|
*/
|
|
|
|
xfs_qm_vop_create_dqattach(tp, ip, udqp, gdqp, pdqp);
|
|
|
|
|
|
|
|
error = xfs_bmap_finish(&tp, &free_list, &committed);
|
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
error = xfs_trans_commit(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
if (error)
|
|
|
|
goto out_release_inode;
|
|
|
|
|
|
|
|
xfs_qm_dqrele(udqp);
|
|
|
|
xfs_qm_dqrele(gdqp);
|
|
|
|
xfs_qm_dqrele(pdqp);
|
|
|
|
|
|
|
|
*ipp = ip;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_bmap_cancel:
|
|
|
|
xfs_bmap_cancel(&free_list);
|
|
|
|
out_trans_cancel:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
out_release_inode:
|
|
|
|
/*
|
2015-02-23 19:38:08 +08:00
|
|
|
* Wait until after the current transaction is aborted to finish the
|
|
|
|
* setup of the inode and release the inode. This prevents recursive
|
|
|
|
* transactions and deadlocks from xfs_inactive.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
2015-02-23 19:38:08 +08:00
|
|
|
if (ip) {
|
|
|
|
xfs_finish_inode_setup(ip);
|
2013-08-12 18:49:45 +08:00
|
|
|
IRELE(ip);
|
2015-02-23 19:38:08 +08:00
|
|
|
}
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
xfs_qm_dqrele(udqp);
|
|
|
|
xfs_qm_dqrele(gdqp);
|
|
|
|
xfs_qm_dqrele(pdqp);
|
|
|
|
|
|
|
|
if (unlock_dp_on_error)
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_iunlock(dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:45 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2013-12-18 08:22:40 +08:00
|
|
|
int
|
|
|
|
xfs_create_tmpfile(
|
|
|
|
struct xfs_inode *dp,
|
|
|
|
struct dentry *dentry,
|
2014-04-17 06:15:30 +08:00
|
|
|
umode_t mode,
|
|
|
|
struct xfs_inode **ipp)
|
2013-12-18 08:22:40 +08:00
|
|
|
{
|
|
|
|
struct xfs_mount *mp = dp->i_mount;
|
|
|
|
struct xfs_inode *ip = NULL;
|
|
|
|
struct xfs_trans *tp = NULL;
|
|
|
|
int error;
|
|
|
|
prid_t prid;
|
|
|
|
struct xfs_dquot *udqp = NULL;
|
|
|
|
struct xfs_dquot *gdqp = NULL;
|
|
|
|
struct xfs_dquot *pdqp = NULL;
|
|
|
|
struct xfs_trans_res *tres;
|
|
|
|
uint resblks;
|
|
|
|
|
|
|
|
if (XFS_FORCED_SHUTDOWN(mp))
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EIO;
|
2013-12-18 08:22:40 +08:00
|
|
|
|
|
|
|
prid = xfs_get_initial_prid(dp);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Make sure that we have allocated dquot(s) on disk.
|
|
|
|
*/
|
|
|
|
error = xfs_qm_vop_dqalloc(dp, xfs_kuid_to_uid(current_fsuid()),
|
|
|
|
xfs_kgid_to_gid(current_fsgid()), prid,
|
|
|
|
XFS_QMOPT_QUOTALL | XFS_QMOPT_INHERIT,
|
|
|
|
&udqp, &gdqp, &pdqp);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
resblks = XFS_IALLOC_SPACE_RES(mp);
|
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_CREATE_TMPFILE);
|
|
|
|
|
|
|
|
tres = &M_RES(mp)->tr_create_tmpfile;
|
|
|
|
error = xfs_trans_reserve(tp, tres, resblks, 0);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-12-18 08:22:40 +08:00
|
|
|
/* No space at all so try a "no-allocation" reservation */
|
|
|
|
resblks = 0;
|
|
|
|
error = xfs_trans_reserve(tp, tres, 0, 0);
|
|
|
|
}
|
2015-06-04 11:47:56 +08:00
|
|
|
if (error)
|
2013-12-18 08:22:40 +08:00
|
|
|
goto out_trans_cancel;
|
|
|
|
|
|
|
|
error = xfs_trans_reserve_quota(tp, mp, udqp, gdqp,
|
|
|
|
pdqp, resblks, 1, 0);
|
|
|
|
if (error)
|
|
|
|
goto out_trans_cancel;
|
|
|
|
|
|
|
|
error = xfs_dir_ialloc(&tp, dp, mode, 1, 0,
|
|
|
|
prid, resblks > 0, &ip, NULL);
|
2015-07-29 09:52:08 +08:00
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_trans_cancel;
|
2013-12-18 08:22:40 +08:00
|
|
|
|
|
|
|
if (mp->m_flags & XFS_MOUNT_WSYNC)
|
|
|
|
xfs_trans_set_sync(tp);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Attach the dquot(s) to the inodes and modify them incore.
|
|
|
|
* These ids of the inode couldn't have changed since the new
|
|
|
|
* inode has been locked ever since it was created.
|
|
|
|
*/
|
|
|
|
xfs_qm_vop_create_dqattach(tp, ip, udqp, gdqp, pdqp);
|
|
|
|
|
|
|
|
ip->i_d.di_nlink--;
|
|
|
|
error = xfs_iunlink(tp, ip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_trans_cancel;
|
2013-12-18 08:22:40 +08:00
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
error = xfs_trans_commit(tp);
|
2013-12-18 08:22:40 +08:00
|
|
|
if (error)
|
|
|
|
goto out_release_inode;
|
|
|
|
|
|
|
|
xfs_qm_dqrele(udqp);
|
|
|
|
xfs_qm_dqrele(gdqp);
|
|
|
|
xfs_qm_dqrele(pdqp);
|
|
|
|
|
2014-04-17 06:15:30 +08:00
|
|
|
*ipp = ip;
|
2013-12-18 08:22:40 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_trans_cancel:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-12-18 08:22:40 +08:00
|
|
|
out_release_inode:
|
|
|
|
/*
|
2015-02-23 19:38:08 +08:00
|
|
|
* Wait until after the current transaction is aborted to finish the
|
|
|
|
* setup of the inode and release the inode. This prevents recursive
|
|
|
|
* transactions and deadlocks from xfs_inactive.
|
2013-12-18 08:22:40 +08:00
|
|
|
*/
|
2015-02-23 19:38:08 +08:00
|
|
|
if (ip) {
|
|
|
|
xfs_finish_inode_setup(ip);
|
2013-12-18 08:22:40 +08:00
|
|
|
IRELE(ip);
|
2015-02-23 19:38:08 +08:00
|
|
|
}
|
2013-12-18 08:22:40 +08:00
|
|
|
|
|
|
|
xfs_qm_dqrele(udqp);
|
|
|
|
xfs_qm_dqrele(gdqp);
|
|
|
|
xfs_qm_dqrele(pdqp);
|
|
|
|
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
int
|
|
|
|
xfs_link(
|
|
|
|
xfs_inode_t *tdp,
|
|
|
|
xfs_inode_t *sip,
|
|
|
|
struct xfs_name *target_name)
|
|
|
|
{
|
|
|
|
xfs_mount_t *mp = tdp->i_mount;
|
|
|
|
xfs_trans_t *tp;
|
|
|
|
int error;
|
|
|
|
xfs_bmap_free_t free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
int committed;
|
|
|
|
int resblks;
|
|
|
|
|
|
|
|
trace_xfs_link(tdp, target_name);
|
|
|
|
|
|
|
|
ASSERT(!S_ISDIR(sip->i_d.di_mode));
|
|
|
|
|
|
|
|
if (XFS_FORCED_SHUTDOWN(mp))
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EIO;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
error = xfs_qm_dqattach(sip, 0);
|
|
|
|
if (error)
|
|
|
|
goto std_return;
|
|
|
|
|
|
|
|
error = xfs_qm_dqattach(tdp, 0);
|
|
|
|
if (error)
|
|
|
|
goto std_return;
|
|
|
|
|
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_LINK);
|
|
|
|
resblks = XFS_LINK_SPACE_RES(mp, target_name->len);
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_link, resblks, 0);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-08-12 18:49:45 +08:00
|
|
|
resblks = 0;
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_link, 0, 0);
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
2015-06-04 11:47:56 +08:00
|
|
|
if (error)
|
2013-08-12 18:49:45 +08:00
|
|
|
goto error_return;
|
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_ilock(tdp, XFS_IOLOCK_EXCL | XFS_IOLOCK_PARENT);
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_lock_two_inodes(sip, tdp, XFS_ILOCK_EXCL);
|
|
|
|
|
|
|
|
xfs_trans_ijoin(tp, sip, XFS_ILOCK_EXCL);
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_trans_ijoin(tp, tdp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If we are using project inheritance, we only allow hard link
|
|
|
|
* creation in our tree when the project IDs are the same; else
|
|
|
|
* the tree quota mechanism could be circumvented.
|
|
|
|
*/
|
|
|
|
if (unlikely((tdp->i_d.di_flags & XFS_DIFLAG_PROJINHERIT) &&
|
|
|
|
(xfs_get_projid(tdp) != xfs_get_projid(sip)))) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -EXDEV;
|
2013-08-12 18:49:45 +08:00
|
|
|
goto error_return;
|
|
|
|
}
|
|
|
|
|
2014-09-09 09:57:52 +08:00
|
|
|
if (!resblks) {
|
|
|
|
error = xfs_dir_canenter(tp, tdp, target_name);
|
|
|
|
if (error)
|
|
|
|
goto error_return;
|
|
|
|
}
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
|
|
|
|
2013-12-18 08:22:41 +08:00
|
|
|
if (sip->i_d.di_nlink == 0) {
|
|
|
|
error = xfs_iunlink_remove(tp, sip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto error_return;
|
2013-12-18 08:22:41 +08:00
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_dir_createname(tp, tdp, target_name, sip->i_ino,
|
|
|
|
&first_block, &free_list, resblks);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto error_return;
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_trans_ichgtime(tp, tdp, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
xfs_trans_log_inode(tp, tdp, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
error = xfs_bumplink(tp, sip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto error_return;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If this is a synchronous mount, make sure that the
|
|
|
|
* link transaction goes to disk before returning to
|
|
|
|
* the user.
|
|
|
|
*/
|
|
|
|
if (mp->m_flags & (XFS_MOUNT_WSYNC|XFS_MOUNT_DIRSYNC)) {
|
|
|
|
xfs_trans_set_sync(tp);
|
|
|
|
}
|
|
|
|
|
|
|
|
error = xfs_bmap_finish (&tp, &free_list, &committed);
|
|
|
|
if (error) {
|
|
|
|
xfs_bmap_cancel(&free_list);
|
2015-06-04 11:47:56 +08:00
|
|
|
goto error_return;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
return xfs_trans_commit(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
error_return:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
std_return:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2011-07-08 20:34:34 +08:00
|
|
|
* Free up the underlying blocks past new_size. The new size must be smaller
|
|
|
|
* than the current size. This routine can be used both for the attribute and
|
|
|
|
* data fork, and does not modify the inode size, which is left to the caller.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2008-04-17 14:50:04 +08:00
|
|
|
* The transaction passed to this routine must have made a permanent log
|
|
|
|
* reservation of at least XFS_ITRUNCATE_LOG_RES. This routine may commit the
|
|
|
|
* given transaction and start new ones, so make sure everything involved in
|
|
|
|
* the transaction is tidy before calling here. Some transaction will be
|
|
|
|
* returned to the caller to be committed. The incoming transaction must
|
|
|
|
* already include the inode, and both inode locks must be held exclusively.
|
|
|
|
* The inode must also be "held" within the transaction. On return the inode
|
|
|
|
* will be "held" within the returned transaction. This routine does NOT
|
|
|
|
* require any disk space to be reserved for it within the transaction.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2008-04-17 14:50:04 +08:00
|
|
|
* If we get an error, we must return with the inode locked and linked into the
|
|
|
|
* current transaction. This keeps things simple for the higher level code,
|
|
|
|
* because it always knows that the inode is locked and held in the transaction
|
|
|
|
* that returns to it whether errors occur or not. We don't mark the inode
|
|
|
|
* dirty on error so that transactions can be easily aborted if possible.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
int
|
2011-07-08 20:34:34 +08:00
|
|
|
xfs_itruncate_extents(
|
|
|
|
struct xfs_trans **tpp,
|
|
|
|
struct xfs_inode *ip,
|
|
|
|
int whichfork,
|
|
|
|
xfs_fsize_t new_size)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2011-07-08 20:34:34 +08:00
|
|
|
struct xfs_mount *mp = ip->i_mount;
|
|
|
|
struct xfs_trans *tp = *tpp;
|
|
|
|
xfs_bmap_free_t free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
xfs_fileoff_t first_unmap_block;
|
|
|
|
xfs_fileoff_t last_block;
|
|
|
|
xfs_filblks_t unmap_len;
|
|
|
|
int committed;
|
|
|
|
int error = 0;
|
|
|
|
int done = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-07-04 23:13:31 +08:00
|
|
|
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
|
|
|
|
ASSERT(!atomic_read(&VFS_I(ip)->i_count) ||
|
|
|
|
xfs_isilocked(ip, XFS_IOLOCK_EXCL));
|
2011-12-19 04:00:11 +08:00
|
|
|
ASSERT(new_size <= XFS_ISIZE(ip));
|
2011-07-08 20:34:34 +08:00
|
|
|
ASSERT(tp->t_flags & XFS_TRANS_PERM_LOG_RES);
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(ip->i_itemp != NULL);
|
2010-06-24 09:36:58 +08:00
|
|
|
ASSERT(ip->i_itemp->ili_lock_flags == 0);
|
2011-07-08 20:34:34 +08:00
|
|
|
ASSERT(!XFS_NOT_DQATTACHED(mp, ip));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-12-19 04:00:04 +08:00
|
|
|
trace_xfs_itruncate_extents_start(ip, new_size);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Since it is possible for space to become allocated beyond
|
|
|
|
* the end of the file (in a crash where the space is allocated
|
|
|
|
* but the inode size is not yet updated), simply remove any
|
|
|
|
* blocks which show up between the new EOF and the maximum
|
|
|
|
* possible file size. If the first block to be removed is
|
|
|
|
* beyond the maximum file size (ie it is the same as last_block),
|
|
|
|
* then there is nothing to do.
|
|
|
|
*/
|
2011-07-08 20:34:34 +08:00
|
|
|
first_unmap_block = XFS_B_TO_FSB(mp, (xfs_ufsize_t)new_size);
|
2012-06-08 13:44:54 +08:00
|
|
|
last_block = XFS_B_TO_FSB(mp, mp->m_super->s_maxbytes);
|
2011-07-08 20:34:34 +08:00
|
|
|
if (first_unmap_block == last_block)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
ASSERT(first_unmap_block < last_block);
|
|
|
|
unmap_len = last_block - first_unmap_block + 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
while (!done) {
|
2009-01-15 13:22:07 +08:00
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
2011-07-08 20:34:34 +08:00
|
|
|
error = xfs_bunmapi(tp, ip,
|
2006-06-09 12:48:12 +08:00
|
|
|
first_unmap_block, unmap_len,
|
2011-07-08 20:34:34 +08:00
|
|
|
xfs_bmapi_aflag(whichfork),
|
2005-04-17 06:20:36 +08:00
|
|
|
XFS_ITRUNC_MAX_EXTENTS,
|
2006-06-09 12:48:12 +08:00
|
|
|
&first_block, &free_list,
|
2010-06-23 16:11:15 +08:00
|
|
|
&done);
|
2011-07-08 20:34:34 +08:00
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Duplicate the transaction that has the permanent
|
|
|
|
* reservation and commit the old transaction.
|
|
|
|
*/
|
2011-07-08 20:34:34 +08:00
|
|
|
error = xfs_bmap_finish(&tp, &free_list, &committed);
|
2010-06-24 09:36:58 +08:00
|
|
|
if (committed)
|
2011-09-19 23:00:54 +08:00
|
|
|
xfs_trans_ijoin(tp, ip, 0);
|
2011-07-08 20:34:34 +08:00
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-06-04 11:47:29 +08:00
|
|
|
error = xfs_trans_roll(&tp, ip);
|
2008-04-17 14:50:04 +08:00
|
|
|
if (error)
|
2011-07-08 20:34:34 +08:00
|
|
|
goto out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2011-07-08 20:34:34 +08:00
|
|
|
|
2011-12-19 04:00:04 +08:00
|
|
|
/*
|
|
|
|
* Always re-log the inode so that our permanent transaction can keep
|
|
|
|
* on rolling it forward in the log.
|
|
|
|
*/
|
|
|
|
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
trace_xfs_itruncate_extents_end(ip, new_size);
|
|
|
|
|
2011-07-08 20:34:34 +08:00
|
|
|
out:
|
|
|
|
*tpp = tp;
|
|
|
|
return error;
|
|
|
|
out_bmap_cancel:
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2011-07-08 20:34:34 +08:00
|
|
|
* If the bunmapi call encounters an error, return to the caller where
|
|
|
|
* the transaction can be properly aborted. We just need to make sure
|
|
|
|
* we're not holding any resources that we were not when we came in.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2011-07-08 20:34:34 +08:00
|
|
|
xfs_bmap_cancel(&free_list);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
int
|
|
|
|
xfs_release(
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
xfs_mount_t *mp = ip->i_mount;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
if (!S_ISREG(ip->i_d.di_mode) || (ip->i_d.di_mode == 0))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
/* If this is a read-only mount, don't do this (would generate I/O) */
|
|
|
|
if (mp->m_flags & XFS_MOUNT_RDONLY)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (!XFS_FORCED_SHUTDOWN(mp)) {
|
|
|
|
int truncated;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we previously truncated this file and removed old data
|
|
|
|
* in the process, we want to initiate "early" writeout on
|
|
|
|
* the last close. This is an attempt to combat the notorious
|
|
|
|
* NULL files problem which is particularly noticeable from a
|
|
|
|
* truncate down, buffered (re-)write (delalloc), followed by
|
|
|
|
* a crash. What we are effectively doing here is
|
|
|
|
* significantly reducing the time window where we'd otherwise
|
|
|
|
* be exposed to that problem.
|
|
|
|
*/
|
|
|
|
truncated = xfs_iflags_test_and_clear(ip, XFS_ITRUNCATED);
|
|
|
|
if (truncated) {
|
|
|
|
xfs_iflags_clear(ip, XFS_IDIRTY_RELEASE);
|
2014-08-04 11:22:49 +08:00
|
|
|
if (ip->i_delayed_blks > 0) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = filemap_flush(VFS_I(ip)->i_mapping);
|
2013-08-12 18:49:45 +08:00
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ip->i_d.di_nlink == 0)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (xfs_can_free_eofblocks(ip, false)) {
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we can't get the iolock just skip truncating the blocks
|
|
|
|
* past EOF because we could deadlock with the mmap_sem
|
|
|
|
* otherwise. We'll get another chance to drop them once the
|
|
|
|
* last reference to the inode is dropped, so we'll never leak
|
|
|
|
* blocks permanently.
|
|
|
|
*
|
|
|
|
* Further, check if the inode is being opened, written and
|
|
|
|
* closed frequently and we have delayed allocation blocks
|
|
|
|
* outstanding (e.g. streaming writes from the NFS server),
|
|
|
|
* truncating the blocks past EOF will cause fragmentation to
|
|
|
|
* occur.
|
|
|
|
*
|
|
|
|
* In this case don't do the truncation, either, but we have to
|
|
|
|
* be careful how we detect this case. Blocks beyond EOF show
|
|
|
|
* up as i_delayed_blks even when the inode is clean, so we
|
|
|
|
* need to truncate them away first before checking for a dirty
|
|
|
|
* release. Hence on the first dirty close we will still remove
|
|
|
|
* the speculative allocation, but after that we will leave it
|
|
|
|
* in place.
|
|
|
|
*/
|
|
|
|
if (xfs_iflags_test(ip, XFS_IDIRTY_RELEASE))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error = xfs_free_eofblocks(mp, ip, true);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error && error != -EAGAIN)
|
2013-08-12 18:49:45 +08:00
|
|
|
return error;
|
|
|
|
|
|
|
|
/* delalloc blocks after truncation means it really is dirty */
|
|
|
|
if (ip->i_delayed_blks)
|
|
|
|
xfs_iflags_set(ip, XFS_IDIRTY_RELEASE);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-09-20 23:06:10 +08:00
|
|
|
/*
|
|
|
|
* xfs_inactive_truncate
|
|
|
|
*
|
|
|
|
* Called to perform a truncate when an inode becomes unlinked.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_inactive_truncate(
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
{
|
|
|
|
struct xfs_mount *mp = ip->i_mount;
|
|
|
|
struct xfs_trans *tp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_INACTIVE);
|
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_itruncate, 0, 0);
|
|
|
|
if (error) {
|
|
|
|
ASSERT(XFS_FORCED_SHUTDOWN(mp));
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-09-20 23:06:10 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfs_ilock(ip, XFS_ILOCK_EXCL);
|
|
|
|
xfs_trans_ijoin(tp, ip, 0);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Log the inode size first to prevent stale data exposure in the event
|
|
|
|
* of a system crash before the truncate completes. See the related
|
|
|
|
* comment in xfs_setattr_size() for details.
|
|
|
|
*/
|
|
|
|
ip->i_d.di_size = 0;
|
|
|
|
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
error = xfs_itruncate_extents(&tp, ip, XFS_DATA_FORK, 0);
|
|
|
|
if (error)
|
|
|
|
goto error_trans_cancel;
|
|
|
|
|
|
|
|
ASSERT(ip->i_d.di_nextents == 0);
|
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
error = xfs_trans_commit(tp);
|
2013-09-20 23:06:10 +08:00
|
|
|
if (error)
|
|
|
|
goto error_unlock;
|
|
|
|
|
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
error_trans_cancel:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-09-20 23:06:10 +08:00
|
|
|
error_unlock:
|
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2013-09-20 23:06:11 +08:00
|
|
|
/*
|
|
|
|
* xfs_inactive_ifree()
|
|
|
|
*
|
|
|
|
* Perform the inode free when an inode is unlinked.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_inactive_ifree(
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
{
|
|
|
|
xfs_bmap_free_t free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
int committed;
|
|
|
|
struct xfs_mount *mp = ip->i_mount;
|
|
|
|
struct xfs_trans *tp;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_INACTIVE);
|
2014-04-24 14:00:52 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* The ifree transaction might need to allocate blocks for record
|
|
|
|
* insertion to the finobt. We don't want to fail here at ENOSPC, so
|
|
|
|
* allow ifree to dip into the reserved block pool if necessary.
|
|
|
|
*
|
|
|
|
* Freeing large sets of inodes generally means freeing inode chunks,
|
|
|
|
* directory and file data blocks, so this should be relatively safe.
|
|
|
|
* Only under severe circumstances should it be possible to free enough
|
|
|
|
* inodes to exhaust the reserve block pool via finobt expansion while
|
|
|
|
* at the same time not creating free space in the filesystem.
|
|
|
|
*
|
|
|
|
* Send a warning if the reservation does happen to fail, as the inode
|
|
|
|
* now remains allocated and sits on the unlinked list until the fs is
|
|
|
|
* repaired.
|
|
|
|
*/
|
|
|
|
tp->t_flags |= XFS_TRANS_RESERVE;
|
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_ifree,
|
|
|
|
XFS_IFREE_SPACE_RES(mp), 0);
|
2013-09-20 23:06:11 +08:00
|
|
|
if (error) {
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2014-04-24 14:00:52 +08:00
|
|
|
xfs_warn_ratelimited(mp,
|
|
|
|
"Failed to remove inode(s) from unlinked list. "
|
|
|
|
"Please free space, unmount and run xfs_repair.");
|
|
|
|
} else {
|
|
|
|
ASSERT(XFS_FORCED_SHUTDOWN(mp));
|
|
|
|
}
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-09-20 23:06:11 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
xfs_ilock(ip, XFS_ILOCK_EXCL);
|
|
|
|
xfs_trans_ijoin(tp, ip, 0);
|
|
|
|
|
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
|
|
|
error = xfs_ifree(tp, ip, &free_list);
|
|
|
|
if (error) {
|
|
|
|
/*
|
|
|
|
* If we fail to free the inode, shut down. The cancel
|
|
|
|
* might do that, we need to make sure. Otherwise the
|
|
|
|
* inode might be lost for a long time or forever.
|
|
|
|
*/
|
|
|
|
if (!XFS_FORCED_SHUTDOWN(mp)) {
|
|
|
|
xfs_notice(mp, "%s: xfs_ifree returned error %d",
|
|
|
|
__func__, error);
|
|
|
|
xfs_force_shutdown(mp, SHUTDOWN_META_IO_ERROR);
|
|
|
|
}
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-09-20 23:06:11 +08:00
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Credit the quota account(s). The inode is gone.
|
|
|
|
*/
|
|
|
|
xfs_trans_mod_dquot_byino(tp, ip, XFS_TRANS_DQ_ICOUNT, -1);
|
|
|
|
|
|
|
|
/*
|
2015-08-19 08:01:40 +08:00
|
|
|
* Just ignore errors at this point. There is nothing we can do except
|
|
|
|
* to try to keep going. Make sure it's not a silent error.
|
2013-09-20 23:06:11 +08:00
|
|
|
*/
|
|
|
|
error = xfs_bmap_finish(&tp, &free_list, &committed);
|
2015-08-19 08:01:40 +08:00
|
|
|
if (error) {
|
2013-09-20 23:06:11 +08:00
|
|
|
xfs_notice(mp, "%s: xfs_bmap_finish returned error %d",
|
|
|
|
__func__, error);
|
2015-08-19 08:01:40 +08:00
|
|
|
xfs_bmap_cancel(&free_list);
|
|
|
|
}
|
2015-06-04 11:48:08 +08:00
|
|
|
error = xfs_trans_commit(tp);
|
2013-09-20 23:06:11 +08:00
|
|
|
if (error)
|
|
|
|
xfs_notice(mp, "%s: xfs_trans_commit returned error %d",
|
|
|
|
__func__, error);
|
|
|
|
|
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
/*
|
|
|
|
* xfs_inactive
|
|
|
|
*
|
|
|
|
* This is called when the vnode reference count for the vnode
|
|
|
|
* goes to zero. If the file has been unlinked, then it must
|
|
|
|
* now be truncated. Also, we clear all of the read-ahead state
|
|
|
|
* kept for the inode here since the file is now closed.
|
|
|
|
*/
|
2013-09-20 23:06:12 +08:00
|
|
|
void
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_inactive(
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
2013-08-12 18:49:59 +08:00
|
|
|
struct xfs_mount *mp;
|
|
|
|
int error;
|
|
|
|
int truncate = 0;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If the inode is already free, then there can be nothing
|
|
|
|
* to clean up here.
|
|
|
|
*/
|
2013-09-11 07:11:22 +08:00
|
|
|
if (ip->i_d.di_mode == 0) {
|
2013-08-12 18:49:45 +08:00
|
|
|
ASSERT(ip->i_df.if_real_bytes == 0);
|
|
|
|
ASSERT(ip->i_df.if_broot_bytes == 0);
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
mp = ip->i_mount;
|
|
|
|
|
|
|
|
/* If this is a read-only mount, don't do this (would generate I/O) */
|
|
|
|
if (mp->m_flags & XFS_MOUNT_RDONLY)
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
if (ip->i_d.di_nlink != 0) {
|
|
|
|
/*
|
|
|
|
* force is true because we are evicting an inode from the
|
|
|
|
* cache. Post-eof blocks must be freed, lest we end up with
|
|
|
|
* broken free space accounting.
|
|
|
|
*/
|
2013-09-20 23:06:12 +08:00
|
|
|
if (xfs_can_free_eofblocks(ip, true))
|
|
|
|
xfs_free_eofblocks(mp, ip, false);
|
|
|
|
|
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
if (S_ISREG(ip->i_d.di_mode) &&
|
|
|
|
(ip->i_d.di_size != 0 || XFS_ISIZE(ip) != 0 ||
|
|
|
|
ip->i_d.di_nextents > 0 || ip->i_delayed_blks > 0))
|
|
|
|
truncate = 1;
|
|
|
|
|
|
|
|
error = xfs_qm_dqattach(ip, 0);
|
|
|
|
if (error)
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2013-09-20 23:06:10 +08:00
|
|
|
if (S_ISLNK(ip->i_d.di_mode))
|
2013-09-20 23:06:09 +08:00
|
|
|
error = xfs_inactive_symlink(ip);
|
2013-09-20 23:06:10 +08:00
|
|
|
else if (truncate)
|
|
|
|
error = xfs_inactive_truncate(ip);
|
|
|
|
if (error)
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If there are attributes associated with the file then blow them away
|
|
|
|
* now. The code calls a routine that recursively deconstructs the
|
2015-05-29 05:40:08 +08:00
|
|
|
* attribute fork. If also blows away the in-core attribute fork.
|
2013-08-12 18:49:45 +08:00
|
|
|
*/
|
2015-05-29 05:40:08 +08:00
|
|
|
if (XFS_IFORK_Q(ip)) {
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_attr_inactive(ip);
|
|
|
|
if (error)
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
|
2015-05-29 05:40:08 +08:00
|
|
|
ASSERT(!ip->i_afp);
|
2013-08-12 18:49:45 +08:00
|
|
|
ASSERT(ip->i_d.di_anextents == 0);
|
2015-05-29 05:40:08 +08:00
|
|
|
ASSERT(ip->i_d.di_forkoff == 0);
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Free the inode.
|
|
|
|
*/
|
2013-09-20 23:06:11 +08:00
|
|
|
error = xfs_inactive_ifree(ip);
|
|
|
|
if (error)
|
2013-09-20 23:06:12 +08:00
|
|
|
return;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Release the dquots held by inode, if any.
|
|
|
|
*/
|
|
|
|
xfs_qm_dqdetach(ip);
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* This is called when the inode's link count goes to 0.
|
|
|
|
* We place the on-disk inode on a list in the AGI. It
|
|
|
|
* will be pulled from this list when the inode is freed.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_iunlink(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
xfs_mount_t *mp;
|
|
|
|
xfs_agi_t *agi;
|
|
|
|
xfs_dinode_t *dip;
|
|
|
|
xfs_buf_t *agibp;
|
|
|
|
xfs_buf_t *ibp;
|
|
|
|
xfs_agino_t agino;
|
|
|
|
short bucket_index;
|
|
|
|
int offset;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
ASSERT(ip->i_d.di_nlink == 0);
|
|
|
|
ASSERT(ip->i_d.di_mode != 0);
|
|
|
|
|
|
|
|
mp = tp->t_mountp;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get the agi buffer first. It ensures lock ordering
|
|
|
|
* on the list.
|
|
|
|
*/
|
2008-11-28 11:23:37 +08:00
|
|
|
error = xfs_read_agi(mp, tp, XFS_INO_TO_AGNO(mp, ip->i_ino), &agibp);
|
2007-10-11 15:44:18 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
agi = XFS_BUF_TO_AGI(agibp);
|
2008-11-28 11:23:37 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Get the index into the agi hash table for the
|
|
|
|
* list this inode will go on.
|
|
|
|
*/
|
|
|
|
agino = XFS_INO_TO_AGINO(mp, ip->i_ino);
|
|
|
|
ASSERT(agino != 0);
|
|
|
|
bucket_index = agino % XFS_AGI_UNLINKED_BUCKETS;
|
|
|
|
ASSERT(agi->agi_unlinked[bucket_index]);
|
2005-11-02 12:11:25 +08:00
|
|
|
ASSERT(be32_to_cpu(agi->agi_unlinked[bucket_index]) != agino);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-08 20:36:05 +08:00
|
|
|
if (agi->agi_unlinked[bucket_index] != cpu_to_be32(NULLAGINO)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* There is already another inode in the bucket we need
|
|
|
|
* to add ourselves to. Add us at the front of the list.
|
|
|
|
* Here we put the head pointer into our next pointer,
|
|
|
|
* and then we fall through to point the head at us.
|
|
|
|
*/
|
2012-07-04 00:21:22 +08:00
|
|
|
error = xfs_imap_to_bp(mp, tp, &ip->i_imap, &dip, &ibp,
|
|
|
|
0, 0);
|
2007-11-23 13:27:51 +08:00
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
2011-07-08 20:36:05 +08:00
|
|
|
ASSERT(dip->di_next_unlinked == cpu_to_be32(NULLAGINO));
|
2005-04-17 06:20:36 +08:00
|
|
|
dip->di_next_unlinked = agi->agi_unlinked[bucket_index];
|
2008-11-28 11:23:41 +08:00
|
|
|
offset = ip->i_imap.im_boffset +
|
2005-04-17 06:20:36 +08:00
|
|
|
offsetof(xfs_dinode_t, di_next_unlinked);
|
2013-06-05 10:09:08 +08:00
|
|
|
|
|
|
|
/* need to recalc the inode CRC if appropriate */
|
|
|
|
xfs_dinode_calc_crc(mp, dip);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_inode_buf(tp, ibp);
|
|
|
|
xfs_trans_log_buf(tp, ibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
xfs_inobp_check(mp, ibp);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Point the bucket head pointer at the inode being inserted.
|
|
|
|
*/
|
|
|
|
ASSERT(agino != 0);
|
2005-11-02 12:11:25 +08:00
|
|
|
agi->agi_unlinked[bucket_index] = cpu_to_be32(agino);
|
2005-04-17 06:20:36 +08:00
|
|
|
offset = offsetof(xfs_agi_t, agi_unlinked) +
|
|
|
|
(sizeof(xfs_agino_t) * bucket_index);
|
2015-01-22 06:29:40 +08:00
|
|
|
xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_log_buf(tp, agibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Pull the on-disk inode from the AGI unlinked list.
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_iunlink_remove(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
xfs_ino_t next_ino;
|
|
|
|
xfs_mount_t *mp;
|
|
|
|
xfs_agi_t *agi;
|
|
|
|
xfs_dinode_t *dip;
|
|
|
|
xfs_buf_t *agibp;
|
|
|
|
xfs_buf_t *ibp;
|
|
|
|
xfs_agnumber_t agno;
|
|
|
|
xfs_agino_t agino;
|
|
|
|
xfs_agino_t next_agino;
|
|
|
|
xfs_buf_t *last_ibp;
|
2006-06-28 08:13:52 +08:00
|
|
|
xfs_dinode_t *last_dip = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
short bucket_index;
|
2006-06-28 08:13:52 +08:00
|
|
|
int offset, last_offset = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
int error;
|
|
|
|
|
|
|
|
mp = tp->t_mountp;
|
|
|
|
agno = XFS_INO_TO_AGNO(mp, ip->i_ino);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Get the agi buffer first. It ensures lock ordering
|
|
|
|
* on the list.
|
|
|
|
*/
|
2008-11-28 11:23:37 +08:00
|
|
|
error = xfs_read_agi(mp, tp, agno, &agibp);
|
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
2008-11-28 11:23:37 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
agi = XFS_BUF_TO_AGI(agibp);
|
2008-11-28 11:23:37 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Get the index into the agi hash table for the
|
|
|
|
* list this inode will go on.
|
|
|
|
*/
|
|
|
|
agino = XFS_INO_TO_AGINO(mp, ip->i_ino);
|
|
|
|
ASSERT(agino != 0);
|
|
|
|
bucket_index = agino % XFS_AGI_UNLINKED_BUCKETS;
|
2011-07-08 20:36:05 +08:00
|
|
|
ASSERT(agi->agi_unlinked[bucket_index] != cpu_to_be32(NULLAGINO));
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(agi->agi_unlinked[bucket_index]);
|
|
|
|
|
2005-11-02 12:11:25 +08:00
|
|
|
if (be32_to_cpu(agi->agi_unlinked[bucket_index]) == agino) {
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2012-07-04 00:21:22 +08:00
|
|
|
* We're at the head of the list. Get the inode's on-disk
|
|
|
|
* buffer to see if there is anyone after us on the list.
|
|
|
|
* Only modify our next pointer if it is not already NULLAGINO.
|
|
|
|
* This saves us the overhead of dealing with the buffer when
|
|
|
|
* there is no need to change it.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2012-07-04 00:21:22 +08:00
|
|
|
error = xfs_imap_to_bp(mp, tp, &ip->i_imap, &dip, &ibp,
|
|
|
|
0, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (error) {
|
2012-07-04 00:21:22 +08:00
|
|
|
xfs_warn(mp, "%s: xfs_imap_to_bp returned error %d.",
|
2011-03-07 07:08:35 +08:00
|
|
|
__func__, error);
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
}
|
2007-08-28 11:57:51 +08:00
|
|
|
next_agino = be32_to_cpu(dip->di_next_unlinked);
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(next_agino != 0);
|
|
|
|
if (next_agino != NULLAGINO) {
|
2007-08-28 11:57:51 +08:00
|
|
|
dip->di_next_unlinked = cpu_to_be32(NULLAGINO);
|
2008-11-28 11:23:41 +08:00
|
|
|
offset = ip->i_imap.im_boffset +
|
2005-04-17 06:20:36 +08:00
|
|
|
offsetof(xfs_dinode_t, di_next_unlinked);
|
2013-06-05 10:09:08 +08:00
|
|
|
|
|
|
|
/* need to recalc the inode CRC if appropriate */
|
|
|
|
xfs_dinode_calc_crc(mp, dip);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_inode_buf(tp, ibp);
|
|
|
|
xfs_trans_log_buf(tp, ibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
xfs_inobp_check(mp, ibp);
|
|
|
|
} else {
|
|
|
|
xfs_trans_brelse(tp, ibp);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Point the bucket head pointer at the next inode.
|
|
|
|
*/
|
|
|
|
ASSERT(next_agino != 0);
|
|
|
|
ASSERT(next_agino != agino);
|
2005-11-02 12:11:25 +08:00
|
|
|
agi->agi_unlinked[bucket_index] = cpu_to_be32(next_agino);
|
2005-04-17 06:20:36 +08:00
|
|
|
offset = offsetof(xfs_agi_t, agi_unlinked) +
|
|
|
|
(sizeof(xfs_agino_t) * bucket_index);
|
2015-01-22 06:29:40 +08:00
|
|
|
xfs_trans_buf_set_type(tp, agibp, XFS_BLFT_AGI_BUF);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_log_buf(tp, agibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* We need to search the list for the inode being freed.
|
|
|
|
*/
|
2005-11-02 12:11:25 +08:00
|
|
|
next_agino = be32_to_cpu(agi->agi_unlinked[bucket_index]);
|
2005-04-17 06:20:36 +08:00
|
|
|
last_ibp = NULL;
|
|
|
|
while (next_agino != agino) {
|
2012-07-04 00:21:51 +08:00
|
|
|
struct xfs_imap imap;
|
|
|
|
|
|
|
|
if (last_ibp)
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_brelse(tp, last_ibp);
|
2012-07-04 00:21:51 +08:00
|
|
|
|
|
|
|
imap.im_blkno = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
next_ino = XFS_AGINO_TO_INO(mp, agno, next_agino);
|
2012-07-04 00:21:51 +08:00
|
|
|
|
|
|
|
error = xfs_imap(mp, tp, next_ino, &imap, 0);
|
|
|
|
if (error) {
|
|
|
|
xfs_warn(mp,
|
|
|
|
"%s: xfs_imap returned error %d.",
|
|
|
|
__func__, error);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
|
|
|
error = xfs_imap_to_bp(mp, tp, &imap, &last_dip,
|
|
|
|
&last_ibp, 0, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (error) {
|
2011-03-07 07:08:35 +08:00
|
|
|
xfs_warn(mp,
|
2012-07-04 00:21:51 +08:00
|
|
|
"%s: xfs_imap_to_bp returned error %d.",
|
2011-03-07 07:08:35 +08:00
|
|
|
__func__, error);
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
}
|
2012-07-04 00:21:51 +08:00
|
|
|
|
|
|
|
last_offset = imap.im_boffset;
|
2007-08-28 11:57:51 +08:00
|
|
|
next_agino = be32_to_cpu(last_dip->di_next_unlinked);
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(next_agino != NULLAGINO);
|
|
|
|
ASSERT(next_agino != 0);
|
|
|
|
}
|
2012-07-04 00:21:22 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2012-07-04 00:21:22 +08:00
|
|
|
* Now last_ibp points to the buffer previous to us on the
|
|
|
|
* unlinked list. Pull us from the list.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2012-07-04 00:21:22 +08:00
|
|
|
error = xfs_imap_to_bp(mp, tp, &ip->i_imap, &dip, &ibp,
|
|
|
|
0, 0);
|
2005-04-17 06:20:36 +08:00
|
|
|
if (error) {
|
2012-07-04 00:21:22 +08:00
|
|
|
xfs_warn(mp, "%s: xfs_imap_to_bp(2) returned error %d.",
|
2011-03-07 07:08:35 +08:00
|
|
|
__func__, error);
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
}
|
2007-08-28 11:57:51 +08:00
|
|
|
next_agino = be32_to_cpu(dip->di_next_unlinked);
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(next_agino != 0);
|
|
|
|
ASSERT(next_agino != agino);
|
|
|
|
if (next_agino != NULLAGINO) {
|
2007-08-28 11:57:51 +08:00
|
|
|
dip->di_next_unlinked = cpu_to_be32(NULLAGINO);
|
2008-11-28 11:23:41 +08:00
|
|
|
offset = ip->i_imap.im_boffset +
|
2005-04-17 06:20:36 +08:00
|
|
|
offsetof(xfs_dinode_t, di_next_unlinked);
|
2013-06-05 10:09:08 +08:00
|
|
|
|
|
|
|
/* need to recalc the inode CRC if appropriate */
|
|
|
|
xfs_dinode_calc_crc(mp, dip);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_inode_buf(tp, ibp);
|
|
|
|
xfs_trans_log_buf(tp, ibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
xfs_inobp_check(mp, ibp);
|
|
|
|
} else {
|
|
|
|
xfs_trans_brelse(tp, ibp);
|
|
|
|
}
|
|
|
|
/*
|
|
|
|
* Point the previous inode on the list to the next inode.
|
|
|
|
*/
|
2007-08-28 11:57:51 +08:00
|
|
|
last_dip->di_next_unlinked = cpu_to_be32(next_agino);
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(next_agino != 0);
|
|
|
|
offset = last_offset + offsetof(xfs_dinode_t, di_next_unlinked);
|
2013-06-05 10:09:08 +08:00
|
|
|
|
|
|
|
/* need to recalc the inode CRC if appropriate */
|
|
|
|
xfs_dinode_calc_crc(mp, last_dip);
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_inode_buf(tp, last_ibp);
|
|
|
|
xfs_trans_log_buf(tp, last_ibp, offset,
|
|
|
|
(offset + sizeof(xfs_agino_t) - 1));
|
|
|
|
xfs_inobp_check(mp, last_ibp);
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
/*
|
2013-08-12 11:14:59 +08:00
|
|
|
* A big issue when freeing the inode cluster is that we _cannot_ skip any
|
2010-08-24 09:42:41 +08:00
|
|
|
* inodes that are in memory - they all must be marked stale and attached to
|
|
|
|
* the cluster buffer.
|
|
|
|
*/
|
2011-09-20 21:56:55 +08:00
|
|
|
STATIC int
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_ifree_cluster(
|
2015-05-29 07:26:03 +08:00
|
|
|
xfs_inode_t *free_ip,
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
struct xfs_icluster *xic)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
|
|
|
xfs_mount_t *mp = free_ip->i_mount;
|
|
|
|
int blks_per_cluster;
|
2013-12-13 12:51:49 +08:00
|
|
|
int inodes_per_cluster;
|
2005-04-17 06:20:36 +08:00
|
|
|
int nbufs;
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
int i, j;
|
2015-06-04 11:03:34 +08:00
|
|
|
int ioffset;
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_daddr_t blkno;
|
|
|
|
xfs_buf_t *bp;
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
xfs_inode_t *ip;
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_inode_log_item_t *iip;
|
|
|
|
xfs_log_item_t *lip;
|
2010-01-11 19:47:40 +08:00
|
|
|
struct xfs_perag *pag;
|
2015-05-29 07:26:03 +08:00
|
|
|
xfs_ino_t inum;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2015-05-29 07:26:03 +08:00
|
|
|
inum = xic->first_ino;
|
2010-01-11 19:47:40 +08:00
|
|
|
pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, inum));
|
2013-12-13 12:51:49 +08:00
|
|
|
blks_per_cluster = xfs_icluster_size_fsb(mp);
|
|
|
|
inodes_per_cluster = blks_per_cluster << mp->m_sb.sb_inopblog;
|
|
|
|
nbufs = mp->m_ialloc_blks / blks_per_cluster;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-12-13 12:51:49 +08:00
|
|
|
for (j = 0; j < nbufs; j++, inum += inodes_per_cluster) {
|
2015-05-29 07:26:03 +08:00
|
|
|
/*
|
|
|
|
* The allocation bitmap tells us which inodes of the chunk were
|
|
|
|
* physically allocated. Skip the cluster if an inode falls into
|
|
|
|
* a sparse region.
|
|
|
|
*/
|
2015-06-04 11:03:34 +08:00
|
|
|
ioffset = inum - xic->first_ino;
|
|
|
|
if ((xic->alloc & XFS_INOBT_MASK(ioffset)) == 0) {
|
|
|
|
ASSERT(do_mod(ioffset, inodes_per_cluster) == 0);
|
2015-05-29 07:26:03 +08:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
blkno = XFS_AGB_TO_DADDR(mp, XFS_INO_TO_AGNO(mp, inum),
|
|
|
|
XFS_INO_TO_AGBNO(mp, inum));
|
|
|
|
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
/*
|
|
|
|
* We obtain and lock the backing buffer first in the process
|
|
|
|
* here, as we have to ensure that any dirty inode that we
|
|
|
|
* can't get the flush lock on is attached to the buffer.
|
|
|
|
* If we scan the in-memory inodes first, then buffer IO can
|
|
|
|
* complete before we get a lock on it, and hence we may fail
|
|
|
|
* to mark all the active inodes on the buffer stale.
|
|
|
|
*/
|
|
|
|
bp = xfs_trans_get_buf(tp, mp->m_ddev_targp, blkno,
|
2012-11-02 08:38:42 +08:00
|
|
|
mp->m_bsize * blks_per_cluster,
|
|
|
|
XBF_UNMAPPED);
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
|
2011-09-20 21:56:55 +08:00
|
|
|
if (!bp)
|
2014-06-25 12:58:08 +08:00
|
|
|
return -ENOMEM;
|
2012-11-14 14:53:49 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* This buffer may not have been correctly initialised as we
|
|
|
|
* didn't read it from disk. That's not important because we are
|
|
|
|
* only using to mark the buffer as stale in the log, and to
|
|
|
|
* attach stale cached inodes on it. That means it will never be
|
|
|
|
* dispatched for IO. If it is, we want to know about it, and we
|
|
|
|
* want it to fail. We can acheive this by adding a write
|
|
|
|
* verifier to the buffer.
|
|
|
|
*/
|
2012-11-14 14:54:40 +08:00
|
|
|
bp->b_ops = &xfs_inode_buf_ops;
|
2012-11-14 14:53:49 +08:00
|
|
|
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
/*
|
|
|
|
* Walk the inodes already attached to the buffer and mark them
|
|
|
|
* stale. These will all have the flush locks held, so an
|
2010-08-24 09:42:41 +08:00
|
|
|
* in-memory inode walk can't lock them. By marking them all
|
|
|
|
* stale first, we will not attempt to lock them in the loop
|
|
|
|
* below as the XFS_ISTALE flag will be set.
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
*/
|
2011-07-13 19:43:49 +08:00
|
|
|
lip = bp->b_fspriv;
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
while (lip) {
|
|
|
|
if (lip->li_type == XFS_LI_INODE) {
|
|
|
|
iip = (xfs_inode_log_item_t *)lip;
|
|
|
|
ASSERT(iip->ili_logged == 1);
|
2010-06-23 16:11:15 +08:00
|
|
|
lip->li_cb = xfs_istale_done;
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
xfs_trans_ail_copy_lsn(mp->m_ail,
|
|
|
|
&iip->ili_flush_lsn,
|
|
|
|
&iip->ili_item.li_lsn);
|
|
|
|
xfs_iflags_set(iip->ili_inode, XFS_ISTALE);
|
|
|
|
}
|
|
|
|
lip = lip->li_bio_list;
|
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
* For each inode in memory attempt to add it to the inode
|
|
|
|
* buffer and set it up for being staled on buffer IO
|
|
|
|
* completion. This is safe as we've locked out tail pushing
|
|
|
|
* and flushing by locking the buffer.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
* We have already marked every inode that was part of a
|
|
|
|
* transaction stale above, which means there is no point in
|
|
|
|
* even trying to lock them.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2013-12-13 12:51:49 +08:00
|
|
|
for (i = 0; i < inodes_per_cluster; i++) {
|
2010-08-24 09:42:41 +08:00
|
|
|
retry:
|
2010-12-17 14:29:43 +08:00
|
|
|
rcu_read_lock();
|
2007-08-28 12:00:13 +08:00
|
|
|
ip = radix_tree_lookup(&pag->pag_ici_root,
|
|
|
|
XFS_INO_TO_AGINO(mp, (inum + i)));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-12-17 14:29:43 +08:00
|
|
|
/* Inode not in memory, nothing to do */
|
|
|
|
if (!ip) {
|
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2010-12-17 14:29:43 +08:00
|
|
|
/*
|
|
|
|
* because this is an RCU protected lookup, we could
|
|
|
|
* find a recently freed or even reallocated inode
|
|
|
|
* during the lookup. We need to check under the
|
|
|
|
* i_flags_lock for a valid inode here. Skip it if it
|
|
|
|
* is not valid, the wrong inode or stale.
|
|
|
|
*/
|
|
|
|
spin_lock(&ip->i_flags_lock);
|
|
|
|
if (ip->i_ino != inum + i ||
|
|
|
|
__xfs_iflags_test(ip, XFS_ISTALE)) {
|
|
|
|
spin_unlock(&ip->i_flags_lock);
|
|
|
|
rcu_read_unlock();
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
spin_unlock(&ip->i_flags_lock);
|
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
/*
|
|
|
|
* Don't try to lock/unlock the current inode, but we
|
|
|
|
* _cannot_ skip the other inodes that we did not find
|
|
|
|
* in the list attached to the buffer and are not
|
|
|
|
* already marked stale. If we can't lock it, back off
|
|
|
|
* and retry.
|
|
|
|
*/
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
if (ip != free_ip &&
|
|
|
|
!xfs_ilock_nowait(ip, XFS_ILOCK_EXCL)) {
|
2010-12-17 14:29:43 +08:00
|
|
|
rcu_read_unlock();
|
2010-08-24 09:42:41 +08:00
|
|
|
delay(1);
|
|
|
|
goto retry;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
2010-12-17 14:29:43 +08:00
|
|
|
rcu_read_unlock();
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
xfs_iflock(ip);
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
xfs_iflags_set(ip, XFS_ISTALE);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
/*
|
|
|
|
* we don't need to attach clean inodes or those only
|
|
|
|
* with unlogged changes (which we throw away, anyway).
|
|
|
|
*/
|
2005-04-17 06:20:36 +08:00
|
|
|
iip = ip->i_itemp;
|
2010-08-24 09:42:41 +08:00
|
|
|
if (!iip || xfs_inode_clean(ip)) {
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
ASSERT(ip != free_ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_ifunlock(ip);
|
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
2012-02-29 17:53:54 +08:00
|
|
|
iip->ili_last_fields = iip->ili_fields;
|
|
|
|
iip->ili_fields = 0;
|
xfs: optimise away log forces on timestamp updates for fdatasync
xfs: timestamp updates cause excessive fdatasync log traffic
Sage Weil reported that a ceph test workload was writing to the
log on every fdatasync during an overwrite workload. Event tracing
showed that the only metadata modification being made was the
timestamp updates during the write(2) syscall, but fdatasync(2)
is supposed to ignore them. The key observation was that the
transactions in the log all looked like this:
INODE: #regs: 4 ino: 0x8b flags: 0x45 dsize: 32
And contained a flags field of 0x45 or 0x85, and had data and
attribute forks following the inode core. This means that the
timestamp updates were triggering dirty relogging of previously
logged parts of the inode that hadn't yet been flushed back to
disk.
There are two parts to this problem. The first is that XFS relogs
dirty regions in subsequent transactions, so it carries around the
fields that have been dirtied since the last time the inode was
written back to disk, not since the last time the inode was forced
into the log.
The second part is that on v5 filesystems, the inode change count
update during inode dirtying also sets the XFS_ILOG_CORE flag, so
on v5 filesystems this makes a timestamp update dirty the entire
inode.
As a result when fdatasync is run, it looks at the dirty fields in
the inode, and sees more than just the timestamp flag, even though
the only metadata change since the last fdatasync was just the
timestamps. Hence we force the log on every subsequent fdatasync
even though it is not needed.
To fix this, add a new field to the inode log item that tracks
changes since the last time fsync/fdatasync forced the log to flush
the changes to the journal. This flag is updated when we dirty the
inode, but we do it before updating the change count so it does not
carry the "core dirty" flag from timestamp updates. The fields are
zeroed when the inode is marked clean (due to writeback/freeing) or
when an fsync/datasync forces the log. Hence if we only dirty the
timestamps on the inode between fsync/fdatasync calls, the fdatasync
will not trigger another log force.
Over 100 runs of the test program:
Ext4 baseline:
runtime: 1.63s +/- 0.24s
avg lat: 1.59ms +/- 0.24ms
iops: ~2000
XFS, vanilla kernel:
runtime: 2.45s +/- 0.18s
avg lat: 2.39ms +/- 0.18ms
log forces: ~400/s
iops: ~1000
XFS, patched kernel:
runtime: 1.49s +/- 0.26s
avg lat: 1.46ms +/- 0.25ms
log forces: ~30/s
iops: ~1500
Reported-by: Sage Weil <sage@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-11-03 10:14:59 +08:00
|
|
|
iip->ili_fsync_fields = 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
iip->ili_logged = 1;
|
2008-10-30 14:39:12 +08:00
|
|
|
xfs_trans_ail_copy_lsn(mp->m_ail, &iip->ili_flush_lsn,
|
|
|
|
&iip->ili_item.li_lsn);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-06-23 16:11:15 +08:00
|
|
|
xfs_buf_attach_iodone(bp, xfs_istale_done,
|
|
|
|
&iip->ili_item);
|
xfs: fix race in inode cluster freeing failing to stale inodes
When an inode cluster is freed, it needs to mark all inodes in memory as
XFS_ISTALE before marking the buffer as stale. This is eeded because the inodes
have a different life cycle to the buffer, and once the buffer is torn down
during transaction completion, we must ensure none of the inodes get written
back (which is what XFS_ISTALE does).
Unfortunately, xfs_ifree_cluster() has some bugs that lead to inodes not being
marked with XFS_ISTALE. This shows up when xfs_iflush() is called on these
inodes either during inode reclaim or tail pushing on the AIL. The buffer is
read back, but no longer contains inodes and so triggers assert failures and
shutdowns. This was reproducable with at run.dbench10 invocation from xfstests.
There are two main causes of xfs_ifree_cluster() failing. The first is simple -
it checks in-memory inodes it finds in the per-ag icache to see if they are
clean without holding the flush lock. if they are clean it skips them
completely. However, If an inode is flushed delwri, it will
appear clean, but is not guaranteed to be written back until the flush lock has
been dropped. Hence we may have raced on the clean check and the inode may
actually be dirty. Hence always mark inodes found in memory stale before we
check properly if they are clean.
The second is more complex, and makes the first problem easier to hit.
Basically the in-memory inode scan is done with full knowledge it can be racing
with inode flushing and AIl tail pushing, which means that inodes that it can't
get the flush lock on might not be attached to the buffer after then in-memory
inode scan due to IO completion occurring. This is actually documented in the
code as "needs better interlocking". i.e. this is a zero-day bug.
Effectively, the in-memory scan must be done while the inode buffer is locked
and Io cannot be issued on it while we do the in-memory inode scan. This
ensures that inodes we couldn't get the flush lock on are guaranteed to be
attached to the cluster buffer, so we can then catch all in-memory inodes and
mark them stale.
Now that the inode cluster buffer is locked before the in-memory scan is done,
there is no need for the two-phase update of the in-memory inodes, so simplify
the code into two loops and remove the allocation of the temporary buffer used
to hold locked inodes across the phases.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2010-06-03 14:22:29 +08:00
|
|
|
|
|
|
|
if (ip != free_ip)
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_iunlock(ip, XFS_ILOCK_EXCL);
|
|
|
|
}
|
|
|
|
|
2010-08-24 09:42:41 +08:00
|
|
|
xfs_trans_stale_inode_buf(tp, bp);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_trans_binval(tp, bp);
|
|
|
|
}
|
|
|
|
|
2010-01-11 19:47:40 +08:00
|
|
|
xfs_perag_put(pag);
|
2011-09-20 21:56:55 +08:00
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This is called to return an inode to the inode free list.
|
|
|
|
* The inode should already be truncated to 0 length and have
|
|
|
|
* no pages associated with it. This routine also assumes that
|
|
|
|
* the inode is already a part of the transaction.
|
|
|
|
*
|
|
|
|
* The on-disk copy of the inode will have been added to the list
|
|
|
|
* of unlinked inodes in the AGI. We need to remove the inode from
|
|
|
|
* that list atomically with respect to freeing it here.
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_ifree(
|
|
|
|
xfs_trans_t *tp,
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
xfs_bmap_free_t *flist)
|
|
|
|
{
|
|
|
|
int error;
|
2015-05-29 07:26:03 +08:00
|
|
|
struct xfs_icluster xic = { 0 };
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-22 15:34:00 +08:00
|
|
|
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(ip->i_d.di_nlink == 0);
|
|
|
|
ASSERT(ip->i_d.di_nextents == 0);
|
|
|
|
ASSERT(ip->i_d.di_anextents == 0);
|
2011-12-19 04:00:11 +08:00
|
|
|
ASSERT(ip->i_d.di_size == 0 || !S_ISREG(ip->i_d.di_mode));
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(ip->i_d.di_nblocks == 0);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Pull the on-disk inode from the AGI unlinked list.
|
|
|
|
*/
|
|
|
|
error = xfs_iunlink_remove(tp, ip);
|
2013-06-27 14:04:50 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
|
|
|
|
2015-05-29 07:26:03 +08:00
|
|
|
error = xfs_difree(tp, ip->i_ino, flist, &xic);
|
2013-06-27 14:04:50 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
return error;
|
2013-06-27 14:04:50 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_mode = 0; /* mark incore inode as free */
|
|
|
|
ip->i_d.di_flags = 0;
|
|
|
|
ip->i_d.di_dmevmask = 0;
|
|
|
|
ip->i_d.di_forkoff = 0; /* mark the attr fork not in use */
|
|
|
|
ip->i_d.di_format = XFS_DINODE_FMT_EXTENTS;
|
|
|
|
ip->i_d.di_aformat = XFS_DINODE_FMT_EXTENTS;
|
|
|
|
/*
|
|
|
|
* Bump the generation count so no one will be confused
|
|
|
|
* by reincarnations of this inode.
|
|
|
|
*/
|
|
|
|
ip->i_d.di_gen++;
|
|
|
|
xfs_trans_log_inode(tp, ip, XFS_ILOG_CORE);
|
|
|
|
|
2015-05-29 07:26:03 +08:00
|
|
|
if (xic.deleted)
|
|
|
|
error = xfs_ifree_cluster(ip, tp, &xic);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-09-20 21:56:55 +08:00
|
|
|
return error;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
2010-02-18 03:43:56 +08:00
|
|
|
* This is called to unpin an inode. The caller must have the inode locked
|
|
|
|
* in at least shared mode so that the buffer cannot be subsequently pinned
|
|
|
|
* once someone is waiting for it to be unpinned.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2010-02-18 03:43:56 +08:00
|
|
|
static void
|
2011-12-19 04:00:10 +08:00
|
|
|
xfs_iunpin(
|
2010-02-18 03:43:56 +08:00
|
|
|
struct xfs_inode *ip)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2008-04-22 15:34:00 +08:00
|
|
|
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL|XFS_ILOCK_SHARED));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2010-03-08 08:24:07 +08:00
|
|
|
trace_xfs_inode_unpin_nowait(ip, _RET_IP_);
|
|
|
|
|
2008-03-06 10:43:42 +08:00
|
|
|
/* Give the log a push to start the unpinning I/O */
|
2010-02-18 03:43:56 +08:00
|
|
|
xfs_log_force_lsn(ip->i_mount, ip->i_itemp->ili_last_lsn, 0);
|
2010-01-19 17:56:46 +08:00
|
|
|
|
2008-03-06 10:43:42 +08:00
|
|
|
}
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-12-19 04:00:10 +08:00
|
|
|
static void
|
|
|
|
__xfs_iunpin_wait(
|
|
|
|
struct xfs_inode *ip)
|
|
|
|
{
|
|
|
|
wait_queue_head_t *wq = bit_waitqueue(&ip->i_flags, __XFS_IPINNED_BIT);
|
|
|
|
DEFINE_WAIT_BIT(wait, &ip->i_flags, __XFS_IPINNED_BIT);
|
|
|
|
|
|
|
|
xfs_iunpin(ip);
|
|
|
|
|
|
|
|
do {
|
|
|
|
prepare_to_wait(wq, &wait.wait, TASK_UNINTERRUPTIBLE);
|
|
|
|
if (xfs_ipincount(ip))
|
|
|
|
io_schedule();
|
|
|
|
} while (xfs_ipincount(ip));
|
|
|
|
finish_wait(wq, &wait.wait);
|
|
|
|
}
|
|
|
|
|
2010-02-06 09:37:26 +08:00
|
|
|
void
|
2008-03-06 10:43:42 +08:00
|
|
|
xfs_iunpin_wait(
|
2010-02-18 03:43:56 +08:00
|
|
|
struct xfs_inode *ip)
|
2008-03-06 10:43:42 +08:00
|
|
|
{
|
2011-12-19 04:00:10 +08:00
|
|
|
if (xfs_ipincount(ip))
|
|
|
|
__xfs_iunpin_wait(ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2013-10-29 19:11:44 +08:00
|
|
|
/*
|
|
|
|
* Removing an inode from the namespace involves removing the directory entry
|
|
|
|
* and dropping the link count on the inode. Removing the directory entry can
|
|
|
|
* result in locking an AGF (directory blocks were freed) and removing a link
|
|
|
|
* count can result in placing the inode on an unlinked list which results in
|
|
|
|
* locking an AGI.
|
|
|
|
*
|
|
|
|
* The big problem here is that we have an ordering constraint on AGF and AGI
|
|
|
|
* locking - inode allocation locks the AGI, then can allocate a new extent for
|
|
|
|
* new inodes, locking the AGF after the AGI. Similarly, freeing the inode
|
|
|
|
* removes the inode from the unlinked list, requiring that we lock the AGI
|
|
|
|
* first, and then freeing the inode can result in an inode chunk being freed
|
|
|
|
* and hence freeing disk space requiring that we lock an AGF.
|
|
|
|
*
|
|
|
|
* Hence the ordering that is imposed by other parts of the code is AGI before
|
|
|
|
* AGF. This means we cannot remove the directory entry before we drop the inode
|
|
|
|
* reference count and put it on the unlinked list as this results in a lock
|
|
|
|
* order of AGF then AGI, and this can deadlock against inode allocation and
|
|
|
|
* freeing. Therefore we must drop the link counts before we remove the
|
|
|
|
* directory entry.
|
|
|
|
*
|
|
|
|
* This is still safe from a transactional point of view - it is not until we
|
|
|
|
* get to xfs_bmap_finish() that we have the possibility of multiple
|
|
|
|
* transactions in this operation. Hence as long as we remove the directory
|
|
|
|
* entry and drop the link count in the first transaction of the remove
|
|
|
|
* operation, there are no transactional constraints on the ordering here.
|
|
|
|
*/
|
2013-08-12 18:49:45 +08:00
|
|
|
int
|
|
|
|
xfs_remove(
|
|
|
|
xfs_inode_t *dp,
|
|
|
|
struct xfs_name *name,
|
|
|
|
xfs_inode_t *ip)
|
|
|
|
{
|
|
|
|
xfs_mount_t *mp = dp->i_mount;
|
|
|
|
xfs_trans_t *tp = NULL;
|
|
|
|
int is_dir = S_ISDIR(ip->i_d.di_mode);
|
|
|
|
int error = 0;
|
|
|
|
xfs_bmap_free_t free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
int committed;
|
|
|
|
uint resblks;
|
|
|
|
|
|
|
|
trace_xfs_remove(dp, name);
|
|
|
|
|
|
|
|
if (XFS_FORCED_SHUTDOWN(mp))
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EIO;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
|
|
|
error = xfs_qm_dqattach(dp, 0);
|
|
|
|
if (error)
|
|
|
|
goto std_return;
|
|
|
|
|
|
|
|
error = xfs_qm_dqattach(ip, 0);
|
|
|
|
if (error)
|
|
|
|
goto std_return;
|
|
|
|
|
2014-12-04 06:43:17 +08:00
|
|
|
if (is_dir)
|
2013-08-12 18:49:45 +08:00
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_RMDIR);
|
2014-12-04 06:43:17 +08:00
|
|
|
else
|
2013-08-12 18:49:45 +08:00
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_REMOVE);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We try to get the real space reservation first,
|
|
|
|
* allowing for directory btree deletion(s) implying
|
|
|
|
* possible bmap insert(s). If we can't get the space
|
|
|
|
* reservation then we use 0 instead, and avoid the bmap
|
|
|
|
* btree insert(s) in the directory code by, if the bmap
|
|
|
|
* insert tries to happen, instead trimming the LAST
|
|
|
|
* block from the directory.
|
|
|
|
*/
|
|
|
|
resblks = XFS_REMOVE_SPACE_RES(mp);
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_remove, resblks, 0);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-08-12 18:49:45 +08:00
|
|
|
resblks = 0;
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_remove, 0, 0);
|
2013-08-12 18:49:45 +08:00
|
|
|
}
|
|
|
|
if (error) {
|
2014-06-25 12:58:08 +08:00
|
|
|
ASSERT(error != -ENOSPC);
|
2013-08-12 18:49:45 +08:00
|
|
|
goto out_trans_cancel;
|
|
|
|
}
|
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_ilock(dp, XFS_IOLOCK_EXCL | XFS_IOLOCK_PARENT);
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_lock_two_inodes(dp, ip, XFS_ILOCK_EXCL);
|
|
|
|
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_trans_ijoin(tp, dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_trans_ijoin(tp, ip, XFS_ILOCK_EXCL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If we're removing a directory perform some additional validation.
|
|
|
|
*/
|
|
|
|
if (is_dir) {
|
|
|
|
ASSERT(ip->i_d.di_nlink >= 2);
|
|
|
|
if (ip->i_d.di_nlink != 2) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -ENOTEMPTY;
|
2013-08-12 18:49:45 +08:00
|
|
|
goto out_trans_cancel;
|
|
|
|
}
|
|
|
|
if (!xfs_dir_isempty(ip)) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -ENOTEMPTY;
|
2013-08-12 18:49:45 +08:00
|
|
|
goto out_trans_cancel;
|
|
|
|
}
|
|
|
|
|
2013-10-29 19:11:44 +08:00
|
|
|
/* Drop the link from ip's "..". */
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_droplink(tp, dp);
|
|
|
|
if (error)
|
2013-10-29 19:11:44 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2013-10-29 19:11:44 +08:00
|
|
|
/* Drop the "." link from ip to self. */
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_droplink(tp, ip);
|
|
|
|
if (error)
|
2013-10-29 19:11:44 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:45 +08:00
|
|
|
} else {
|
|
|
|
/*
|
|
|
|
* When removing a non-directory we need to log the parent
|
|
|
|
* inode here. For a directory this is done implicitly
|
|
|
|
* by the xfs_droplink call for the ".." entry.
|
|
|
|
*/
|
|
|
|
xfs_trans_log_inode(tp, dp, XFS_ILOG_CORE);
|
|
|
|
}
|
2013-10-29 19:11:44 +08:00
|
|
|
xfs_trans_ichgtime(tp, dp, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2013-10-29 19:11:44 +08:00
|
|
|
/* Drop the link from dp to ip. */
|
2013-08-12 18:49:45 +08:00
|
|
|
error = xfs_droplink(tp, ip);
|
|
|
|
if (error)
|
2013-10-29 19:11:44 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:45 +08:00
|
|
|
|
2013-10-29 19:11:44 +08:00
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
|
|
|
error = xfs_dir_removename(tp, dp, name, ip->i_ino,
|
|
|
|
&first_block, &free_list, resblks);
|
|
|
|
if (error) {
|
2014-06-25 12:58:08 +08:00
|
|
|
ASSERT(error != -ENOENT);
|
2013-10-29 19:11:44 +08:00
|
|
|
goto out_bmap_cancel;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:45 +08:00
|
|
|
/*
|
|
|
|
* If this is a synchronous mount, make sure that the
|
|
|
|
* remove transaction goes to disk before returning to
|
|
|
|
* the user.
|
|
|
|
*/
|
|
|
|
if (mp->m_flags & (XFS_MOUNT_WSYNC|XFS_MOUNT_DIRSYNC))
|
|
|
|
xfs_trans_set_sync(tp);
|
|
|
|
|
|
|
|
error = xfs_bmap_finish(&tp, &free_list, &committed);
|
|
|
|
if (error)
|
|
|
|
goto out_bmap_cancel;
|
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
error = xfs_trans_commit(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
if (error)
|
|
|
|
goto std_return;
|
|
|
|
|
2014-04-23 05:11:51 +08:00
|
|
|
if (is_dir && xfs_inode_is_filestream(ip))
|
2013-08-12 18:49:45 +08:00
|
|
|
xfs_filestream_deassociate(ip);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out_bmap_cancel:
|
|
|
|
xfs_bmap_cancel(&free_list);
|
|
|
|
out_trans_cancel:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2013-08-12 18:49:45 +08:00
|
|
|
std_return:
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:46 +08:00
|
|
|
/*
|
|
|
|
* Enter all inodes for a rename transaction into a sorted array.
|
|
|
|
*/
|
2015-03-25 11:03:32 +08:00
|
|
|
#define __XFS_SORT_INODES 5
|
2013-08-12 18:49:46 +08:00
|
|
|
STATIC void
|
|
|
|
xfs_sort_for_rename(
|
2015-03-25 11:03:32 +08:00
|
|
|
struct xfs_inode *dp1, /* in: old (source) directory inode */
|
|
|
|
struct xfs_inode *dp2, /* in: new (target) directory inode */
|
|
|
|
struct xfs_inode *ip1, /* in: inode of old entry */
|
|
|
|
struct xfs_inode *ip2, /* in: inode of new entry */
|
|
|
|
struct xfs_inode *wip, /* in: whiteout inode */
|
|
|
|
struct xfs_inode **i_tab,/* out: sorted array of inodes */
|
|
|
|
int *num_inodes) /* in/out: inodes in array */
|
2013-08-12 18:49:46 +08:00
|
|
|
{
|
|
|
|
int i, j;
|
|
|
|
|
2015-03-25 11:03:32 +08:00
|
|
|
ASSERT(*num_inodes == __XFS_SORT_INODES);
|
|
|
|
memset(i_tab, 0, *num_inodes * sizeof(struct xfs_inode *));
|
|
|
|
|
2013-08-12 18:49:46 +08:00
|
|
|
/*
|
|
|
|
* i_tab contains a list of pointers to inodes. We initialize
|
|
|
|
* the table here & we'll sort it. We will then use it to
|
|
|
|
* order the acquisition of the inode locks.
|
|
|
|
*
|
|
|
|
* Note that the table may contain duplicates. e.g., dp1 == dp2.
|
|
|
|
*/
|
2015-03-25 11:03:32 +08:00
|
|
|
i = 0;
|
|
|
|
i_tab[i++] = dp1;
|
|
|
|
i_tab[i++] = dp2;
|
|
|
|
i_tab[i++] = ip1;
|
|
|
|
if (ip2)
|
|
|
|
i_tab[i++] = ip2;
|
|
|
|
if (wip)
|
|
|
|
i_tab[i++] = wip;
|
|
|
|
*num_inodes = i;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Sort the elements via bubble sort. (Remember, there are at
|
2015-03-25 11:03:32 +08:00
|
|
|
* most 5 elements to sort, so this is adequate.)
|
2013-08-12 18:49:46 +08:00
|
|
|
*/
|
|
|
|
for (i = 0; i < *num_inodes; i++) {
|
|
|
|
for (j = 1; j < *num_inodes; j++) {
|
|
|
|
if (i_tab[j]->i_ino < i_tab[j-1]->i_ino) {
|
2015-03-25 11:03:32 +08:00
|
|
|
struct xfs_inode *temp = i_tab[j];
|
2013-08-12 18:49:46 +08:00
|
|
|
i_tab[j] = i_tab[j-1];
|
|
|
|
i_tab[j-1] = temp;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-03-25 11:06:07 +08:00
|
|
|
static int
|
|
|
|
xfs_finish_rename(
|
|
|
|
struct xfs_trans *tp,
|
|
|
|
struct xfs_bmap_free *free_list)
|
|
|
|
{
|
|
|
|
int committed = 0;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* If this is a synchronous mount, make sure that the rename transaction
|
|
|
|
* goes to disk before returning to the user.
|
|
|
|
*/
|
|
|
|
if (tp->t_mountp->m_flags & (XFS_MOUNT_WSYNC|XFS_MOUNT_DIRSYNC))
|
|
|
|
xfs_trans_set_sync(tp);
|
|
|
|
|
|
|
|
error = xfs_bmap_finish(&tp, free_list, &committed);
|
|
|
|
if (error) {
|
|
|
|
xfs_bmap_cancel(free_list);
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2015-03-25 11:06:07 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2015-06-04 11:48:08 +08:00
|
|
|
return xfs_trans_commit(tp);
|
2015-03-25 11:06:07 +08:00
|
|
|
}
|
|
|
|
|
2014-12-24 05:51:42 +08:00
|
|
|
/*
|
|
|
|
* xfs_cross_rename()
|
|
|
|
*
|
|
|
|
* responsible for handling RENAME_EXCHANGE flag in renameat2() sytemcall
|
|
|
|
*/
|
|
|
|
STATIC int
|
|
|
|
xfs_cross_rename(
|
|
|
|
struct xfs_trans *tp,
|
|
|
|
struct xfs_inode *dp1,
|
|
|
|
struct xfs_name *name1,
|
|
|
|
struct xfs_inode *ip1,
|
|
|
|
struct xfs_inode *dp2,
|
|
|
|
struct xfs_name *name2,
|
|
|
|
struct xfs_inode *ip2,
|
|
|
|
struct xfs_bmap_free *free_list,
|
|
|
|
xfs_fsblock_t *first_block,
|
|
|
|
int spaceres)
|
|
|
|
{
|
|
|
|
int error = 0;
|
|
|
|
int ip1_flags = 0;
|
|
|
|
int ip2_flags = 0;
|
|
|
|
int dp2_flags = 0;
|
|
|
|
|
|
|
|
/* Swap inode number for dirent in first parent */
|
|
|
|
error = xfs_dir_replace(tp, dp1, name1,
|
|
|
|
ip2->i_ino,
|
|
|
|
first_block, free_list, spaceres);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
|
|
|
|
/* Swap inode number for dirent in second parent */
|
|
|
|
error = xfs_dir_replace(tp, dp2, name2,
|
|
|
|
ip1->i_ino,
|
|
|
|
first_block, free_list, spaceres);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If we're renaming one or more directories across different parents,
|
|
|
|
* update the respective ".." entries (and link counts) to match the new
|
|
|
|
* parents.
|
|
|
|
*/
|
|
|
|
if (dp1 != dp2) {
|
|
|
|
dp2_flags = XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG;
|
|
|
|
|
|
|
|
if (S_ISDIR(ip2->i_d.di_mode)) {
|
|
|
|
error = xfs_dir_replace(tp, ip2, &xfs_name_dotdot,
|
|
|
|
dp1->i_ino, first_block,
|
|
|
|
free_list, spaceres);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
|
|
|
|
/* transfer ip2 ".." reference to dp1 */
|
|
|
|
if (!S_ISDIR(ip1->i_d.di_mode)) {
|
|
|
|
error = xfs_droplink(tp, dp2);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
error = xfs_bumplink(tp, dp1);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Although ip1 isn't changed here, userspace needs
|
|
|
|
* to be warned about the change, so that applications
|
|
|
|
* relying on it (like backup ones), will properly
|
|
|
|
* notify the change
|
|
|
|
*/
|
|
|
|
ip1_flags |= XFS_ICHGTIME_CHG;
|
|
|
|
ip2_flags |= XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (S_ISDIR(ip1->i_d.di_mode)) {
|
|
|
|
error = xfs_dir_replace(tp, ip1, &xfs_name_dotdot,
|
|
|
|
dp2->i_ino, first_block,
|
|
|
|
free_list, spaceres);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
|
|
|
|
/* transfer ip1 ".." reference to dp2 */
|
|
|
|
if (!S_ISDIR(ip2->i_d.di_mode)) {
|
|
|
|
error = xfs_droplink(tp, dp1);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
error = xfs_bumplink(tp, dp2);
|
|
|
|
if (error)
|
2015-03-25 11:08:07 +08:00
|
|
|
goto out_trans_abort;
|
2014-12-24 05:51:42 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Although ip2 isn't changed here, userspace needs
|
|
|
|
* to be warned about the change, so that applications
|
|
|
|
* relying on it (like backup ones), will properly
|
|
|
|
* notify the change
|
|
|
|
*/
|
|
|
|
ip1_flags |= XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG;
|
|
|
|
ip2_flags |= XFS_ICHGTIME_CHG;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ip1_flags) {
|
|
|
|
xfs_trans_ichgtime(tp, ip1, ip1_flags);
|
|
|
|
xfs_trans_log_inode(tp, ip1, XFS_ILOG_CORE);
|
|
|
|
}
|
|
|
|
if (ip2_flags) {
|
|
|
|
xfs_trans_ichgtime(tp, ip2, ip2_flags);
|
|
|
|
xfs_trans_log_inode(tp, ip2, XFS_ILOG_CORE);
|
|
|
|
}
|
|
|
|
if (dp2_flags) {
|
|
|
|
xfs_trans_ichgtime(tp, dp2, dp2_flags);
|
|
|
|
xfs_trans_log_inode(tp, dp2, XFS_ILOG_CORE);
|
|
|
|
}
|
|
|
|
xfs_trans_ichgtime(tp, dp1, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
xfs_trans_log_inode(tp, dp1, XFS_ILOG_CORE);
|
2015-03-25 11:08:07 +08:00
|
|
|
return xfs_finish_rename(tp, free_list);
|
|
|
|
|
|
|
|
out_trans_abort:
|
|
|
|
xfs_bmap_cancel(free_list);
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
2014-12-24 05:51:42 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
/*
|
|
|
|
* xfs_rename_alloc_whiteout()
|
|
|
|
*
|
|
|
|
* Return a referenced, unlinked, unlocked inode that that can be used as a
|
|
|
|
* whiteout in a rename transaction. We use a tmpfile inode here so that if we
|
|
|
|
* crash between allocating the inode and linking it into the rename transaction
|
|
|
|
* recovery will free the inode and we won't leak it.
|
|
|
|
*/
|
|
|
|
static int
|
|
|
|
xfs_rename_alloc_whiteout(
|
|
|
|
struct xfs_inode *dp,
|
|
|
|
struct xfs_inode **wip)
|
|
|
|
{
|
|
|
|
struct xfs_inode *tmpfile;
|
|
|
|
int error;
|
|
|
|
|
|
|
|
error = xfs_create_tmpfile(dp, NULL, S_IFCHR | WHITEOUT_MODE, &tmpfile);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
2015-05-29 06:14:55 +08:00
|
|
|
/*
|
|
|
|
* Prepare the tmpfile inode as if it were created through the VFS.
|
|
|
|
* Otherwise, the link increment paths will complain about nlink 0->1.
|
|
|
|
* Drop the link count as done by d_tmpfile(), complete the inode setup
|
|
|
|
* and flag it as linkable.
|
|
|
|
*/
|
|
|
|
drop_nlink(VFS_I(tmpfile));
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
xfs_finish_inode_setup(tmpfile);
|
|
|
|
VFS_I(tmpfile)->i_state |= I_LINKABLE;
|
|
|
|
|
|
|
|
*wip = tmpfile;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:46 +08:00
|
|
|
/*
|
|
|
|
* xfs_rename
|
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_rename(
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
struct xfs_inode *src_dp,
|
|
|
|
struct xfs_name *src_name,
|
|
|
|
struct xfs_inode *src_ip,
|
|
|
|
struct xfs_inode *target_dp,
|
|
|
|
struct xfs_name *target_name,
|
|
|
|
struct xfs_inode *target_ip,
|
|
|
|
unsigned int flags)
|
2013-08-12 18:49:46 +08:00
|
|
|
{
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
struct xfs_mount *mp = src_dp->i_mount;
|
|
|
|
struct xfs_trans *tp;
|
|
|
|
struct xfs_bmap_free free_list;
|
|
|
|
xfs_fsblock_t first_block;
|
|
|
|
struct xfs_inode *wip = NULL; /* whiteout inode */
|
|
|
|
struct xfs_inode *inodes[__XFS_SORT_INODES];
|
|
|
|
int num_inodes = __XFS_SORT_INODES;
|
2015-03-25 12:12:30 +08:00
|
|
|
bool new_parent = (src_dp != target_dp);
|
|
|
|
bool src_is_directory = S_ISDIR(src_ip->i_d.di_mode);
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
int spaceres;
|
|
|
|
int error;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
trace_xfs_rename(src_dp, target_dp, src_name, target_name);
|
|
|
|
|
2015-03-25 11:08:07 +08:00
|
|
|
if ((flags & RENAME_EXCHANGE) && !target_ip)
|
|
|
|
return -EINVAL;
|
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
/*
|
|
|
|
* If we are doing a whiteout operation, allocate the whiteout inode
|
|
|
|
* we will be placing at the target and ensure the type is set
|
|
|
|
* appropriately.
|
|
|
|
*/
|
|
|
|
if (flags & RENAME_WHITEOUT) {
|
|
|
|
ASSERT(!(flags & (RENAME_NOREPLACE | RENAME_EXCHANGE)));
|
|
|
|
error = xfs_rename_alloc_whiteout(target_dp, &wip);
|
|
|
|
if (error)
|
|
|
|
return error;
|
|
|
|
|
|
|
|
/* setup target dirent info as whiteout */
|
|
|
|
src_name->type = XFS_DIR3_FT_CHRDEV;
|
|
|
|
}
|
2013-08-12 18:49:46 +08:00
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
xfs_sort_for_rename(src_dp, target_dp, src_ip, target_ip, wip,
|
2013-08-12 18:49:46 +08:00
|
|
|
inodes, &num_inodes);
|
|
|
|
|
|
|
|
tp = xfs_trans_alloc(mp, XFS_TRANS_RENAME);
|
|
|
|
spaceres = XFS_RENAME_SPACE_RES(mp, target_name->len);
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_rename, spaceres, 0);
|
2014-06-25 12:58:08 +08:00
|
|
|
if (error == -ENOSPC) {
|
2013-08-12 18:49:46 +08:00
|
|
|
spaceres = 0;
|
2013-08-12 18:49:59 +08:00
|
|
|
error = xfs_trans_reserve(tp, &M_RES(mp)->tr_rename, 0, 0);
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
2015-03-25 11:05:43 +08:00
|
|
|
if (error)
|
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Attach the dquots to the inodes
|
|
|
|
*/
|
|
|
|
error = xfs_qm_vop_rename_dqattach(inodes);
|
2015-03-25 11:05:43 +08:00
|
|
|
if (error)
|
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Lock all the participating inodes. Depending upon whether
|
|
|
|
* the target_name exists in the target directory, and
|
|
|
|
* whether the target directory is the same as the source
|
|
|
|
* directory, we can lock from 2 to 4 inodes.
|
|
|
|
*/
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
if (!new_parent)
|
|
|
|
xfs_ilock(src_dp, XFS_IOLOCK_EXCL | XFS_IOLOCK_PARENT);
|
|
|
|
else
|
|
|
|
xfs_lock_two_inodes(src_dp, target_dp,
|
|
|
|
XFS_IOLOCK_EXCL | XFS_IOLOCK_PARENT);
|
|
|
|
|
2013-08-12 18:49:46 +08:00
|
|
|
xfs_lock_inodes(inodes, num_inodes, XFS_ILOCK_EXCL);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Join all the inodes to the transaction. From this point on,
|
|
|
|
* we can rely on either trans_commit or trans_cancel to unlock
|
|
|
|
* them.
|
|
|
|
*/
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_trans_ijoin(tp, src_dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:46 +08:00
|
|
|
if (new_parent)
|
xfs: stop holding ILOCK over filldir callbacks
The recent change to the readdir locking made in 40194ec ("xfs:
reinstate the ilock in xfs_readdir") for CXFS directory sanity was
probably the wrong thing to do. Deep in the readdir code we
can take page faults in the filldir callback, and so taking a page
fault while holding an inode ilock creates a new set of locking
issues that lockdep warns all over the place about.
The locking order for regular inodes w.r.t. page faults is io_lock
-> pagefault -> mmap_sem -> ilock. The directory readdir code now
triggers ilock -> page fault -> mmap_sem. While we cannot deadlock
at this point, it inverts all the locking patterns that lockdep
normally sees on XFS inodes, and so triggers lockdep. We worked
around this with commit 93a8614 ("xfs: fix directory inode iolock
lockdep false positive"), but that then just moved the lockdep
warning to deeper in the page fault path and triggered on security
inode locks. Fixing the shmem issue there just moved the lockdep
reports somewhere else, and now we are getting false positives from
filesystem freezing annotations getting confused.
Further, if we enter memory reclaim in a readdir path, we now get
lockdep warning about potential deadlocks because the ilock is held
when we enter reclaim. This, again, is different to a regular file
in that we never allow memory reclaim to run while holding the ilock
for regular files. Hence lockdep now throws
ilock->kmalloc->reclaim->ilock warnings.
Basically, the problem is that the ilock is being used to protect
the directory data and the inode metadata, whereas for a regular
file the iolock protects the data and the ilock protects the
metadata. From the VFS perspective, the i_mutex serialises all
accesses to the directory data, and so not holding the ilock for
readdir doesn't matter. The issue is that CXFS doesn't access
directory data via the VFS, so it has no "data serialisaton"
mechanism. Hence we need to hold the IOLOCK in the correct places to
provide this low level directory data access serialisation.
The ilock can then be used just when the extent list needs to be
read, just like we do for regular files. The directory modification
code can take the iolock exclusive when the ilock is also taken,
and this then ensures that readdir is correct excluded while
modifications are in progress.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-08-19 08:33:00 +08:00
|
|
|
xfs_trans_ijoin(tp, target_dp, XFS_IOLOCK_EXCL | XFS_ILOCK_EXCL);
|
2013-08-12 18:49:46 +08:00
|
|
|
xfs_trans_ijoin(tp, src_ip, XFS_ILOCK_EXCL);
|
|
|
|
if (target_ip)
|
|
|
|
xfs_trans_ijoin(tp, target_ip, XFS_ILOCK_EXCL);
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
if (wip)
|
|
|
|
xfs_trans_ijoin(tp, wip, XFS_ILOCK_EXCL);
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* If we are using project inheritance, we only allow renames
|
|
|
|
* into our tree when the project IDs are the same; else the
|
|
|
|
* tree quota mechanism would be circumvented.
|
|
|
|
*/
|
|
|
|
if (unlikely((target_dp->i_d.di_flags & XFS_DIFLAG_PROJINHERIT) &&
|
|
|
|
(xfs_get_projid(target_dp) != xfs_get_projid(src_ip)))) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -EXDEV;
|
2015-03-25 11:05:43 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
|
2015-03-25 11:05:43 +08:00
|
|
|
xfs_bmap_init(&free_list, &first_block);
|
|
|
|
|
2015-03-25 11:08:07 +08:00
|
|
|
/* RENAME_EXCHANGE is unique from here on. */
|
|
|
|
if (flags & RENAME_EXCHANGE)
|
|
|
|
return xfs_cross_rename(tp, src_dp, src_name, src_ip,
|
|
|
|
target_dp, target_name, target_ip,
|
|
|
|
&free_list, &first_block, spaceres);
|
2014-12-24 05:51:42 +08:00
|
|
|
|
2013-08-12 18:49:46 +08:00
|
|
|
/*
|
|
|
|
* Set up the target.
|
|
|
|
*/
|
|
|
|
if (target_ip == NULL) {
|
|
|
|
/*
|
|
|
|
* If there's no space reservation, check the entry will
|
|
|
|
* fit before actually inserting it.
|
|
|
|
*/
|
2014-09-09 09:57:52 +08:00
|
|
|
if (!spaceres) {
|
|
|
|
error = xfs_dir_canenter(tp, target_dp, target_name);
|
|
|
|
if (error)
|
2015-03-25 11:05:43 +08:00
|
|
|
goto out_trans_cancel;
|
2014-09-09 09:57:52 +08:00
|
|
|
}
|
2013-08-12 18:49:46 +08:00
|
|
|
/*
|
|
|
|
* If target does not exist and the rename crosses
|
|
|
|
* directories, adjust the target directory link count
|
|
|
|
* to account for the ".." reference from the new entry.
|
|
|
|
*/
|
|
|
|
error = xfs_dir_createname(tp, target_dp, target_name,
|
|
|
|
src_ip->i_ino, &first_block,
|
|
|
|
&free_list, spaceres);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
xfs_trans_ichgtime(tp, target_dp,
|
|
|
|
XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
|
|
|
|
if (new_parent && src_is_directory) {
|
|
|
|
error = xfs_bumplink(tp, target_dp);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
} else { /* target_ip != NULL */
|
|
|
|
/*
|
|
|
|
* If target exists and it's a directory, check that both
|
|
|
|
* target and source are directories and that target can be
|
|
|
|
* destroyed, or that neither is a directory.
|
|
|
|
*/
|
|
|
|
if (S_ISDIR(target_ip->i_d.di_mode)) {
|
|
|
|
/*
|
|
|
|
* Make sure target dir is empty.
|
|
|
|
*/
|
|
|
|
if (!(xfs_dir_isempty(target_ip)) ||
|
|
|
|
(target_ip->i_d.di_nlink > 2)) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -EEXIST;
|
2015-03-25 11:05:43 +08:00
|
|
|
goto out_trans_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Link the source inode under the target name.
|
|
|
|
* If the source inode is a directory and we are moving
|
|
|
|
* it across directories, its ".." entry will be
|
|
|
|
* inconsistent until we replace that down below.
|
|
|
|
*
|
|
|
|
* In case there is already an entry with the same
|
|
|
|
* name at the destination directory, remove it first.
|
|
|
|
*/
|
|
|
|
error = xfs_dir_replace(tp, target_dp, target_name,
|
|
|
|
src_ip->i_ino,
|
|
|
|
&first_block, &free_list, spaceres);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
xfs_trans_ichgtime(tp, target_dp,
|
|
|
|
XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Decrement the link count on the target since the target
|
|
|
|
* dir no longer points to it.
|
|
|
|
*/
|
|
|
|
error = xfs_droplink(tp, target_ip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
if (src_is_directory) {
|
|
|
|
/*
|
|
|
|
* Drop the link from the old "." entry.
|
|
|
|
*/
|
|
|
|
error = xfs_droplink(tp, target_ip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
} /* target_ip != NULL */
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Remove the source.
|
|
|
|
*/
|
|
|
|
if (new_parent && src_is_directory) {
|
|
|
|
/*
|
|
|
|
* Rewrite the ".." entry to point to the new
|
|
|
|
* directory.
|
|
|
|
*/
|
|
|
|
error = xfs_dir_replace(tp, src_ip, &xfs_name_dotdot,
|
|
|
|
target_dp->i_ino,
|
|
|
|
&first_block, &free_list, spaceres);
|
2014-06-25 12:58:08 +08:00
|
|
|
ASSERT(error != -EEXIST);
|
2013-08-12 18:49:46 +08:00
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* We always want to hit the ctime on the source inode.
|
|
|
|
*
|
|
|
|
* This isn't strictly required by the standards since the source
|
|
|
|
* inode isn't really being changed, but old unix file systems did
|
|
|
|
* it and some incremental backup programs won't work without it.
|
|
|
|
*/
|
|
|
|
xfs_trans_ichgtime(tp, src_ip, XFS_ICHGTIME_CHG);
|
|
|
|
xfs_trans_log_inode(tp, src_ip, XFS_ILOG_CORE);
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Adjust the link count on src_dp. This is necessary when
|
|
|
|
* renaming a directory, either within one parent when
|
|
|
|
* the target existed, or across two parent directories.
|
|
|
|
*/
|
|
|
|
if (src_is_directory && (new_parent || target_ip != NULL)) {
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Decrement link count on src_directory since the
|
|
|
|
* entry that's moved no longer points to it.
|
|
|
|
*/
|
|
|
|
error = xfs_droplink(tp, src_dp);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
/*
|
|
|
|
* For whiteouts, we only need to update the source dirent with the
|
|
|
|
* inode number of the whiteout inode rather than removing it
|
|
|
|
* altogether.
|
|
|
|
*/
|
|
|
|
if (wip) {
|
|
|
|
error = xfs_dir_replace(tp, src_dp, src_name, wip->i_ino,
|
2013-08-12 18:49:46 +08:00
|
|
|
&first_block, &free_list, spaceres);
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
} else
|
|
|
|
error = xfs_dir_removename(tp, src_dp, src_name, src_ip->i_ino,
|
|
|
|
&first_block, &free_list, spaceres);
|
2013-08-12 18:49:46 +08:00
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
|
|
|
/*
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
* For whiteouts, we need to bump the link count on the whiteout inode.
|
|
|
|
* This means that failures all the way up to this point leave the inode
|
|
|
|
* on the unlinked list and so cleanup is a simple matter of dropping
|
|
|
|
* the remaining reference to it. If we fail here after bumping the link
|
|
|
|
* count, we're shutting down the filesystem so we'll never see the
|
|
|
|
* intermediate state on disk.
|
2013-08-12 18:49:46 +08:00
|
|
|
*/
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
if (wip) {
|
2015-05-29 06:14:55 +08:00
|
|
|
ASSERT(VFS_I(wip)->i_nlink == 0 && wip->i_d.di_nlink == 0);
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
error = xfs_bumplink(tp, wip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
error = xfs_iunlink_remove(tp, wip);
|
|
|
|
if (error)
|
2015-06-04 11:47:56 +08:00
|
|
|
goto out_bmap_cancel;
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
xfs_trans_log_inode(tp, wip, XFS_ILOG_CORE);
|
2013-08-12 18:49:46 +08:00
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
/*
|
|
|
|
* Now we have a real link, clear the "I'm a tmpfile" state
|
|
|
|
* flag from the inode so it doesn't accidentally get misused in
|
|
|
|
* future.
|
|
|
|
*/
|
|
|
|
VFS_I(wip)->i_state &= ~I_LINKABLE;
|
2013-08-12 18:49:46 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
xfs_trans_ichgtime(tp, src_dp, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
|
|
|
|
xfs_trans_log_inode(tp, src_dp, XFS_ILOG_CORE);
|
|
|
|
if (new_parent)
|
|
|
|
xfs_trans_log_inode(tp, target_dp, XFS_ILOG_CORE);
|
|
|
|
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
error = xfs_finish_rename(tp, &free_list);
|
|
|
|
if (wip)
|
|
|
|
IRELE(wip);
|
|
|
|
return error;
|
2013-08-12 18:49:46 +08:00
|
|
|
|
2015-03-25 11:05:43 +08:00
|
|
|
out_bmap_cancel:
|
2013-08-12 18:49:46 +08:00
|
|
|
xfs_bmap_cancel(&free_list);
|
2015-03-25 11:05:43 +08:00
|
|
|
out_trans_cancel:
|
2015-06-04 11:47:56 +08:00
|
|
|
xfs_trans_cancel(tp);
|
xfs: add RENAME_WHITEOUT support
Whiteouts are used by overlayfs - it has a crazy convention that a
whiteout is a character device inode with a major:minor of 0:0.
Because it's not documented anywhere, here's an example of what
RENAME_WHITEOUT does on ext4:
# echo foo > /mnt/scratch/foo
# echo bar > /mnt/scratch/bar
# ls -l /mnt/scratch
total 24
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
-rw-r--r-- 1 root root 4 Feb 11 20:22 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# src/renameat2 -w /mnt/scratch/foo /mnt/scratch/bar
# ls -l /mnt/scratch
total 20
-rw-r--r-- 1 root root 4 Feb 11 20:22 bar
c--------- 1 root root 0, 0 Feb 11 20:23 foo
drwx------ 2 root root 16384 Feb 11 20:18 lost+found
# cat /mnt/scratch/bar
foo
#
In XFS rename terms, the operation that has been done is that source
(foo) has been moved to the target (bar), which is like a nomal
rename operation, but rather than the source being removed, it have
been replaced with a whiteout.
We can't allocate whiteout inodes within the rename transaction due
to allocation being a multi-commit transaction: rename needs to
be a single, atomic commit. Hence we have several options here, form
most efficient to least efficient:
- use DT_WHT in the target dirent and do no whiteout inode
allocation. The main issue with this approach is that we need
hooks in lookup to create a virtual chardev inode to present
to userspace and in places where we might need to modify the
dirent e.g. unlink. Overlayfs also needs to be taught about
DT_WHT. Most invasive change, lowest overhead.
- create a special whiteout inode in the root directory (e.g. a
".wino" dirent) and then hardlink every new whiteout to it.
This means we only need to create a single whiteout inode, and
rename simply creates a hardlink to it. We can use DT_WHT for
these, though using DT_CHR means we won't have to modify
overlayfs, nor anything in userspace. Downside is we have to
look up the whiteout inode on every operation and create it if
it doesn't exist.
- copy ext4: create a special whiteout chardev inode for every
whiteout. This is more complex than the above options because
of the lack of atomicity between inode creation and the rename
operation, requiring us to create a tmpfile inode and then
linking it into the directory structure during the rename. At
least with a tmpfile inode crashes between the create and
rename doesn't leave unreferenced inodes or directory
pollution around.
By far the simplest thing to do in the short term is to copy ext4.
While it is the most inefficient way of supporting whiteouts, but as
an initial implementation we can simply reuse existing functions and
add a small amount of extra code the the rename operation.
When we get full whiteout support in the VFS (via the dentry cache)
we can then look to supporting DT_WHT method outlined as the first
method of supporting whiteouts. But until then, we'll stick with
what overlayfs expects us to be: dumb and stupid.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
2015-03-25 11:08:08 +08:00
|
|
|
if (wip)
|
|
|
|
IRELE(wip);
|
2013-08-12 18:49:46 +08:00
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2013-08-12 18:49:33 +08:00
|
|
|
STATIC int
|
|
|
|
xfs_iflush_cluster(
|
|
|
|
xfs_inode_t *ip,
|
|
|
|
xfs_buf_t *bp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2013-08-12 18:49:33 +08:00
|
|
|
xfs_mount_t *mp = ip->i_mount;
|
|
|
|
struct xfs_perag *pag;
|
|
|
|
unsigned long first_index, mask;
|
|
|
|
unsigned long inodes_per_cluster;
|
|
|
|
int ilist_size;
|
|
|
|
xfs_inode_t **ilist;
|
|
|
|
xfs_inode_t *iq;
|
|
|
|
int nr_found;
|
|
|
|
int clcount = 0;
|
|
|
|
int bufwasdelwri;
|
2005-04-17 06:20:36 +08:00
|
|
|
int i;
|
|
|
|
|
2013-08-12 18:49:33 +08:00
|
|
|
pag = xfs_perag_get(mp, XFS_INO_TO_AGNO(mp, ip->i_ino));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-12-13 12:51:48 +08:00
|
|
|
inodes_per_cluster = mp->m_inode_cluster_size >> mp->m_sb.sb_inodelog;
|
2013-08-12 18:49:33 +08:00
|
|
|
ilist_size = inodes_per_cluster * sizeof(xfs_inode_t *);
|
|
|
|
ilist = kmem_alloc(ilist_size, KM_MAYFAIL|KM_NOFS);
|
|
|
|
if (!ilist)
|
|
|
|
goto out_put;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-12-13 12:51:48 +08:00
|
|
|
mask = ~(((mp->m_inode_cluster_size >> mp->m_sb.sb_inodelog)) - 1);
|
2013-08-12 18:49:33 +08:00
|
|
|
first_index = XFS_INO_TO_AGINO(mp, ip->i_ino) & mask;
|
|
|
|
rcu_read_lock();
|
|
|
|
/* really need a gang lookup range call here */
|
|
|
|
nr_found = radix_tree_gang_lookup(&pag->pag_ici_root, (void**)ilist,
|
|
|
|
first_index, inodes_per_cluster);
|
|
|
|
if (nr_found == 0)
|
|
|
|
goto out_free;
|
|
|
|
|
|
|
|
for (i = 0; i < nr_found; i++) {
|
|
|
|
iq = ilist[i];
|
|
|
|
if (iq == ip)
|
2008-03-06 10:43:49 +08:00
|
|
|
continue;
|
2010-12-17 14:29:43 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* because this is an RCU protected lookup, we could find a
|
|
|
|
* recently freed or even reallocated inode during the lookup.
|
|
|
|
* We need to check under the i_flags_lock for a valid inode
|
|
|
|
* here. Skip it if it is not valid or the wrong inode.
|
|
|
|
*/
|
|
|
|
spin_lock(&ip->i_flags_lock);
|
|
|
|
if (!ip->i_ino ||
|
|
|
|
(XFS_INO_TO_AGINO(mp, iq->i_ino) & mask) != first_index) {
|
|
|
|
spin_unlock(&ip->i_flags_lock);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
spin_unlock(&ip->i_flags_lock);
|
|
|
|
|
2008-03-06 10:43:49 +08:00
|
|
|
/*
|
|
|
|
* Do an un-protected check to see if the inode is dirty and
|
|
|
|
* is a candidate for flushing. These checks will be repeated
|
|
|
|
* later after the appropriate locks are acquired.
|
|
|
|
*/
|
2008-03-06 10:43:59 +08:00
|
|
|
if (xfs_inode_clean(iq) && xfs_ipincount(iq) == 0)
|
2008-03-06 10:43:49 +08:00
|
|
|
continue;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Try to get locks. If any are unavailable or it is pinned,
|
|
|
|
* then this inode cannot be flushed and is skipped.
|
|
|
|
*/
|
|
|
|
|
|
|
|
if (!xfs_ilock_nowait(iq, XFS_ILOCK_SHARED))
|
|
|
|
continue;
|
|
|
|
if (!xfs_iflock_nowait(iq)) {
|
|
|
|
xfs_iunlock(iq, XFS_ILOCK_SHARED);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if (xfs_ipincount(iq)) {
|
|
|
|
xfs_ifunlock(iq);
|
|
|
|
xfs_iunlock(iq, XFS_ILOCK_SHARED);
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* arriving here means that this inode can be flushed. First
|
|
|
|
* re-check that it's dirty before flushing.
|
|
|
|
*/
|
2008-03-06 10:43:59 +08:00
|
|
|
if (!xfs_inode_clean(iq)) {
|
|
|
|
int error;
|
2008-03-06 10:43:49 +08:00
|
|
|
error = xfs_iflush_int(iq, bp);
|
|
|
|
if (error) {
|
|
|
|
xfs_iunlock(iq, XFS_ILOCK_SHARED);
|
|
|
|
goto cluster_corrupt_out;
|
|
|
|
}
|
|
|
|
clcount++;
|
|
|
|
} else {
|
|
|
|
xfs_ifunlock(iq);
|
|
|
|
}
|
|
|
|
xfs_iunlock(iq, XFS_ILOCK_SHARED);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (clcount) {
|
2015-10-12 15:21:22 +08:00
|
|
|
XFS_STATS_INC(mp, xs_icluster_flushcnt);
|
|
|
|
XFS_STATS_ADD(mp, xs_icluster_flushinode, clcount);
|
2008-03-06 10:43:49 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
out_free:
|
2010-12-17 14:29:43 +08:00
|
|
|
rcu_read_unlock();
|
2008-05-19 14:31:57 +08:00
|
|
|
kmem_free(ilist);
|
2010-01-11 19:47:43 +08:00
|
|
|
out_put:
|
|
|
|
xfs_perag_put(pag);
|
2008-03-06 10:43:49 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
cluster_corrupt_out:
|
|
|
|
/*
|
|
|
|
* Corruption detected in the clustering loop. Invalidate the
|
|
|
|
* inode buffer and shut down the filesystem.
|
|
|
|
*/
|
2010-12-17 14:29:43 +08:00
|
|
|
rcu_read_unlock();
|
2008-03-06 10:43:49 +08:00
|
|
|
/*
|
xfs: on-stack delayed write buffer lists
Queue delwri buffers on a local on-stack list instead of a per-buftarg one,
and write back the buffers per-process instead of by waking up xfsbufd.
This is now easily doable given that we have very few places left that write
delwri buffers:
- log recovery:
Only done at mount time, and already forcing out the buffers
synchronously using xfs_flush_buftarg
- quotacheck:
Same story.
- dquot reclaim:
Writes out dirty dquots on the LRU under memory pressure. We might
want to look into doing more of this via xfsaild, but it's already
more optimal than the synchronous inode reclaim that writes each
buffer synchronously.
- xfsaild:
This is the main beneficiary of the change. By keeping a local list
of buffers to write we reduce latency of writing out buffers, and
more importably we can remove all the delwri list promotions which
were hitting the buffer cache hard under sustained metadata loads.
The implementation is very straight forward - xfs_buf_delwri_queue now gets
a new list_head pointer that it adds the delwri buffers to, and all callers
need to eventually submit the list using xfs_buf_delwi_submit or
xfs_buf_delwi_submit_nowait. Buffers that already are on a delwri list are
skipped in xfs_buf_delwri_queue, assuming they already are on another delwri
list. The biggest change to pass down the buffer list was done to the AIL
pushing. Now that we operate on buffers the trylock, push and pushbuf log
item methods are merged into a single push routine, which tries to lock the
item, and if possible add the buffer that needs writeback to the buffer list.
This leads to much simpler code than the previous split but requires the
individual IOP_PUSH instances to unlock and reacquire the AIL around calls
to blocking routines.
Given that xfsailds now also handle writing out buffers, the conditions for
log forcing and the sleep times needed some small changes. The most
important one is that we consider an AIL busy as long we still have buffers
to push, and the other one is that we do increment the pushed LSN for
buffers that are under flushing at this moment, but still count them towards
the stuck items for restart purposes. Without this we could hammer on stuck
items without ever forcing the log and not make progress under heavy random
delete workloads on fast flash storage devices.
[ Dave Chinner:
- rebase on previous patches.
- improved comments for XBF_DELWRI_Q handling
- fix XBF_ASYNC handling in queue submission (test 106 failure)
- rename delwri submit function buffer list parameters for clarity
- xfs_efd_item_push() should return XFS_ITEM_PINNED ]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2012-04-23 13:58:39 +08:00
|
|
|
* Clean up the buffer. If it was delwri, just release it --
|
2008-03-06 10:43:49 +08:00
|
|
|
* brelse can handle it with no problems. If not, shut down the
|
|
|
|
* filesystem before releasing the buffer.
|
|
|
|
*/
|
xfs: on-stack delayed write buffer lists
Queue delwri buffers on a local on-stack list instead of a per-buftarg one,
and write back the buffers per-process instead of by waking up xfsbufd.
This is now easily doable given that we have very few places left that write
delwri buffers:
- log recovery:
Only done at mount time, and already forcing out the buffers
synchronously using xfs_flush_buftarg
- quotacheck:
Same story.
- dquot reclaim:
Writes out dirty dquots on the LRU under memory pressure. We might
want to look into doing more of this via xfsaild, but it's already
more optimal than the synchronous inode reclaim that writes each
buffer synchronously.
- xfsaild:
This is the main beneficiary of the change. By keeping a local list
of buffers to write we reduce latency of writing out buffers, and
more importably we can remove all the delwri list promotions which
were hitting the buffer cache hard under sustained metadata loads.
The implementation is very straight forward - xfs_buf_delwri_queue now gets
a new list_head pointer that it adds the delwri buffers to, and all callers
need to eventually submit the list using xfs_buf_delwi_submit or
xfs_buf_delwi_submit_nowait. Buffers that already are on a delwri list are
skipped in xfs_buf_delwri_queue, assuming they already are on another delwri
list. The biggest change to pass down the buffer list was done to the AIL
pushing. Now that we operate on buffers the trylock, push and pushbuf log
item methods are merged into a single push routine, which tries to lock the
item, and if possible add the buffer that needs writeback to the buffer list.
This leads to much simpler code than the previous split but requires the
individual IOP_PUSH instances to unlock and reacquire the AIL around calls
to blocking routines.
Given that xfsailds now also handle writing out buffers, the conditions for
log forcing and the sleep times needed some small changes. The most
important one is that we consider an AIL busy as long we still have buffers
to push, and the other one is that we do increment the pushed LSN for
buffers that are under flushing at this moment, but still count them towards
the stuck items for restart purposes. Without this we could hammer on stuck
items without ever forcing the log and not make progress under heavy random
delete workloads on fast flash storage devices.
[ Dave Chinner:
- rebase on previous patches.
- improved comments for XBF_DELWRI_Q handling
- fix XBF_ASYNC handling in queue submission (test 106 failure)
- rename delwri submit function buffer list parameters for clarity
- xfs_efd_item_push() should return XFS_ITEM_PINNED ]
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2012-04-23 13:58:39 +08:00
|
|
|
bufwasdelwri = (bp->b_flags & _XBF_DELWRI_Q);
|
2008-03-06 10:43:49 +08:00
|
|
|
if (bufwasdelwri)
|
|
|
|
xfs_buf_relse(bp);
|
|
|
|
|
|
|
|
xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
|
|
|
|
|
|
|
|
if (!bufwasdelwri) {
|
|
|
|
/*
|
|
|
|
* Just like incore_relse: if we have b_iodone functions,
|
|
|
|
* mark the buffer as an error and call them. Otherwise
|
|
|
|
* mark it as stale and brelse.
|
|
|
|
*/
|
2011-07-13 19:43:49 +08:00
|
|
|
if (bp->b_iodone) {
|
2008-03-06 10:43:49 +08:00
|
|
|
XFS_BUF_UNDONE(bp);
|
2011-10-11 00:52:46 +08:00
|
|
|
xfs_buf_stale(bp);
|
2014-06-25 12:58:08 +08:00
|
|
|
xfs_buf_ioerror(bp, -EIO);
|
2014-10-02 07:04:22 +08:00
|
|
|
xfs_buf_ioend(bp);
|
2008-03-06 10:43:49 +08:00
|
|
|
} else {
|
2011-10-11 00:52:46 +08:00
|
|
|
xfs_buf_stale(bp);
|
2008-03-06 10:43:49 +08:00
|
|
|
xfs_buf_relse(bp);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Unlocks the flush lock
|
|
|
|
*/
|
2012-04-23 13:58:41 +08:00
|
|
|
xfs_iflush_abort(iq, false);
|
2008-05-19 14:31:57 +08:00
|
|
|
kmem_free(ilist);
|
2010-01-11 19:47:43 +08:00
|
|
|
xfs_perag_put(pag);
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EFSCORRUPTED;
|
2008-03-06 10:43:49 +08:00
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2012-04-23 13:58:36 +08:00
|
|
|
* Flush dirty inode metadata into the backing buffer.
|
|
|
|
*
|
|
|
|
* The caller must have the inode lock and the inode flush lock held. The
|
|
|
|
* inode lock will still be held upon return to the caller, and the inode
|
|
|
|
* flush lock will be released after the inode has reached the disk.
|
|
|
|
*
|
|
|
|
* The caller must write out the buffer returned in *bpp and release it.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
int
|
|
|
|
xfs_iflush(
|
2012-04-23 13:58:36 +08:00
|
|
|
struct xfs_inode *ip,
|
|
|
|
struct xfs_buf **bpp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2012-04-23 13:58:36 +08:00
|
|
|
struct xfs_mount *mp = ip->i_mount;
|
|
|
|
struct xfs_buf *bp;
|
|
|
|
struct xfs_dinode *dip;
|
2005-04-17 06:20:36 +08:00
|
|
|
int error;
|
|
|
|
|
2015-10-12 15:21:22 +08:00
|
|
|
XFS_STATS_INC(mp, xs_iflush_count);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-22 15:34:00 +08:00
|
|
|
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL|XFS_ILOCK_SHARED));
|
2011-12-19 04:00:09 +08:00
|
|
|
ASSERT(xfs_isiflocked(ip));
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(ip->i_d.di_format != XFS_DINODE_FMT_BTREE ||
|
2011-12-19 04:00:07 +08:00
|
|
|
ip->i_d.di_nextents > XFS_IFORK_MAXEXT(ip, XFS_DATA_FORK));
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-04-23 13:58:36 +08:00
|
|
|
*bpp = NULL;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
xfs_iunpin_wait(ip);
|
|
|
|
|
2010-01-11 19:45:21 +08:00
|
|
|
/*
|
|
|
|
* For stale inodes we cannot rely on the backing buffer remaining
|
|
|
|
* stale in cache for the remaining life of the stale inode and so
|
2012-07-04 00:21:22 +08:00
|
|
|
* xfs_imap_to_bp() below may give us a buffer that no longer contains
|
2010-01-11 19:45:21 +08:00
|
|
|
* inodes below. We have to check this after ensuring the inode is
|
|
|
|
* unpinned so that it is safe to reclaim the stale inode after the
|
|
|
|
* flush call.
|
|
|
|
*/
|
|
|
|
if (xfs_iflags_test(ip, XFS_ISTALE)) {
|
|
|
|
xfs_ifunlock(ip);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* This may have been unpinned because the filesystem is shutting
|
|
|
|
* down forcibly. If that's the case we must not write this inode
|
2012-04-23 13:58:32 +08:00
|
|
|
* to disk, because the log record didn't make it to disk.
|
|
|
|
*
|
|
|
|
* We also have to remove the log item from the AIL in this case,
|
|
|
|
* as we wait for an empty AIL as part of the unmount process.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
|
|
|
if (XFS_FORCED_SHUTDOWN(mp)) {
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -EIO;
|
2012-04-23 13:58:32 +08:00
|
|
|
goto abort_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
2008-03-06 10:43:42 +08:00
|
|
|
/*
|
|
|
|
* Get the buffer containing the on-disk inode.
|
|
|
|
*/
|
2012-07-04 00:21:22 +08:00
|
|
|
error = xfs_imap_to_bp(mp, NULL, &ip->i_imap, &dip, &bp, XBF_TRYLOCK,
|
|
|
|
0);
|
2008-03-06 10:43:42 +08:00
|
|
|
if (error || !bp) {
|
|
|
|
xfs_ifunlock(ip);
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* First flush out the inode that xfs_iflush was called with.
|
|
|
|
*/
|
|
|
|
error = xfs_iflush_int(ip, bp);
|
2008-03-06 10:43:49 +08:00
|
|
|
if (error)
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
|
2008-03-06 10:43:42 +08:00
|
|
|
/*
|
|
|
|
* If the buffer is pinned then push on the log now so we won't
|
|
|
|
* get stuck waiting in the write for too long.
|
|
|
|
*/
|
2011-07-23 07:40:27 +08:00
|
|
|
if (xfs_buf_ispinned(bp))
|
2010-01-19 17:56:46 +08:00
|
|
|
xfs_log_force(mp, 0);
|
2008-03-06 10:43:42 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* inode clustering:
|
|
|
|
* see if other inodes can be gathered into this write
|
|
|
|
*/
|
2008-03-06 10:43:49 +08:00
|
|
|
error = xfs_iflush_cluster(ip, bp);
|
|
|
|
if (error)
|
|
|
|
goto cluster_corrupt_out;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2012-04-23 13:58:36 +08:00
|
|
|
*bpp = bp;
|
|
|
|
return 0;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
corrupt_out:
|
|
|
|
xfs_buf_relse(bp);
|
2006-06-09 12:58:38 +08:00
|
|
|
xfs_force_shutdown(mp, SHUTDOWN_CORRUPT_INCORE);
|
2005-04-17 06:20:36 +08:00
|
|
|
cluster_corrupt_out:
|
2014-06-25 12:58:08 +08:00
|
|
|
error = -EFSCORRUPTED;
|
2012-04-23 13:58:32 +08:00
|
|
|
abort_out:
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
|
|
|
* Unlocks the flush lock
|
|
|
|
*/
|
2012-04-23 13:58:41 +08:00
|
|
|
xfs_iflush_abort(ip, false);
|
2012-04-23 13:58:32 +08:00
|
|
|
return error;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
STATIC int
|
|
|
|
xfs_iflush_int(
|
2013-04-03 13:11:17 +08:00
|
|
|
struct xfs_inode *ip,
|
|
|
|
struct xfs_buf *bp)
|
2005-04-17 06:20:36 +08:00
|
|
|
{
|
2013-04-03 13:11:17 +08:00
|
|
|
struct xfs_inode_log_item *iip = ip->i_itemp;
|
|
|
|
struct xfs_dinode *dip;
|
|
|
|
struct xfs_mount *mp = ip->i_mount;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2008-04-22 15:34:00 +08:00
|
|
|
ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL|XFS_ILOCK_SHARED));
|
2011-12-19 04:00:09 +08:00
|
|
|
ASSERT(xfs_isiflocked(ip));
|
2005-04-17 06:20:36 +08:00
|
|
|
ASSERT(ip->i_d.di_format != XFS_DINODE_FMT_BTREE ||
|
2011-12-19 04:00:07 +08:00
|
|
|
ip->i_d.di_nextents > XFS_IFORK_MAXEXT(ip, XFS_DATA_FORK));
|
2013-04-03 13:11:17 +08:00
|
|
|
ASSERT(iip != NULL && iip->ili_fields != 0);
|
2014-05-20 05:46:40 +08:00
|
|
|
ASSERT(ip->i_d.di_version > 1);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* set *dip = inode's place in the buffer */
|
2015-06-22 07:44:29 +08:00
|
|
|
dip = xfs_buf_offset(bp, ip->i_imap.im_boffset);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2011-07-08 20:36:05 +08:00
|
|
|
if (XFS_TEST_ERROR(dip->di_magic != cpu_to_be16(XFS_DINODE_MAGIC),
|
2005-04-17 06:20:36 +08:00
|
|
|
mp, XFS_ERRTAG_IFLUSH_1, XFS_RANDOM_IFLUSH_1)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: Bad inode %Lu magic number 0x%x, ptr 0x%p",
|
|
|
|
__func__, ip->i_ino, be16_to_cpu(dip->di_magic), dip);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
|
|
|
if (XFS_TEST_ERROR(ip->i_d.di_magic != XFS_DINODE_MAGIC,
|
|
|
|
mp, XFS_ERRTAG_IFLUSH_2, XFS_RANDOM_IFLUSH_2)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: Bad inode %Lu, ptr 0x%p, magic number 0x%x",
|
|
|
|
__func__, ip->i_ino, ip, ip->i_d.di_magic);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
2011-07-26 14:31:30 +08:00
|
|
|
if (S_ISREG(ip->i_d.di_mode)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (XFS_TEST_ERROR(
|
|
|
|
(ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
|
|
|
|
(ip->i_d.di_format != XFS_DINODE_FMT_BTREE),
|
|
|
|
mp, XFS_ERRTAG_IFLUSH_3, XFS_RANDOM_IFLUSH_3)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: Bad regular inode %Lu, ptr 0x%p",
|
|
|
|
__func__, ip->i_ino, ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
2011-07-26 14:31:30 +08:00
|
|
|
} else if (S_ISDIR(ip->i_d.di_mode)) {
|
2005-04-17 06:20:36 +08:00
|
|
|
if (XFS_TEST_ERROR(
|
|
|
|
(ip->i_d.di_format != XFS_DINODE_FMT_EXTENTS) &&
|
|
|
|
(ip->i_d.di_format != XFS_DINODE_FMT_BTREE) &&
|
|
|
|
(ip->i_d.di_format != XFS_DINODE_FMT_LOCAL),
|
|
|
|
mp, XFS_ERRTAG_IFLUSH_4, XFS_RANDOM_IFLUSH_4)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: Bad directory inode %Lu, ptr 0x%p",
|
|
|
|
__func__, ip->i_ino, ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (XFS_TEST_ERROR(ip->i_d.di_nextents + ip->i_d.di_anextents >
|
|
|
|
ip->i_d.di_nblocks, mp, XFS_ERRTAG_IFLUSH_5,
|
|
|
|
XFS_RANDOM_IFLUSH_5)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: detected corrupt incore inode %Lu, "
|
|
|
|
"total extents = %d, nblocks = %Ld, ptr 0x%p",
|
|
|
|
__func__, ip->i_ino,
|
2005-04-17 06:20:36 +08:00
|
|
|
ip->i_d.di_nextents + ip->i_d.di_anextents,
|
2011-03-07 07:02:35 +08:00
|
|
|
ip->i_d.di_nblocks, ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
|
|
|
if (XFS_TEST_ERROR(ip->i_d.di_forkoff > mp->m_sb.sb_inodesize,
|
|
|
|
mp, XFS_ERRTAG_IFLUSH_6, XFS_RANDOM_IFLUSH_6)) {
|
2011-03-07 07:02:35 +08:00
|
|
|
xfs_alert_tag(mp, XFS_PTAG_IFLUSH,
|
|
|
|
"%s: bad inode %Lu, forkoff 0x%x, ptr 0x%p",
|
|
|
|
__func__, ip->i_ino, ip->i_d.di_forkoff, ip);
|
2005-04-17 06:20:36 +08:00
|
|
|
goto corrupt_out;
|
|
|
|
}
|
xfs: di_flushiter considered harmful
When we made all inode updates transactional, we no longer needed
the log recovery detection for inodes being newer on disk than the
transaction being replayed - it was redundant as replay of the log
would always result in the latest version of the inode would be on
disk. It was redundant, but left in place because it wasn't
considered to be a problem.
However, with the new "don't read inodes on create" optimisation,
flushiter has come back to bite us. Essentially, the optimisation
made always initialises flushiter to zero in the create transaction,
and so if we then crash and run recovery and the inode already on
disk has a non-zero flushiter it will skip recovery of that inode.
As a result, log recovery does the wrong thing and we end up with a
corrupt filesystem.
Because we have to support old kernel to new kernel upgrades, we
can't just get rid of the flushiter support in log recovery as we
might be upgrading from a kernel that doesn't have fully transactional
inode updates. Unfortunately, for v4 superblocks there is no way to
guarantee that log recovery knows about this fact.
We cannot add a new inode format flag to say it's a "special inode
create" because it won't be understood by older kernels and so
recovery could do the wrong thing on downgrade. We cannot specially
detect the combination of zero mode/non-zero flushiter on disk to
non-zero mode, zero flushiter in the log item during recovery
because wrapping of the flushiter can result in false detection.
Hence that makes this "don't use flushiter" optimisation limited to
a disk format that guarantees that we don't need it. And that means
the only fix here is to limit the "no read IO on create"
optimisation to version 5 superblocks....
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-07-24 13:47:30 +08:00
|
|
|
|
2005-04-17 06:20:36 +08:00
|
|
|
/*
|
2014-05-20 05:46:40 +08:00
|
|
|
* Inode item log recovery for v2 inodes are dependent on the
|
xfs: di_flushiter considered harmful
When we made all inode updates transactional, we no longer needed
the log recovery detection for inodes being newer on disk than the
transaction being replayed - it was redundant as replay of the log
would always result in the latest version of the inode would be on
disk. It was redundant, but left in place because it wasn't
considered to be a problem.
However, with the new "don't read inodes on create" optimisation,
flushiter has come back to bite us. Essentially, the optimisation
made always initialises flushiter to zero in the create transaction,
and so if we then crash and run recovery and the inode already on
disk has a non-zero flushiter it will skip recovery of that inode.
As a result, log recovery does the wrong thing and we end up with a
corrupt filesystem.
Because we have to support old kernel to new kernel upgrades, we
can't just get rid of the flushiter support in log recovery as we
might be upgrading from a kernel that doesn't have fully transactional
inode updates. Unfortunately, for v4 superblocks there is no way to
guarantee that log recovery knows about this fact.
We cannot add a new inode format flag to say it's a "special inode
create" because it won't be understood by older kernels and so
recovery could do the wrong thing on downgrade. We cannot specially
detect the combination of zero mode/non-zero flushiter on disk to
non-zero mode, zero flushiter in the log item during recovery
because wrapping of the flushiter can result in false detection.
Hence that makes this "don't use flushiter" optimisation limited to
a disk format that guarantees that we don't need it. And that means
the only fix here is to limit the "no read IO on create"
optimisation to version 5 superblocks....
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-07-24 13:47:30 +08:00
|
|
|
* di_flushiter count for correct sequencing. We bump the flush
|
|
|
|
* iteration count so we can detect flushes which postdate a log record
|
|
|
|
* during recovery. This is redundant as we now log every change and
|
|
|
|
* hence this can't happen but we need to still do it to ensure
|
|
|
|
* backwards compatibility with old kernels that predate logging all
|
|
|
|
* inode changes.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
xfs: di_flushiter considered harmful
When we made all inode updates transactional, we no longer needed
the log recovery detection for inodes being newer on disk than the
transaction being replayed - it was redundant as replay of the log
would always result in the latest version of the inode would be on
disk. It was redundant, but left in place because it wasn't
considered to be a problem.
However, with the new "don't read inodes on create" optimisation,
flushiter has come back to bite us. Essentially, the optimisation
made always initialises flushiter to zero in the create transaction,
and so if we then crash and run recovery and the inode already on
disk has a non-zero flushiter it will skip recovery of that inode.
As a result, log recovery does the wrong thing and we end up with a
corrupt filesystem.
Because we have to support old kernel to new kernel upgrades, we
can't just get rid of the flushiter support in log recovery as we
might be upgrading from a kernel that doesn't have fully transactional
inode updates. Unfortunately, for v4 superblocks there is no way to
guarantee that log recovery knows about this fact.
We cannot add a new inode format flag to say it's a "special inode
create" because it won't be understood by older kernels and so
recovery could do the wrong thing on downgrade. We cannot specially
detect the combination of zero mode/non-zero flushiter on disk to
non-zero mode, zero flushiter in the log item during recovery
because wrapping of the flushiter can result in false detection.
Hence that makes this "don't use flushiter" optimisation limited to
a disk format that guarantees that we don't need it. And that means
the only fix here is to limit the "no read IO on create"
optimisation to version 5 superblocks....
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Mark Tinguely <tinguely@sgi.com>
Signed-off-by: Ben Myers <bpm@sgi.com>
2013-07-24 13:47:30 +08:00
|
|
|
if (ip->i_d.di_version < 3)
|
|
|
|
ip->i_d.di_flushiter++;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Copy the dirty parts of the inode into the on-disk
|
|
|
|
* inode. We always copy out the core of the inode,
|
|
|
|
* because if the inode is dirty at all the core must
|
|
|
|
* be.
|
|
|
|
*/
|
2008-11-28 11:23:39 +08:00
|
|
|
xfs_dinode_to_disk(dip, &ip->i_d);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
|
|
|
/* Wrap, we never let the log put out DI_MAX_FLUSH */
|
|
|
|
if (ip->i_d.di_flushiter == DI_MAX_FLUSH)
|
|
|
|
ip->i_d.di_flushiter = 0;
|
|
|
|
|
2014-04-14 17:04:46 +08:00
|
|
|
xfs_iflush_fork(ip, dip, iip, XFS_DATA_FORK);
|
2008-04-10 10:23:58 +08:00
|
|
|
if (XFS_IFORK_Q(ip))
|
2014-04-14 17:04:46 +08:00
|
|
|
xfs_iflush_fork(ip, dip, iip, XFS_ATTR_FORK);
|
2005-04-17 06:20:36 +08:00
|
|
|
xfs_inobp_check(mp, bp);
|
|
|
|
|
|
|
|
/*
|
2012-02-29 17:53:54 +08:00
|
|
|
* We've recorded everything logged in the inode, so we'd like to clear
|
|
|
|
* the ili_fields bits so we don't log and flush things unnecessarily.
|
|
|
|
* However, we can't stop logging all this information until the data
|
|
|
|
* we've copied into the disk buffer is written to disk. If we did we
|
|
|
|
* might overwrite the copy of the inode in the log with all the data
|
|
|
|
* after re-logging only part of it, and in the face of a crash we
|
|
|
|
* wouldn't have all the data we need to recover.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2012-02-29 17:53:54 +08:00
|
|
|
* What we do is move the bits to the ili_last_fields field. When
|
|
|
|
* logging the inode, these bits are moved back to the ili_fields field.
|
|
|
|
* In the xfs_iflush_done() routine we clear ili_last_fields, since we
|
|
|
|
* know that the information those bits represent is permanently on
|
|
|
|
* disk. As long as the flush completes before the inode is logged
|
|
|
|
* again, then both ili_fields and ili_last_fields will be cleared.
|
2005-04-17 06:20:36 +08:00
|
|
|
*
|
2012-02-29 17:53:54 +08:00
|
|
|
* We can play with the ili_fields bits here, because the inode lock
|
|
|
|
* must be held exclusively in order to set bits there and the flush
|
|
|
|
* lock protects the ili_last_fields bits. Set ili_logged so the flush
|
|
|
|
* done routine can tell whether or not to look in the AIL. Also, store
|
|
|
|
* the current LSN of the inode so that we can tell whether the item has
|
|
|
|
* moved in the AIL from xfs_iflush_done(). In order to read the lsn we
|
|
|
|
* need the AIL lock, because it is a 64 bit value that cannot be read
|
|
|
|
* atomically.
|
2005-04-17 06:20:36 +08:00
|
|
|
*/
|
2013-04-03 13:11:17 +08:00
|
|
|
iip->ili_last_fields = iip->ili_fields;
|
|
|
|
iip->ili_fields = 0;
|
xfs: optimise away log forces on timestamp updates for fdatasync
xfs: timestamp updates cause excessive fdatasync log traffic
Sage Weil reported that a ceph test workload was writing to the
log on every fdatasync during an overwrite workload. Event tracing
showed that the only metadata modification being made was the
timestamp updates during the write(2) syscall, but fdatasync(2)
is supposed to ignore them. The key observation was that the
transactions in the log all looked like this:
INODE: #regs: 4 ino: 0x8b flags: 0x45 dsize: 32
And contained a flags field of 0x45 or 0x85, and had data and
attribute forks following the inode core. This means that the
timestamp updates were triggering dirty relogging of previously
logged parts of the inode that hadn't yet been flushed back to
disk.
There are two parts to this problem. The first is that XFS relogs
dirty regions in subsequent transactions, so it carries around the
fields that have been dirtied since the last time the inode was
written back to disk, not since the last time the inode was forced
into the log.
The second part is that on v5 filesystems, the inode change count
update during inode dirtying also sets the XFS_ILOG_CORE flag, so
on v5 filesystems this makes a timestamp update dirty the entire
inode.
As a result when fdatasync is run, it looks at the dirty fields in
the inode, and sees more than just the timestamp flag, even though
the only metadata change since the last fdatasync was just the
timestamps. Hence we force the log on every subsequent fdatasync
even though it is not needed.
To fix this, add a new field to the inode log item that tracks
changes since the last time fsync/fdatasync forced the log to flush
the changes to the journal. This flag is updated when we dirty the
inode, but we do it before updating the change count so it does not
carry the "core dirty" flag from timestamp updates. The fields are
zeroed when the inode is marked clean (due to writeback/freeing) or
when an fsync/datasync forces the log. Hence if we only dirty the
timestamps on the inode between fsync/fdatasync calls, the fdatasync
will not trigger another log force.
Over 100 runs of the test program:
Ext4 baseline:
runtime: 1.63s +/- 0.24s
avg lat: 1.59ms +/- 0.24ms
iops: ~2000
XFS, vanilla kernel:
runtime: 2.45s +/- 0.18s
avg lat: 2.39ms +/- 0.18ms
log forces: ~400/s
iops: ~1000
XFS, patched kernel:
runtime: 1.49s +/- 0.26s
avg lat: 1.46ms +/- 0.25ms
log forces: ~30/s
iops: ~1500
Reported-by: Sage Weil <sage@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2015-11-03 10:14:59 +08:00
|
|
|
iip->ili_fsync_fields = 0;
|
2013-04-03 13:11:17 +08:00
|
|
|
iip->ili_logged = 1;
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-04-03 13:11:17 +08:00
|
|
|
xfs_trans_ail_copy_lsn(mp->m_ail, &iip->ili_flush_lsn,
|
|
|
|
&iip->ili_item.li_lsn);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-04-03 13:11:17 +08:00
|
|
|
/*
|
|
|
|
* Attach the function xfs_iflush_done to the inode's
|
|
|
|
* buffer. This will remove the inode from the AIL
|
|
|
|
* and unlock the inode's flush lock when the inode is
|
|
|
|
* completely written to disk.
|
|
|
|
*/
|
|
|
|
xfs_buf_attach_iodone(bp, xfs_iflush_done, &iip->ili_item);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-04-03 13:11:17 +08:00
|
|
|
/* update the lsn in the on disk inode if required */
|
|
|
|
if (ip->i_d.di_version == 3)
|
|
|
|
dip->di_lsn = cpu_to_be64(iip->ili_item.li_lsn);
|
|
|
|
|
|
|
|
/* generate the checksum. */
|
|
|
|
xfs_dinode_calc_crc(mp, dip);
|
2005-04-17 06:20:36 +08:00
|
|
|
|
2013-04-03 13:11:17 +08:00
|
|
|
ASSERT(bp->b_fspriv != NULL);
|
|
|
|
ASSERT(bp->b_iodone != NULL);
|
2005-04-17 06:20:36 +08:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
corrupt_out:
|
2014-06-25 12:58:08 +08:00
|
|
|
return -EFSCORRUPTED;
|
2005-04-17 06:20:36 +08:00
|
|
|
}
|