On Thu, May 11, 2017 at 03:57:33PM +0200, Carlos Maiolino wrote:
> +xfs_inode_item_error(
> + struct xfs_log_item *lip,
> + unsigned int bflags)
> +{
> +
> + /*
> + * The buffer writeback containing this inode has been failed
> + * mark it as failed and unlock the flush lock, so it can be retried
> + * again
> + */
> + if (bflags & XBF_WRITE_FAIL)
> + lip->li_flags |= XFS_LI_FAILED;
> +}
I'm pretty sure we can't modify the log item state like this in
IO context because the parent object is not locked by this context.
We can modify the state during IO submission because we hold the
parent object lock, but we don't hold it here.
i.e. we can race with other log item state changes done during a
concurrent transaction (e.g. marking the log item dirty in
xfs_trans_log_inode()).
> +
> STATIC uint
> xfs_inode_item_push(
> struct xfs_log_item *lip,
> @@ -517,8 +532,44 @@ xfs_inode_item_push(
> * the AIL.
> */
> if (!xfs_iflock_nowait(ip)) {
> + if (lip->li_flags & XFS_LI_FAILED) {
> +
> + struct xfs_dinode *dip;
> + struct xfs_log_item *next;
> + int error;
> +
> + error = xfs_imap_to_bp(ip->i_mount, NULL, &ip->i_imap,
> + &dip, &bp, XBF_TRYLOCK, 0);
> +
> + if (error) {
> + rval = XFS_ITEM_FLUSHING;
> + goto out_unlock;
> + }
> +
> + if (!(bp->b_flags & XBF_WRITE_FAIL)) {
> + rval = XFS_ITEM_FLUSHING;
> + xfs_buf_relse(bp);
> + goto out_unlock;
> + }
> +
> + while (lip != NULL) {
> + next = lip->li_bio_list;
> +
> + if (lip->li_flags & XFS_LI_FAILED)
> + lip->li_flags &= XFS_LI_FAILED;
> + lip = next;
> + }
Same race here - we hold the lock for this inode, but not all the
other inodes linked to the buffer.
This implies that lip->li_flags needs to use atomic bit updates so
there are no RMW update races like this.
Cheers,
Dave.
--
Dave Chinner
david@xxxxxxxxxxxxx
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
