License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which
makes it harder for compliance tools to determine the correct license.
By default all files without license information are under the default
license of the kernel, which is GPL version 2.
Update the files which contain no license information with the 'GPL-2.0'
SPDX license identifier. The SPDX identifier is a legally binding
shorthand, which can be used instead of the full boiler plate text.
This patch is based on work done by Thomas Gleixner and Kate Stewart and
Philippe Ombredanne.
How this work was done:
Patches were generated and checked against linux-4.14-rc6 for a subset of
the use cases:
- file had no licensing information it it.
- file was a */uapi/* one with no licensing information in it,
- file was a */uapi/* one with existing licensing information,
Further patches will be generated in subsequent months to fix up cases
where non-standard license headers were used, and references to license
had to be inferred by heuristics based on keywords.
The analysis to determine which SPDX License Identifier to be applied to
a file was done in a spreadsheet of side by side results from of the
output of two independent scanners (ScanCode & Windriver) producing SPDX
tag:value files created by Philippe Ombredanne. Philippe prepared the
base worksheet, and did an initial spot review of a few 1000 files.
The 4.13 kernel was the starting point of the analysis with 60,537 files
assessed. Kate Stewart did a file by file comparison of the scanner
results in the spreadsheet to determine which SPDX license identifier(s)
to be applied to the file. She confirmed any determination that was not
immediately clear with lawyers working with the Linux Foundation.
Criteria used to select files for SPDX license identifier tagging was:
- Files considered eligible had to be source code files.
- Make and config files were included as candidates if they contained >5
lines of source
- File already had some variant of a license header in it (even if <5
lines).
All documentation files were explicitly excluded.
The following heuristics were used to determine which SPDX license
identifiers to apply.
- when both scanners couldn't find any license traces, file was
considered to have no license information in it, and the top level
COPYING file license applied.
For non */uapi/* files that summary was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 11139
and resulted in the first patch in this series.
If that file was a */uapi/* path one, it was "GPL-2.0 WITH
Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was:
SPDX license identifier # files
---------------------------------------------------|-------
GPL-2.0 WITH Linux-syscall-note 930
and resulted in the second patch in this series.
- if a file had some form of licensing information in it, and was one
of the */uapi/* ones, it was denoted with the Linux-syscall-note if
any GPL family license was found in the file or had no licensing in
it (per prior point). Results summary:
SPDX license identifier # files
---------------------------------------------------|------
GPL-2.0 WITH Linux-syscall-note 270
GPL-2.0+ WITH Linux-syscall-note 169
((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21
((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17
LGPL-2.1+ WITH Linux-syscall-note 15
GPL-1.0+ WITH Linux-syscall-note 14
((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5
LGPL-2.0+ WITH Linux-syscall-note 4
LGPL-2.1 WITH Linux-syscall-note 3
((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3
((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1
and that resulted in the third patch in this series.
- when the two scanners agreed on the detected license(s), that became
the concluded license(s).
- when there was disagreement between the two scanners (one detected a
license but the other didn't, or they both detected different
licenses) a manual inspection of the file occurred.
- In most cases a manual inspection of the information in the file
resulted in a clear resolution of the license that should apply (and
which scanner probably needed to revisit its heuristics).
- When it was not immediately clear, the license identifier was
confirmed with lawyers working with the Linux Foundation.
- If there was any question as to the appropriate license identifier,
the file was flagged for further research and to be revisited later
in time.
In total, over 70 hours of logged manual review was done on the
spreadsheet to determine the SPDX license identifiers to apply to the
source files by Kate, Philippe, Thomas and, in some cases, confirmation
by lawyers working with the Linux Foundation.
Kate also obtained a third independent scan of the 4.13 code base from
FOSSology, and compared selected files where the other two scanners
disagreed against that SPDX file, to see if there was new insights. The
Windriver scanner is based on an older version of FOSSology in part, so
they are related.
Thomas did random spot checks in about 500 files from the spreadsheets
for the uapi headers and agreed with SPDX license identifier in the
files he inspected. For the non-uapi files Thomas did random spot checks
in about 15000 files.
In initial set of patches against 4.14-rc6, 3 files were found to have
copy/paste license identifier errors, and have been fixed to reflect the
correct identifier.
Additionally Philippe spent 10 hours this week doing a detailed manual
inspection and review of the 12,461 patched files from the initial patch
version early this week with:
- a full scancode scan run, collecting the matched texts, detected
license ids and scores
- reviewing anything where there was a license detected (about 500+
files) to ensure that the applied SPDX license was correct
- reviewing anything where there was no detection but the patch license
was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied
SPDX license was correct
This produced a worksheet with 20 files needing minor correction. This
worksheet was then exported into 3 different .csv files for the
different types of files to be modified.
These .csv files were then reviewed by Greg. Thomas wrote a script to
parse the csv files and add the proper SPDX tag to the file, in the
format that the file expected. This script was further refined by Greg
based on the output to detect more types of files automatically and to
distinguish between header and source .c files (which need different
comment types.) Finally Greg ran the script using the .csv files to
generate the patches.
Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org>
Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-01 17:07:57 +03:00
// SPDX-License-Identifier: GPL-2.0
2005-04-17 02:20:36 +04:00
/*
* linux / fs / super . c
*
* Copyright ( C ) 1991 , 1992 Linus Torvalds
*
* super . c contains code to handle : - mount structures
* - super - block tables
* - filesystem drivers list
* - mount system call
* - umount system call
* - ustat system call
*
* GK 2 / 5 / 95 - Changed to support mounting the root fs via NFS
*
* Added kerneld support : Jacques Gelinas and Bjorn Ekwall
* Added change_root : Werner Almesberger & Hans Lermen , Feb ' 96
* Added options to / proc / mounts :
2007-10-20 01:21:04 +04:00
* Torbjörn Lindh ( torbjorn . lindh @ gopta . se ) , April 14 , 1996.
2005-04-17 02:20:36 +04:00
* Added devfs support : Richard Gooch < rgooch @ atnf . csiro . au > , 13 - JAN - 1998
* Heavily rewritten for ' one fs - one tree ' dcache architecture . AV , Mar 2000
*/
2011-11-17 08:57:37 +04:00
# include <linux/export.h>
2005-04-17 02:20:36 +04:00
# include <linux/slab.h>
# include <linux/blkdev.h>
# include <linux/mount.h>
# include <linux/security.h>
# include <linux/writeback.h> /* for the emergency remount stuff */
# include <linux/idr.h>
2006-03-26 13:37:12 +04:00
# include <linux/mutex.h>
2010-04-29 22:33:35 +04:00
# include <linux/backing-dev.h>
2011-01-07 09:50:05 +03:00
# include <linux/rculist_bl.h>
fscrypt: add FS_IOC_ADD_ENCRYPTION_KEY ioctl
Add a new fscrypt ioctl, FS_IOC_ADD_ENCRYPTION_KEY. This ioctl adds an
encryption key to the filesystem's fscrypt keyring ->s_master_keys,
making any files encrypted with that key appear "unlocked".
Why we need this
~~~~~~~~~~~~~~~~
The main problem is that the "locked/unlocked" (ciphertext/plaintext)
status of encrypted files is global, but the fscrypt keys are not.
fscrypt only looks for keys in the keyring(s) the process accessing the
filesystem is subscribed to: the thread keyring, process keyring, and
session keyring, where the session keyring may contain the user keyring.
Therefore, userspace has to put fscrypt keys in the keyrings for
individual users or sessions. But this means that when a process with a
different keyring tries to access encrypted files, whether they appear
"unlocked" or not is nondeterministic. This is because it depends on
whether the files are currently present in the inode cache.
Fixing this by consistently providing each process its own view of the
filesystem depending on whether it has the key or not isn't feasible due
to how the VFS caches work. Furthermore, while sometimes users expect
this behavior, it is misguided for two reasons. First, it would be an
OS-level access control mechanism largely redundant with existing access
control mechanisms such as UNIX file permissions, ACLs, LSMs, etc.
Encryption is actually for protecting the data at rest.
Second, almost all users of fscrypt actually do need the keys to be
global. The largest users of fscrypt, Android and Chromium OS, achieve
this by having PID 1 create a "session keyring" that is inherited by
every process. This works, but it isn't scalable because it prevents
session keyrings from being used for any other purpose.
On general-purpose Linux distros, the 'fscrypt' userspace tool [1] can't
similarly abuse the session keyring, so to make 'sudo' work on all
systems it has to link all the user keyrings into root's user keyring
[2]. This is ugly and raises security concerns. Moreover it can't make
the keys available to system services, such as sshd trying to access the
user's '~/.ssh' directory (see [3], [4]) or NetworkManager trying to
read certificates from the user's home directory (see [5]); or to Docker
containers (see [6], [7]).
By having an API to add a key to the *filesystem* we'll be able to fix
the above bugs, remove userspace workarounds, and clearly express the
intended semantics: the locked/unlocked status of an encrypted directory
is global, and encryption is orthogonal to OS-level access control.
Why not use the add_key() syscall
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
We use an ioctl for this API rather than the existing add_key() system
call because the ioctl gives us the flexibility needed to implement
fscrypt-specific semantics that will be introduced in later patches:
- Supporting key removal with the semantics such that the secret is
removed immediately and any unused inodes using the key are evicted;
also, the eviction of any in-use inodes can be retried.
- Calculating a key-dependent cryptographic identifier and returning it
to userspace.
- Allowing keys to be added and removed by non-root users, but only keys
for v2 encryption policies; and to prevent denial-of-service attacks,
users can only remove keys they themselves have added, and a key is
only really removed after all users who added it have removed it.
Trying to shoehorn these semantics into the keyrings syscalls would be
very difficult, whereas the ioctls make things much easier.
However, to reuse code the implementation still uses the keyrings
service internally. Thus we get lockless RCU-mode key lookups without
having to re-implement it, and the keys automatically show up in
/proc/keys for debugging purposes.
References:
[1] https://github.com/google/fscrypt
[2] https://goo.gl/55cCrI#heading=h.vf09isp98isb
[3] https://github.com/google/fscrypt/issues/111#issuecomment-444347939
[4] https://github.com/google/fscrypt/issues/116
[5] https://bugs.launchpad.net/ubuntu/+source/fscrypt/+bug/1770715
[6] https://github.com/google/fscrypt/issues/128
[7] https://askubuntu.com/questions/1130306/cannot-run-docker-on-an-encrypted-filesystem
Reviewed-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2019-08-05 05:35:46 +03:00
# include <linux/fscrypt.h>
2012-02-13 07:58:52 +04:00
# include <linux/fsnotify.h>
2012-06-12 18:20:34 +04:00
# include <linux/lockdep.h>
2016-05-24 17:29:01 +03:00
# include <linux/user_namespace.h>
2018-11-04 11:19:03 +03:00
# include <linux/fs_context.h>
2018-11-02 02:07:23 +03:00
# include <uapi/linux/mount.h>
2008-03-22 22:48:17 +03:00
# include "internal.h"
2005-04-17 02:20:36 +04:00
2023-07-17 19:00:09 +03:00
static int thaw_super_locked ( struct super_block * sb , enum freeze_holder who ) ;
2005-04-17 02:20:36 +04:00
2015-02-02 20:07:59 +03:00
static LIST_HEAD ( super_blocks ) ;
static DEFINE_SPINLOCK ( sb_lock ) ;
2005-04-17 02:20:36 +04:00
2012-06-12 18:20:34 +04:00
static char * sb_writers_name [ SB_FREEZE_LEVELS ] = {
" sb_writers " ,
" sb_pagefaults " ,
" sb_internal " ,
} ;
2023-08-18 17:00:50 +03:00
static inline void __super_lock ( struct super_block * sb , bool excl )
2023-08-18 17:00:48 +03:00
{
if ( excl )
down_write ( & sb - > s_umount ) ;
else
down_read ( & sb - > s_umount ) ;
}
static inline void super_unlock ( struct super_block * sb , bool excl )
{
if ( excl )
up_write ( & sb - > s_umount ) ;
else
up_read ( & sb - > s_umount ) ;
}
2023-08-18 17:00:50 +03:00
static inline void __super_lock_excl ( struct super_block * sb )
2023-08-18 17:00:48 +03:00
{
2023-08-18 17:00:50 +03:00
__super_lock ( sb , true ) ;
2023-08-18 17:00:48 +03:00
}
static inline void super_unlock_excl ( struct super_block * sb )
{
super_unlock ( sb , true ) ;
}
static inline void super_unlock_shared ( struct super_block * sb )
{
super_unlock ( sb , false ) ;
}
2023-11-27 14:51:30 +03:00
static bool super_flags ( const struct super_block * sb , unsigned int flags )
2023-08-18 17:00:50 +03:00
{
/*
* Pairs with smp_store_release ( ) in super_wake ( ) and ensures
2023-11-27 14:51:30 +03:00
* that we see @ flags after we ' re woken .
2023-08-18 17:00:50 +03:00
*/
2023-11-27 14:51:30 +03:00
return smp_load_acquire ( & sb - > s_flags ) & flags ;
2023-08-18 17:00:50 +03:00
}
/**
* super_lock - wait for superblock to become ready and lock it
* @ sb : superblock to wait for
* @ excl : whether exclusive access is required
*
* If the superblock has neither passed through vfs_get_tree ( ) or
* generic_shutdown_super ( ) yet wait for it to happen . Either superblock
* creation will succeed and SB_BORN is set by vfs_get_tree ( ) or we ' re
* woken and we ' ll see SB_DYING .
*
* The caller must have acquired a temporary reference on @ sb - > s_count .
*
2023-10-24 16:01:07 +03:00
* Return : The function returns true if SB_BORN was set and with
* s_umount held . The function returns false if SB_DYING was
* set and without s_umount held .
2023-08-18 17:00:50 +03:00
*/
static __must_check bool super_lock ( struct super_block * sb , bool excl )
{
lockdep_assert_not_held ( & sb - > s_umount ) ;
2023-11-27 14:51:30 +03:00
/* wait until the superblock is ready or dying */
wait_var_event ( & sb - > s_flags , super_flags ( sb , SB_BORN | SB_DYING ) ) ;
/* Don't pointlessly acquire s_umount. */
if ( super_flags ( sb , SB_DYING ) )
return false ;
2023-08-18 17:00:50 +03:00
__super_lock ( sb , excl ) ;
/*
* Has gone through generic_shutdown_super ( ) in the meantime .
* @ sb - > s_root is NULL and @ sb - > s_active is 0. No one needs to
* grab a reference to this . Tell them so .
*/
2023-10-24 16:01:07 +03:00
if ( sb - > s_flags & SB_DYING ) {
super_unlock ( sb , excl ) ;
2023-08-18 17:00:50 +03:00
return false ;
2023-10-24 16:01:07 +03:00
}
2023-08-18 17:00:50 +03:00
2023-11-27 14:51:30 +03:00
WARN_ON_ONCE ( ! ( sb - > s_flags & SB_BORN ) ) ;
return true ;
2023-08-18 17:00:50 +03:00
}
2023-10-24 16:01:07 +03:00
/* wait and try to acquire read-side of @sb->s_umount */
2023-08-18 17:00:50 +03:00
static inline bool super_lock_shared ( struct super_block * sb )
{
return super_lock ( sb , false ) ;
}
2023-10-24 16:01:07 +03:00
/* wait and try to acquire write-side of @sb->s_umount */
2023-08-18 17:00:50 +03:00
static inline bool super_lock_excl ( struct super_block * sb )
{
return super_lock ( sb , true ) ;
}
/* wake waiters */
2023-08-18 17:00:51 +03:00
# define SUPER_WAKE_FLAGS (SB_BORN | SB_DYING | SB_DEAD)
2023-08-18 17:00:50 +03:00
static void super_wake ( struct super_block * sb , unsigned int flag )
{
WARN_ON_ONCE ( ( flag & ~ SUPER_WAKE_FLAGS ) ) ;
WARN_ON_ONCE ( hweight32 ( flag & SUPER_WAKE_FLAGS ) > 1 ) ;
/*
* Pairs with smp_load_acquire ( ) in super_lock ( ) to make sure
* all initializations in the superblock are seen by the user
* seeing SB_BORN sent .
*/
smp_store_release ( & sb - > s_flags , sb - > s_flags | flag ) ;
/*
* Pairs with the barrier in prepare_to_wait_event ( ) to make sure
* ___wait_var_event ( ) either sees SB_BORN set or
* waitqueue_active ( ) check in wake_up_var ( ) sees the waiter .
*/
smp_mb ( ) ;
wake_up_var ( & sb - > s_flags ) ;
}
2011-07-08 08:14:42 +04:00
/*
* One thing we have to be careful of with a per - sb shrinker is that we don ' t
* drop the last active reference to the superblock from within the shrinker .
* If that happens we could trigger unregistering the shrinker from within the
2023-09-11 12:44:44 +03:00
* shrinker path and that leads to deadlock on the shrinker_mutex . Hence we
2011-07-08 08:14:42 +04:00
* take a passive reference to the superblock to avoid this from occurring .
*/
2013-08-28 04:17:57 +04:00
static unsigned long super_cache_scan ( struct shrinker * shrink ,
struct shrink_control * sc )
2011-07-08 08:14:42 +04:00
{
struct super_block * sb ;
2013-08-28 04:17:57 +04:00
long fs_objects = 0 ;
long total_objects ;
long freed = 0 ;
long dentries ;
long inodes ;
2011-07-08 08:14:42 +04:00
2023-09-11 12:44:37 +03:00
sb = shrink - > private_data ;
2011-07-08 08:14:42 +04:00
/*
* Deadlock avoidance . We may hold various FS locks , and we don ' t want
* to recurse into the FS that called us in clear_inode ( ) and friends . .
*/
2013-08-28 04:17:57 +04:00
if ( ! ( sc - > gfp_mask & __GFP_FS ) )
return SHRINK_STOP ;
2011-07-08 08:14:42 +04:00
2023-08-18 17:00:49 +03:00
if ( ! super_trylock_shared ( sb ) )
2013-08-28 04:17:57 +04:00
return SHRINK_STOP ;
2011-07-08 08:14:42 +04:00
2013-07-19 21:12:31 +04:00
if ( sb - > s_op - > nr_cached_objects )
2015-02-13 01:58:51 +03:00
fs_objects = sb - > s_op - > nr_cached_objects ( sb , sc ) ;
2011-07-08 08:14:44 +04:00
list_lru: introduce list_lru_shrink_{count,walk}
Kmem accounting of memcg is unusable now, because it lacks slab shrinker
support. That means when we hit the limit we will get ENOMEM w/o any
chance to recover. What we should do then is to call shrink_slab, which
would reclaim old inode/dentry caches from this cgroup. This is what
this patch set is intended to do.
Basically, it does two things. First, it introduces the notion of
per-memcg slab shrinker. A shrinker that wants to reclaim objects per
cgroup should mark itself as SHRINKER_MEMCG_AWARE. Then it will be
passed the memory cgroup to scan from in shrink_control->memcg. For
such shrinkers shrink_slab iterates over the whole cgroup subtree under
the target cgroup and calls the shrinker for each kmem-active memory
cgroup.
Secondly, this patch set makes the list_lru structure per-memcg. It's
done transparently to list_lru users - everything they have to do is to
tell list_lru_init that they want memcg-aware list_lru. Then the
list_lru will automatically distribute objects among per-memcg lists
basing on which cgroup the object is accounted to. This way to make FS
shrinkers (icache, dcache) memcg-aware we only need to make them use
memcg-aware list_lru, and this is what this patch set does.
As before, this patch set only enables per-memcg kmem reclaim when the
pressure goes from memory.limit, not from memory.kmem.limit. Handling
memory.kmem.limit is going to be tricky due to GFP_NOFS allocations, and
it is still unclear whether we will have this knob in the unified
hierarchy.
This patch (of 9):
NUMA aware slab shrinkers use the list_lru structure to distribute
objects coming from different NUMA nodes to different lists. Whenever
such a shrinker needs to count or scan objects from a particular node,
it issues commands like this:
count = list_lru_count_node(lru, sc->nid);
freed = list_lru_walk_node(lru, sc->nid, isolate_func,
isolate_arg, &sc->nr_to_scan);
where sc is an instance of the shrink_control structure passed to it
from vmscan.
To simplify this, let's add special list_lru functions to be used by
shrinkers, list_lru_shrink_count() and list_lru_shrink_walk(), which
consolidate the nid and nr_to_scan arguments in the shrink_control
structure.
This will also allow us to avoid patching shrinkers that use list_lru
when we make shrink_slab() per-memcg - all we will have to do is extend
the shrink_control structure to include the target memcg and make
list_lru_shrink_{count,walk} handle this appropriately.
Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Suggested-by: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Greg Thelen <gthelen@google.com>
Cc: Glauber Costa <glommer@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-13 01:58:47 +03:00
inodes = list_lru_shrink_count ( & sb - > s_inode_lru , sc ) ;
dentries = list_lru_shrink_count ( & sb - > s_dentry_lru , sc ) ;
2013-08-28 04:18:00 +04:00
total_objects = dentries + inodes + fs_objects + 1 ;
2014-05-17 15:56:38 +04:00
if ( ! total_objects )
total_objects = 1 ;
2011-07-08 08:14:44 +04:00
2013-08-28 04:17:57 +04:00
/* proportion the scan between the caches */
2013-08-28 04:18:00 +04:00
dentries = mult_frac ( sc - > nr_to_scan , dentries , total_objects ) ;
2013-08-28 04:17:58 +04:00
inodes = mult_frac ( sc - > nr_to_scan , inodes , total_objects ) ;
list_lru: introduce list_lru_shrink_{count,walk}
Kmem accounting of memcg is unusable now, because it lacks slab shrinker
support. That means when we hit the limit we will get ENOMEM w/o any
chance to recover. What we should do then is to call shrink_slab, which
would reclaim old inode/dentry caches from this cgroup. This is what
this patch set is intended to do.
Basically, it does two things. First, it introduces the notion of
per-memcg slab shrinker. A shrinker that wants to reclaim objects per
cgroup should mark itself as SHRINKER_MEMCG_AWARE. Then it will be
passed the memory cgroup to scan from in shrink_control->memcg. For
such shrinkers shrink_slab iterates over the whole cgroup subtree under
the target cgroup and calls the shrinker for each kmem-active memory
cgroup.
Secondly, this patch set makes the list_lru structure per-memcg. It's
done transparently to list_lru users - everything they have to do is to
tell list_lru_init that they want memcg-aware list_lru. Then the
list_lru will automatically distribute objects among per-memcg lists
basing on which cgroup the object is accounted to. This way to make FS
shrinkers (icache, dcache) memcg-aware we only need to make them use
memcg-aware list_lru, and this is what this patch set does.
As before, this patch set only enables per-memcg kmem reclaim when the
pressure goes from memory.limit, not from memory.kmem.limit. Handling
memory.kmem.limit is going to be tricky due to GFP_NOFS allocations, and
it is still unclear whether we will have this knob in the unified
hierarchy.
This patch (of 9):
NUMA aware slab shrinkers use the list_lru structure to distribute
objects coming from different NUMA nodes to different lists. Whenever
such a shrinker needs to count or scan objects from a particular node,
it issues commands like this:
count = list_lru_count_node(lru, sc->nid);
freed = list_lru_walk_node(lru, sc->nid, isolate_func,
isolate_arg, &sc->nr_to_scan);
where sc is an instance of the shrink_control structure passed to it
from vmscan.
To simplify this, let's add special list_lru functions to be used by
shrinkers, list_lru_shrink_count() and list_lru_shrink_walk(), which
consolidate the nid and nr_to_scan arguments in the shrink_control
structure.
This will also allow us to avoid patching shrinkers that use list_lru
when we make shrink_slab() per-memcg - all we will have to do is extend
the shrink_control structure to include the target memcg and make
list_lru_shrink_{count,walk} handle this appropriately.
Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Suggested-by: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Greg Thelen <gthelen@google.com>
Cc: Glauber Costa <glommer@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-13 01:58:47 +03:00
fs_objects = mult_frac ( sc - > nr_to_scan , fs_objects , total_objects ) ;
2011-07-08 08:14:42 +04:00
2013-08-28 04:17:57 +04:00
/*
* prune the dcache first as the icache is pinned by it , then
* prune the icache , followed by the filesystem specific caches
2015-02-13 01:59:17 +03:00
*
* Ensure that we always scan at least one object - memcg kmem
* accounting uses this to fully empty the caches .
2013-08-28 04:17:57 +04:00
*/
2015-02-13 01:59:17 +03:00
sc - > nr_to_scan = dentries + 1 ;
list_lru: introduce list_lru_shrink_{count,walk}
Kmem accounting of memcg is unusable now, because it lacks slab shrinker
support. That means when we hit the limit we will get ENOMEM w/o any
chance to recover. What we should do then is to call shrink_slab, which
would reclaim old inode/dentry caches from this cgroup. This is what
this patch set is intended to do.
Basically, it does two things. First, it introduces the notion of
per-memcg slab shrinker. A shrinker that wants to reclaim objects per
cgroup should mark itself as SHRINKER_MEMCG_AWARE. Then it will be
passed the memory cgroup to scan from in shrink_control->memcg. For
such shrinkers shrink_slab iterates over the whole cgroup subtree under
the target cgroup and calls the shrinker for each kmem-active memory
cgroup.
Secondly, this patch set makes the list_lru structure per-memcg. It's
done transparently to list_lru users - everything they have to do is to
tell list_lru_init that they want memcg-aware list_lru. Then the
list_lru will automatically distribute objects among per-memcg lists
basing on which cgroup the object is accounted to. This way to make FS
shrinkers (icache, dcache) memcg-aware we only need to make them use
memcg-aware list_lru, and this is what this patch set does.
As before, this patch set only enables per-memcg kmem reclaim when the
pressure goes from memory.limit, not from memory.kmem.limit. Handling
memory.kmem.limit is going to be tricky due to GFP_NOFS allocations, and
it is still unclear whether we will have this knob in the unified
hierarchy.
This patch (of 9):
NUMA aware slab shrinkers use the list_lru structure to distribute
objects coming from different NUMA nodes to different lists. Whenever
such a shrinker needs to count or scan objects from a particular node,
it issues commands like this:
count = list_lru_count_node(lru, sc->nid);
freed = list_lru_walk_node(lru, sc->nid, isolate_func,
isolate_arg, &sc->nr_to_scan);
where sc is an instance of the shrink_control structure passed to it
from vmscan.
To simplify this, let's add special list_lru functions to be used by
shrinkers, list_lru_shrink_count() and list_lru_shrink_walk(), which
consolidate the nid and nr_to_scan arguments in the shrink_control
structure.
This will also allow us to avoid patching shrinkers that use list_lru
when we make shrink_slab() per-memcg - all we will have to do is extend
the shrink_control structure to include the target memcg and make
list_lru_shrink_{count,walk} handle this appropriately.
Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Suggested-by: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Greg Thelen <gthelen@google.com>
Cc: Glauber Costa <glommer@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-13 01:58:47 +03:00
freed = prune_dcache_sb ( sb , sc ) ;
2015-02-13 01:59:17 +03:00
sc - > nr_to_scan = inodes + 1 ;
list_lru: introduce list_lru_shrink_{count,walk}
Kmem accounting of memcg is unusable now, because it lacks slab shrinker
support. That means when we hit the limit we will get ENOMEM w/o any
chance to recover. What we should do then is to call shrink_slab, which
would reclaim old inode/dentry caches from this cgroup. This is what
this patch set is intended to do.
Basically, it does two things. First, it introduces the notion of
per-memcg slab shrinker. A shrinker that wants to reclaim objects per
cgroup should mark itself as SHRINKER_MEMCG_AWARE. Then it will be
passed the memory cgroup to scan from in shrink_control->memcg. For
such shrinkers shrink_slab iterates over the whole cgroup subtree under
the target cgroup and calls the shrinker for each kmem-active memory
cgroup.
Secondly, this patch set makes the list_lru structure per-memcg. It's
done transparently to list_lru users - everything they have to do is to
tell list_lru_init that they want memcg-aware list_lru. Then the
list_lru will automatically distribute objects among per-memcg lists
basing on which cgroup the object is accounted to. This way to make FS
shrinkers (icache, dcache) memcg-aware we only need to make them use
memcg-aware list_lru, and this is what this patch set does.
As before, this patch set only enables per-memcg kmem reclaim when the
pressure goes from memory.limit, not from memory.kmem.limit. Handling
memory.kmem.limit is going to be tricky due to GFP_NOFS allocations, and
it is still unclear whether we will have this knob in the unified
hierarchy.
This patch (of 9):
NUMA aware slab shrinkers use the list_lru structure to distribute
objects coming from different NUMA nodes to different lists. Whenever
such a shrinker needs to count or scan objects from a particular node,
it issues commands like this:
count = list_lru_count_node(lru, sc->nid);
freed = list_lru_walk_node(lru, sc->nid, isolate_func,
isolate_arg, &sc->nr_to_scan);
where sc is an instance of the shrink_control structure passed to it
from vmscan.
To simplify this, let's add special list_lru functions to be used by
shrinkers, list_lru_shrink_count() and list_lru_shrink_walk(), which
consolidate the nid and nr_to_scan arguments in the shrink_control
structure.
This will also allow us to avoid patching shrinkers that use list_lru
when we make shrink_slab() per-memcg - all we will have to do is extend
the shrink_control structure to include the target memcg and make
list_lru_shrink_{count,walk} handle this appropriately.
Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Suggested-by: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Greg Thelen <gthelen@google.com>
Cc: Glauber Costa <glommer@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-13 01:58:47 +03:00
freed + = prune_icache_sb ( sb , sc ) ;
2013-08-28 04:17:57 +04:00
if ( fs_objects ) {
2015-02-13 01:59:17 +03:00
sc - > nr_to_scan = fs_objects + 1 ;
2015-02-13 01:58:51 +03:00
freed + = sb - > s_op - > free_cached_objects ( sb , sc ) ;
2011-07-08 08:14:42 +04:00
}
2023-08-18 17:00:48 +03:00
super_unlock_shared ( sb ) ;
2013-08-28 04:17:57 +04:00
return freed ;
}
static unsigned long super_cache_count ( struct shrinker * shrink ,
struct shrink_control * sc )
{
struct super_block * sb ;
long total_objects = 0 ;
2023-09-11 12:44:37 +03:00
sb = shrink - > private_data ;
2013-08-28 04:17:57 +04:00
2014-06-05 03:10:47 +04:00
/*
2023-08-18 17:00:49 +03:00
* We don ' t call super_trylock_shared ( ) here as it is a scalability
* bottleneck , so we ' re exposed to partial setup state . The shrinker
* rwsem does not protect filesystem operations backing
* list_lru_shrink_count ( ) or s_op - > nr_cached_objects ( ) . Counts can
* change between super_cache_count and super_cache_scan , so we really
* don ' t need locks here .
2018-05-11 04:20:57 +03:00
*
* However , if we are currently mounting the superblock , the underlying
* filesystem might be in a state of partial construction and hence it
2023-08-18 17:00:49 +03:00
* is dangerous to access it . super_trylock_shared ( ) uses a SB_BORN check
* to avoid this situation , so do the same here . The memory barrier is
2018-05-11 04:20:57 +03:00
* matched with the one in mount_fs ( ) as we don ' t hold locks here .
2014-06-05 03:10:47 +04:00
*/
2018-05-11 04:20:57 +03:00
if ( ! ( sb - > s_flags & SB_BORN ) )
return 0 ;
smp_rmb ( ) ;
2013-08-28 04:17:57 +04:00
if ( sb - > s_op & & sb - > s_op - > nr_cached_objects )
2015-02-13 01:58:51 +03:00
total_objects = sb - > s_op - > nr_cached_objects ( sb , sc ) ;
2013-08-28 04:17:57 +04:00
list_lru: introduce list_lru_shrink_{count,walk}
Kmem accounting of memcg is unusable now, because it lacks slab shrinker
support. That means when we hit the limit we will get ENOMEM w/o any
chance to recover. What we should do then is to call shrink_slab, which
would reclaim old inode/dentry caches from this cgroup. This is what
this patch set is intended to do.
Basically, it does two things. First, it introduces the notion of
per-memcg slab shrinker. A shrinker that wants to reclaim objects per
cgroup should mark itself as SHRINKER_MEMCG_AWARE. Then it will be
passed the memory cgroup to scan from in shrink_control->memcg. For
such shrinkers shrink_slab iterates over the whole cgroup subtree under
the target cgroup and calls the shrinker for each kmem-active memory
cgroup.
Secondly, this patch set makes the list_lru structure per-memcg. It's
done transparently to list_lru users - everything they have to do is to
tell list_lru_init that they want memcg-aware list_lru. Then the
list_lru will automatically distribute objects among per-memcg lists
basing on which cgroup the object is accounted to. This way to make FS
shrinkers (icache, dcache) memcg-aware we only need to make them use
memcg-aware list_lru, and this is what this patch set does.
As before, this patch set only enables per-memcg kmem reclaim when the
pressure goes from memory.limit, not from memory.kmem.limit. Handling
memory.kmem.limit is going to be tricky due to GFP_NOFS allocations, and
it is still unclear whether we will have this knob in the unified
hierarchy.
This patch (of 9):
NUMA aware slab shrinkers use the list_lru structure to distribute
objects coming from different NUMA nodes to different lists. Whenever
such a shrinker needs to count or scan objects from a particular node,
it issues commands like this:
count = list_lru_count_node(lru, sc->nid);
freed = list_lru_walk_node(lru, sc->nid, isolate_func,
isolate_arg, &sc->nr_to_scan);
where sc is an instance of the shrink_control structure passed to it
from vmscan.
To simplify this, let's add special list_lru functions to be used by
shrinkers, list_lru_shrink_count() and list_lru_shrink_walk(), which
consolidate the nid and nr_to_scan arguments in the shrink_control
structure.
This will also allow us to avoid patching shrinkers that use list_lru
when we make shrink_slab() per-memcg - all we will have to do is extend
the shrink_control structure to include the target memcg and make
list_lru_shrink_{count,walk} handle this appropriately.
Signed-off-by: Vladimir Davydov <vdavydov@parallels.com>
Suggested-by: Dave Chinner <david@fromorbit.com>
Cc: Johannes Weiner <hannes@cmpxchg.org>
Cc: Michal Hocko <mhocko@suse.cz>
Cc: Greg Thelen <gthelen@google.com>
Cc: Glauber Costa <glommer@gmail.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Christoph Lameter <cl@linux.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: David Rientjes <rientjes@google.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Tejun Heo <tj@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-02-13 01:58:47 +03:00
total_objects + = list_lru_shrink_count ( & sb - > s_dentry_lru , sc ) ;
total_objects + = list_lru_shrink_count ( & sb - > s_inode_lru , sc ) ;
2013-08-28 04:17:57 +04:00
2018-08-18 01:48:21 +03:00
if ( ! total_objects )
return SHRINK_EMPTY ;
2013-08-28 04:17:53 +04:00
total_objects = vfs_pressure_ratio ( total_objects ) ;
2011-07-08 08:14:44 +04:00
return total_objects ;
2011-07-08 08:14:42 +04:00
}
2015-07-22 21:21:13 +03:00
static void destroy_super_work ( struct work_struct * work )
{
struct super_block * s = container_of ( work , struct super_block ,
destroy_work ) ;
2024-02-02 05:10:01 +03:00
security_sb_free ( s ) ;
put_user_ns ( s - > s_user_ns ) ;
kfree ( s - > s_subtype ) ;
for ( int i = 0 ; i < SB_FREEZE_LEVELS ; i + + )
2015-08-11 18:05:04 +03:00
percpu_free_rwsem ( & s - > s_writers . rw_sem [ i ] ) ;
2015-07-22 21:21:13 +03:00
kfree ( s ) ;
}
static void destroy_super_rcu ( struct rcu_head * head )
{
struct super_block * s = container_of ( head , struct super_block , rcu ) ;
INIT_WORK ( & s - > destroy_work , destroy_super_work ) ;
schedule_work ( & s - > destroy_work ) ;
}
2017-10-11 20:48:55 +03:00
/* Free a superblock that has never been seen by anyone */
static void destroy_unused_super ( struct super_block * s )
2012-06-12 18:20:34 +04:00
{
2017-10-11 20:48:55 +03:00
if ( ! s )
return ;
2023-08-18 17:00:48 +03:00
super_unlock_excl ( s ) ;
2013-10-01 23:09:58 +04:00
list_lru_destroy ( & s - > s_dentry_lru ) ;
list_lru_destroy ( & s - > s_inode_lru ) ;
2023-09-11 12:44:37 +03:00
shrinker_free ( s - > s_shrink ) ;
2017-10-11 20:48:55 +03:00
/* no delays needed */
destroy_super_work ( & s - > destroy_work ) ;
2012-06-12 18:20:34 +04:00
}
2005-04-17 02:20:36 +04:00
/**
* alloc_super - create new superblock
2006-09-06 11:03:41 +04:00
* @ type : filesystem type superblock should belong to
2012-06-25 15:55:37 +04:00
* @ flags : the mount flags
2016-05-24 17:29:01 +03:00
* @ user_ns : User namespace for the super_block
2005-04-17 02:20:36 +04:00
*
* Allocates and initializes a new & struct super_block . alloc_super ( )
* returns a pointer new superblock or % NULL if allocation had failed .
*/
2016-05-24 17:29:01 +03:00
static struct super_block * alloc_super ( struct file_system_type * type , int flags ,
struct user_namespace * user_ns )
2005-04-17 02:20:36 +04:00
{
2023-12-08 18:10:22 +03:00
struct super_block * s = kzalloc ( sizeof ( struct super_block ) , GFP_KERNEL ) ;
2009-09-22 04:01:09 +04:00
static const struct super_operations default_op ;
2013-10-01 23:09:58 +04:00
int i ;
if ( ! s )
return NULL ;
2005-04-17 02:20:36 +04:00
2014-01-22 03:48:45 +04:00
INIT_LIST_HEAD ( & s - > s_mounts ) ;
2016-05-24 17:29:01 +03:00
s - > s_user_ns = get_user_ns ( user_ns ) ;
2017-12-05 17:32:25 +03:00
init_rwsem ( & s - > s_umount ) ;
lockdep_set_class ( & s - > s_umount , & type - > s_umount_key ) ;
/*
* sget ( ) can have s_umount recursion .
*
* When it cannot find a suitable sb , it allocates a new
* one ( this one ) , and tries again to find a suitable old
* one .
*
* In case that succeeds , it will acquire the s_umount
* lock of the old one . Since these are clearly distrinct
* locks , and this object isn ' t exposed yet , there ' s no
* risk of deadlocks .
*
* Annotate this by putting this lock in a different
* subclass .
*/
down_write_nested ( & s - > s_umount , SINGLE_DEPTH_NESTING ) ;
2014-01-22 03:48:45 +04:00
2013-10-01 23:09:58 +04:00
if ( security_sb_alloc ( s ) )
goto fail ;
2013-09-04 17:04:39 +04:00
2013-10-01 23:09:58 +04:00
for ( i = 0 ; i < SB_FREEZE_LEVELS ; i + + ) {
2015-08-11 18:05:04 +03:00
if ( __percpu_init_rwsem ( & s - > s_writers . rw_sem [ i ] ,
sb_writers_name [ i ] ,
& type - > s_writers_key [ i ] ) )
2013-10-01 23:09:58 +04:00
goto fail ;
2005-04-17 02:20:36 +04:00
}
2015-01-14 12:42:41 +03:00
s - > s_bdi = & noop_backing_dev_info ;
2013-10-01 23:09:58 +04:00
s - > s_flags = flags ;
2016-06-09 23:44:48 +03:00
if ( s - > s_user_ns ! = & init_user_ns )
2016-05-18 21:50:06 +03:00
s - > s_iflags | = SB_I_NODEV ;
2013-10-01 23:09:58 +04:00
INIT_HLIST_NODE ( & s - > s_instances ) ;
VFS: don't keep disconnected dentries on d_anon
The original purpose of the per-superblock d_anon list was to
keep disconnected dentries in the cache between consecutive
requests to the NFS server. Dentries can be disconnected if
a client holds a file open and repeatedly performs IO on it,
and if the server drops the dentry, whether due to memory
pressure, server restart, or "echo 3 > /proc/sys/vm/drop_caches".
This purpose was thwarted by commit 75a6f82a0d10 ("freeing unlinked
file indefinitely delayed") which caused disconnected dentries
to be freed as soon as their refcount reached zero.
This means that, when a dentry being used by nfsd gets disconnected, a
new one needs to be allocated for every request (unless requests
overlap). As the dentry has no name, no parent, and no children,
there is little of value to cache. As small memory allocations are
typically fast (from per-cpu free lists) this likely has little cost.
This means that the original purpose of s_anon is no longer relevant:
there is no longer any need to keep disconnected dentries on a list so
they appear to be hashed.
However, s_anon now has a new use. When you mount an NFS filesystem,
the dentry stored in s_root is just a placebo. The "real" root dentry
is allocated using d_obtain_root() and so it kept on the s_anon list.
I don't know the reason for this, but suspect it related to NFSv4
where a mount of "server:/some/path" require NFS to look up the root
filehandle on the server, then walk down "/some" and "/path" to get
the filehandle to mount.
Whatever the reason, NFS depends on the s_anon list and on
shrink_dcache_for_umount() pruning all dentries on this list. So we
cannot simply remove s_anon.
We could just leave the code unchanged, but apart from that being
potentially confusing, the (unfair) bit-spin-lock which protects
s_anon can become a bottle neck when lots of disconnected dentries are
being created.
So this patch renames s_anon to s_roots, and stops storing
disconnected dentries on the list. Only dentries obtained with
d_obtain_root() are now stored on this list. There are many fewer of
these (only NFS and NILFS2 use the call, and only during filesystem
mount) so contention on the bit-lock will not be a problem.
Possibly an alternate solution should be found for NFS and NILFS2, but
that would require understanding their needs first.
Signed-off-by: NeilBrown <neilb@suse.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-12-21 01:45:40 +03:00
INIT_HLIST_BL_HEAD ( & s - > s_roots ) ;
2015-03-04 21:40:00 +03:00
mutex_init ( & s - > s_sync_lock ) ;
2013-10-01 23:09:58 +04:00
INIT_LIST_HEAD ( & s - > s_inodes ) ;
2015-03-04 20:37:22 +03:00
spin_lock_init ( & s - > s_inode_list_lock ) ;
2016-07-27 01:21:50 +03:00
INIT_LIST_HEAD ( & s - > s_inodes_wb ) ;
spin_lock_init ( & s - > s_inode_wblist_lock ) ;
2013-10-01 23:09:58 +04:00
s - > s_count = 1 ;
atomic_set ( & s - > s_active , 1 ) ;
mutex_init ( & s - > s_vfs_rename_mutex ) ;
lockdep_set_class ( & s - > s_vfs_rename_mutex , & type - > s_vfs_rename_key ) ;
2017-06-08 15:39:48 +03:00
init_rwsem ( & s - > s_dquot . dqio_sem ) ;
2013-10-01 23:09:58 +04:00
s - > s_maxbytes = MAX_NON_LFS ;
s - > s_op = & default_op ;
s - > s_time_gran = 1000000000 ;
2018-01-22 05:04:23 +03:00
s - > s_time_min = TIME64_MIN ;
s - > s_time_max = TIME64_MAX ;
2013-10-01 23:09:58 +04:00
2023-09-11 12:44:37 +03:00
s - > s_shrink = shrinker_alloc ( SHRINKER_NUMA_AWARE | SHRINKER_MEMCG_AWARE ,
" sb-%s " , type - > name ) ;
if ( ! s - > s_shrink )
2018-04-04 13:53:07 +03:00
goto fail ;
2023-09-11 12:44:37 +03:00
s - > s_shrink - > scan_objects = super_cache_scan ;
s - > s_shrink - > count_objects = super_cache_count ;
s - > s_shrink - > batch = 1024 ;
s - > s_shrink - > private_data = s ;
if ( list_lru_init_memcg ( & s - > s_dentry_lru , s - > s_shrink ) )
2018-08-18 01:47:45 +03:00
goto fail ;
2023-09-11 12:44:37 +03:00
if ( list_lru_init_memcg ( & s - > s_inode_lru , s - > s_shrink ) )
2018-08-18 01:47:45 +03:00
goto fail ;
2005-04-17 02:20:36 +04:00
return s ;
2013-08-28 04:18:18 +04:00
2013-10-01 23:09:58 +04:00
fail :
2017-10-11 20:48:55 +03:00
destroy_unused_super ( s ) ;
2013-10-01 23:09:58 +04:00
return NULL ;
2005-04-17 02:20:36 +04:00
}
/* Superblock refcounting */
/*
2010-03-23 04:13:53 +03:00
* Drop a superblock ' s refcount . The caller must hold sb_lock .
2005-04-17 02:20:36 +04:00
*/
2017-10-11 20:48:55 +03:00
static void __put_super ( struct super_block * s )
2005-04-17 02:20:36 +04:00
{
2017-10-11 20:48:55 +03:00
if ( ! - - s - > s_count ) {
list_del_init ( & s - > s_list ) ;
WARN_ON ( s - > s_dentry_lru . node ) ;
WARN_ON ( s - > s_inode_lru . node ) ;
WARN_ON ( ! list_empty ( & s - > s_mounts ) ) ;
call_rcu ( & s - > rcu , destroy_super_rcu ) ;
2005-04-17 02:20:36 +04:00
}
}
/**
* put_super - drop a temporary reference to superblock
* @ sb : superblock in question
*
* Drops a temporary reference , frees superblock if there ' s no
* references left .
*/
2020-11-16 17:21:18 +03:00
void put_super ( struct super_block * sb )
2005-04-17 02:20:36 +04:00
{
spin_lock ( & sb_lock ) ;
__put_super ( sb ) ;
spin_unlock ( & sb_lock ) ;
}
2023-08-28 14:26:24 +03:00
static void kill_super_notify ( struct super_block * sb )
{
lockdep_assert_not_held ( & sb - > s_umount ) ;
/* already notified earlier */
if ( sb - > s_flags & SB_DEAD )
return ;
/*
* Remove it from @ fs_supers so it isn ' t found by new
* sget { _fc } ( ) walkers anymore . Any concurrent mounter still
* managing to grab a temporary reference is guaranteed to
* already see SB_DYING and will wait until we notify them about
* SB_DEAD .
*/
spin_lock ( & sb_lock ) ;
hlist_del_init ( & sb - > s_instances ) ;
spin_unlock ( & sb_lock ) ;
/*
* Let concurrent mounts know that this thing is really dead .
* We don ' t need @ sb - > s_umount here as every concurrent caller
* will see SB_DYING and either discard the superblock or wait
* for SB_DEAD .
*/
super_wake ( sb , SB_DEAD ) ;
}
2005-04-17 02:20:36 +04:00
/**
2010-03-22 22:22:31 +03:00
* deactivate_locked_super - drop an active reference to superblock
2005-04-17 02:20:36 +04:00
* @ s : superblock to deactivate
*
2016-02-02 16:31:06 +03:00
* Drops an active reference to superblock , converting it into a temporary
2010-03-22 22:22:31 +03:00
* one if there is no other active references left . In that case we
2005-04-17 02:20:36 +04:00
* tell fs driver to shut it down and drop the temporary reference we
* had just acquired .
2010-03-22 22:22:31 +03:00
*
* Caller holds exclusive lock on superblock ; that lock is released .
2005-04-17 02:20:36 +04:00
*/
2010-03-22 22:22:31 +03:00
void deactivate_locked_super ( struct super_block * s )
2005-04-17 02:20:36 +04:00
{
struct file_system_type * fs = s - > s_type ;
2010-03-22 15:53:19 +03:00
if ( atomic_dec_and_test ( & s - > s_active ) ) {
2023-09-11 12:44:37 +03:00
shrinker_free ( s - > s_shrink ) ;
2014-06-05 03:10:46 +04:00
fs - > kill_sb ( s ) ;
2013-08-28 04:18:18 +04:00
2023-08-28 14:26:24 +03:00
kill_super_notify ( s ) ;
2015-02-13 01:59:07 +03:00
/*
* Since list_lru_destroy ( ) may sleep , we cannot call it from
* put_super ( ) , where we hold the sb_lock . Therefore we destroy
* the lru lists right now .
*/
list_lru_destroy ( & s - > s_dentry_lru ) ;
list_lru_destroy ( & s - > s_inode_lru ) ;
2005-04-17 02:20:36 +04:00
put_filesystem ( fs ) ;
put_super ( s ) ;
2010-03-22 22:22:31 +03:00
} else {
2023-08-18 17:00:48 +03:00
super_unlock_excl ( s ) ;
2005-04-17 02:20:36 +04:00
}
}
2010-03-22 22:22:31 +03:00
EXPORT_SYMBOL ( deactivate_locked_super ) ;
2005-04-17 02:20:36 +04:00
2009-05-06 09:07:50 +04:00
/**
2010-03-22 22:22:31 +03:00
* deactivate_super - drop an active reference to superblock
2009-05-06 09:07:50 +04:00
* @ s : superblock to deactivate
*
2010-03-22 22:22:31 +03:00
* Variant of deactivate_locked_super ( ) , except that superblock is * not *
* locked by caller . If we are going to drop the final active reference ,
* lock will be acquired prior to that .
2009-05-06 09:07:50 +04:00
*/
2010-03-22 22:22:31 +03:00
void deactivate_super ( struct super_block * s )
2009-05-06 09:07:50 +04:00
{
2020-03-05 11:06:39 +03:00
if ( ! atomic_add_unless ( & s - > s_active , - 1 , 1 ) ) {
2023-08-18 17:00:50 +03:00
__super_lock_excl ( s ) ;
2010-03-22 22:22:31 +03:00
deactivate_locked_super ( s ) ;
2009-05-06 09:07:50 +04:00
}
}
2010-03-22 22:22:31 +03:00
EXPORT_SYMBOL ( deactivate_super ) ;
2009-05-06 09:07:50 +04:00
2005-04-17 02:20:36 +04:00
/**
2023-10-24 16:01:14 +03:00
* grab_super - acquire an active reference to a superblock
2023-08-18 17:00:51 +03:00
* @ sb : superblock to acquire
*
* Acquire a temporary reference on a superblock and try to trade it for
* an active reference . This is used in sget { _fc } ( ) to wait for a
* superblock to either become SB_BORN or for it to pass through
* sb - > kill ( ) and be marked as SB_DEAD .
*
* Return : This returns true if an active reference could be acquired ,
* false if not .
*/
2023-10-24 16:01:14 +03:00
static bool grab_super ( struct super_block * sb )
2023-08-18 17:00:51 +03:00
{
2023-10-24 16:01:14 +03:00
bool locked ;
2023-08-18 17:00:51 +03:00
sb - > s_count + + ;
2023-10-24 16:01:14 +03:00
spin_unlock ( & sb_lock ) ;
locked = super_lock_excl ( sb ) ;
if ( locked ) {
if ( atomic_inc_not_zero ( & sb - > s_active ) ) {
put_super ( sb ) ;
return true ;
}
super_unlock_excl ( sb ) ;
2023-08-18 17:00:51 +03:00
}
2023-11-27 14:51:30 +03:00
wait_var_event ( & sb - > s_flags , super_flags ( sb , SB_DEAD ) ) ;
2023-08-28 14:26:23 +03:00
put_super ( sb ) ;
2023-08-18 17:00:51 +03:00
return false ;
}
2011-07-08 08:14:41 +04:00
/*
2023-08-18 17:00:49 +03:00
* super_trylock_shared - try to grab - > s_umount shared
2012-06-09 07:10:55 +04:00
* @ sb : reference we are trying to grab
2011-07-08 08:14:41 +04:00
*
2015-02-19 20:19:35 +03:00
* Try to prevent fs shutdown . This is used in places where we
2011-07-08 08:14:41 +04:00
* cannot take an active reference but we need to ensure that the
2015-02-19 20:19:35 +03:00
* filesystem is not shut down while we are working on it . It returns
* false if we cannot acquire s_umount or if we lose the race and
* filesystem already got into shutdown , and returns true with the s_umount
* lock held in read mode in case of success . On successful return ,
* the caller must drop the s_umount lock when done .
*
* Note that unlike get_super ( ) et . al . this one does * not * bump - > s_count .
* The reason why it ' s safe is that we are OK with doing trylock instead
* of down_read ( ) . There ' s a couple of places that are OK with that , but
* it ' s very much not a general - purpose interface .
2011-07-08 08:14:41 +04:00
*/
2023-08-18 17:00:49 +03:00
bool super_trylock_shared ( struct super_block * sb )
2011-07-08 08:14:41 +04:00
{
if ( down_read_trylock ( & sb - > s_umount ) ) {
2023-08-18 17:00:50 +03:00
if ( ! ( sb - > s_flags & SB_DYING ) & & sb - > s_root & &
( sb - > s_flags & SB_BORN ) )
2011-07-08 08:14:41 +04:00
return true ;
2023-08-18 17:00:48 +03:00
super_unlock_shared ( sb ) ;
2011-07-08 08:14:41 +04:00
}
return false ;
}
2022-07-27 09:44:24 +03:00
/**
* retire_super - prevents superblock from being reused
* @ sb : superblock to retire
*
* The function marks superblock to be ignored in superblock test , which
* prevents it from being reused for any new mounts . If the superblock has
* a private bdi , it also unregisters it , but doesn ' t reduce the refcount
* of the superblock to prevent potential races . The refcount is reduced
* by generic_shutdown_super ( ) . The function can not be called
* concurrently with generic_shutdown_super ( ) . It is safe to call the
* function multiple times , subsequent calls have no effect .
*
* The marker will affect the re - use only for block - device - based
* superblocks . Other superblocks will still get marked if this function
* is used , but that will not affect their reusability .
*/
void retire_super ( struct super_block * sb )
{
WARN_ON ( ! sb - > s_bdev ) ;
2023-08-18 17:00:50 +03:00
__super_lock_excl ( sb ) ;
2022-07-27 09:44:24 +03:00
if ( sb - > s_iflags & SB_I_PERSB_BDI ) {
bdi_unregister ( sb - > s_bdi ) ;
sb - > s_iflags & = ~ SB_I_PERSB_BDI ;
}
sb - > s_iflags | = SB_I_RETIRED ;
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2022-07-27 09:44:24 +03:00
}
EXPORT_SYMBOL ( retire_super ) ;
2005-04-17 02:20:36 +04:00
/**
* generic_shutdown_super - common helper for - > kill_sb ( )
* @ sb : superblock to kill
*
* generic_shutdown_super ( ) does all fs - independent work on superblock
* shutdown . Typical - > kill_sb ( ) should pick all fs - specific objects
* that need destruction out of superblock , call generic_shutdown_super ( )
* and release aforementioned objects . Note : dentries and inodes _are_
* taken care of and do not need specific handling .
2006-10-11 12:22:19 +04:00
*
* Upon calling this function , the filesystem may no longer alter or
* rearrange the set of dentries belonging to this super_block , nor may it
* change the attachments of dentries to inodes .
2005-04-17 02:20:36 +04:00
*/
void generic_shutdown_super ( struct super_block * sb )
{
2007-02-12 11:55:41 +03:00
const struct super_operations * sop = sb - > s_op ;
2005-04-17 02:20:36 +04:00
2006-10-11 12:22:19 +04:00
if ( sb - > s_root ) {
shrink_dcache_for_umount ( sb ) ;
2009-04-27 18:43:53 +04:00
sync_filesystem ( sb ) ;
2017-07-17 10:45:35 +03:00
sb - > s_flags & = ~ SB_ACTIVE ;
2009-01-06 18:20:54 +03:00
2016-03-01 02:28:53 +03:00
cgroup_writeback_umount ( ) ;
2010-10-26 04:49:35 +04:00
2023-03-14 01:12:29 +03:00
/* Evict all inodes with zero refcount. */
2010-10-26 04:49:35 +04:00
evict_inodes ( sb ) ;
2023-03-14 01:12:29 +03:00
/*
* Clean up and evict any inodes that still have references due
* to fsnotify or the security policy .
*/
2019-12-06 19:55:59 +03:00
fsnotify_sb_delete ( sb ) ;
2021-04-22 18:41:16 +03:00
security_sb_delete ( sb ) ;
2005-04-17 02:20:36 +04:00
2013-09-04 17:04:39 +04:00
if ( sb - > s_dio_done_wq ) {
destroy_workqueue ( sb - > s_dio_done_wq ) ;
sb - > s_dio_done_wq = NULL ;
}
2005-04-17 02:20:36 +04:00
if ( sop - > put_super )
sop - > put_super ( sb ) ;
2023-12-27 20:14:29 +03:00
/*
* Now that all potentially - encrypted inodes have been evicted ,
* the fscrypt keyring can be destroyed .
*/
fscrypt_destroy_keyring ( sb ) ;
2023-01-16 22:14:25 +03:00
if ( CHECK_DATA_CORRUPTION ( ! list_empty ( & sb - > s_inodes ) ,
" VFS: Busy inodes after unmount of %s (%s) " ,
sb - > s_id , sb - > s_type - > name ) ) {
/*
* Adding a proper bailout path here would be hard , but
* we can at least make it more likely that a later
* iput_final ( ) or such crashes cleanly .
*/
struct inode * inode ;
spin_lock ( & sb - > s_inode_list_lock ) ;
list_for_each_entry ( inode , & sb - > s_inodes , i_sb_list ) {
inode - > i_op = VFS_PTR_POISON ;
inode - > i_sb = VFS_PTR_POISON ;
inode - > i_mapping = VFS_PTR_POISON ;
}
spin_unlock ( & sb - > s_inode_list_lock ) ;
2005-04-17 02:20:36 +04:00
}
}
2023-08-18 17:00:50 +03:00
/*
* Broadcast to everyone that grabbed a temporary reference to this
* superblock before we removed it from @ fs_supers that the superblock
* is dying . Every walker of @ fs_supers outside of sget { _fc } ( ) will now
* discard this superblock and treat it as dead .
2023-08-18 17:00:51 +03:00
*
* We leave the superblock on @ fs_supers so it can be found by
* sget { _fc } ( ) until we passed sb - > kill_sb ( ) .
2023-08-18 17:00:50 +03:00
*/
super_wake ( sb , SB_DYING ) ;
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2017-04-12 13:24:47 +03:00
if ( sb - > s_bdi ! = & noop_backing_dev_info ) {
2021-11-05 23:36:58 +03:00
if ( sb - > s_iflags & SB_I_PERSB_BDI )
bdi_unregister ( sb - > s_bdi ) ;
2017-04-12 13:24:28 +03:00
bdi_put ( sb - > s_bdi ) ;
sb - > s_bdi = & noop_backing_dev_info ;
}
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( generic_shutdown_super ) ;
2019-05-13 00:31:45 +03:00
bool mount_capable ( struct fs_context * fc )
2019-05-12 22:42:48 +03:00
{
2019-05-13 00:31:45 +03:00
if ( ! ( fc - > fs_type - > fs_flags & FS_USERNS_MOUNT ) )
2019-05-12 22:42:48 +03:00
return capable ( CAP_SYS_ADMIN ) ;
else
2019-07-27 15:29:57 +03:00
return ns_capable ( fc - > user_ns , CAP_SYS_ADMIN ) ;
2019-05-12 22:42:48 +03:00
}
2018-12-24 01:25:47 +03:00
/**
* sget_fc - Find or create a superblock
* @ fc : Filesystem context .
* @ test : Comparison callback
* @ set : Setup callback
*
fs: add FSCONFIG_CMD_CREATE_EXCL
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-08-02 14:57:06 +03:00
* Create a new superblock or find an existing one .
2018-12-24 01:25:47 +03:00
*
fs: add FSCONFIG_CMD_CREATE_EXCL
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-08-02 14:57:06 +03:00
* The @ test callback is used to find a matching existing superblock .
* Whether or not the requested parameters in @ fc are taken into account
* is specific to the @ test callback that is used . They may even be
* completely ignored .
*
* If an extant superblock is matched , it will be returned unless :
*
* ( 1 ) the namespace the filesystem context @ fc and the extant
* superblock ' s namespace differ
*
* ( 2 ) the filesystem context @ fc has requested that reusing an extant
* superblock is not allowed
*
* In both cases EBUSY will be returned .
2018-12-24 01:25:47 +03:00
*
* If no match is made , a new superblock will be allocated and basic
fs: add FSCONFIG_CMD_CREATE_EXCL
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-08-02 14:57:06 +03:00
* initialisation will be performed ( s_type , s_fs_info and s_id will be
* set and the @ set callback will be invoked ) , the superblock will be
* published and it will be returned in a partially constructed state
* with SB_BORN and SB_ACTIVE as yet unset .
*
* Return : On success , an extant or newly created superblock is
* returned . On failure an error pointer is returned .
2018-12-24 01:25:47 +03:00
*/
struct super_block * sget_fc ( struct fs_context * fc ,
int ( * test ) ( struct super_block * , struct fs_context * ) ,
int ( * set ) ( struct super_block * , struct fs_context * ) )
{
struct super_block * s = NULL ;
struct super_block * old ;
struct user_namespace * user_ns = fc - > global ? & init_user_ns : fc - > user_ns ;
int err ;
retry :
spin_lock ( & sb_lock ) ;
if ( test ) {
hlist_for_each_entry ( old , & fc - > fs_type - > fs_supers , s_instances ) {
if ( test ( old , fc ) )
goto share_extant_sb ;
}
}
if ( ! s ) {
spin_unlock ( & sb_lock ) ;
s = alloc_super ( fc - > fs_type , fc - > sb_flags , user_ns ) ;
if ( ! s )
return ERR_PTR ( - ENOMEM ) ;
goto retry ;
}
s - > s_fs_info = fc - > s_fs_info ;
err = set ( s , fc ) ;
if ( err ) {
s - > s_fs_info = NULL ;
spin_unlock ( & sb_lock ) ;
destroy_unused_super ( s ) ;
return ERR_PTR ( err ) ;
}
fc - > s_fs_info = NULL ;
s - > s_type = fc - > fs_type ;
2019-03-25 19:38:23 +03:00
s - > s_iflags | = fc - > s_iflags ;
2023-05-11 01:11:19 +03:00
strscpy ( s - > s_id , s - > s_type - > name , sizeof ( s - > s_id ) ) ;
2023-08-18 17:00:50 +03:00
/*
* Make the superblock visible on @ super_blocks and @ fs_supers .
* It ' s in a nascent state and users should wait on SB_BORN or
* SB_DYING to be set .
*/
2018-12-24 01:25:47 +03:00
list_add_tail ( & s - > s_list , & super_blocks ) ;
hlist_add_head ( & s - > s_instances , & s - > s_type - > fs_supers ) ;
spin_unlock ( & sb_lock ) ;
get_filesystem ( s - > s_type ) ;
2023-09-11 12:44:37 +03:00
shrinker_register ( s - > s_shrink ) ;
2018-12-24 01:25:47 +03:00
return s ;
share_extant_sb :
fs: add FSCONFIG_CMD_CREATE_EXCL
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-08-02 14:57:06 +03:00
if ( user_ns ! = old - > s_user_ns | | fc - > exclusive ) {
2018-12-24 01:25:47 +03:00
spin_unlock ( & sb_lock ) ;
destroy_unused_super ( s ) ;
fs: add FSCONFIG_CMD_CREATE_EXCL
Summary
=======
This introduces FSCONFIG_CMD_CREATE_EXCL which will allows userspace to
implement something like mount -t ext4 --exclusive /dev/sda /B which
fails if a superblock for the requested filesystem does already exist:
Before this patch
-----------------
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /A
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs -o source=/dev/sda4 /B
Requesting filesystem type xfs
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
After this patch with --exclusive as a switch for FSCONFIG_CMD_CREATE_EXCL
--------------------------------------------------------------------------
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /A
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /A
Moving single attached mount
Setting key(source) with val(/dev/sda4)
$ sudo ./move-mount -f xfs --exclusive -o source=/dev/sda4 /B
Requesting filesystem type xfs
Request exclusive superblock creation
Mount options requested: source=/dev/sda4
Attaching mount at /B
Moving single attached mount
Setting key(source) with val(/dev/sda4)
Device or resource busy | move-mount.c: 300: do_fsconfig: i xfs: reusing existing filesystem not allowed
Details
=======
As mentioned on the list (cf. [1]-[3]) mount requests like
mount -t ext4 /dev/sda /A are ambigous for userspace. Either a new
superblock has been created and mounted or an existing superblock has
been reused and a bind-mount has been created.
This becomes clear in the following example where two processes create
the same mount for the same block device:
P1 P2
fd_fs = fsopen("ext4"); fd_fs = fsopen("ext4");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "source", "/dev/sda");
fsconfig(fd_fs, FSCONFIG_SET_STRING, "dax", "always"); fsconfig(fd_fs, FSCONFIG_SET_STRING, "resuid", "1000");
// wins and creates superblock
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
// finds compatible superblock of P1
// spins until P1 sets SB_BORN and grabs a reference
fsconfig(fd_fs, FSCONFIG_CMD_CREATE, ...)
fd_mnt1 = fsmount(fd_fs); fd_mnt2 = fsmount(fd_fs);
move_mount(fd_mnt1, "/A") move_mount(fd_mnt2, "/B")
Not just does P2 get a bind-mount but the mount options that P2
requestes are silently ignored. The VFS itself doesn't, can't and
shouldn't enforce filesystem specific mount option compatibility. It
only enforces incompatibility for read-only <-> read-write transitions:
mount -t ext4 /dev/sda /A
mount -t ext4 -o ro /dev/sda /B
The read-only request will fail with EBUSY as the VFS can't just
silently transition a superblock from read-write to read-only or vica
versa without risking security issues.
To userspace this silent superblock reuse can become a security issue in
because there is currently no straightforward way for userspace to know
that they did indeed manage to create a new superblock and didn't just
reuse an existing one.
This adds a new FSCONFIG_CMD_CREATE_EXCL command to fsconfig() that
returns EBUSY if an existing superblock would be reused. Userspace that
needs to be sure that it did create a new superblock with the requested
mount options can request superblock creation using this command. If the
command succeeds they can be sure that they did create a new superblock
with the requested mount options.
This requires the new mount api. With the old mount api it would be
necessary to plumb this through every legacy filesystem's
file_system_type->mount() method. If they want this feature they are
most welcome to switch to the new mount api.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
each high-level superblock creation helper:
(1) get_tree_nodev()
Always allocate new superblock. Hence, FSCONFIG_CMD_CREATE and
FSCONFIG_CMD_CREATE_EXCL are equivalent.
The binderfs or overlayfs filesystems are examples.
(4) get_tree_keyed()
Finds an existing superblock based on sb->s_fs_info. Hence,
FSCONFIG_CMD_CREATE would reuse an existing superblock whereas
FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The mqueue or nfsd filesystems are examples.
(2) get_tree_bdev()
This effectively works like get_tree_keyed().
The ext4 or xfs filesystems are examples.
(3) get_tree_single()
Only one superblock of this filesystem type can ever exist.
Hence, FSCONFIG_CMD_CREATE would reuse an existing superblock
whereas FSCONFIG_CMD_CREATE_EXCL would reject it with EBUSY.
The securityfs or configfs filesystems are examples.
Note that some single-instance filesystems never destroy the
superblock once it has been created during the first mount. For
example, if securityfs has been mounted at least onces then the
created superblock will never be destroyed again as long as there is
still an LSM making use it. Consequently, even if securityfs is
unmounted and the superblock seemingly destroyed it really isn't
which means that FSCONFIG_CMD_CREATE_EXCL will continue rejecting
reusing an existing superblock.
This is acceptable thugh since special purpose filesystems such as
this shouldn't have a need to use FSCONFIG_CMD_CREATE_EXCL anyway
and if they do it's probably to make sure that mount options aren't
ignored.
Following is an analysis of the effect of FSCONFIG_CMD_CREATE_EXCL on
filesystems that make use of the low-level sget_fc() helper directly.
They're all effectively variants on get_tree_keyed(), get_tree_bdev(),
or get_tree_nodev():
(5) mtd_get_sb()
Similar logic to get_tree_keyed().
(6) afs_get_tree()
Similar logic to get_tree_keyed().
(7) ceph_get_tree()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via CEPH_OPT_NOSHARE. This turns it into get_tree_nodev().
(8) fuse_get_tree_submount()
Similar logic to get_tree_nodev().
(9) fuse_get_tree()
Forces reuse of existing FUSE superblock.
Forces reuse of existing superblock if passed in file refers to an
existing FUSE connection.
If FSCONFIG_CMD_CREATE_EXCL is specified together with an fd
referring to an existing FUSE connections this would cause the
superblock reusal to fail. If reusing is the intent then
FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(10) fuse_get_tree()
-> get_tree_nodev()
Same logic as in get_tree_nodev().
(11) fuse_get_tree()
-> get_tree_bdev()
Same logic as in get_tree_bdev().
(12) virtio_fs_get_tree()
Same logic as get_tree_keyed().
(13) gfs2_meta_get_tree()
Forces reuse of existing gfs2 superblock.
Mounting gfs2meta enforces that a gf2s superblock must already
exist. If not, it will error out. Consequently, mounting gfs2meta
with FSCONFIG_CMD_CREATE_EXCL would always fail. If reusing is the
intent then FSCONFIG_CMD_CREATE_EXCL shouldn't be specified.
(14) kernfs_get_tree()
Similar logic to get_tree_keyed().
(15) nfs_get_tree_common()
Similar logic to get_tree_keyed().
Already explicitly allows forcing the allocation of a new superblock
via NFS_MOUNT_UNSHARED. This effectively turns it into
get_tree_nodev().
Link: [1] https://lore.kernel.org/linux-block/20230704-fasching-wertarbeit-7c6ffb01c83d@brauner
Link: [2] https://lore.kernel.org/linux-block/20230705-pumpwerk-vielversprechend-a4b1fd947b65@brauner
Link: [3] https://lore.kernel.org/linux-fsdevel/20230725-einnahmen-warnschilder-17779aec0a97@brauner
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Aleksa Sarai <cyphar@cyphar.com>
Message-Id: <20230802-vfs-super-exclusive-v2-4-95dc4e41b870@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-08-02 14:57:06 +03:00
if ( fc - > exclusive )
warnfc ( fc , " reusing existing filesystem not allowed " ) ;
else
warnfc ( fc , " reusing existing filesystem in another namespace not allowed " ) ;
2018-12-24 01:25:47 +03:00
return ERR_PTR ( - EBUSY ) ;
}
2023-10-24 16:01:14 +03:00
if ( ! grab_super ( old ) )
2018-12-24 01:25:47 +03:00
goto retry ;
destroy_unused_super ( s ) ;
return old ;
}
EXPORT_SYMBOL ( sget_fc ) ;
2005-04-17 02:20:36 +04:00
/**
2019-03-25 19:38:28 +03:00
* sget - find or create a superblock
* @ type : filesystem type superblock should belong to
* @ test : comparison callback
* @ set : setup callback
* @ flags : mount flags
* @ data : argument to each of them
2005-04-17 02:20:36 +04:00
*/
2019-03-25 19:38:28 +03:00
struct super_block * sget ( struct file_system_type * type ,
2005-04-17 02:20:36 +04:00
int ( * test ) ( struct super_block * , void * ) ,
int ( * set ) ( struct super_block * , void * ) ,
2019-03-25 19:38:28 +03:00
int flags ,
2005-04-17 02:20:36 +04:00
void * data )
{
2019-03-25 19:38:28 +03:00
struct user_namespace * user_ns = current_user_ns ( ) ;
2005-04-17 02:20:36 +04:00
struct super_block * s = NULL ;
2007-10-19 10:39:57 +04:00
struct super_block * old ;
2005-04-17 02:20:36 +04:00
int err ;
2019-03-25 19:38:28 +03:00
/* We don't yet pass the user namespace of the parent
* mount through to here so always use & init_user_ns
* until that changes .
*/
if ( flags & SB_SUBMOUNT )
user_ns = & init_user_ns ;
2005-04-17 02:20:36 +04:00
retry :
spin_lock ( & sb_lock ) ;
2007-10-19 10:39:57 +04:00
if ( test ) {
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 05:06:00 +04:00
hlist_for_each_entry ( old , & type - > fs_supers , s_instances ) {
2007-10-19 10:39:57 +04:00
if ( ! test ( old , data ) )
continue ;
2016-05-24 17:29:01 +03:00
if ( user_ns ! = old - > s_user_ns ) {
spin_unlock ( & sb_lock ) ;
2017-10-11 20:48:55 +03:00
destroy_unused_super ( s ) ;
2016-05-24 17:29:01 +03:00
return ERR_PTR ( - EBUSY ) ;
}
2023-10-24 16:01:14 +03:00
if ( ! grab_super ( old ) )
2007-10-19 10:39:57 +04:00
goto retry ;
2017-10-11 20:48:55 +03:00
destroy_unused_super ( s ) ;
2007-10-19 10:39:57 +04:00
return old ;
}
2005-04-17 02:20:36 +04:00
}
if ( ! s ) {
spin_unlock ( & sb_lock ) ;
2017-07-17 10:45:35 +03:00
s = alloc_super ( type , ( flags & ~ SB_SUBMOUNT ) , user_ns ) ;
2005-04-17 02:20:36 +04:00
if ( ! s )
return ERR_PTR ( - ENOMEM ) ;
goto retry ;
}
2017-07-04 19:25:09 +03:00
2005-04-17 02:20:36 +04:00
err = set ( s , data ) ;
if ( err ) {
spin_unlock ( & sb_lock ) ;
2017-10-11 20:48:55 +03:00
destroy_unused_super ( s ) ;
2005-04-17 02:20:36 +04:00
return ERR_PTR ( err ) ;
}
s - > s_type = type ;
2023-05-11 01:11:19 +03:00
strscpy ( s - > s_id , type - > name , sizeof ( s - > s_id ) ) ;
2005-04-17 02:20:36 +04:00
list_add_tail ( & s - > s_list , & super_blocks ) ;
2011-12-13 07:53:00 +04:00
hlist_add_head ( & s - > s_instances , & type - > fs_supers ) ;
2005-04-17 02:20:36 +04:00
spin_unlock ( & sb_lock ) ;
get_filesystem ( type ) ;
2023-09-11 12:44:37 +03:00
shrinker_register ( s - > s_shrink ) ;
2005-04-17 02:20:36 +04:00
return s ;
}
EXPORT_SYMBOL ( sget ) ;
void drop_super ( struct super_block * sb )
{
2023-08-18 17:00:48 +03:00
super_unlock_shared ( sb ) ;
2005-04-17 02:20:36 +04:00
put_super ( sb ) ;
}
EXPORT_SYMBOL ( drop_super ) ;
2016-11-23 14:53:00 +03:00
void drop_super_exclusive ( struct super_block * sb )
{
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2016-11-23 14:53:00 +03:00
put_super ( sb ) ;
}
EXPORT_SYMBOL ( drop_super_exclusive ) ;
2017-10-03 19:17:40 +03:00
static void __iterate_supers ( void ( * f ) ( struct super_block * ) )
{
struct super_block * sb , * p = NULL ;
spin_lock ( & sb_lock ) ;
list_for_each_entry ( sb , & super_blocks , s_list ) {
2023-11-27 14:51:30 +03:00
if ( super_flags ( sb , SB_DYING ) )
2017-10-03 19:17:40 +03:00
continue ;
sb - > s_count + + ;
spin_unlock ( & sb_lock ) ;
f ( sb ) ;
spin_lock ( & sb_lock ) ;
if ( p )
__put_super ( p ) ;
p = sb ;
}
if ( p )
__put_super ( p ) ;
spin_unlock ( & sb_lock ) ;
}
2010-03-23 13:06:58 +03:00
/**
* iterate_supers - call function for all active superblocks
* @ f : function to call
* @ arg : argument to pass to it
*
* Scans the superblock list and calls given function , passing it
* locked superblock and given argument .
*/
void iterate_supers ( void ( * f ) ( struct super_block * , void * ) , void * arg )
{
2010-07-25 02:31:46 +04:00
struct super_block * sb , * p = NULL ;
2010-03-23 13:06:58 +03:00
spin_lock ( & sb_lock ) ;
2010-07-25 02:31:46 +04:00
list_for_each_entry ( sb , & super_blocks , s_list ) {
2023-10-24 16:01:07 +03:00
bool locked ;
2023-08-18 17:00:50 +03:00
2010-03-23 13:06:58 +03:00
sb - > s_count + + ;
spin_unlock ( & sb_lock ) ;
2023-10-24 16:01:07 +03:00
locked = super_lock_shared ( sb ) ;
if ( locked ) {
if ( sb - > s_root )
f ( sb , arg ) ;
super_unlock_shared ( sb ) ;
}
2010-03-23 13:06:58 +03:00
spin_lock ( & sb_lock ) ;
2010-07-25 02:31:46 +04:00
if ( p )
__put_super ( p ) ;
p = sb ;
2010-03-23 13:06:58 +03:00
}
2010-07-25 02:31:46 +04:00
if ( p )
__put_super ( p ) ;
2010-03-23 13:06:58 +03:00
spin_unlock ( & sb_lock ) ;
}
2011-06-04 04:16:57 +04:00
/**
* iterate_supers_type - call function for superblocks of given type
* @ type : fs type
* @ f : function to call
* @ arg : argument to pass to it
*
* Scans the superblock list and calls given function , passing it
* locked superblock and given argument .
*/
void iterate_supers_type ( struct file_system_type * type ,
void ( * f ) ( struct super_block * , void * ) , void * arg )
{
struct super_block * sb , * p = NULL ;
spin_lock ( & sb_lock ) ;
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 05:06:00 +04:00
hlist_for_each_entry ( sb , & type - > fs_supers , s_instances ) {
2023-10-24 16:01:07 +03:00
bool locked ;
2023-08-18 17:00:50 +03:00
2011-06-04 04:16:57 +04:00
sb - > s_count + + ;
spin_unlock ( & sb_lock ) ;
2023-10-24 16:01:07 +03:00
locked = super_lock_shared ( sb ) ;
if ( locked ) {
if ( sb - > s_root )
f ( sb , arg ) ;
super_unlock_shared ( sb ) ;
}
2011-06-04 04:16:57 +04:00
spin_lock ( & sb_lock ) ;
if ( p )
__put_super ( p ) ;
p = sb ;
}
if ( p )
__put_super ( p ) ;
spin_unlock ( & sb_lock ) ;
}
EXPORT_SYMBOL ( iterate_supers_type ) ;
2020-11-23 15:38:40 +03:00
struct super_block * user_get_super ( dev_t dev , bool excl )
2005-04-17 02:20:36 +04:00
{
2005-06-23 11:09:54 +04:00
struct super_block * sb ;
2005-04-17 02:20:36 +04:00
spin_lock ( & sb_lock ) ;
2005-06-23 11:09:54 +04:00
list_for_each_entry ( sb , & super_blocks , s_list ) {
if ( sb - > s_dev = = dev ) {
2023-10-24 16:01:07 +03:00
bool locked ;
2023-08-18 17:00:50 +03:00
2005-06-23 11:09:54 +04:00
sb - > s_count + + ;
2005-04-17 02:20:36 +04:00
spin_unlock ( & sb_lock ) ;
2010-03-23 03:23:25 +03:00
/* still alive? */
2023-10-24 16:01:07 +03:00
locked = super_lock ( sb , excl ) ;
if ( locked ) {
if ( sb - > s_root )
return sb ;
super_unlock ( sb , excl ) ;
}
2010-03-23 03:23:25 +03:00
/* nope, got unmounted */
2005-06-23 11:09:54 +04:00
spin_lock ( & sb_lock ) ;
2010-03-23 03:23:25 +03:00
__put_super ( sb ) ;
2023-08-18 17:00:50 +03:00
break ;
2005-04-17 02:20:36 +04:00
}
}
spin_unlock ( & sb_lock ) ;
return NULL ;
}
/**
2018-11-04 17:28:36 +03:00
* reconfigure_super - asks filesystem to change superblock parameters
* @ fc : The superblock and configuration
2005-04-17 02:20:36 +04:00
*
2018-11-04 17:28:36 +03:00
* Alters the configuration parameters of a live superblock .
2005-04-17 02:20:36 +04:00
*/
2018-11-04 17:28:36 +03:00
int reconfigure_super ( struct fs_context * fc )
2005-04-17 02:20:36 +04:00
{
2018-11-04 17:28:36 +03:00
struct super_block * sb = fc - > root - > d_sb ;
2005-04-17 02:20:36 +04:00
int retval ;
2018-11-04 17:28:36 +03:00
bool remount_ro = false ;
2023-06-15 14:38:48 +03:00
bool remount_rw = false ;
2018-11-04 17:28:36 +03:00
bool force = fc - > sb_flags & SB_FORCE ;
2009-08-04 01:28:35 +04:00
2018-11-04 17:28:36 +03:00
if ( fc - > sb_flags_mask & ~ MS_RMT_MASK )
return - EINVAL ;
2012-06-12 18:20:34 +04:00
if ( sb - > s_writers . frozen ! = SB_UNFROZEN )
2009-08-04 01:28:35 +04:00
return - EBUSY ;
2018-11-04 17:28:36 +03:00
retval = security_sb_remount ( sb , fc - > security ) ;
if ( retval )
return retval ;
if ( fc - > sb_flags_mask & SB_RDONLY ) {
[PATCH] BLOCK: Make it possible to disable the block layer [try #6]
Make it possible to disable the block layer. Not all embedded devices require
it, some can make do with just JFFS2, NFS, ramfs, etc - none of which require
the block layer to be present.
This patch does the following:
(*) Introduces CONFIG_BLOCK to disable the block layer, buffering and blockdev
support.
(*) Adds dependencies on CONFIG_BLOCK to any configuration item that controls
an item that uses the block layer. This includes:
(*) Block I/O tracing.
(*) Disk partition code.
(*) All filesystems that are block based, eg: Ext3, ReiserFS, ISOFS.
(*) The SCSI layer. As far as I can tell, even SCSI chardevs use the
block layer to do scheduling. Some drivers that use SCSI facilities -
such as USB storage - end up disabled indirectly from this.
(*) Various block-based device drivers, such as IDE and the old CDROM
drivers.
(*) MTD blockdev handling and FTL.
(*) JFFS - which uses set_bdev_super(), something it could avoid doing by
taking a leaf out of JFFS2's book.
(*) Makes most of the contents of linux/blkdev.h, linux/buffer_head.h and
linux/elevator.h contingent on CONFIG_BLOCK being set. sector_div() is,
however, still used in places, and so is still available.
(*) Also made contingent are the contents of linux/mpage.h, linux/genhd.h and
parts of linux/fs.h.
(*) Makes a number of files in fs/ contingent on CONFIG_BLOCK.
(*) Makes mm/bounce.c (bounce buffering) contingent on CONFIG_BLOCK.
(*) set_page_dirty() doesn't call __set_page_dirty_buffers() if CONFIG_BLOCK
is not enabled.
(*) fs/no-block.c is created to hold out-of-line stubs and things that are
required when CONFIG_BLOCK is not set:
(*) Default blockdev file operations (to give error ENODEV on opening).
(*) Makes some /proc changes:
(*) /proc/devices does not list any blockdevs.
(*) /proc/diskstats and /proc/partitions are contingent on CONFIG_BLOCK.
(*) Makes some compat ioctl handling contingent on CONFIG_BLOCK.
(*) If CONFIG_BLOCK is not defined, makes sys_quotactl() return -ENODEV if
given command other than Q_SYNC or if a special device is specified.
(*) In init/do_mounts.c, no reference is made to the blockdev routines if
CONFIG_BLOCK is not defined. This does not prohibit NFS roots or JFFS2.
(*) The bdflush, ioprio_set and ioprio_get syscalls can now be absent (return
error ENOSYS by way of cond_syscall if so).
(*) The seclvl_bd_claim() and seclvl_bd_release() security calls do nothing if
CONFIG_BLOCK is not set, since they can't then happen.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2006-09-30 22:45:40 +04:00
# ifdef CONFIG_BLOCK
2021-01-09 13:42:50 +03:00
if ( ! ( fc - > sb_flags & SB_RDONLY ) & & sb - > s_bdev & &
bdev_read_only ( sb - > s_bdev ) )
2018-11-04 17:28:36 +03:00
return - EACCES ;
[PATCH] BLOCK: Make it possible to disable the block layer [try #6]
Make it possible to disable the block layer. Not all embedded devices require
it, some can make do with just JFFS2, NFS, ramfs, etc - none of which require
the block layer to be present.
This patch does the following:
(*) Introduces CONFIG_BLOCK to disable the block layer, buffering and blockdev
support.
(*) Adds dependencies on CONFIG_BLOCK to any configuration item that controls
an item that uses the block layer. This includes:
(*) Block I/O tracing.
(*) Disk partition code.
(*) All filesystems that are block based, eg: Ext3, ReiserFS, ISOFS.
(*) The SCSI layer. As far as I can tell, even SCSI chardevs use the
block layer to do scheduling. Some drivers that use SCSI facilities -
such as USB storage - end up disabled indirectly from this.
(*) Various block-based device drivers, such as IDE and the old CDROM
drivers.
(*) MTD blockdev handling and FTL.
(*) JFFS - which uses set_bdev_super(), something it could avoid doing by
taking a leaf out of JFFS2's book.
(*) Makes most of the contents of linux/blkdev.h, linux/buffer_head.h and
linux/elevator.h contingent on CONFIG_BLOCK being set. sector_div() is,
however, still used in places, and so is still available.
(*) Also made contingent are the contents of linux/mpage.h, linux/genhd.h and
parts of linux/fs.h.
(*) Makes a number of files in fs/ contingent on CONFIG_BLOCK.
(*) Makes mm/bounce.c (bounce buffering) contingent on CONFIG_BLOCK.
(*) set_page_dirty() doesn't call __set_page_dirty_buffers() if CONFIG_BLOCK
is not enabled.
(*) fs/no-block.c is created to hold out-of-line stubs and things that are
required when CONFIG_BLOCK is not set:
(*) Default blockdev file operations (to give error ENODEV on opening).
(*) Makes some /proc changes:
(*) /proc/devices does not list any blockdevs.
(*) /proc/diskstats and /proc/partitions are contingent on CONFIG_BLOCK.
(*) Makes some compat ioctl handling contingent on CONFIG_BLOCK.
(*) If CONFIG_BLOCK is not defined, makes sys_quotactl() return -ENODEV if
given command other than Q_SYNC or if a special device is specified.
(*) In init/do_mounts.c, no reference is made to the blockdev routines if
CONFIG_BLOCK is not defined. This does not prohibit NFS roots or JFFS2.
(*) The bdflush, ioprio_set and ioprio_get syscalls can now be absent (return
error ENOSYS by way of cond_syscall if so).
(*) The seclvl_bd_claim() and seclvl_bd_release() security calls do nothing if
CONFIG_BLOCK is not set, since they can't then happen.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2006-09-30 22:45:40 +04:00
# endif
2023-06-15 14:38:48 +03:00
remount_rw = ! ( fc - > sb_flags & SB_RDONLY ) & & sb_rdonly ( sb ) ;
2018-11-04 17:28:36 +03:00
remount_ro = ( fc - > sb_flags & SB_RDONLY ) & & ! sb_rdonly ( sb ) ;
}
2009-12-22 03:28:53 +03:00
2014-08-07 15:32:06 +04:00
if ( remount_ro ) {
2015-01-11 18:57:27 +03:00
if ( ! hlist_empty ( & sb - > s_pins ) ) {
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2015-01-11 18:57:27 +03:00
group_pin_kill ( & sb - > s_pins ) ;
2023-08-18 17:00:50 +03:00
__super_lock_excl ( sb ) ;
2014-08-07 15:32:06 +04:00
if ( ! sb - > s_root )
return 0 ;
if ( sb - > s_writers . frozen ! = SB_UNFROZEN )
return - EBUSY ;
2018-11-04 17:28:36 +03:00
remount_ro = ! sb_rdonly ( sb ) ;
2014-08-07 15:32:06 +04:00
}
}
shrink_dcache_sb ( sb ) ;
2018-11-04 17:28:36 +03:00
/* If we are reconfiguring to RDONLY and current sb is read/write,
* make sure there are no files open for writing .
*/
2009-12-22 03:28:53 +03:00
if ( remount_ro ) {
2011-11-21 15:11:31 +04:00
if ( force ) {
2023-06-20 14:28:32 +03:00
sb_start_ro_state_change ( sb ) ;
2011-11-21 15:11:31 +04:00
} else {
retval = sb_prepare_remount_readonly ( sb ) ;
if ( retval )
return retval ;
}
2023-06-15 14:38:48 +03:00
} else if ( remount_rw ) {
/*
2023-06-20 14:28:32 +03:00
* Protect filesystem ' s reconfigure code from writes from
* userspace until reconfigure finishes .
2023-06-15 14:38:48 +03:00
*/
2023-06-20 14:28:32 +03:00
sb_start_ro_state_change ( sb ) ;
2005-04-17 02:20:36 +04:00
}
2018-12-24 02:55:56 +03:00
if ( fc - > ops - > reconfigure ) {
retval = fc - > ops - > reconfigure ( fc ) ;
if ( retval ) {
if ( ! force )
goto cancel_readonly ;
/* If forced remount, go ahead despite any errors */
WARN ( 1 , " forced remount of a %s fs returned %i \n " ,
sb - > s_type - > name , retval ) ;
}
2005-04-17 02:20:36 +04:00
}
2018-11-04 17:28:36 +03:00
WRITE_ONCE ( sb - > s_flags , ( ( sb - > s_flags & ~ fc - > sb_flags_mask ) |
( fc - > sb_flags & fc - > sb_flags_mask ) ) ) ;
2023-06-20 14:28:32 +03:00
sb_end_ro_state_change ( sb ) ;
2010-05-19 15:16:40 +04:00
2009-12-22 03:28:53 +03:00
/*
* Some filesystems modify their metadata via some other path than the
* bdev buffer cache ( eg . use a private mapping , or directories in
* pagecache , etc ) . Also file data modifications go via their own
* mappings . So If we try to mount readonly then copy the filesystem
* from bdev , we could get stale data , so invalidate it to give a best
* effort at coherency .
*/
if ( remount_ro & & sb - > s_bdev )
invalidate_bdev ( sb - > s_bdev ) ;
2005-04-17 02:20:36 +04:00
return 0 ;
2011-11-21 15:11:31 +04:00
cancel_readonly :
2023-06-20 14:28:32 +03:00
sb_end_ro_state_change ( sb ) ;
2011-11-21 15:11:31 +04:00
return retval ;
2005-04-17 02:20:36 +04:00
}
2017-10-03 19:17:40 +03:00
static void do_emergency_remount_callback ( struct super_block * sb )
2005-04-17 02:20:36 +04:00
{
2023-10-24 16:01:07 +03:00
bool locked = super_lock_excl ( sb ) ;
2023-08-18 17:00:50 +03:00
2023-10-24 16:01:07 +03:00
if ( locked & & sb - > s_root & & sb - > s_bdev & & ! sb_rdonly ( sb ) ) {
2018-11-04 17:28:36 +03:00
struct fs_context * fc ;
fc = fs_context_for_reconfigure ( sb - > s_root ,
SB_RDONLY | SB_FORCE , SB_RDONLY ) ;
if ( ! IS_ERR ( fc ) ) {
if ( parse_monolithic_mount_data ( fc , NULL ) = = 0 )
( void ) reconfigure_super ( fc ) ;
put_fs_context ( fc ) ;
}
2005-04-17 02:20:36 +04:00
}
2023-10-24 16:01:07 +03:00
if ( locked )
super_unlock_excl ( sb ) ;
2017-10-03 19:17:40 +03:00
}
static void do_emergency_remount ( struct work_struct * work )
{
__iterate_supers ( do_emergency_remount_callback ) ;
2009-03-17 11:38:40 +03:00
kfree ( work ) ;
2005-04-17 02:20:36 +04:00
printk ( " Emergency Remount complete \n " ) ;
}
void emergency_remount ( void )
{
2009-03-17 11:38:40 +03:00
struct work_struct * work ;
work = kmalloc ( sizeof ( * work ) , GFP_ATOMIC ) ;
if ( work ) {
INIT_WORK ( work , do_emergency_remount ) ;
schedule_work ( work ) ;
}
2005-04-17 02:20:36 +04:00
}
2017-10-03 19:17:41 +03:00
static void do_thaw_all_callback ( struct super_block * sb )
{
2023-10-24 16:01:07 +03:00
bool locked = super_lock_excl ( sb ) ;
2023-08-18 17:00:50 +03:00
2023-10-24 16:01:07 +03:00
if ( locked & & sb - > s_root ) {
2023-08-01 20:21:56 +03:00
if ( IS_ENABLED ( CONFIG_BLOCK ) )
2023-10-24 16:01:08 +03:00
while ( sb - > s_bdev & & ! bdev_thaw ( sb - > s_bdev ) )
2023-08-01 20:21:56 +03:00
pr_warn ( " Emergency Thaw on %pg \n " , sb - > s_bdev ) ;
2023-07-17 19:00:09 +03:00
thaw_super_locked ( sb , FREEZE_HOLDER_USERSPACE ) ;
2023-10-24 16:01:07 +03:00
return ;
2017-10-03 19:17:41 +03:00
}
2023-10-24 16:01:07 +03:00
if ( locked )
super_unlock_excl ( sb ) ;
2017-10-03 19:17:41 +03:00
}
static void do_thaw_all ( struct work_struct * work )
{
__iterate_supers ( do_thaw_all_callback ) ;
kfree ( work ) ;
printk ( KERN_WARNING " Emergency Thaw complete \n " ) ;
}
/**
* emergency_thaw_all - - forcibly thaw every frozen filesystem
*
* Used for emergency unfreeze of all filesystems via SysRq
*/
void emergency_thaw_all ( void )
{
struct work_struct * work ;
work = kmalloc ( sizeof ( * work ) , GFP_ATOMIC ) ;
if ( work ) {
INIT_WORK ( work , do_thaw_all ) ;
schedule_work ( work ) ;
}
}
2008-08-28 06:26:23 +04:00
static DEFINE_IDA ( unnamed_dev_ida ) ;
2005-04-17 02:20:36 +04:00
2018-06-11 19:03:31 +03:00
/**
* get_anon_bdev - Allocate a block device for filesystems which don ' t have one .
* @ p : Pointer to a dev_t .
*
* Filesystems which don ' t use real block devices can call this function
* to allocate a virtual block device .
*
* Context : Any context . Frequently called while holding sb_lock .
* Return : 0 on success , - EMFILE if there are no anonymous bdevs left
* or - ENOMEM if memory allocation failed .
*/
2011-07-07 23:44:25 +04:00
int get_anon_bdev ( dev_t * p )
2005-04-17 02:20:36 +04:00
{
int dev ;
2018-06-11 19:03:31 +03:00
/*
* Many userspace utilities consider an FSID of 0 invalid .
* Always return at least 1 from get_anon_bdev .
*/
dev = ida_alloc_range ( & unnamed_dev_ida , 1 , ( 1 < < MINORBITS ) - 1 ,
GFP_ATOMIC ) ;
if ( dev = = - ENOSPC )
dev = - EMFILE ;
if ( dev < 0 )
return dev ;
* p = MKDEV ( 0 , dev ) ;
2005-04-17 02:20:36 +04:00
return 0 ;
}
2011-07-07 23:44:25 +04:00
EXPORT_SYMBOL ( get_anon_bdev ) ;
2005-04-17 02:20:36 +04:00
2011-07-07 23:44:25 +04:00
void free_anon_bdev ( dev_t dev )
2005-04-17 02:20:36 +04:00
{
2018-06-11 19:03:31 +03:00
ida_free ( & unnamed_dev_ida , MINOR ( dev ) ) ;
2005-04-17 02:20:36 +04:00
}
2011-07-07 23:44:25 +04:00
EXPORT_SYMBOL ( free_anon_bdev ) ;
int set_anon_super ( struct super_block * s , void * data )
{
2015-01-14 12:42:41 +03:00
return get_anon_bdev ( & s - > s_dev ) ;
2011-07-07 23:44:25 +04:00
}
EXPORT_SYMBOL ( set_anon_super ) ;
void kill_anon_super ( struct super_block * sb )
{
dev_t dev = sb - > s_dev ;
generic_shutdown_super ( sb ) ;
2023-08-28 14:26:24 +03:00
kill_super_notify ( sb ) ;
2011-07-07 23:44:25 +04:00
free_anon_bdev ( dev ) ;
}
2005-04-17 02:20:36 +04:00
EXPORT_SYMBOL ( kill_anon_super ) ;
void kill_litter_super ( struct super_block * sb )
{
if ( sb - > s_root )
d_genocide ( sb - > s_root ) ;
kill_anon_super ( sb ) ;
}
EXPORT_SYMBOL ( kill_litter_super ) ;
2018-12-24 01:25:47 +03:00
int set_anon_super_fc ( struct super_block * sb , struct fs_context * fc )
{
return set_anon_super ( sb , NULL ) ;
}
EXPORT_SYMBOL ( set_anon_super_fc ) ;
static int test_keyed_super ( struct super_block * sb , struct fs_context * fc )
{
return sb - > s_fs_info = = fc - > s_fs_info ;
}
static int test_single_super ( struct super_block * s , struct fs_context * fc )
{
return 1 ;
}
2023-08-02 14:57:03 +03:00
static int vfs_get_super ( struct fs_context * fc ,
2022-10-31 15:46:26 +03:00
int ( * test ) ( struct super_block * , struct fs_context * ) ,
int ( * fill_super ) ( struct super_block * sb ,
struct fs_context * fc ) )
2018-12-24 01:25:47 +03:00
{
struct super_block * sb ;
2019-03-21 12:22:36 +03:00
int err ;
2018-12-24 01:25:47 +03:00
sb = sget_fc ( fc , test , set_anon_super_fc ) ;
if ( IS_ERR ( sb ) )
return PTR_ERR ( sb ) ;
if ( ! sb - > s_root ) {
2019-03-21 12:22:36 +03:00
err = fill_super ( sb , fc ) ;
if ( err )
goto error ;
2018-12-24 01:25:47 +03:00
sb - > s_flags | = SB_ACTIVE ;
}
2023-08-02 14:57:03 +03:00
fc - > root = dget ( sb - > s_root ) ;
2018-12-24 01:25:47 +03:00
return 0 ;
2019-03-21 12:22:36 +03:00
error :
deactivate_locked_super ( sb ) ;
return err ;
2018-12-24 01:25:47 +03:00
}
2019-06-02 03:48:55 +03:00
int get_tree_nodev ( struct fs_context * fc ,
int ( * fill_super ) ( struct super_block * sb ,
struct fs_context * fc ) )
{
2023-08-02 14:57:03 +03:00
return vfs_get_super ( fc , NULL , fill_super ) ;
2019-06-02 03:48:55 +03:00
}
EXPORT_SYMBOL ( get_tree_nodev ) ;
2019-05-23 04:23:39 +03:00
int get_tree_single ( struct fs_context * fc ,
int ( * fill_super ) ( struct super_block * sb ,
struct fs_context * fc ) )
{
2023-08-02 14:57:03 +03:00
return vfs_get_super ( fc , test_single_super , fill_super ) ;
2019-05-23 04:23:39 +03:00
}
EXPORT_SYMBOL ( get_tree_single ) ;
2019-09-04 02:05:48 +03:00
int get_tree_keyed ( struct fs_context * fc ,
int ( * fill_super ) ( struct super_block * sb ,
struct fs_context * fc ) ,
void * key )
{
fc - > s_fs_info = key ;
2023-08-02 14:57:03 +03:00
return vfs_get_super ( fc , test_keyed_super , fill_super ) ;
2019-09-04 02:05:48 +03:00
}
EXPORT_SYMBOL ( get_tree_keyed ) ;
2023-08-29 18:23:56 +03:00
static int set_bdev_super ( struct super_block * s , void * data )
{
s - > s_dev = * ( dev_t * ) data ;
return 0 ;
}
static int super_s_dev_set ( struct super_block * s , struct fs_context * fc )
{
return set_bdev_super ( s , fc - > sget_key ) ;
}
static int super_s_dev_test ( struct super_block * s , struct fs_context * fc )
{
return ! ( s - > s_iflags & SB_I_RETIRED ) & &
s - > s_dev = = * ( dev_t * ) fc - > sget_key ;
}
/**
* sget_dev - Find or create a superblock by device number
* @ fc : Filesystem context .
* @ dev : device number
*
* Find or create a superblock using the provided device number that
* will be stored in fc - > sget_key .
*
* If an extant superblock is matched , then that will be returned with
* an elevated reference count that the caller must transfer or discard .
*
* If no match is made , a new superblock will be allocated and basic
* initialisation will be performed ( s_type , s_fs_info , s_id , s_dev will
* be set ) . The superblock will be published and it will be returned in
* a partially constructed state with SB_BORN and SB_ACTIVE as yet
* unset .
*
* Return : an existing or newly created superblock on success , an error
* pointer on failure .
*/
struct super_block * sget_dev ( struct fs_context * fc , dev_t dev )
{
fc - > sget_key = & dev ;
return sget_fc ( fc , super_s_dev_test , super_s_dev_set ) ;
}
EXPORT_SYMBOL ( sget_dev ) ;
[PATCH] BLOCK: Make it possible to disable the block layer [try #6]
Make it possible to disable the block layer. Not all embedded devices require
it, some can make do with just JFFS2, NFS, ramfs, etc - none of which require
the block layer to be present.
This patch does the following:
(*) Introduces CONFIG_BLOCK to disable the block layer, buffering and blockdev
support.
(*) Adds dependencies on CONFIG_BLOCK to any configuration item that controls
an item that uses the block layer. This includes:
(*) Block I/O tracing.
(*) Disk partition code.
(*) All filesystems that are block based, eg: Ext3, ReiserFS, ISOFS.
(*) The SCSI layer. As far as I can tell, even SCSI chardevs use the
block layer to do scheduling. Some drivers that use SCSI facilities -
such as USB storage - end up disabled indirectly from this.
(*) Various block-based device drivers, such as IDE and the old CDROM
drivers.
(*) MTD blockdev handling and FTL.
(*) JFFS - which uses set_bdev_super(), something it could avoid doing by
taking a leaf out of JFFS2's book.
(*) Makes most of the contents of linux/blkdev.h, linux/buffer_head.h and
linux/elevator.h contingent on CONFIG_BLOCK being set. sector_div() is,
however, still used in places, and so is still available.
(*) Also made contingent are the contents of linux/mpage.h, linux/genhd.h and
parts of linux/fs.h.
(*) Makes a number of files in fs/ contingent on CONFIG_BLOCK.
(*) Makes mm/bounce.c (bounce buffering) contingent on CONFIG_BLOCK.
(*) set_page_dirty() doesn't call __set_page_dirty_buffers() if CONFIG_BLOCK
is not enabled.
(*) fs/no-block.c is created to hold out-of-line stubs and things that are
required when CONFIG_BLOCK is not set:
(*) Default blockdev file operations (to give error ENODEV on opening).
(*) Makes some /proc changes:
(*) /proc/devices does not list any blockdevs.
(*) /proc/diskstats and /proc/partitions are contingent on CONFIG_BLOCK.
(*) Makes some compat ioctl handling contingent on CONFIG_BLOCK.
(*) If CONFIG_BLOCK is not defined, makes sys_quotactl() return -ENODEV if
given command other than Q_SYNC or if a special device is specified.
(*) In init/do_mounts.c, no reference is made to the blockdev routines if
CONFIG_BLOCK is not defined. This does not prohibit NFS roots or JFFS2.
(*) The bdflush, ioprio_set and ioprio_get syscalls can now be absent (return
error ENOSYS by way of cond_syscall if so).
(*) The seclvl_bd_claim() and seclvl_bd_release() security calls do nothing if
CONFIG_BLOCK is not set, since they can't then happen.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2006-09-30 22:45:40 +04:00
# ifdef CONFIG_BLOCK
2023-08-02 18:41:26 +03:00
/*
2023-10-18 18:29:24 +03:00
* Lock the superblock that is holder of the bdev . Returns the superblock
* pointer if we successfully locked the superblock and it is alive . Otherwise
* we return NULL and just unlock bdev - > bd_holder_lock .
2023-08-02 18:41:26 +03:00
*
2023-10-18 18:29:24 +03:00
* The function must be called with bdev - > bd_holder_lock and releases it .
2023-08-02 18:41:26 +03:00
*/
2023-09-27 16:21:16 +03:00
static struct super_block * bdev_super_lock ( struct block_device * bdev , bool excl )
2023-10-18 18:29:24 +03:00
__releases ( & bdev - > bd_holder_lock )
2023-06-01 12:44:54 +03:00
{
2023-10-18 18:29:24 +03:00
struct super_block * sb = bdev - > bd_holder ;
2023-10-24 16:01:07 +03:00
bool locked ;
2023-10-18 18:29:24 +03:00
lockdep_assert_held ( & bdev - > bd_holder_lock ) ;
lockdep_assert_not_held ( & sb - > s_umount ) ;
2023-10-17 21:48:23 +03:00
lockdep_assert_not_held ( & bdev - > bd_disk - > open_mutex ) ;
2023-10-18 18:29:24 +03:00
/* Make sure sb doesn't go away from under us */
spin_lock ( & sb_lock ) ;
sb - > s_count + + ;
spin_unlock ( & sb_lock ) ;
2023-09-27 16:21:16 +03:00
2023-10-18 18:29:24 +03:00
mutex_unlock ( & bdev - > bd_holder_lock ) ;
2023-06-01 12:44:54 +03:00
2023-09-27 16:21:16 +03:00
locked = super_lock ( sb , excl ) ;
2023-10-18 18:29:24 +03:00
/*
2023-09-27 16:21:16 +03:00
* If the superblock wasn ' t already SB_DYING then we hold
* s_umount and can safely drop our temporary reference .
*/
2023-10-18 18:29:24 +03:00
put_super ( sb ) ;
2023-09-27 16:21:16 +03:00
if ( ! locked )
return NULL ;
if ( ! sb - > s_root | | ! ( sb - > s_flags & SB_ACTIVE ) ) {
super_unlock ( sb , excl ) ;
return NULL ;
}
2023-10-18 18:29:24 +03:00
return sb ;
2023-08-02 18:41:26 +03:00
}
2023-08-11 13:08:25 +03:00
static void fs_bdev_mark_dead ( struct block_device * bdev , bool surprise )
2023-06-01 12:44:54 +03:00
{
2023-10-18 18:29:24 +03:00
struct super_block * sb ;
2023-08-02 18:41:26 +03:00
2023-09-27 16:21:16 +03:00
sb = bdev_super_lock ( bdev , false ) ;
2023-10-18 18:29:24 +03:00
if ( ! sb )
2023-06-01 12:44:54 +03:00
return ;
2023-08-11 13:08:25 +03:00
if ( ! surprise )
sync_filesystem ( sb ) ;
shrink_dcache_sb ( sb ) ;
2023-08-11 13:08:28 +03:00
invalidate_inodes ( sb ) ;
2023-06-01 12:44:54 +03:00
if ( sb - > s_op - > shutdown )
sb - > s_op - > shutdown ( sb ) ;
2023-08-02 18:41:26 +03:00
2023-08-18 17:00:48 +03:00
super_unlock_shared ( sb ) ;
2023-06-01 12:44:54 +03:00
}
2023-08-11 13:08:26 +03:00
static void fs_bdev_sync ( struct block_device * bdev )
{
2023-10-18 18:29:24 +03:00
struct super_block * sb ;
2023-08-11 13:08:26 +03:00
2023-09-27 16:21:16 +03:00
sb = bdev_super_lock ( bdev , false ) ;
2023-10-18 18:29:24 +03:00
if ( ! sb )
2023-08-11 13:08:26 +03:00
return ;
2023-09-27 16:21:16 +03:00
2023-08-11 13:08:26 +03:00
sync_filesystem ( sb ) ;
2023-08-18 17:00:48 +03:00
super_unlock_shared ( sb ) ;
2023-08-11 13:08:26 +03:00
}
2023-09-27 16:21:16 +03:00
static struct super_block * get_bdev_super ( struct block_device * bdev )
{
bool active = false ;
struct super_block * sb ;
sb = bdev_super_lock ( bdev , true ) ;
if ( sb ) {
active = atomic_inc_not_zero ( & sb - > s_active ) ;
super_unlock_excl ( sb ) ;
}
if ( ! active )
return NULL ;
return sb ;
}
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
/**
* fs_bdev_freeze - freeze owning filesystem of block device
* @ bdev : block device
*
* Freeze the filesystem that owns this block device if it is still
* active .
*
* A filesystem that owns multiple block devices may be frozen from each
* block device and won ' t be unfrozen until all block devices are
* unfrozen . Each block device can only freeze the filesystem once as we
* nest freezes for block devices in the block layer .
*
* Return : If the freeze was successful zero is returned . If the freeze
* failed a negative error code is returned .
*/
2023-09-27 16:21:16 +03:00
static int fs_bdev_freeze ( struct block_device * bdev )
{
struct super_block * sb ;
int error = 0 ;
lockdep_assert_held ( & bdev - > bd_fsfreeze_mutex ) ;
sb = get_bdev_super ( bdev ) ;
if ( ! sb )
return - EINVAL ;
if ( sb - > s_op - > freeze_super )
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
error = sb - > s_op - > freeze_super ( sb ,
FREEZE_MAY_NEST | FREEZE_HOLDER_USERSPACE ) ;
2023-09-27 16:21:16 +03:00
else
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
error = freeze_super ( sb ,
FREEZE_MAY_NEST | FREEZE_HOLDER_USERSPACE ) ;
2023-09-27 16:21:16 +03:00
if ( ! error )
error = sync_blockdev ( bdev ) ;
deactivate_super ( sb ) ;
return error ;
}
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
/**
* fs_bdev_thaw - thaw owning filesystem of block device
* @ bdev : block device
*
* Thaw the filesystem that owns this block device .
*
* A filesystem that owns multiple block devices may be frozen from each
* block device and won ' t be unfrozen until all block devices are
* unfrozen . Each block device can only freeze the filesystem once as we
* nest freezes for block devices in the block layer .
*
* Return : If the thaw was successful zero is returned . If the thaw
* failed a negative error code is returned . If this function
* returns zero it doesn ' t mean that the filesystem is unfrozen
* as it may have been frozen multiple times ( kernel may hold a
* freeze or might be frozen from other block devices ) .
*/
2023-09-27 16:21:16 +03:00
static int fs_bdev_thaw ( struct block_device * bdev )
{
struct super_block * sb ;
int error ;
lockdep_assert_held ( & bdev - > bd_fsfreeze_mutex ) ;
sb = get_bdev_super ( bdev ) ;
if ( WARN_ON_ONCE ( ! sb ) )
return - EINVAL ;
if ( sb - > s_op - > thaw_super )
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
error = sb - > s_op - > thaw_super ( sb ,
FREEZE_MAY_NEST | FREEZE_HOLDER_USERSPACE ) ;
2023-09-27 16:21:16 +03:00
else
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
error = thaw_super ( sb ,
FREEZE_MAY_NEST | FREEZE_HOLDER_USERSPACE ) ;
2023-09-27 16:21:16 +03:00
deactivate_super ( sb ) ;
return error ;
}
2024-03-14 17:24:13 +03:00
static void fs_bdev_super_get ( void * data )
{
struct super_block * sb = data ;
spin_lock ( & sb_lock ) ;
sb - > s_count + + ;
spin_unlock ( & sb_lock ) ;
}
static void fs_bdev_super_put ( void * data )
{
struct super_block * sb = data ;
put_super ( sb ) ;
}
2023-08-02 18:41:27 +03:00
const struct blk_holder_ops fs_holder_ops = {
2023-08-11 13:08:25 +03:00
. mark_dead = fs_bdev_mark_dead ,
2023-08-11 13:08:26 +03:00
. sync = fs_bdev_sync ,
2023-09-27 16:21:16 +03:00
. freeze = fs_bdev_freeze ,
. thaw = fs_bdev_thaw ,
2024-03-14 17:24:13 +03:00
. get_holder = fs_bdev_super_get ,
. put_holder = fs_bdev_super_put ,
2023-06-01 12:44:54 +03:00
} ;
2023-08-02 18:41:27 +03:00
EXPORT_SYMBOL_GPL ( fs_holder_ops ) ;
2019-03-27 17:15:16 +03:00
2023-08-02 18:41:20 +03:00
int setup_bdev_super ( struct super_block * sb , int sb_flags ,
2023-07-24 20:51:45 +03:00
struct fs_context * fc )
{
blk_mode_t mode = sb_open_mode ( sb_flags ) ;
2024-02-08 20:47:35 +03:00
struct file * bdev_file ;
2023-07-24 20:51:45 +03:00
struct block_device * bdev ;
2024-02-08 20:47:35 +03:00
bdev_file = bdev_file_open_by_dev ( sb - > s_dev , mode , sb , & fs_holder_ops ) ;
if ( IS_ERR ( bdev_file ) ) {
2023-07-24 20:51:45 +03:00
if ( fc )
errorf ( fc , " %s: Can't open blockdev " , fc - > source ) ;
2024-02-08 20:47:35 +03:00
return PTR_ERR ( bdev_file ) ;
2023-07-24 20:51:45 +03:00
}
2024-02-08 20:47:35 +03:00
bdev = file_bdev ( bdev_file ) ;
2023-07-24 20:51:45 +03:00
/*
* This really should be in blkdev_get_by_dev , but right now can ' t due
* to legacy issues that require us to allow opening a block device node
* writable from userspace even for a read - only block device .
*/
if ( ( mode & BLK_OPEN_WRITE ) & & bdev_read_only ( bdev ) ) {
2024-02-08 20:47:35 +03:00
fput ( bdev_file ) ;
2023-07-24 20:51:45 +03:00
return - EACCES ;
}
/*
2023-09-27 16:21:16 +03:00
* It is enough to check bdev was not frozen before we set
* s_bdev as freezing will wait until SB_BORN is set .
2023-07-24 20:51:45 +03:00
*/
2023-09-27 16:21:16 +03:00
if ( atomic_read ( & bdev - > bd_fsfreeze_count ) > 0 ) {
2023-07-24 20:51:45 +03:00
if ( fc )
warnf ( fc , " %pg: Can't mount, blockdev is frozen " , bdev ) ;
2024-02-08 20:47:35 +03:00
fput ( bdev_file ) ;
2023-07-24 20:51:45 +03:00
return - EBUSY ;
}
spin_lock ( & sb_lock ) ;
2024-02-08 20:47:35 +03:00
sb - > s_bdev_file = bdev_file ;
2023-07-24 20:51:45 +03:00
sb - > s_bdev = bdev ;
sb - > s_bdi = bdi_get ( bdev - > bd_disk - > bdi ) ;
if ( bdev_stable_writes ( bdev ) )
sb - > s_iflags | = SB_I_STABLE_WRITES ;
spin_unlock ( & sb_lock ) ;
snprintf ( sb - > s_id , sizeof ( sb - > s_id ) , " %pg " , bdev ) ;
2023-09-11 12:44:37 +03:00
shrinker_debugfs_rename ( sb - > s_shrink , " sb-%s:%s " , sb - > s_type - > name ,
2023-07-24 20:51:45 +03:00
sb - > s_id ) ;
sb_set_blocksize ( sb , block_size ( bdev ) ) ;
return 0 ;
2019-03-27 17:15:16 +03:00
}
2023-08-02 18:41:20 +03:00
EXPORT_SYMBOL_GPL ( setup_bdev_super ) ;
2019-03-27 17:15:16 +03:00
/**
* get_tree_bdev - Get a superblock based on a single block device
* @ fc : The filesystem context holding the parameters
* @ fill_super : Helper to initialise a new superblock
*/
int get_tree_bdev ( struct fs_context * fc ,
int ( * fill_super ) ( struct super_block * ,
struct fs_context * ) )
{
struct super_block * s ;
int error = 0 ;
2023-07-24 20:51:45 +03:00
dev_t dev ;
2019-03-27 17:15:16 +03:00
if ( ! fc - > source )
return invalf ( fc , " No source specified " ) ;
2023-07-24 20:51:45 +03:00
error = lookup_bdev ( fc - > source , & dev ) ;
if ( error ) {
errorf ( fc , " %s: Can't lookup blockdev " , fc - > source ) ;
return error ;
2019-03-27 17:15:16 +03:00
}
fc - > sb_flags | = SB_NOSEC ;
2023-08-29 18:23:56 +03:00
s = sget_dev ( fc , dev ) ;
2023-07-24 20:51:45 +03:00
if ( IS_ERR ( s ) )
2019-03-27 17:15:16 +03:00
return PTR_ERR ( s ) ;
if ( s - > s_root ) {
/* Don't summarily change the RO/RW state. */
if ( ( fc - > sb_flags ^ s - > s_flags ) & SB_RDONLY ) {
2023-07-24 20:51:45 +03:00
warnf ( fc , " %pg: Can't mount, would change RO state " , s - > s_bdev ) ;
2019-03-27 17:15:16 +03:00
deactivate_locked_super ( s ) ;
return - EBUSY ;
}
2023-07-24 20:51:45 +03:00
} else {
error = setup_bdev_super ( s , fc - > sb_flags , fc ) ;
if ( ! error )
error = fill_super ( s , fc ) ;
2019-03-27 17:15:16 +03:00
if ( error ) {
deactivate_locked_super ( s ) ;
return error ;
}
s - > s_flags | = SB_ACTIVE ;
}
BUG_ON ( fc - > root ) ;
fc - > root = dget ( s - > s_root ) ;
return 0 ;
}
EXPORT_SYMBOL ( get_tree_bdev ) ;
2005-04-17 02:20:36 +04:00
static int test_bdev_super ( struct super_block * s , void * data )
{
2023-07-24 20:51:45 +03:00
return ! ( s - > s_iflags & SB_I_RETIRED ) & & s - > s_dev = = * ( dev_t * ) data ;
2005-04-17 02:20:36 +04:00
}
2010-07-25 00:46:55 +04:00
struct dentry * mount_bdev ( struct file_system_type * fs_type ,
2005-04-17 02:20:36 +04:00
int flags , const char * dev_name , void * data ,
2010-07-25 00:46:55 +04:00
int ( * fill_super ) ( struct super_block * , void * , int ) )
2005-04-17 02:20:36 +04:00
{
struct super_block * s ;
2023-07-24 20:51:45 +03:00
int error ;
dev_t dev ;
2005-04-17 02:20:36 +04:00
2023-07-24 20:51:45 +03:00
error = lookup_bdev ( dev_name , & dev ) ;
if ( error )
return ERR_PTR ( error ) ;
2005-04-17 02:20:36 +04:00
2023-07-24 20:51:45 +03:00
flags | = SB_NOSEC ;
s = sget ( fs_type , test_bdev_super , set_bdev_super , flags , & dev ) ;
2005-04-17 02:20:36 +04:00
if ( IS_ERR ( s ) )
2023-07-24 20:51:45 +03:00
return ERR_CAST ( s ) ;
2005-04-17 02:20:36 +04:00
if ( s - > s_root ) {
2017-07-17 10:45:35 +03:00
if ( ( flags ^ s - > s_flags ) & SB_RDONLY ) {
2009-05-06 09:07:50 +04:00
deactivate_locked_super ( s ) ;
2023-07-24 20:51:45 +03:00
return ERR_PTR ( - EBUSY ) ;
2005-04-17 02:20:36 +04:00
}
2023-07-24 20:51:45 +03:00
} else {
error = setup_bdev_super ( s , flags , NULL ) ;
if ( ! error )
error = fill_super ( s , data , flags & SB_SILENT ? 1 : 0 ) ;
2005-04-17 02:20:36 +04:00
if ( error ) {
2009-05-06 09:07:50 +04:00
deactivate_locked_super ( s ) ;
2023-07-24 20:51:45 +03:00
return ERR_PTR ( error ) ;
2006-02-22 20:39:02 +03:00
}
[PATCH] VFS: Permit filesystem to override root dentry on mount
Extend the get_sb() filesystem operation to take an extra argument that
permits the VFS to pass in the target vfsmount that defines the mountpoint.
The filesystem is then required to manually set the superblock and root dentry
pointers. For most filesystems, this should be done with simple_set_mnt()
which will set the superblock pointer and then set the root dentry to the
superblock's s_root (as per the old default behaviour).
The get_sb() op now returns an integer as there's now no need to return the
superblock pointer.
This patch permits a superblock to be implicitly shared amongst several mount
points, such as can be done with NFS to avoid potential inode aliasing. In
such a case, simple_set_mnt() would not be called, and instead the mnt_root
and mnt_sb would be set directly.
The patch also makes the following changes:
(*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
pointer argument and return an integer, so most filesystems have to change
very little.
(*) If one of the convenience function is not used, then get_sb() should
normally call simple_set_mnt() to instantiate the vfsmount. This will
always return 0, and so can be tail-called from get_sb().
(*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
dcache upon superblock destruction rather than shrink_dcache_anon().
This is required because the superblock may now have multiple trees that
aren't actually bound to s_root, but that still need to be cleaned up. The
currently called functions assume that the whole tree is rooted at s_root,
and that anonymous dentries are not the roots of trees which results in
dentries being left unculled.
However, with the way NFS superblock sharing are currently set to be
implemented, these assumptions are violated: the root of the filesystem is
simply a dummy dentry and inode (the real inode for '/' may well be
inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
with child trees.
[*] Anonymous until discovered from another tree.
(*) The documentation has been adjusted, including the additional bit of
changing ext2_* into foo_* in the documentation.
[akpm@osdl.org: convert ipath_fs, do other stuff]
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Scott <nathans@sgi.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-23 13:02:57 +04:00
2017-07-17 10:45:35 +03:00
s - > s_flags | = SB_ACTIVE ;
2005-04-17 02:20:36 +04:00
}
2010-07-25 00:46:55 +04:00
return dget ( s - > s_root ) ;
}
EXPORT_SYMBOL ( mount_bdev ) ;
2005-04-17 02:20:36 +04:00
void kill_block_super ( struct super_block * sb )
{
struct block_device * bdev = sb - > s_bdev ;
generic_shutdown_super ( sb ) ;
2023-07-24 20:51:45 +03:00
if ( bdev ) {
sync_blockdev ( bdev ) ;
2024-02-08 20:47:35 +03:00
fput ( sb - > s_bdev_file ) ;
2023-07-24 20:51:45 +03:00
}
2005-04-17 02:20:36 +04:00
}
EXPORT_SYMBOL ( kill_block_super ) ;
[PATCH] BLOCK: Make it possible to disable the block layer [try #6]
Make it possible to disable the block layer. Not all embedded devices require
it, some can make do with just JFFS2, NFS, ramfs, etc - none of which require
the block layer to be present.
This patch does the following:
(*) Introduces CONFIG_BLOCK to disable the block layer, buffering and blockdev
support.
(*) Adds dependencies on CONFIG_BLOCK to any configuration item that controls
an item that uses the block layer. This includes:
(*) Block I/O tracing.
(*) Disk partition code.
(*) All filesystems that are block based, eg: Ext3, ReiserFS, ISOFS.
(*) The SCSI layer. As far as I can tell, even SCSI chardevs use the
block layer to do scheduling. Some drivers that use SCSI facilities -
such as USB storage - end up disabled indirectly from this.
(*) Various block-based device drivers, such as IDE and the old CDROM
drivers.
(*) MTD blockdev handling and FTL.
(*) JFFS - which uses set_bdev_super(), something it could avoid doing by
taking a leaf out of JFFS2's book.
(*) Makes most of the contents of linux/blkdev.h, linux/buffer_head.h and
linux/elevator.h contingent on CONFIG_BLOCK being set. sector_div() is,
however, still used in places, and so is still available.
(*) Also made contingent are the contents of linux/mpage.h, linux/genhd.h and
parts of linux/fs.h.
(*) Makes a number of files in fs/ contingent on CONFIG_BLOCK.
(*) Makes mm/bounce.c (bounce buffering) contingent on CONFIG_BLOCK.
(*) set_page_dirty() doesn't call __set_page_dirty_buffers() if CONFIG_BLOCK
is not enabled.
(*) fs/no-block.c is created to hold out-of-line stubs and things that are
required when CONFIG_BLOCK is not set:
(*) Default blockdev file operations (to give error ENODEV on opening).
(*) Makes some /proc changes:
(*) /proc/devices does not list any blockdevs.
(*) /proc/diskstats and /proc/partitions are contingent on CONFIG_BLOCK.
(*) Makes some compat ioctl handling contingent on CONFIG_BLOCK.
(*) If CONFIG_BLOCK is not defined, makes sys_quotactl() return -ENODEV if
given command other than Q_SYNC or if a special device is specified.
(*) In init/do_mounts.c, no reference is made to the blockdev routines if
CONFIG_BLOCK is not defined. This does not prohibit NFS roots or JFFS2.
(*) The bdflush, ioprio_set and ioprio_get syscalls can now be absent (return
error ENOSYS by way of cond_syscall if so).
(*) The seclvl_bd_claim() and seclvl_bd_release() security calls do nothing if
CONFIG_BLOCK is not set, since they can't then happen.
Signed-Off-By: David Howells <dhowells@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2006-09-30 22:45:40 +04:00
# endif
2005-04-17 02:20:36 +04:00
2010-07-25 11:46:36 +04:00
struct dentry * mount_nodev ( struct file_system_type * fs_type ,
2005-04-17 02:20:36 +04:00
int flags , void * data ,
2010-07-25 11:46:36 +04:00
int ( * fill_super ) ( struct super_block * , void * , int ) )
2005-04-17 02:20:36 +04:00
{
int error ;
2012-06-25 15:55:37 +04:00
struct super_block * s = sget ( fs_type , NULL , set_anon_super , flags , NULL ) ;
2005-04-17 02:20:36 +04:00
if ( IS_ERR ( s ) )
2010-07-25 11:46:36 +04:00
return ERR_CAST ( s ) ;
2005-04-17 02:20:36 +04:00
2017-07-17 10:45:35 +03:00
error = fill_super ( s , data , flags & SB_SILENT ? 1 : 0 ) ;
2005-04-17 02:20:36 +04:00
if ( error ) {
2009-05-06 09:07:50 +04:00
deactivate_locked_super ( s ) ;
2010-07-25 11:46:36 +04:00
return ERR_PTR ( error ) ;
2005-04-17 02:20:36 +04:00
}
2017-07-17 10:45:35 +03:00
s - > s_flags | = SB_ACTIVE ;
2010-07-25 11:46:36 +04:00
return dget ( s - > s_root ) ;
2005-04-17 02:20:36 +04:00
}
2010-07-25 11:46:36 +04:00
EXPORT_SYMBOL ( mount_nodev ) ;
2022-01-17 01:07:26 +03:00
int reconfigure_single ( struct super_block * s ,
int flags , void * data )
2018-11-04 17:28:36 +03:00
{
struct fs_context * fc ;
int ret ;
/* The caller really need to be passing fc down into mount_single(),
* then a chunk of this can be removed . [ Bollocks - - AV ]
* Better yet , reconfiguration shouldn ' t happen , but rather the second
* mount should be rejected if the parameters are not compatible .
*/
fc = fs_context_for_reconfigure ( s - > s_root , flags , MS_RMT_MASK ) ;
if ( IS_ERR ( fc ) )
return PTR_ERR ( fc ) ;
ret = parse_monolithic_mount_data ( fc , data ) ;
if ( ret < 0 )
goto out ;
ret = reconfigure_super ( fc ) ;
out :
put_fs_context ( fc ) ;
return ret ;
}
2005-04-17 02:20:36 +04:00
static int compare_single ( struct super_block * s , void * p )
{
return 1 ;
}
2010-07-25 01:48:30 +04:00
struct dentry * mount_single ( struct file_system_type * fs_type ,
2005-04-17 02:20:36 +04:00
int flags , void * data ,
2010-07-25 01:48:30 +04:00
int ( * fill_super ) ( struct super_block * , void * , int ) )
2005-04-17 02:20:36 +04:00
{
struct super_block * s ;
int error ;
2012-06-25 15:55:37 +04:00
s = sget ( fs_type , compare_single , set_anon_super , flags , NULL ) ;
2005-04-17 02:20:36 +04:00
if ( IS_ERR ( s ) )
2010-07-25 01:48:30 +04:00
return ERR_CAST ( s ) ;
2005-04-17 02:20:36 +04:00
if ( ! s - > s_root ) {
2017-07-17 10:45:35 +03:00
error = fill_super ( s , data , flags & SB_SILENT ? 1 : 0 ) ;
2018-11-04 17:28:36 +03:00
if ( ! error )
s - > s_flags | = SB_ACTIVE ;
2009-12-18 23:18:15 +03:00
} else {
2018-11-04 17:28:36 +03:00
error = reconfigure_single ( s , flags , data ) ;
}
if ( unlikely ( error ) ) {
deactivate_locked_super ( s ) ;
return ERR_PTR ( error ) ;
2005-04-17 02:20:36 +04:00
}
2010-07-25 01:48:30 +04:00
return dget ( s - > s_root ) ;
}
EXPORT_SYMBOL ( mount_single ) ;
2018-11-04 11:19:03 +03:00
/**
* vfs_get_tree - Get the mountable root
* @ fc : The superblock configuration context .
*
* The filesystem is invoked to get or create a superblock which can then later
* be used for mounting . The filesystem places a pointer to the root to be
* used for mounting in @ fc - > root .
*/
int vfs_get_tree ( struct fs_context * fc )
2005-04-17 02:20:36 +04:00
{
2011-03-18 05:08:28 +03:00
struct super_block * sb ;
2018-11-04 11:19:03 +03:00
int error ;
2010-02-05 17:30:46 +03:00
2018-12-24 02:55:56 +03:00
if ( fc - > root )
return - EBUSY ;
/* Get the mountable root in fc->root, with a ref on the root and a ref
* on the superblock .
*/
error = fc - > ops - > get_tree ( fc ) ;
2018-11-04 11:19:03 +03:00
if ( error < 0 )
return error ;
2005-04-17 02:20:36 +04:00
2018-12-24 02:55:56 +03:00
if ( ! fc - > root ) {
pr_err ( " Filesystem %s get_tree() didn't set fc->root \n " ,
fc - > fs_type - > name ) ;
/* We don't know what the locking state of the superblock is -
* if there is a superblock .
*/
BUG ( ) ;
}
2018-11-04 11:19:03 +03:00
sb = fc - > root - > d_sb ;
2011-03-18 05:08:28 +03:00
WARN_ON ( ! sb - > s_bdi ) ;
2018-05-11 04:20:57 +03:00
/*
2023-08-18 17:00:50 +03:00
* super_wake ( ) contains a memory barrier which also care of
* ordering for super_cache_count ( ) . We place it before setting
* SB_BORN as the data dependency between the two functions is
* the superblock structure contents that we just set up , not
* the SB_BORN flag .
2018-05-11 04:20:57 +03:00
*/
2023-08-18 17:00:50 +03:00
super_wake ( sb , SB_BORN ) ;
[PATCH] VFS: Permit filesystem to override root dentry on mount
Extend the get_sb() filesystem operation to take an extra argument that
permits the VFS to pass in the target vfsmount that defines the mountpoint.
The filesystem is then required to manually set the superblock and root dentry
pointers. For most filesystems, this should be done with simple_set_mnt()
which will set the superblock pointer and then set the root dentry to the
superblock's s_root (as per the old default behaviour).
The get_sb() op now returns an integer as there's now no need to return the
superblock pointer.
This patch permits a superblock to be implicitly shared amongst several mount
points, such as can be done with NFS to avoid potential inode aliasing. In
such a case, simple_set_mnt() would not be called, and instead the mnt_root
and mnt_sb would be set directly.
The patch also makes the following changes:
(*) the get_sb_*() convenience functions in the core kernel now take a vfsmount
pointer argument and return an integer, so most filesystems have to change
very little.
(*) If one of the convenience function is not used, then get_sb() should
normally call simple_set_mnt() to instantiate the vfsmount. This will
always return 0, and so can be tail-called from get_sb().
(*) generic_shutdown_super() now calls shrink_dcache_sb() to clean up the
dcache upon superblock destruction rather than shrink_dcache_anon().
This is required because the superblock may now have multiple trees that
aren't actually bound to s_root, but that still need to be cleaned up. The
currently called functions assume that the whole tree is rooted at s_root,
and that anonymous dentries are not the roots of trees which results in
dentries being left unculled.
However, with the way NFS superblock sharing are currently set to be
implemented, these assumptions are violated: the root of the filesystem is
simply a dummy dentry and inode (the real inode for '/' may well be
inaccessible), and all the vfsmounts are rooted on anonymous[*] dentries
with child trees.
[*] Anonymous until discovered from another tree.
(*) The documentation has been adjusted, including the additional bit of
changing ext2_* into foo_* in the documentation.
[akpm@osdl.org: convert ipath_fs, do other stuff]
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Nathan Scott <nathans@sgi.com>
Cc: Roland Dreier <rolandd@cisco.com>
Signed-off-by: Andrew Morton <akpm@osdl.org>
Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2006-06-23 13:02:57 +04:00
2018-11-04 11:19:03 +03:00
error = security_sb_set_mnt_opts ( sb , fc - > security , 0 , NULL ) ;
2018-12-20 23:04:50 +03:00
if ( unlikely ( error ) ) {
fc_drop_locked ( fc ) ;
return error ;
2018-12-05 19:58:35 +03:00
}
2009-09-19 00:05:53 +04:00
/*
* filesystems should never set s_maxbytes larger than MAX_LFS_FILESIZE
* but s_maxbytes was an unsigned long long for many releases . Throw
* this warning for a little while to try and catch filesystems that
2011-03-29 17:33:31 +04:00
* violate this rule .
2009-09-19 00:05:53 +04:00
*/
2011-03-18 05:08:28 +03:00
WARN ( ( sb - > s_maxbytes < 0 ) , " %s set sb->s_maxbytes to "
2018-11-04 11:19:03 +03:00
" negative value (%lld) \n " , fc - > fs_type - > name , sb - > s_maxbytes ) ;
2009-09-19 00:05:53 +04:00
2018-11-04 11:19:03 +03:00
return 0 ;
2005-04-17 02:20:36 +04:00
}
2018-11-04 11:19:03 +03:00
EXPORT_SYMBOL ( vfs_get_tree ) ;
2005-04-17 02:20:36 +04:00
2017-04-12 13:24:28 +03:00
/*
* Setup private BDI for given superblock . It gets automatically cleaned up
* in generic_shutdown_super ( ) .
*/
int super_setup_bdi_name ( struct super_block * sb , char * fmt , . . . )
{
struct backing_dev_info * bdi ;
int err ;
va_list args ;
2020-05-04 15:48:00 +03:00
bdi = bdi_alloc ( NUMA_NO_NODE ) ;
2017-04-12 13:24:28 +03:00
if ( ! bdi )
return - ENOMEM ;
va_start ( args , fmt ) ;
2017-04-12 13:24:49 +03:00
err = bdi_register_va ( bdi , fmt , args ) ;
2017-04-12 13:24:28 +03:00
va_end ( args ) ;
if ( err ) {
bdi_put ( bdi ) ;
return err ;
}
WARN_ON ( sb - > s_bdi ! = & noop_backing_dev_info ) ;
sb - > s_bdi = bdi ;
2021-11-05 23:36:58 +03:00
sb - > s_iflags | = SB_I_PERSB_BDI ;
2017-04-12 13:24:28 +03:00
return 0 ;
}
EXPORT_SYMBOL ( super_setup_bdi_name ) ;
/*
* Setup private BDI for given superblock . I gets automatically cleaned up
* in generic_shutdown_super ( ) .
*/
int super_setup_bdi ( struct super_block * sb )
{
static atomic_long_t bdi_seq = ATOMIC_LONG_INIT ( 0 ) ;
return super_setup_bdi_name ( sb , " %.28s-%ld " , sb - > s_type - > name ,
atomic_long_inc_return ( & bdi_seq ) ) ;
}
EXPORT_SYMBOL ( super_setup_bdi ) ;
2012-06-12 18:20:34 +04:00
/**
* sb_wait_write - wait until all writers to given file system finish
* @ sb : the super for which we wait
* @ level : type of writers we wait for ( normal vs page fault )
*
* This function waits until there are no writers of given type to given file
2015-08-11 18:05:04 +03:00
* system .
2012-06-12 18:20:34 +04:00
*/
static void sb_wait_write ( struct super_block * sb , int level )
{
2015-08-11 18:05:04 +03:00
percpu_down_write ( sb - > s_writers . rw_sem + level - 1 ) ;
}
2012-06-12 18:20:34 +04:00
2016-09-26 19:55:25 +03:00
/*
* We are going to return to userspace and forget about these locks , the
* ownership goes to the caller of thaw_super ( ) which does unlock ( ) .
*/
static void lockdep_sb_freeze_release ( struct super_block * sb )
{
int level ;
for ( level = SB_FREEZE_LEVELS - 1 ; level > = 0 ; level - - )
percpu_rwsem_release ( sb - > s_writers . rw_sem + level , 0 , _THIS_IP_ ) ;
}
/*
* Tell lockdep we are holding these locks before we call - > unfreeze_fs ( sb ) .
*/
static void lockdep_sb_freeze_acquire ( struct super_block * sb )
2015-08-11 18:05:04 +03:00
{
int level ;
2012-06-12 18:20:34 +04:00
2015-08-11 18:05:04 +03:00
for ( level = 0 ; level < SB_FREEZE_LEVELS ; + + level )
percpu_rwsem_acquire ( sb - > s_writers . rw_sem + level , 0 , _THIS_IP_ ) ;
2016-09-26 19:55:25 +03:00
}
2022-01-30 19:53:16 +03:00
static void sb_freeze_unlock ( struct super_block * sb , int level )
2016-09-26 19:55:25 +03:00
{
2022-01-30 19:53:16 +03:00
for ( level - - ; level > = 0 ; level - - )
2015-08-11 18:05:04 +03:00
percpu_up_write ( sb - > s_writers . rw_sem + level ) ;
2012-06-12 18:20:34 +04:00
}
2023-07-17 19:00:10 +03:00
static int wait_for_partially_frozen ( struct super_block * sb )
{
int ret = 0 ;
do {
unsigned short old = sb - > s_writers . frozen ;
up_write ( & sb - > s_umount ) ;
ret = wait_var_event_killable ( & sb - > s_writers . frozen ,
sb - > s_writers . frozen ! = old ) ;
down_write ( & sb - > s_umount ) ;
} while ( ret = = 0 & &
sb - > s_writers . frozen ! = SB_UNFROZEN & &
sb - > s_writers . frozen ! = SB_FREEZE_COMPLETE ) ;
return ret ;
}
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
# define FREEZE_HOLDERS (FREEZE_HOLDER_KERNEL | FREEZE_HOLDER_USERSPACE)
# define FREEZE_FLAGS (FREEZE_HOLDERS | FREEZE_MAY_NEST)
static inline int freeze_inc ( struct super_block * sb , enum freeze_holder who )
{
WARN_ON_ONCE ( ( who & ~ FREEZE_FLAGS ) ) ;
WARN_ON_ONCE ( hweight32 ( who & FREEZE_HOLDERS ) > 1 ) ;
if ( who & FREEZE_HOLDER_KERNEL )
+ + sb - > s_writers . freeze_kcount ;
if ( who & FREEZE_HOLDER_USERSPACE )
+ + sb - > s_writers . freeze_ucount ;
return sb - > s_writers . freeze_kcount + sb - > s_writers . freeze_ucount ;
}
static inline int freeze_dec ( struct super_block * sb , enum freeze_holder who )
{
WARN_ON_ONCE ( ( who & ~ FREEZE_FLAGS ) ) ;
WARN_ON_ONCE ( hweight32 ( who & FREEZE_HOLDERS ) > 1 ) ;
if ( ( who & FREEZE_HOLDER_KERNEL ) & & sb - > s_writers . freeze_kcount )
- - sb - > s_writers . freeze_kcount ;
if ( ( who & FREEZE_HOLDER_USERSPACE ) & & sb - > s_writers . freeze_ucount )
- - sb - > s_writers . freeze_ucount ;
return sb - > s_writers . freeze_kcount + sb - > s_writers . freeze_ucount ;
}
static inline bool may_freeze ( struct super_block * sb , enum freeze_holder who )
{
WARN_ON_ONCE ( ( who & ~ FREEZE_FLAGS ) ) ;
WARN_ON_ONCE ( hweight32 ( who & FREEZE_HOLDERS ) > 1 ) ;
if ( who & FREEZE_HOLDER_KERNEL )
return ( who & FREEZE_MAY_NEST ) | |
sb - > s_writers . freeze_kcount = = 0 ;
if ( who & FREEZE_HOLDER_USERSPACE )
return ( who & FREEZE_MAY_NEST ) | |
sb - > s_writers . freeze_ucount = = 0 ;
return false ;
}
2010-03-23 17:34:56 +03:00
/**
2010-05-25 09:22:34 +04:00
* freeze_super - lock the filesystem and force it into a consistent state
* @ sb : the super to lock
2023-07-17 19:00:09 +03:00
* @ who : context that wants to freeze
2010-03-23 17:34:56 +03:00
*
* Syncs the super to make sure the filesystem is consistent and calls the fs ' s
2023-07-17 19:00:09 +03:00
* freeze_fs . Subsequent calls to this without first thawing the fs may return
2010-03-23 17:34:56 +03:00
* - EBUSY .
2012-06-12 18:20:34 +04:00
*
2023-07-17 19:00:09 +03:00
* @ who should be :
* * % FREEZE_HOLDER_USERSPACE if userspace wants to freeze the fs ;
* * % FREEZE_HOLDER_KERNEL if the kernel wants to freeze the fs .
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
* * % FREEZE_MAY_NEST whether nesting freeze and thaw requests is allowed .
2023-07-17 19:00:09 +03:00
*
* The @ who argument distinguishes between the kernel and userspace trying to
* freeze the filesystem . Although there cannot be multiple kernel freezes or
* multiple userspace freezes in effect at any given time , the kernel and
* userspace can both hold a filesystem frozen . The filesystem remains frozen
* until there are no kernel or userspace freezes in effect .
*
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
* A filesystem may hold multiple devices and thus a filesystems may be
* frozen through the block layer via multiple block devices . In this
* case the request is marked as being allowed to nest by passing
* FREEZE_MAY_NEST . The filesystem remains frozen until all block
* devices are unfrozen . If multiple freezes are attempted without
* FREEZE_MAY_NEST - EBUSY will be returned .
*
2012-06-12 18:20:34 +04:00
* During this function , sb - > s_writers . frozen goes through these values :
*
* SB_UNFROZEN : File system is normal , all writes progress as usual .
*
* SB_FREEZE_WRITE : The file system is in the process of being frozen . New
* writes should be blocked , though page faults are still allowed . We wait for
* all writes to complete and then proceed to the next stage .
*
* SB_FREEZE_PAGEFAULT : Freezing continues . Now also page faults are blocked
* but internal fs threads can still modify the filesystem ( although they
* should not dirty new pages or inodes ) , writeback can run etc . After waiting
* for all running page faults we sync the filesystem which will clean all
* dirty pages and inodes ( no new dirty pages or inodes can be created when
* sync is running ) .
*
* SB_FREEZE_FS : The file system is frozen . Now all internal sources of fs
* modification are blocked ( e . g . XFS preallocation truncation on inode
* reclaim ) . This is usually implemented by blocking new transactions for
* filesystems that have them and need this additional guard . After all
* internal writers are finished we call - > freeze_fs ( ) to finish filesystem
* freezing . Then we transition to SB_FREEZE_COMPLETE state . This state is
* mostly auxiliary for filesystems to verify they do not modify frozen fs .
*
* sb - > s_writers . frozen is protected by sb - > s_umount .
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
*
* Return : If the freeze was successful zero is returned . If the freeze
* failed a negative error code is returned .
2010-03-23 17:34:56 +03:00
*/
2023-07-17 19:00:09 +03:00
int freeze_super ( struct super_block * sb , enum freeze_holder who )
2010-03-23 17:34:56 +03:00
{
int ret ;
2023-10-24 16:01:07 +03:00
if ( ! super_lock_excl ( sb ) ) {
WARN_ON_ONCE ( " Dying superblock while freezing! " ) ;
return - EINVAL ;
}
2010-03-23 17:34:56 +03:00
atomic_inc ( & sb - > s_active ) ;
2023-08-22 14:32:50 +03:00
2023-07-17 19:00:10 +03:00
retry :
2023-07-17 19:00:09 +03:00
if ( sb - > s_writers . frozen = = SB_FREEZE_COMPLETE ) {
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
if ( may_freeze ( sb , who ) )
ret = ! ! WARN_ON_ONCE ( freeze_inc ( sb , who ) = = 1 ) ;
else
ret = - EBUSY ;
/* All freezers share a single active reference. */
deactivate_locked_super ( sb ) ;
return ret ;
2023-07-17 19:00:09 +03:00
}
2012-06-12 18:20:34 +04:00
if ( sb - > s_writers . frozen ! = SB_UNFROZEN ) {
2023-07-17 19:00:10 +03:00
ret = wait_for_partially_frozen ( sb ) ;
if ( ret ) {
deactivate_locked_super ( sb ) ;
return ret ;
}
goto retry ;
2010-03-23 17:34:56 +03:00
}
2017-07-17 10:45:34 +03:00
if ( sb_rdonly ( sb ) ) {
2012-06-12 18:20:34 +04:00
/* Nothing to do really... */
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
WARN_ON_ONCE ( freeze_inc ( sb , who ) > 1 ) ;
2012-06-12 18:20:34 +04:00
sb - > s_writers . frozen = SB_FREEZE_COMPLETE ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2010-03-23 17:34:56 +03:00
return 0 ;
}
2012-06-12 18:20:34 +04:00
sb - > s_writers . frozen = SB_FREEZE_WRITE ;
/* Release s_umount to preserve sb_start_write -> s_umount ordering */
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2012-06-12 18:20:34 +04:00
sb_wait_write ( sb , SB_FREEZE_WRITE ) ;
2023-11-27 14:51:31 +03:00
__super_lock_excl ( sb ) ;
2012-06-12 18:20:34 +04:00
/* Now we go and block page faults... */
sb - > s_writers . frozen = SB_FREEZE_PAGEFAULT ;
sb_wait_write ( sb , SB_FREEZE_PAGEFAULT ) ;
/* All writers are done so after syncing there won't be dirty data */
2022-01-30 19:53:16 +03:00
ret = sync_filesystem ( sb ) ;
if ( ret ) {
sb - > s_writers . frozen = SB_UNFROZEN ;
sb_freeze_unlock ( sb , SB_FREEZE_PAGEFAULT ) ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2022-01-30 19:53:16 +03:00
deactivate_locked_super ( sb ) ;
return ret ;
}
2010-03-23 17:34:56 +03:00
2012-06-12 18:20:34 +04:00
/* Now wait for internal filesystem counter */
sb - > s_writers . frozen = SB_FREEZE_FS ;
sb_wait_write ( sb , SB_FREEZE_FS ) ;
2010-03-23 17:34:56 +03:00
if ( sb - > s_op - > freeze_fs ) {
ret = sb - > s_op - > freeze_fs ( sb ) ;
if ( ret ) {
printk ( KERN_ERR
" VFS:Filesystem freeze failed \n " ) ;
2012-06-12 18:20:34 +04:00
sb - > s_writers . frozen = SB_UNFROZEN ;
2022-01-30 19:53:16 +03:00
sb_freeze_unlock ( sb , SB_FREEZE_FS ) ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2010-03-23 17:34:56 +03:00
deactivate_locked_super ( sb ) ;
return ret ;
}
}
2012-06-12 18:20:34 +04:00
/*
2016-09-26 19:07:48 +03:00
* For debugging purposes so that fs can warn if it sees write activity
* when frozen is set to SB_FREEZE_COMPLETE , and for thaw_super ( ) .
2012-06-12 18:20:34 +04:00
*/
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
WARN_ON_ONCE ( freeze_inc ( sb , who ) > 1 ) ;
2012-06-12 18:20:34 +04:00
sb - > s_writers . frozen = SB_FREEZE_COMPLETE ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2016-09-26 19:55:25 +03:00
lockdep_sb_freeze_release ( sb ) ;
2023-08-18 17:00:48 +03:00
super_unlock_excl ( sb ) ;
2010-03-23 17:34:56 +03:00
return 0 ;
}
EXPORT_SYMBOL ( freeze_super ) ;
2023-07-17 19:00:09 +03:00
/*
* Undoes the effect of a freeze_super_locked call . If the filesystem is
* frozen both by userspace and the kernel , a thaw call from either source
* removes that state without releasing the other state or unlocking the
* filesystem .
*/
static int thaw_super_locked ( struct super_block * sb , enum freeze_holder who )
2010-03-23 17:34:56 +03:00
{
2023-10-27 09:40:01 +03:00
int error = - EINVAL ;
2010-03-23 17:34:56 +03:00
2023-10-27 09:40:01 +03:00
if ( sb - > s_writers . frozen ! = SB_FREEZE_COMPLETE )
goto out_unlock ;
2023-07-17 19:00:09 +03:00
2023-10-27 09:40:01 +03:00
/*
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
* All freezers share a single active reference .
* So just unlock in case there are any left .
2023-10-27 09:40:01 +03:00
*/
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
if ( freeze_dec ( sb , who ) )
goto out_unlock ;
2010-03-23 17:34:56 +03:00
2017-07-17 10:45:34 +03:00
if ( sb_rdonly ( sb ) ) {
2015-08-11 18:05:04 +03:00
sb - > s_writers . frozen = SB_UNFROZEN ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2023-10-27 09:40:01 +03:00
goto out_deactivate ;
2015-08-11 18:05:04 +03:00
}
2010-03-23 17:34:56 +03:00
2016-09-26 19:55:25 +03:00
lockdep_sb_freeze_acquire ( sb ) ;
2010-03-23 17:34:56 +03:00
if ( sb - > s_op - > unfreeze_fs ) {
error = sb - > s_op - > unfreeze_fs ( sb ) ;
if ( error ) {
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
pr_err ( " VFS: Filesystem thaw failed \n " ) ;
freeze_inc ( sb , who ) ;
2016-09-26 19:55:25 +03:00
lockdep_sb_freeze_release ( sb ) ;
2023-10-27 09:40:01 +03:00
goto out_unlock ;
2010-03-23 17:34:56 +03:00
}
}
2012-06-12 18:20:34 +04:00
sb - > s_writers . frozen = SB_UNFROZEN ;
2023-07-17 19:00:10 +03:00
wake_up_var ( & sb - > s_writers . frozen ) ;
2022-01-30 19:53:16 +03:00
sb_freeze_unlock ( sb , SB_FREEZE_FS ) ;
2023-10-27 09:40:01 +03:00
out_deactivate :
2010-03-23 17:34:56 +03:00
deactivate_locked_super ( sb ) ;
return 0 ;
2023-10-27 09:40:01 +03:00
out_unlock :
super_unlock_excl ( sb ) ;
return error ;
2010-03-23 17:34:56 +03:00
}
2017-10-03 19:17:41 +03:00
2021-01-14 11:04:39 +03:00
/**
* thaw_super - - unlock filesystem
* @ sb : the super to thaw
2023-07-17 19:00:09 +03:00
* @ who : context that wants to freeze
*
* Unlocks the filesystem and marks it writeable again after freeze_super ( )
* if there are no remaining freezes on the filesystem .
2021-01-14 11:04:39 +03:00
*
2023-07-17 19:00:09 +03:00
* @ who should be :
* * % FREEZE_HOLDER_USERSPACE if userspace wants to thaw the fs ;
* * % FREEZE_HOLDER_KERNEL if the kernel wants to thaw the fs .
fs: handle freezing from multiple devices
Before [1] freezing a filesystems through the block layer only worked
for the main block device as the owning superblock of additional block
devices could not be found. Any filesystem that made use of multiple
block devices would only be freezable via it's main block device.
For example, consider xfs over device mapper with /dev/dm-0 as main
block device and /dev/dm-1 as external log device. Two freeze requests
before [1]:
(1) dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2) dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-1)
-> dm-1->bd_fsfreeze_count++
The owning superblock isn't found and only the block device freeze
count is incremented. Returns 0.
Two freeze requests after [1]:
(1') dmsetup suspend /dev/dm-0 on the main block device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns 0.
(2') dmsetup suspend /dev/dm-1 on the log device
bdev_freeze(dm-0)
-> dm-0->bd_fsfreeze_count++
-> freeze_super(xfs-sb)
The owning superblock is found and the filesystem gets frozen.
Returns -EBUSY.
When (2') is called we initiate a freeze from another block device of
the same superblock. So we increment the bd_fsfreeze_count for that
additional block device. But we now also find the owning superblock for
additional block devices and call freeze_super() again which reports
-EBUSY.
This can be reproduced through xfstests via:
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p4 /dev/nvme1n1p3
mkfs.xfs -f -m crc=1,reflink=1,rmapbt=1, -i sparse=1 -lsize=1g,logdev=/dev/nvme1n1p6 /dev/nvme1n1p5
FSTYP=xfs
export TEST_DEV=/dev/nvme1n1p3
export TEST_DIR=/mnt/test
export TEST_LOGDEV=/dev/nvme1n1p4
export SCRATCH_DEV=/dev/nvme1n1p5
export SCRATCH_MNT=/mnt/scratch
export SCRATCH_LOGDEV=/dev/nvme1n1p6
export USE_EXTERNAL=yes
sudo ./check generic/311
Current semantics allow two concurrent freezers: one initiated from
userspace via FREEZE_HOLDER_USERSPACE and one initiated from the kernel
via FREEZE_HOLDER_KERNEL. If there are multiple concurrent freeze
requests from either FREEZE_HOLDER_USERSPACE or FREEZE_HOLDER_KERNEL
-EBUSY is returned.
We need to preserve these semantics because as they are uapi via
FIFREEZE and FITHAW ioctl()s. IOW, freezes don't nest for FIFREEZE and
FITHAW. Other kernels consumers rely on non-nesting freezes as well.
With freezes initiated from the block layer freezes need to nest if the
same superblock is frozen via multiple devices. So we need to start
counting the number of freeze requests.
If FREEZE_MAY_NEST is passed alongside FREEZE_HOLDER_KERNEL or
FREEZE_HOLDER_USERSPACE we allow the caller to nest freeze calls.
To accommodate the old semantics we split the freeze counter into two
counting kernel initiated and userspace initiated freezes separately. We
can then also stop recording FREEZE_HOLDER_* in struct sb_writers.
We also simplify freezing by making all concurrent freezers share a
single active superblock reference count instead of having separate
references for kernel and userspace. I don't see why we would need two
active reference counts. Neither FREEZE_HOLDER_KERNEL nor
FREEZE_HOLDER_USERSPACE can put the active reference as long as they are
concurrent freezers anwyay. That was already true before we allowed
nesting freezes.
Survives various fstests runs with different options including the
reproducer, online scrub, and online repair, fsfreze, and so on. Also
survives blktests.
Link: https://lore.kernel.org/linux-block/87bkccnwxc.fsf@debian-BULLSEYE-live-builder-AMD64
Link: https://lore.kernel.org/r/20231104-vfs-multi-device-freeze-v2-2-5b5b69626eac@kernel.org
Fixes: 288d8706abfc ("bdev: implement freeze and thaw holder operations") [1] # no backport needed
Tested-by: Chandan Babu R <chandanbabu@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Jan Kara <jack@suse.cz>
Reported-by: Chandan Babu R <chandanbabu@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
2023-11-04 17:00:13 +03:00
* * % FREEZE_MAY_NEST whether nesting freeze and thaw requests is allowed
*
* A filesystem may hold multiple devices and thus a filesystems may
* have been frozen through the block layer via multiple block devices .
* The filesystem remains frozen until all block devices are unfrozen .
2021-01-14 11:04:39 +03:00
*/
2023-07-17 19:00:09 +03:00
int thaw_super ( struct super_block * sb , enum freeze_holder who )
2017-10-03 19:17:41 +03:00
{
2023-10-24 16:01:07 +03:00
if ( ! super_lock_excl ( sb ) ) {
WARN_ON_ONCE ( " Dying superblock while thawing! " ) ;
return - EINVAL ;
}
2023-07-17 19:00:09 +03:00
return thaw_super_locked ( sb , who ) ;
2017-10-03 19:17:41 +03:00
}
2010-03-23 17:34:56 +03:00
EXPORT_SYMBOL ( thaw_super ) ;
2023-01-25 09:58:38 +03:00
/*
* Create workqueue for deferred direct IO completions . We allocate the
* workqueue when it ' s first needed . This avoids creating workqueue for
* filesystems that don ' t need it and also allows us to create the workqueue
* late enough so the we can include s_id in the name of the workqueue .
*/
int sb_init_dio_done_wq ( struct super_block * sb )
{
struct workqueue_struct * old ;
struct workqueue_struct * wq = alloc_workqueue ( " dio/%s " ,
WQ_MEM_RECLAIM , 0 ,
sb - > s_id ) ;
if ( ! wq )
return - ENOMEM ;
/*
* This has to be atomic as more DIOs can race to create the workqueue
*/
old = cmpxchg ( & sb - > s_dio_done_wq , NULL , wq ) ;
/* Someone created workqueue before us? Free ours... */
if ( old )
destroy_workqueue ( wq ) ;
return 0 ;
}
2023-08-22 20:50:59 +03:00
EXPORT_SYMBOL_GPL ( sb_init_dio_done_wq ) ;