lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20130408162819.GA24008@andromeda.usersys.redhat.com>
Date:	Mon, 8 Apr 2013 13:28:20 -0300
From:	Carlos Maiolino <cmaiolino@...hat.com>
To:	Lukas Czerner <lczerner@...hat.com>
Cc:	linux-ext4@...r.kernel.org, tytso@....edu
Subject: Re: [PATCH v2] ext4: introduce reserved space

Looks Good,
Thanks Lukas.

Reviewed-by: Carlos Maiolino <cmaiolino@...hat.com>


On Mon, Apr 08, 2013 at 03:43:32PM +0200, Lukas Czerner wrote:
> Currently in ENOSPC condition when writing into unwritten space, or
> punching a hole, we might need to split the extent and grow extent tree.
> However since we can not allocate any new metadata blocks we'll have to
> zero out unwritten part of extent or punched out part of extent, or in
> the worst case return ENOSPC even though use actually does not allocate
> any space.
> 
> Also in delalloc path we do reserve metadata and data blocks for the
> time we're going to write out, however metadata block reservation is
> very tricky especially since we expect that logical connectivity implies
> physical connectivity, however that might not be the case and hence we
> might end up allocating more metadata blocks than previously reserved.
> So in future, metadata reservation checks should be removed since we can
> not assure that we do not under reserve.
> 
> And this is where reserved space comes into the picture. When mounting
> the file system we slice off a little bit of the file system space (2%
> or 4096 clusters, whichever is smaller) which can be then used for the
> cases mentioned above to prevent costly zeroout, or unexpected ENOSPC.
> 
> The number of reserved clusters can be set via sysfs, however it can
> never be bigger than number of free clusters in the file system.
> 
> Note that this patch fixes the failure of xfstest 274 as expected.
> 
> Signed-off-by: Lukas Czerner <lczerner@...hat.com>
> ---
> v2: Mount even if there is not enough free space to reserve
> 
>  Documentation/filesystems/ext4.txt |   11 +++++
>  fs/ext4/balloc.c                   |   18 ++++++--
>  fs/ext4/ext4.h                     |   13 +++--
>  fs/ext4/extents.c                  |   27 ++++++++----
>  fs/ext4/inode.c                    |   11 ++++-
>  fs/ext4/super.c                    |   84 ++++++++++++++++++++++++++++++++++-
>  6 files changed, 141 insertions(+), 23 deletions(-)
> 
> diff --git a/Documentation/filesystems/ext4.txt b/Documentation/filesystems/ext4.txt
> index 34ea4f1..1ce3b3e 100644
> --- a/Documentation/filesystems/ext4.txt
> +++ b/Documentation/filesystems/ext4.txt
> @@ -494,6 +494,17 @@ Files in /sys/fs/ext4/<devname>
>   session_write_kbytes         This file is read-only and shows the number of
>                                kilobytes of data that have been written to this
>                                filesystem since it was mounted.
> +
> + reserved_clusters            This is RW file and contains number of reserved
> +                              clusters in the file system which will be used
> +                              in the specific situations to avoid costly
> +                              zeroout, unexpected ENOSPC, or possible data
> +                              loss. The default is 2% or 4096 clusters,
> +                              whichever is smaller and this can be changed
> +                              however it can never exceed number of clusters
> +                              in the file system. If there is not enough space
> +                              for the reserved space when mounting the file
> +                              mount will _not_ fail.
>  ..............................................................................
>  
>  Ioctls
> diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
> index 92e68b3..3e53020 100644
> --- a/fs/ext4/balloc.c
> +++ b/fs/ext4/balloc.c
> @@ -478,20 +478,22 @@ ext4_read_block_bitmap(struct super_block *sb, ext4_group_t block_group)
>  static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
>  				  s64 nclusters, unsigned int flags)
>  {
> -	s64 free_clusters, dirty_clusters, root_clusters;
> +	s64 free_clusters, dirty_clusters, rsv, resv_clusters;
>  	struct percpu_counter *fcc = &sbi->s_freeclusters_counter;
>  	struct percpu_counter *dcc = &sbi->s_dirtyclusters_counter;
>  
>  	free_clusters  = percpu_counter_read_positive(fcc);
>  	dirty_clusters = percpu_counter_read_positive(dcc);
> +	resv_clusters = atomic64_read(&sbi->s_resv_clusters);
>  
>  	/*
>  	 * r_blocks_count should always be multiple of the cluster ratio so
>  	 * we are safe to do a plane bit shift only.
>  	 */
> -	root_clusters = ext4_r_blocks_count(sbi->s_es) >> sbi->s_cluster_bits;
> +	rsv = (ext4_r_blocks_count(sbi->s_es) >> sbi->s_cluster_bits) +
> +	      resv_clusters;
>  
> -	if (free_clusters - (nclusters + root_clusters + dirty_clusters) <
> +	if (free_clusters - (nclusters + rsv + dirty_clusters) <
>  					EXT4_FREECLUSTERS_WATERMARK) {
>  		free_clusters  = percpu_counter_sum_positive(fcc);
>  		dirty_clusters = percpu_counter_sum_positive(dcc);
> @@ -499,15 +501,21 @@ static int ext4_has_free_clusters(struct ext4_sb_info *sbi,
>  	/* Check whether we have space after accounting for current
>  	 * dirty clusters & root reserved clusters.
>  	 */
> -	if (free_clusters >= ((root_clusters + nclusters) + dirty_clusters))
> +	if (free_clusters >= (rsv + nclusters + dirty_clusters))
>  		return 1;
>  
>  	/* Hm, nope.  Are (enough) root reserved clusters available? */
>  	if (uid_eq(sbi->s_resuid, current_fsuid()) ||
>  	    (!gid_eq(sbi->s_resgid, GLOBAL_ROOT_GID) && in_group_p(sbi->s_resgid)) ||
>  	    capable(CAP_SYS_RESOURCE) ||
> -		(flags & EXT4_MB_USE_ROOT_BLOCKS)) {
> +	    (flags & EXT4_MB_USE_ROOT_BLOCKS)) {
>  
> +		if (free_clusters >= (nclusters + dirty_clusters +
> +				      resv_clusters))
> +			return 1;
> +	}
> +	/* No free blocks. Let's see if we can dip into reserved pool */
> +	if (flags & EXT4_MB_USE_RESERVED) {
>  		if (free_clusters >= (nclusters + dirty_clusters))
>  			return 1;
>  	}
> diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
> index 4a01ba3..5dd240f 100644
> --- a/fs/ext4/ext4.h
> +++ b/fs/ext4/ext4.h
> @@ -121,6 +121,8 @@ typedef unsigned int ext4_group_t;
>  #define EXT4_MB_STREAM_ALLOC		0x0800
>  /* Use reserved root blocks if needed */
>  #define EXT4_MB_USE_ROOT_BLOCKS		0x1000
> +/* Use blocks from reserved pool */
> +#define EXT4_MB_USE_RESERVED		0x2000
>  
>  struct ext4_allocation_request {
>  	/* target inode for block we're allocating */
> @@ -557,9 +559,8 @@ enum {
>  #define EXT4_GET_BLOCKS_UNINIT_EXT		0x0002
>  #define EXT4_GET_BLOCKS_CREATE_UNINIT_EXT	(EXT4_GET_BLOCKS_UNINIT_EXT|\
>  						 EXT4_GET_BLOCKS_CREATE)
> -	/* Caller is from the delayed allocation writeout path,
> -	   so set the magic i_delalloc_reserve_flag after taking the
> -	   inode allocation semaphore for */
> +	/* Caller is from the delayed allocation writeout path
> +	 * finally doing the actual allocation of delayed blocks */
>  #define EXT4_GET_BLOCKS_DELALLOC_RESERVE	0x0004
>  	/* caller is from the direct IO path, request to creation of an
>  	unitialized extents if not allocated, split the uninitialized
> @@ -571,8 +572,9 @@ enum {
>  	/* Convert extent to initialized after IO complete */
>  #define EXT4_GET_BLOCKS_IO_CONVERT_EXT		(EXT4_GET_BLOCKS_CONVERT|\
>  					 EXT4_GET_BLOCKS_CREATE_UNINIT_EXT)
> -	/* Punch out blocks of an extent */
> -#define EXT4_GET_BLOCKS_PUNCH_OUT_EXT		0x0020
> +	/* Eventual metadata allocation (due to growing extent tree)
> +	 * should not fail, so try to use reserved blocks for that.*/
> +#define EXT4_GET_BLOCKS_METADATA_NOFAIL		0x0020
>  	/* Don't normalize allocation size (used for fallocate) */
>  #define EXT4_GET_BLOCKS_NO_NORMALIZE		0x0040
>  	/* Request will not result in inode size update (user for fallocate) */
> @@ -1179,6 +1181,7 @@ struct ext4_sb_info {
>  	unsigned int s_mount_flags;
>  	unsigned int s_def_mount_opt;
>  	ext4_fsblk_t s_sb_block;
> +	atomic64_t s_resv_clusters;
>  	kuid_t s_resuid;
>  	kgid_t s_resgid;
>  	unsigned short s_mount_state;
> diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
> index 372b2cb..e61a676 100644
> --- a/fs/ext4/extents.c
> +++ b/fs/ext4/extents.c
> @@ -1878,8 +1878,8 @@ int ext4_ext_insert_extent(handle_t *handle, struct inode *inode,
>  	 * There is no free space in the found leaf.
>  	 * We're gonna add a new leaf in the tree.
>  	 */
> -	if (flag & EXT4_GET_BLOCKS_PUNCH_OUT_EXT)
> -		flags = EXT4_MB_USE_ROOT_BLOCKS;
> +	if (flag & EXT4_GET_BLOCKS_METADATA_NOFAIL)
> +		flags = EXT4_MB_USE_RESERVED;
>  	err = ext4_ext_create_new_leaf(handle, inode, flags, path, newext);
>  	if (err)
>  		goto cleanup;
> @@ -2665,12 +2665,14 @@ again:
>  
>  			/*
>  			 * Split the extent in two so that 'end' is the last
> -			 * block in the first new extent
> +			 * block in the first new extent. Also we should not
> +			 * fail removing space due to ENOSPC so try to use
> +			 * reserved block if that happens.
>  			 */
>  			err = ext4_split_extent_at(handle, inode, path,
> -						end + 1, split_flag,
> -						EXT4_GET_BLOCKS_PRE_IO |
> -						EXT4_GET_BLOCKS_PUNCH_OUT_EXT);
> +					end + 1, split_flag,
> +					EXT4_GET_BLOCKS_PRE_IO |
> +					EXT4_GET_BLOCKS_METADATA_NOFAIL);
>  
>  			if (err < 0)
>  				goto out;
> @@ -3108,7 +3110,8 @@ out:
>  static int ext4_ext_convert_to_initialized(handle_t *handle,
>  					   struct inode *inode,
>  					   struct ext4_map_blocks *map,
> -					   struct ext4_ext_path *path)
> +					   struct ext4_ext_path *path,
> +					   int flags)
>  {
>  	struct ext4_sb_info *sbi;
>  	struct ext4_extent_header *eh;
> @@ -3287,7 +3290,7 @@ static int ext4_ext_convert_to_initialized(handle_t *handle,
>  	}
>  
>  	allocated = ext4_split_extent(handle, inode, path,
> -				      &split_map, split_flag, 0);
> +				      &split_map, split_flag, flags);
>  	if (allocated < 0)
>  		err = allocated;
>  
> @@ -3593,6 +3596,12 @@ ext4_ext_handle_uninitialized_extents(handle_t *handle, struct inode *inode,
>  		  flags, allocated);
>  	ext4_ext_show_leaf(inode, path);
>  
> +	/*
> +	 * When writing into uninitialized space, we should not fail to
> +	 * allocate metadata blocks for the new extent block if needed.
> +	 */
> +	flags |= EXT4_GET_BLOCKS_METADATA_NOFAIL;
> +
>  	trace_ext4_ext_handle_uninitialized_extents(inode, map, flags,
>  						    allocated, newblock);
>  
> @@ -3652,7 +3661,7 @@ ext4_ext_handle_uninitialized_extents(handle_t *handle, struct inode *inode,
>  	}
>  
>  	/* buffered write, writepage time, convert*/
> -	ret = ext4_ext_convert_to_initialized(handle, inode, map, path);
> +	ret = ext4_ext_convert_to_initialized(handle, inode, map, path, flags);
>  	if (ret >= 0)
>  		ext4_update_inode_fsync_trans(handle, inode, 1);
>  out:
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index 95a0c62..3450829 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -1601,12 +1601,21 @@ static void mpage_da_map_and_submit(struct mpage_da_data *mpd)
>  	 */
>  	map.m_lblk = next;
>  	map.m_len = max_blocks;
> -	get_blocks_flags = EXT4_GET_BLOCKS_CREATE;
> +	/*
> +	 * We're in delalloc path and it is possible that we're going to
> +	 * need more metadata blocks than previously reserved. However
> +	 * we must not fail because we're in writeback and there is
> +	 * nothing we can do about it so it might result in data loss.
> +	 * So use reserved blocks to allocate metadata if possible.
> +	 */
> +	get_blocks_flags = EXT4_GET_BLOCKS_CREATE |
> +			   EXT4_GET_BLOCKS_METADATA_NOFAIL;
>  	if (ext4_should_dioread_nolock(mpd->inode))
>  		get_blocks_flags |= EXT4_GET_BLOCKS_IO_CREATE_EXT;
>  	if (mpd->b_state & (1 << BH_Delay))
>  		get_blocks_flags |= EXT4_GET_BLOCKS_DELALLOC_RESERVE;
>  
> +
>  	blks = ext4_map_blocks(handle, mpd->inode, &map, get_blocks_flags);
>  	if (blks < 0) {
>  		struct super_block *sb = mpd->inode->i_sb;
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 9379b7f..1b302fa 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -81,6 +81,7 @@ static int ext4_feature_set_ok(struct super_block *sb, int readonly);
>  static void ext4_destroy_lazyinit_thread(void);
>  static void ext4_unregister_li_request(struct super_block *sb);
>  static void ext4_clear_request_list(void);
> +static int ext4_reserve_clusters(struct ext4_sb_info *, ext4_fsblk_t);
>  
>  #if !defined(CONFIG_EXT2_FS) && !defined(CONFIG_EXT2_FS_MODULE) && defined(CONFIG_EXT4_USE_FOR_EXT23)
>  static struct file_system_type ext2_fs_type = {
> @@ -2375,6 +2376,17 @@ struct ext4_attr {
>  	int offset;
>  };
>  
> +static int parse_strtoull(const char *buf,
> +		unsigned long long max, unsigned long long *value)
> +{
> +	int ret;
> +
> +	ret = kstrtoull(skip_spaces(buf), 0, value);
> +	if (!ret && *value > max)
> +		ret = -EINVAL;
> +	return ret;
> +}
> +
>  static int parse_strtoul(const char *buf,
>  		unsigned long max, unsigned long *value)
>  {
> @@ -2459,6 +2471,27 @@ static ssize_t sbi_ui_store(struct ext4_attr *a,
>  	return count;
>  }
>  
> +static ssize_t reserved_clusters_show(struct ext4_attr *a,
> +				  struct ext4_sb_info *sbi, char *buf)
> +{
> +	return snprintf(buf, PAGE_SIZE, "%lu\n",
> +			atomic64_read(&sbi->s_resv_clusters));
> +}
> +
> +static ssize_t reserved_clusters_store(struct ext4_attr *a,
> +				   struct ext4_sb_info *sbi,
> +				   const char *buf, size_t count)
> +{
> +	unsigned long long val;
> +	int ret;
> +
> +	if (parse_strtoull(buf, -1ULL, &val))
> +		return -EINVAL;
> +	ret = ext4_reserve_clusters(sbi, val);
> +
> +	return ret ? ret : count;
> +}
> +
>  static ssize_t trigger_test_error(struct ext4_attr *a,
>  				  struct ext4_sb_info *sbi,
>  				  const char *buf, size_t count)
> @@ -2496,6 +2529,7 @@ static struct ext4_attr ext4_attr_##name = __ATTR(name, mode, show, store)
>  EXT4_RO_ATTR(delayed_allocation_blocks);
>  EXT4_RO_ATTR(session_write_kbytes);
>  EXT4_RO_ATTR(lifetime_write_kbytes);
> +EXT4_RW_ATTR(reserved_clusters);
>  EXT4_ATTR_OFFSET(inode_readahead_blks, 0644, sbi_ui_show,
>  		 inode_readahead_blks_store, s_inode_readahead_blks);
>  EXT4_RW_ATTR_SBI_UI(inode_goal, s_inode_goal);
> @@ -2513,6 +2547,7 @@ static struct attribute *ext4_attrs[] = {
>  	ATTR_LIST(delayed_allocation_blocks),
>  	ATTR_LIST(session_write_kbytes),
>  	ATTR_LIST(lifetime_write_kbytes),
> +	ATTR_LIST(reserved_clusters),
>  	ATTR_LIST(inode_readahead_blks),
>  	ATTR_LIST(inode_goal),
>  	ATTR_LIST(mb_stats),
> @@ -3188,6 +3223,40 @@ int ext4_calculate_overhead(struct super_block *sb)
>  	return 0;
>  }
>  
> +
> +static ext4_fsblk_t ext4_calculate_resv_clusters(struct ext4_sb_info *sbi)
> +{
> +	ext4_fsblk_t resv_clusters;
> +
> +	/*
> +	 * By default we reserve 2% or 4096 clusters, whichever is smaller.
> +	 * This should cover the situations where we can not afford to run
> +	 * out of space like for example punch hole, or converting
> +	 * uninitialized extents in delalloc path. In most cases such
> +	 * allocation would require 1, or 2 blocks, higher numbers are
> +	 * very rare.
> +	 */
> +	resv_clusters = ext4_blocks_count(sbi->s_es) >> sbi->s_cluster_bits;
> +
> +	do_div(resv_clusters, 50);
> +	resv_clusters = min_t(ext4_fsblk_t, resv_clusters, 4096);
> +
> +	return resv_clusters;
> +}
> +
> +
> +static int ext4_reserve_clusters(struct ext4_sb_info *sbi, ext4_fsblk_t count)
> +{
> +	ext4_fsblk_t clusters = ext4_blocks_count(sbi->s_es) >>
> +				sbi->s_cluster_bits;
> +
> +	if (count >= clusters)
> +		return -EINVAL;
> +
> +	atomic64_set(&sbi->s_resv_clusters, count);
> +	return 0;
> +}
> +
>  static int ext4_fill_super(struct super_block *sb, void *data, int silent)
>  {
>  	char *orig_data = kstrdup(data, GFP_KERNEL);
> @@ -3907,6 +3976,13 @@ no_journal:
>  			 "available");
>  	}
>  
> +	err = ext4_reserve_clusters(sbi, ext4_calculate_resv_clusters(sbi));
> +	if (err) {
> +		ext4_msg(sb, KERN_ERR, "failed to reserve %llu clusters for "
> +			 "reserved pool", ext4_calculate_resv_clusters(sbi));
> +		goto failed_mount4a;
> +	}
> +
>  	err = ext4_setup_system_zone(sb);
>  	if (err) {
>  		ext4_msg(sb, KERN_ERR, "failed to initialize system "
> @@ -4738,9 +4814,10 @@ static int ext4_statfs(struct dentry *dentry, struct kstatfs *buf)
>  	struct super_block *sb = dentry->d_sb;
>  	struct ext4_sb_info *sbi = EXT4_SB(sb);
>  	struct ext4_super_block *es = sbi->s_es;
> -	ext4_fsblk_t overhead = 0;
> +	ext4_fsblk_t overhead = 0, resv_blocks;
>  	u64 fsid;
>  	s64 bfree;
> +	resv_blocks = EXT4_C2B(sbi, atomic64_read(&sbi->s_resv_clusters));
>  
>  	if (!test_opt(sb, MINIX_DF))
>  		overhead = sbi->s_overhead;
> @@ -4752,8 +4829,9 @@ static int ext4_statfs(struct dentry *dentry, struct kstatfs *buf)
>  		percpu_counter_sum_positive(&sbi->s_dirtyclusters_counter);
>  	/* prevent underflow in case that few free space is available */
>  	buf->f_bfree = EXT4_C2B(sbi, max_t(s64, bfree, 0));
> -	buf->f_bavail = buf->f_bfree - ext4_r_blocks_count(es);
> -	if (buf->f_bfree < ext4_r_blocks_count(es))
> +	buf->f_bavail = buf->f_bfree -
> +			(ext4_r_blocks_count(es) + resv_blocks);
> +	if (buf->f_bfree < (ext4_r_blocks_count(es) + resv_blocks))
>  		buf->f_bavail = 0;
>  	buf->f_files = le32_to_cpu(es->s_inodes_count);
>  	buf->f_ffree = percpu_counter_sum_positive(&sbi->s_freeinodes_counter);
> -- 
> 1.7.7.6
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Carlos
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists