| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAGudoHHtSpoqami61KxAJBsk77G0wCTSy-zvNH9W8Pb+S3PoQA@mail.gmail.com> Date: Fri, 19 Sep 2025 18:41:44 +0200 From: Mateusz Guzik <mjguzik@...il.com> To: Dave Chinner <david@...morbit.com> Cc: Al Viro <viro@...iv.linux.org.uk>, Max Kellermann <max.kellermann@...os.com>, slava.dubeyko@....com, xiubli@...hat.com, idryomov@...il.com, amarkuze@...hat.com, ceph-devel@...r.kernel.org, netfs@...ts.linux.dev, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, stable@...r.kernel.org, Josef Bacik <josef@...icpanda.com>, Christian Brauner <brauner@...nel.org> Subject: Re: [PATCH] ceph: fix deadlock bugs by making iput() calls asynchronous On Thu, Sep 18, 2025 at 3:51 AM Dave Chinner <david@...morbit.com> wrote: > > On Thu, Sep 18, 2025 at 02:04:52AM +0200, Mateusz Guzik wrote: > > On Thu, Sep 18, 2025 at 1:08 AM Mateusz Guzik <mjguzik@...il.com> wrote: > > > > > > On Thu, Sep 18, 2025 at 12:51 AM Dave Chinner <david@...morbit.com> wrote: > > > > - wait for Josef to finish his inode refcount rework patchset that > > > > gets rid of this whole "writeback doesn't hold an inode reference" > > > > problem that is the root cause of this the deadlock. > > > > > > > > All that adding a whacky async iput work around does right now is > > > > make it harder for Josef to land the patchset that makes this > > > > problem go away entirely.... > > > > > > > > > > Per Max this is a problem present on older kernels as well, something > > > of this sort is needed to cover it regardless of what happens in > > > mainline. > > > > > > As for mainline, I don't believe Josef's patchset addresses the problem. > > > > > > The newly added refcount now taken by writeback et al only gates the > > > inode getting freed, it does not gate almost any of iput/evict > > > processing. As in with the patchset writeback does not hold a real > > > reference. > > > > > > So ceph can still iput from writeback and find itself waiting in > > > inode_wait_for_writeback, unless the filesystem can be converted to > > > use the weaker refcounts and iobj_put instead (but that's not > > > something I would be betting on). > > > > To further elaborate, an extra count which only gates the struct being > > freed has limited usefulness. Notably it does not help filesystems > > which need the inode to be valid for use the entire time as evict() is > > only stalled *after* ->evict_inode(), which might have destroyed the > > vital parts. > > Not sure I follow you - ->evict_inode() comes after waiting for > writeback and other VFS operations to complete. There's nothing in > the VFS eviction code that actually blocks after ->evict_inode() is > called. > I'm stating that on the stock kernel writeback is indeed guaranteed to finish first. My general note there was that the refcount patchset only gates freeing, consequently reducing its usefulness. > > For example it > > may be ceph needs the full reference in writeback, > > IMO, we should always hold a full reference in writeback, because > doing so addresses the underlying eviction vs writeback race > condition that exists. i.e. we currently handle the lack of > reference counts in writeback by blocking on I_SYNC in eviction to > prevent a UAF. > > If we have an active reference for writeback in the first > place then eviction doesn't need to block on writeback because, by > definition, we cannot be performing writeback and eviction at the > same time.... > I agree with the benefit The problem here is that on the stock kernel writeback is guaranteed to never invoke ->evict_inode et al. Just allowing it to hold the ->i_count ref would mean there would be corner cases where it has to go through with the actual iput(), which imo would constitute a regression. If iput_async() as a first class citizen showed up, I would be all for holding the real ref around writeback. Looks like we agree something of the sort should be implemented, I repeat however that the refcount patchset is imo not the way to get there. > > then the new ref is > > of no use here. But for the sake of argument let's say ceph will get > > away with the ligher ref instead. Even then this is on the clock for a > > different filesystem to show up which can't do it and needs an async > > iput and then its developers are looking at "whacky work arounds". > > Right, that's because we haven't addressed the underlying problem. > > That is, we need to hold the right references at the VFS level such > that filesystems can't drop the last reference to the inode whilst > high level VFS inode operations (such as writeback) are in progress > on that inode. > > Done properly, eviction can then be done asynchronously for all > inodes because we've guaranteed there are no active or > pending active users of the inode.... > > .... and at that point, all the custom async inode garbage > collection stuff that XFS does goes away because it is native > VFS functionality :) > I completely agree here, I just claim the patchset by Josef does not move the kernel in that direction. > > The actual generic async iput is the actual async iput, not an > > arbitrary chunk of it after the inode is partway through processing. > > But then any form of extra refcounting is of no significance. > > > > To that end a non-whacky mechanism to defer iput would be most > > welcome, presumably provided by the vfs layer itself. Per remarks by > > Al elsewhere, care needs to be taken to make sure all inodes are > > sorted out before the super block gets destroyed. > > Yes, but first we have to get the reference counting right, such > that inode eviction only occurs after we've guaranteed there are no > other active users of the inode. Page cache residency and dirty > inodes are still in active use, we should account for them that way. > I don't have a strong opinion here. If anything I find it suspicious that code invoked by writeback can end up issuing iput() on something, but that's not something I'm going to die on a hill for. Also note the refs as proposed by Josef don't fit the idea as they allow for majority of iput() to progress. I claim there are issues concerning flag management (I_WILL_FREE et al) which would best sorted out before changes in refcount management are implemented (of whatever variety). > > This suggests expanding the super_block to track all of the deferred > > iputs and drain them early in sb destruction. The current struct inode > > on LP64 has 2 * 4 byte holes and llist linkage is only 8 bytes, so > > this can be added without growing the struct above stock kernel. > > Right, we already do this lockless llist based async garbage > collection under ->destroy_inode with XFS. > > > I would argue it would be good if the work could be deffered to > > task_work if possible (fput-style). Waiting for these should be easy > > enough, but arguably the thread which is supposed to get to them can > > be stalled elsewhere indefinitely, so perhaps this bit is a no-go. > > If the reference counting is right, nothing expect a new lookup on > the inode should stall on an inode queued for eviction... > The remark about getting stuck did not concern anything inode-specific. Rather, any thread can get stuck indefinitely in certain parts of the kernel. Should that happen after it has iput to process in task_work, that could be a problem for the mechanism. Anyhow, the *pressing* issue right now is sorting out the deadlock for ceph including for kernels older than mainline. And for that I don't think the patch as proposed by Max is objectionable. (granted though, I thought the vfs layer would wait for all inodes during unmount instead of barfing, but ceph is draining the queue the patch postponed the work to so it should be fine. extra points for the fact that ceph already used to have iput_async).
Powered by blists - more mailing lists