ceph: avoid iput_final() while holding mutex or in dispatch thread
iput_final() may wait for reahahead pages. The wait can cause deadlock.
For example:
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
schedule+0x36/0x80
io_schedule+0x16/0x40
__lock_page+0x101/0x140
truncate_inode_pages_range+0x556/0x9f0
truncate_inode_pages_final+0x4d/0x60
evict+0x182/0x1a0
iput+0x1d2/0x220
iterate_session_caps+0x82/0x230 [ceph]
dispatch+0x678/0xa80 [ceph]
ceph_con_workfn+0x95b/0x1560 [libceph]
process_one_work+0x14d/0x410
worker_thread+0x4b/0x460
kthread+0x105/0x140
ret_from_fork+0x22/0x40
Workqueue: ceph-msgr ceph_con_workfn [libceph]
Call Trace:
__schedule+0x3d6/0x8b0
schedule+0x36/0x80
schedule_preempt_disabled+0xe/0x10
mutex_lock+0x2f/0x40
ceph_check_caps+0x505/0xa80 [ceph]
ceph_put_wrbuffer_cap_refs+0x1e5/0x2c0 [ceph]
writepages_finish+0x2d3/0x410 [ceph]
__complete_request+0x26/0x60 [libceph]
handle_reply+0x6c8/0xa10 [libceph]
dispatch+0x29a/0xbb0 [libceph]
ceph_con_workfn+0x95b/0x1560 [libceph]
process_one_work+0x14d/0x410
worker_thread+0x4b/0x460
kthread+0x105/0x140
ret_from_fork+0x22/0x40
In above example, truncate_inode_pages_range() waits for readahead pages
while holding s_mutex. ceph_check_caps() waits for s_mutex and blocks
OSD dispatch thread. Later OSD replies (for readahead) can't be handled.
ceph_check_caps() also may lock snap_rwsem for read. So similar deadlock
can happen if iput_final() is called while holding snap_rwsem.
In general, it's not good to call iput_final() inside MDS/OSD dispatch
threads or while holding any mutex.
The fix is introducing ceph_async_iput(), which calls iput_final() in
workqueue.
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
This commit is contained in:
Yan, Zheng
@@ -1476,7 +1476,8 @@ static int readdir_prepopulate_inodes_only(struct ceph_mds_request *req,
|
||||
pr_err("fill_inode badness on %p got %d\n", in, rc);
|
||||
err = rc;
|
||||
}
|
||||
iput(in);
|
||||
/* avoid calling iput_final() in mds dispatch threads */
|
||||
ceph_async_iput(in);
|
||||
}
|
||||
|
||||
return err;
|
||||
@@ -1674,8 +1675,11 @@ retry_lookup:
|
||||
&req->r_caps_reservation);
|
||||
if (ret < 0) {
|
||||
pr_err("fill_inode badness on %p\n", in);
|
||||
if (d_really_is_negative(dn))
|
||||
iput(in);
|
||||
if (d_really_is_negative(dn)) {
|
||||
/* avoid calling iput_final() in mds
|
||||
* dispatch threads */
|
||||
ceph_async_iput(in);
|
||||
}
|
||||
d_drop(dn);
|
||||
err = ret;
|
||||
goto next_item;
|
||||
@@ -1685,7 +1689,7 @@ retry_lookup:
|
||||
if (ceph_security_xattr_deadlock(in)) {
|
||||
dout(" skip splicing dn %p to inode %p"
|
||||
" (security xattr deadlock)\n", dn, in);
|
||||
iput(in);
|
||||
ceph_async_iput(in);
|
||||
skipped++;
|
||||
goto next_item;
|
||||
}
|
||||
@@ -1736,6 +1740,25 @@ bool ceph_inode_set_size(struct inode *inode, loff_t size)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/*
|
||||
* Put reference to inode, but avoid calling iput_final() in current thread.
|
||||
* iput_final() may wait for reahahead pages. The wait can cause deadlock in
|
||||
* some contexts.
|
||||
*/
|
||||
void ceph_async_iput(struct inode *inode)
|
||||
{
|
||||
if (!inode)
|
||||
return;
|
||||
for (;;) {
|
||||
if (atomic_add_unless(&inode->i_count, -1, 1))
|
||||
break;
|
||||
if (queue_work(ceph_inode_to_client(inode)->inode_wq,
|
||||
&ceph_inode(inode)->i_work))
|
||||
break;
|
||||
/* queue work failed, i_count must be at least 2 */
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* Write back inode data in a worker thread. (This can't be done
|
||||
* in the message handler context.)
|
||||
|
||||
Reference in New Issue
Block a user