[0/19,v2] ext4: Fix transaction overflow due to revoke descriptors

Message ID	20190930103544.11479-1-jack@suse.cz
Headers	show Return-Path: <linux-ext4-owner@vger.kernel.org> From: Jan Kara <jack@suse.cz> To: <linux-ext4@vger.kernel.org> Cc: Ted Tso <tytso@mit.edu>, Jan Kara <jack@suse.cz> Subject: [PATCH 0/19 v2] ext4: Fix transaction overflow due to revoke descriptors Date: Mon, 30 Sep 2019 12:43:18 +0200 Message-Id: <20190930103544.11479-1-jack@suse.cz> Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk
Series	ext4: Fix transaction overflow due to revoke descriptors \| expand [0/19,v2] ext4: Fix transaction overflow due to revoke descriptors [01/19] jbd2: Fix possible overflow in jbd2_log_space_left() [02/19] jbd2: Fixup stale comment in commit code [03/19] ext4: Do not iput inode under running transaction in ext4_mkdir() [04/19] ext4: Use ext4_journal_extend() instead of jbd2_journal_extend() [05/19] ext4: Avoid unnecessary revokes in ext4_alloc_branch() [06/19] ext4: Provide function to handle transaction restarts [07/19] ext4, jbd2: Provide accessor function for handle credits [08/19] ocfs2: Use accessor function for h_buffer_credits [09/19] jbd2: Fix statistics for the number of logged blocks [10/19] jbd2: Reorganize jbd2_journal_stop() [11/19] jbd2: Drop pointless check from jbd2_journal_stop() [12/19] jbd2: Drop pointless wakeup from jbd2_journal_stop() [13/19] jbd2: Factor out common parts of stopping and restarting a handle [14/19] jbd2: Account descriptor blocks into t_outstanding_credits [15/19] jbd2: Drop jbd2_space_needed() [16/19] jbd2: Reserve space for revoke descriptor blocks [17/19] jbd2: Rename h_buffer_credits to h_total_credits [18/19] jbd2: Make credit checking more strict [19/19] ext4: Reserve revoke credits for freed blocks

Message ID

20190930103544.11479-1-jack@suse.cz

Headers

From: Jan Kara <jack@suse.cz>
To: <linux-ext4@vger.kernel.org>
Cc: Ted Tso <tytso@mit.edu>, Jan Kara <jack@suse.cz>
Subject: [PATCH 0/19 v2] ext4: Fix transaction overflow due to revoke
	descriptors
Date: Mon, 30 Sep 2019 12:43:18 +0200
Message-Id: <20190930103544.11479-1-jack@suse.cz>
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk

Series

ext4: Fix transaction overflow due to revoke descriptors | expand

Message

Jan Kara Sept. 30, 2019, 10:43 a.m. UTC

Hello,

I'm sending v2 of this series in a quick succession since some more
stress-testing has revealed some bugs and I've also reorganized the series a
bit so I've decided to post new version early not to waste review bandwidth.

Changes since v1:
* Reordered some patches to reduce code churn
* Computation in jbd2_revoke_descriptors_per_block() was too early - moved it
  to later when journal superblock is loaded and so the feature checking
  actually works.
* Made sure nobody outside JBD2 uses handle->h_buffer_credits since now it
  contains also credits for revoke descriptors and it was confusing come users.
* Updated cover letter with more details about reproducer

Original cover letter:

I've recently got a bug report where JBD2 assertion failed due to
transaction commit running out of journal space. After closer inspection of
the crash dump it seems that the problem is that there were too many
journal descriptor blocks (more that max_transaction_size >> 5 + 32 we
estimate in jbd2_log_space_left()) due to descriptor blocks with revoke
records. In fact the estimate on the number of descriptor blocks looks
pretty arbitrary and there can be much more descriptor blocks needed for
revoke records. We need one revoke record for every metadata block freed.
So in the worst case (1k blocksize, 64-bit journal feature enabled,
checksumming enabled) we fit 125 revoke record in one descriptor block.  In
common cases its about 500 revoke records per descriptor block. Now when
we free large directories or large file with data journalling enabled, we can
have *lots* of blocks to revoke - with extent mapped files easily millions
in a single transaction which can mean 10k descriptor blocks - clearly more
than the estimate of 128 descriptor blocks per transaction ;)

This patch series aims at fixing the problem by accounting descriptor blocks
into transaction credits and reserving appropriate amount of credits for revoke
descriptors on transaction handle start. Similar to normal transaction credits,
the filesystem has to provide estimate for the number of blocks it is going
to revoke using the transaction handle so that credits for revoke descriptors
can be reserved.

The series has survived fstests in couple configurations and also the stress
test like:
  Create filesystem with 1KB blocksize and journal size 32MB
  Mount the filesystem with -o nodelalloc
  for (( i = 0; i < 4; i++ )); do
    dd if=/dev/zero of=file$i bs=1M count=2048 conv=fsync
    chattr +j file$i
  done
  for (( i = 0; i < 4; i++ )); do
    rm file$i&
  done

which reliably triggers the assertion failure in JBD2 on unpatched kernel.

Review and comments are welcome :).

								Honza
Previous versions:
Link: http://lore.kernel.org/r/20190927111536.16455-1-jack@suse.cz