On Mon, Jan 28, 2013 at 05:55:57PM +0100, Stefan Behrens wrote: > [CC list reduced (my initial statement was that such dead_list > corruptions happen without the snapshot-aware defrag patch, by now the > contents is not related to the snapshot-aware defrag patch anymore)] > [...] > > No, this did not fix the problem (and I changed the patch and replaced > "root" with "gang[0]" for the compiler's satisfaction). Same stack trace > as before. > > This happens without scrub or defrag running in parallel. The mount > options are compress=lzo,space_cache,inode_cache. I mount the > filesystem, create about 1000 subvols and snapshots, fill some data in > the subvolumes, delete all subvolumes, wait until "btrfs subvol list ... > | wc -l" prints 0, then immediately unmount the filesystem and then it > crashs. > > Disabling the inode_cache mount option eliminates the crash.
Hi Stefan, What about this patch(UNTESTED)? thanks, liubo diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c index ca7ace7..dac9d4b 100644 --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -4142,9 +4142,14 @@ static void inode_tree_del(struct inode *inode) * root_refs of 0, so this could end up dropping the tree root as a * snapshot, so we need the extra !root->fs_info->tree_root check to * make sure we don't drop it. + * + * Inode cache's inodes may be iput and add root back to dead roots + * list during killing super, which leads to use-after-free, so + * we need to check fs_info->closing to keep us from use-after-free. */ if (empty && btrfs_root_refs(&root->root_item) == 0 && - root != root->fs_info->tree_root) { + root != root->fs_info->tree_root && + btrfs_fs_closing(root->fs_info) > 1) { synchronize_srcu(&root->fs_info->subvol_srcu); spin_lock(&root->inode_lock); empty = RB_EMPTY_ROOT(&root->inode_tree); > > BTW, when I reproduced this crash with 6600 outstanding subvolume > deletions, the next mount command took 40 minutes to return back to user > mode. The btrfs-cleaner thread was executing btrfs_clean_old_snapshots() > and was writing the superblocks everytime I looked on its stack. The > mount process was executing btrfs_find_orphan_roots() the first half of > the time and afterwards btrfs_orphan_cleanup() for the rest of the 40 > minutes. > > > >> BUG: unable to handle kernel paging request at ffff88042503b830 > >> IP: [<ffffffff814532b7>] __list_add+0x17/0xd0 > >> PGD 1e0c063 PUD bf58e067 PMD bf6b7067 PTE 800000042503b160 > >> Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC > >> Modules linked in: btrfs bonding raid1 mpt2sas scsi_transport_sas > >> raid_class > >> CPU 2 > >> Pid: 10259, comm: umount Not tainted 3.8.0-rc4+ #16 Supermicro X8SIL/X8SIL > >> RIP: 0010:[<ffffffff814532b7>] [<ffffffff814532b7>] __list_add+0x17/0xd0 > >> RSP: 0018:ffff8802f67a1bd8 EFLAGS: 00010286 > >> RAX: ffff880425b7c560 RBX: ffff880423ca2828 RCX: 0000000000000001 > >> RDX: ffff88042503b828 RSI: ffff8804257794c0 RDI: ffff880423ca2828 > >> RBP: ffff8802f67a1bf8 R08: 0000000000077850 R09: 0000000000000000 > >> R10: 0000000000000000 R11: 0000000000000001 R12: ffff880423ca2000 > >> R13: ffff880423ca2898 R14: 0000000000000000 R15: ffff8802f67a1d30 > >> FS: 00007f6e89bba740(0000) GS:ffff88042ea00000(0000) > >> knlGS:0000000000000000 > >> CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b > >> CR2: ffff88042503b830 CR3: 000000029a56c000 CR4: 00000000000007e0 > >> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > >> DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > >> Process umount (pid: 10259, threadinfo ffff8802f67a0000, task > >> ffff880425b7c560) > >> Stack: > >> ffffffffa00a414f ffff880423ca2000 ffff880423ca2000 ffff880423ca2898 > >> ffff8802f67a1c18 ffffffffa00a4170 ffff88042a60c1f8 ffff88042a60c1f8 > >> ffff8802f67a1c48 ffffffffa00b3180 ffff88042a60c1f8 ffff88042a60c280 > >> Call Trace: > >> [<ffffffffa00a414f>] ? btrfs_add_dead_root+0x1f/0x60 [btrfs] > >> [<ffffffffa00a4170>] btrfs_add_dead_root+0x40/0x60 [btrfs] > >> [<ffffffffa00b3180>] btrfs_destroy_inode+0x1d0/0x2d0 [btrfs] > >> [<ffffffff811b5d17>] destroy_inode+0x37/0x60 > >> [<ffffffff811b5e4d>] evict+0x10d/0x1a0 > >> [<ffffffff811b65f5>] iput+0x105/0x190 > >> [<ffffffffa009bd68>] free_fs_root+0x18/0x90 [btrfs] > >> [<ffffffffa009f1ab>] btrfs_free_fs_root+0x7b/0x90 [btrfs] > >> [<ffffffffa009f26f>] del_fs_roots+0xaf/0xf0 [btrfs] > >> [<ffffffffa00a0bc6>] close_ctree+0x1c6/0x300 [btrfs] > >> [<ffffffff811b6a7c>] ? evict_inodes+0xec/0x100 > >> [<ffffffffa00763a4>] btrfs_put_super+0x14/0x20 [btrfs] > >> [<ffffffff8119dfcc>] generic_shutdown_super+0x5c/0xe0 > >> [<ffffffff8119e0e1>] kill_anon_super+0x11/0x20 > >> [<ffffffffa007a3a5>] btrfs_kill_super+0x15/0x90 [btrfs] > >> [<ffffffff8119f111>] ? deactivate_super+0x41/0x70 > >> [<ffffffff8119e4dd>] deactivate_locked_super+0x3d/0x70 > >> [<ffffffff8119f119>] deactivate_super+0x49/0x70 > >> [<ffffffff811ba772>] mntput_no_expire+0xd2/0x130 > >> [<ffffffff811bb621>] sys_umount+0x71/0x390 > >> [<ffffffff81983012>] system_call_fastpath+0x16/0x1b > >> Code: 48 83 c4 08 5b 5d c3 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 > >> e5 48 83 ec 20 48 89 5d e8 4c 89 65 f0 48 89 fb 4c 89 6d f8 <4c> 8b 42 08 > >> 49 89 f5 49 89 d4 49 39 f0 75 31 4d 8b 45 00 4d 39 > >> RIP [<ffffffff814532b7>] __list_add+0x17/0xd0 > >> RSP <ffff8802f67a1bd8> > >> CR2: ffff88042503b830 > >> ---[ end trace 5e44f1afc74751aa ]--- > -- To unsubscribe from this list: send the line "unsubscribe linux-btrfs" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html