dm era: commit metadata in postsuspend after worker stops

ntsiron · Mike Snitzer · commit 9ae6e8b1c9bb · 2022-06-21T13:35:01.000-04:00
During postsuspend dm-era does the following: 1. Archives the current era 2. Commits the metadata, as part of the RPC call for archiving the current era 3. Stops the worker Until the worker stops, it might write to the metadata again. Moreover, these writes are not flushed to disk immediately, but are cached by the dm-bufio client, which writes them back asynchronously. As a result, the committed metadata of a suspended dm-era device might not be consistent with the in-core metadata. In some cases, this can result in the corruption of the on-disk metadata. Suppose the following sequence of events: 1. Load a new table, e.g. a snapshot-origin table, to a device with a dm-era table 2. Suspend the device 3. dm-era commits its metadata, but the worker does a few more metadata writes until it stops, as part of digesting an archived writeset 4. These writes are cached by the dm-bufio client 5. Load the dm-era table to another device. 6. The new instance of the dm-era target loads the committed, on-disk metadata, which don't include the extra writes done by the worker after the metadata commit. 7. Resume the new device 8. The new dm-era target instance starts using the metadata 9. Resume the original device 10. The destructor of the old dm-era target instance is called and destroys the dm-bufio client, which results in flushing the cached writes to disk 11. These writes might overwrite the writes done by the new dm-era instance, hence corrupting its metadata. Fix this by committing the metadata after the worker stops running. stop_worker uses flush_workqueue to flush the current work. However, the work item may re-queue itself and flush_workqueue doesn't wait for re-queued works to finish. This could result in the worker changing the metadata after they have been committed, or writing to the metadata concurrently with the commit in the postsuspend thread. Use drain_workqueue instead, which waits until the work and all re-queued works finish. Fixes: eec4057 ("dm: add era target") Cc: stable@vger.kernel.org # v3.15+ Signed-off-by: Nikos Tsironis <ntsironis@arrikto.com> Signed-off-by: Mike Snitzer <snitzer@kernel.org>
diff --git a/drivers/md/dm-era-target.c b/drivers/md/dm-era-target.c
@@ -1400,7 +1400,7 @@ static void start_worker(struct era *era)
 static void stop_worker(struct era *era)
 {
 	atomic_set(&era->suspended, 1);
-	flush_workqueue(era->wq);
+	drain_workqueue(era->wq);
 }
 
 /*----------------------------------------------------------------
@@ -1570,6 +1570,12 @@ static void era_postsuspend(struct dm_target *ti)
 	}
 
 	stop_worker(era);
+
+	r = metadata_commit(era->md);
+	if (r) {
+		DMERR("%s: metadata_commit failed", __func__);
+		/* FIXME: fail mode */
+	}
 }
 
 static int era_preresume(struct dm_target *ti)

Original file line number	Diff line number	Diff line change
`@@ -1400,7 +1400,7 @@ static void start_worker(struct era *era)`
`1400`	`1400`	`static void stop_worker(struct era *era)`
`1401`	`1401`	`{`
`1402`	`1402`	`atomic_set(&era->suspended, 1);`
`1403`		`- flush_workqueue(era->wq);`
	`1403`	`+ drain_workqueue(era->wq);`
`1404`	`1404`	`}`
`1405`	`1405`
`1406`	`1406`	`/*----------------------------------------------------------------`
`@@ -1570,6 +1570,12 @@ static void era_postsuspend(struct dm_target *ti)`
`1570`	`1570`	`}`
`1571`	`1571`
`1572`	`1572`	`stop_worker(era);`
	`1573`	`+`
	`1574`	`+ r = metadata_commit(era->md);`
	`1575`	`+ if (r) {`
	`1576`	`+ DMERR("%s: metadata_commit failed", __func__);`
	`1577`	`+ /* FIXME: fail mode */`
	`1578`	`+ }`
`1573`	`1579`	`}`
`1574`	`1580`
`1575`	`1581`	`static int era_preresume(struct dm_target *ti)`