hdr_recl calls zthr_wakeup() on destroyed zthr #9047

sdimitro · 2019-07-16T23:01:41Z

There exists a race condition were hdr_recl() calls
zthr_wakeup() on a destroyed zthr. The timeline is the
following:

[1] hdr_recl() runs first and goes intro zthr_wakeup()
because arc_initialized is set.
[2] arc_fini() is called by another thread, zeroes
that flag, destroying the zthr, and goes into
buf_init().
[3] hdr_recl() tries to enter the destroyed mutex
and we blow up.

This patch ensures that the ARC's zthrs are not offloaded
any new work once arc_initialized is set and then destroys
them after all of the ARC state has been deleted.

Signed-off-by: Serapheim Dimitropoulos serapheim@delphix.com

How Has This Been Tested?

Has been internally soaking in DelphixOS for ~6 months now

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Performance enhancement (non-breaking change which improves efficiency)
Code cleanup (non-breaking change which makes code smaller or more readable)
Breaking change (fix or feature that would cause existing functionality to change)
Documentation (a change to man pages or other documentation)

Checklist:

My code follows the ZFS on Linux code style requirements.
I have updated the documentation accordingly.
I have read the contributing document.
I have added tests to cover my changes.
All new and existing tests passed.
All commit messages are properly formatted and contain Signed-off-by.

There exists a race condition were hdr_recl() calls zthr_wakeup() on a destroyed zthr. The timeline is the following: [1] hdr_recl() runs first and goes intro zthr_wakeup() because arc_initialized is set. [2] arc_fini() is called by another thread, zeroes that flag, destroying the zthr, and goes into buf_init(). [3] hdr_recl() tries to enter the destroyed mutex and we blow up. This patch ensures that the ARC's zthrs are not offloaded any new work once arc_initialized is set and then destroys them after all of the ARC state has been deleted. Signed-off-by: Serapheim Dimitropoulos <serapheim@delphix.com>

codecov · 2019-07-18T22:12:47Z

Codecov Report

Merging #9047 into master will decrease coverage by 0.04%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master    #9047      +/-   ##
==========================================
- Coverage   78.75%   78.71%   -0.05%     
==========================================
  Files         402      402              
  Lines      121005   121007       +2     
==========================================
- Hits        95300    95249      -51     
- Misses      25705    25758      +53

Flag	Coverage Δ
#kernel	`79.59% <100%> (+0.02%)`	⬆️
#user	`66.29% <100%> (-0.24%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a649768...7b90af2. Read the comment docs.

There exists a race condition were hdr_recl() calls zthr_wakeup() on a destroyed zthr. The timeline is the following: [1] hdr_recl() runs first and goes intro zthr_wakeup() because arc_initialized is set. [2] arc_fini() is called by another thread, zeroes that flag, destroying the zthr, and goes into buf_init(). [3] hdr_recl() tries to enter the destroyed mutex and we blow up. This patch ensures that the ARC's zthrs are not offloaded any new work once arc_initialized is set and then destroys them after all of the ARC state has been deleted. Reviewed by: Matt Ahrens <matt@delphix.com> Reviewed by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Serapheim Dimitropoulos <serapheim@delphix.com> Closes openzfs#9047

There exists a race condition were hdr_recl() calls zthr_wakeup() on a destroyed zthr. The timeline is the following: [1] hdr_recl() runs first and goes intro zthr_wakeup() because arc_initialized is set. [2] arc_fini() is called by another thread, zeroes that flag, destroying the zthr, and goes into buf_init(). [3] hdr_recl() tries to enter the destroyed mutex and we blow up. This patch ensures that the ARC's zthrs are not offloaded any new work once arc_initialized is set and then destroys them after all of the ARC state has been deleted. Reviewed by: Matt Ahrens <matt@delphix.com> Reviewed by: Brian Behlendorf <behlendorf1@llnl.gov> Signed-off-by: Serapheim Dimitropoulos <serapheim@delphix.com> Closes #9047

sdimitro requested review from ahrens and brad-lewis July 16, 2019 23:04

sdimitro added the Status: Code Review Needed Ready for review and testing label Jul 16, 2019

sdimitro force-pushed the zol-62110 branch from 38d74db to 7b90af2 Compare July 17, 2019 16:53

ahrens approved these changes Jul 17, 2019

View reviewed changes

behlendorf approved these changes Jul 18, 2019

View reviewed changes

behlendorf added Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Jul 18, 2019

behlendorf merged commit 1c44a5c into openzfs:master Jul 18, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

hdr_recl calls zthr_wakeup() on destroyed zthr #9047

hdr_recl calls zthr_wakeup() on destroyed zthr #9047

sdimitro commented Jul 16, 2019

codecov bot commented Jul 18, 2019

hdr_recl calls zthr_wakeup() on destroyed zthr #9047

hdr_recl calls zthr_wakeup() on destroyed zthr #9047

Conversation

sdimitro commented Jul 16, 2019

How Has This Been Tested?

Types of changes

Checklist:

codecov bot commented Jul 18, 2019

Codecov Report