linux-toradex.git/fs/bcachefs/subvolume.c, branch v6.17 Linux kernel for Apalis and Colibri modules bcachefs: Fix subvol to missing root repair 2025-06-04T20:45:41+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-06-02T23:48:27+00:00 29cc6fb7c068c773049d3bde14b939033893eff4 We had a bug where the root inode of a subvolume was erronously deleted: bch2_evict_inode() called bch2_inode_rm(), meaning the VFS inode's i_nlink was somehow set to 0 when it shouldn't have - the inode in the btree indicated it clearly was not unlinked. This has been addressed with additional safety checks in bch2_inode_rm() - pulling in the safety checks we already were doing when deleting unlinked inodes in recovery - but the really disastrous bug was in check_subvols(), which on finding a dangling subvol (subvol with a missing root inode) would delete the subvolume. I assume this bug dates from early check_directory_structure() code, which originally handled subvolumes and normal paths - the idea being that still live contents of the subvolume would get reattached somewhere. But that's incorrect, and disastrously so; deleting a subvolume triggers deleting the snapshot ID it points to, deleting the entire contents. The correct way to repair is to recreate the root inode if it's missing; then any contents will get reattached under that subvolume's lost+found. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
We had a bug where the root inode of a subvolume was erronously deleted:
bch2_evict_inode() called bch2_inode_rm(), meaning the VFS inode's
i_nlink was somehow set to 0 when it shouldn't have - the inode in the
btree indicated it clearly was not unlinked.

This has been addressed with additional safety checks in
bch2_inode_rm() - pulling in the safety checks we already were doing
when deleting unlinked inodes in recovery - but the really disastrous
bug was in check_subvols(), which on finding a dangling subvol (subvol
with a missing root inode) would delete the subvolume.

I assume this bug dates from early check_directory_structure() code,
which originally handled subvolumes and normal paths - the idea being
that still live contents of the subvolume would get reattached
somewhere.

But that's incorrect, and disastrously so; deleting a subvolume triggers
deleting the snapshot ID it points to, deleting the entire contents.

The correct way to repair is to recreate the root inode if it's missing;
then any contents will get reattached under that subvolume's lost+found.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: Add flags to subvolume_to_text() 2025-06-04T20:45:41+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-06-02T21:23:49+00:00 bfaac2c54694f72d08db5cfad0a1fce2a4c7e45e Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: BCH_RECOVERY_PASS_NO_RATELIMIT 2025-06-02T16:16:36+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-05-31T17:01:44+00:00 0942b852d4070e448231d2e204ac82ad47f5920a Add a superblock flag to temporarily disable ratelimiting for a recovery pass. This will be used to make check_key_has_snapshot safer: we don't want to delete a key for a missing snapshot unless we know that the snapshots and subvolumes btrees are consistent, i.e. check_snapshots and check_subvols have run recently. Changing those btrees - creating/deleting a subvolume or snapshot - will set the "disable ratelimit" flag, i.e. ensuring that those passes run if check_key_has_snapshot discovers an error. We're only disabling ratelimiting in the snapshot/subvol delete paths, we're not so concerned about the create paths. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Add a superblock flag to temporarily disable ratelimiting for a recovery
pass.

This will be used to make check_key_has_snapshot safer: we don't want to
delete a key for a missing snapshot unless we know that the snapshots
and subvolumes btrees are consistent, i.e. check_snapshots and
check_subvols have run recently.

Changing those btrees - creating/deleting a subvolume or snapshot - will
set the "disable ratelimit" flag, i.e. ensuring that those passes run if
check_key_has_snapshot discovers an error.

We're only disabling ratelimiting in the snapshot/subvol delete paths,
we're not so concerned about the create paths.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: bch_err_throw() 2025-06-02T16:16:35+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-05-28T15:57:50+00:00 09b9c72bd4b77a954123997377665fb30f1d07e1 Add a tracepoint for any time we return an error and unwind. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Add a tracepoint for any time we return an error and unwind.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: Replace rcu_read_lock() with guards 2025-06-01T04:03:12+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-05-24T20:33:39+00:00 18dad454cd16cbb4c219dbd19a0008af52eb294a The new guard(), scoped_guard() allow for more natural code. Some of the uses with creative flow control have been left. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
The new guard(), scoped_guard() allow for more natural code.

Some of the uses with creative flow control have been left.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: bch2_run_explicit_recovery_pass() cleanup 2025-05-22T00:15:04+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-05-14T19:54:20+00:00 d4b30ed90c778bd5612fc82c2a5536de66d95184 Consolidate the run_explicit_recovery_pass() interfaces by adding a flags parameter; this will also let us add a RUN_RECOVERY_PASS_ratelimit flag. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Consolidate the run_explicit_recovery_pass() interfaces by adding a
flags parameter; this will also let us add a RUN_RECOVERY_PASS_ratelimit
flag.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: snapshot delete progress indicator 2025-05-22T00:14:40+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-05-01T18:47:39+00:00 15dbd0d8146356a43003784ce38aabae32e96197 Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: Run most explicit recovery passes persistent 2025-05-22T00:14:37+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-04-26T16:39:17+00:00 7677859a47a464f1c5603077809d4bc13f2d549f If we detect an error that requires running a recovery pass, and we're not in recovery, we won't be able to fix it until the next mount - make sure we're noting in the superblock that it needs to run. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
If we detect an error that requires running a recovery pass, and we're
not in recovery, we won't be able to fix it until the next mount - make
sure we're noting in the superblock that it needs to run.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: bch_fs.writes -> enumerated_refs 2025-05-22T00:14:27+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-04-18T18:56:09+00:00 c9b1d94a2196fcfd1985ff8728b22abda400b1ac Drop the single-purpose write ref code in bcachefs.h, and convert to enumarated refs. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Drop the single-purpose write ref code in bcachefs.h, and convert to
enumarated refs.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
bcachefs: Flag for repair on missing subvolume 2025-05-22T00:14:18+00:00 Kent Overstreet kent.overstreet@linux.dev 2025-04-15T23:15:43+00:00 bdad8962c94d3e557317b3d0691a507177f27a22 Instead of going emegency read only with a bch2_fs_inconsistent() call, log the error and recovery pass appropriately. If we're still in recovery it'll be repaired immediately, otherwise it'll be repaired on the next mount. Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev> 
Instead of going emegency read only with a bch2_fs_inconsistent() call,
log the error and recovery pass appropriately.

If we're still in recovery it'll be repaired immediately, otherwise
it'll be repaired on the next mount.

Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>