Btrfs: make filesystem read-only when submitting barrier fails

So far the return code of barrier_all_devices() is ignored, which
means that errors are ignored. The result can be a corrupt
filesystem which is not consistent.
This commit adds code to evaluate the return code of
barrier_all_devices(). The normal btrfs_error() mechanism is used to
switch the filesystem into read-only mode when errors are detected.

In order to decide whether barrier_all_devices() should return
error or success, the number of disks that are allowed to fail the
barrier submission is calculated. This calculation accounts for the
worst RAID level of metadata, system and data. If single, dup or
RAID0 is in use, a single disk error is already considered to be
fatal. Otherwise a single disk error is tolerated.

The calculation of the number of disks that are tolerated to fail
the barrier operation is performed when the filesystem gets mounted,
when a balance operation is started and finished, and when devices
are added or removed.

Signed-off-by: Stefan Behrens <sbehrens@giantdisaster.de>

1 files changed, 30 insertions, 0 deletions

diff --git a/fs/btrfs/volumes.c b/fs/btrfs/volumes.c
index dfe5e3a22f55..029b903a4ae3 100644
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -1475,6 +1475,9 @@ int btrfs_rm_device(struct btrfs_root *root, char *device_path)
                 free_fs_devices(cur_devices);
         }
 
+        root->fs_info->num_tolerated_disk_barrier_failures =
+                btrfs_calc_num_tolerated_disk_barrier_failures(root->fs_info);
+
         /*
          * at this point, the device is zero sized.  We want to
          * remove it from the devices list and zero out the old super
@@ -1799,6 +1802,8 @@ int btrfs_init_new_device(struct btrfs_root *root, char *device_path)
         btrfs_clear_space_info_full(root->fs_info);
 
         unlock_chunks(root);
+        root->fs_info->num_tolerated_disk_barrier_failures =
+                btrfs_calc_num_tolerated_disk_barrier_failures(root->fs_info);
         ret = btrfs_commit_transaction(trans, root);
 
         if (seeding_dev) {
@@ -2809,6 +2814,26 @@ int btrfs_balance(struct btrfs_balance_control *bctl,
                 }
         }
 
+        if (bctl->sys.flags & BTRFS_BALANCE_ARGS_CONVERT) {
+                int num_tolerated_disk_barrier_failures;
+                u64 target = bctl->sys.target;
+
+                num_tolerated_disk_barrier_failures =
+                        btrfs_calc_num_tolerated_disk_barrier_failures(fs_info);
+                if (num_tolerated_disk_barrier_failures > 0 &&
+                    (target &
+                     (BTRFS_BLOCK_GROUP_DUP | BTRFS_BLOCK_GROUP_RAID0 |
+                      BTRFS_AVAIL_ALLOC_BIT_SINGLE)))
+                        num_tolerated_disk_barrier_failures = 0;
+                else if (num_tolerated_disk_barrier_failures > 1 &&
+                         (target &
+                          (BTRFS_BLOCK_GROUP_RAID1 | BTRFS_BLOCK_GROUP_RAID10)))
+                        num_tolerated_disk_barrier_failures = 1;
+
+                fs_info->num_tolerated_disk_barrier_failures =
+                        num_tolerated_disk_barrier_failures;
+        }
+
         ret = insert_balance_item(fs_info->tree_root, bctl);
         if (ret && ret != -EEXIST)
                 goto out;
@@ -2841,6 +2866,11 @@ int btrfs_balance(struct btrfs_balance_control *bctl,
                 __cancel_balance(fs_info);
         }
 
+        if (bctl->sys.flags & BTRFS_BALANCE_ARGS_CONVERT) {
+                fs_info->num_tolerated_disk_barrier_failures =
+                        btrfs_calc_num_tolerated_disk_barrier_failures(fs_info);
+        }
+
         wake_up(&fs_info->balance_wait_q);
 
         return ret;