Prevent user accounting on readonly pool

Trying to mount a dataset from a readonly pool could inadvertently start
the user accounting upgrade task, leading to the following failure:

VERIFY3(tx->tx_threads == 2) failed (0 == 2)
PANIC at txg.c:680:txg_wait_synced()
Showing stack for process 2541
CPU: 2 PID: 2541 Comm: z_upgrade Tainted: P           O  3.16.0-4-amd64 #1 Debian 3.16.51-3
Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
Call Trace:
 [<0>] ? dump_stack+0x5d/0x78
 [<0>] ? spl_panic+0xc9/0x110 [spl]
 [<0>] ? dnode_next_offset+0x1d4/0x2c0 [zfs]
 [<0>] ? dmu_object_next+0x77/0x130 [zfs]
 [<0>] ? dnode_rele_and_unlock+0x4d/0x120 [zfs]
 [<0>] ? txg_wait_synced+0x91/0x220 [zfs]
 [<0>] ? dmu_objset_id_quota_upgrade_cb+0x10f/0x140 [zfs]
 [<0>] ? dmu_objset_upgrade_task_cb+0xe3/0x170 [zfs]
 [<0>] ? taskq_thread+0x2cc/0x5d0 [spl]
 [<0>] ? wake_up_state+0x10/0x10
 [<0>] ? taskq_thread_should_stop.part.3+0x70/0x70 [spl]
 [<0>] ? kthread+0xbd/0xe0
 [<0>] ? kthread_create_on_node+0x180/0x180
 [<0>] ? ret_from_fork+0x58/0x90
 [<0>] ? kthread_create_on_node+0x180/0x180

This patch updates both functions responsible for checking if we can
perform user accounting to verify the pool is not readonly.

Reviewed-by: Alek Pinchuk <[email protected]>
Reviewed-by: Brian Behlendorf <[email protected]>
Signed-off-by: loli10K <[email protected]>
Closes openzfs#8424

module/zfs/dmu_objset.c

@@ -2433,7 +2433,8 @@ dmu_objset_userobjspace_upgradable(objset_t *os)
 	return (dmu_objset_type(os) == DMU_OST_ZFS &&
 	    !dmu_objset_is_snapshot(os) &&
 	    dmu_objset_userobjused_enabled(os) &&
-	    !dmu_objset_userobjspace_present(os));
+	    !dmu_objset_userobjspace_present(os) &&
+	    spa_writeable(dmu_objset_spa(os)));
 }
 
 boolean_t
@@ -2442,7 +2443,8 @@ dmu_objset_projectquota_upgradable(objset_t *os)
 	return (dmu_objset_type(os) == DMU_OST_ZFS &&
 	    !dmu_objset_is_snapshot(os) &&
 	    dmu_objset_projectquota_enabled(os) &&
-	    !dmu_objset_projectquota_present(os));
+	    !dmu_objset_projectquota_present(os) &&
+	    spa_writeable(dmu_objset_spa(os)));
 }
 
 void

tests/runfiles/linux.run

@@ -841,7 +841,8 @@ tests = ['truncate_001_pos', 'truncate_002_pos', 'truncate_timestamps']
 tags = ['functional', 'truncate']
 
 [tests/functional/upgrade]
-tests = ['upgrade_userobj_001_pos', 'upgrade_projectquota_001_pos']
+tests = ['upgrade_userobj_001_pos', 'upgrade_projectquota_001_pos',
+    'upgrade_readonly_pool']
 tags = ['functional', 'upgrade']
 
 [tests/functional/user_namespace]

tests/zfs-tests/tests/functional/upgrade/Makefile.am

@@ -3,7 +3,8 @@ dist_pkgdata_SCRIPTS = \
 	setup.ksh \
 	cleanup.ksh \
 	upgrade_userobj_001_pos.ksh \
-	upgrade_projectquota_001_pos.ksh
+	upgrade_projectquota_001_pos.ksh \
+	upgrade_readonly_pool.ksh
 
 dist_pkgdata_DATA = \
 	upgrade_common.kshlib

tests/zfs-tests/tests/functional/upgrade/upgrade_readonly_pool.ksh

@@ -0,0 +1,66 @@
+#!/bin/ksh -p
+#
+# This file and its contents are supplied under the terms of the
+# Common Development and Distribution License ("CDDL"), version 1.0.
+# You may only use this file in accordance with the terms of version
+# 1.0 of the CDDL.
+#
+# A full copy of the text of the CDDL should have accompanied this
+# source.  A copy of the CDDL is also available via the Internet at
+# http://www.illumos.org/license/CDDL.
+#
+
+#
+# Copyright 2019, loli10K <[email protected]>. All rights reserved.
+#
+
+. $STF_SUITE/tests/functional/upgrade/upgrade_common.kshlib
+
+#
+# DESCRIPTION:
+# User accounting upgrade should not be executed on readonly pool
+#
+# STRATEGY:
+# 1. Create a pool with the feature@userobj_accounting disabled to simulate
+#    a legacy pool from a previous ZFS version.
+# 2. Create a file on the "legecy" dataset and store its checksum
+# 3. Enable feature@userobj_accounting on the pool and verify it is only
+#    "enabled" and not "active": upgrading starts when the filesystem is mounted
+# 4. Export the pool and re-import is readonly, without mounting any filesystem
+# 5. Try to mount the root dataset manually without the "ro" option, then verify
+#    filesystem status and the pool feature status (not "active") to ensure the
+#    pool "readonly" status is enforced.
+#
+
+verify_runnable "global"
+
+TESTFILE="$TESTDIR/file.bin"
+
+log_assert "User accounting upgrade should not be executed on readonly pool"
+log_onexit cleanup_upgrade
+
+# 1. Create a pool with the feature@userobj_accounting disabled to simulate
+#    a legacy pool from a previous ZFS version.
+log_must zpool create -d -m $TESTDIR $TESTPOOL $TMPDEV
+
+# 2. Create a file on the "legecy" dataset
+log_must touch $TESTDIR/file.bin
+
+# 3. Enable feature@userobj_accounting on the pool and verify it is only
+#    "enabled" and not "active": upgrading starts when the filesystem is mounted
+log_must zpool set feature@userobj_accounting=enabled $TESTPOOL
+log_must test "enabled" == "$(get_pool_prop 'feature@userobj_accounting' $TESTPOOL)"
+
+# 4. Export the pool and re-import is readonly, without mounting any filesystem
+log_must zpool export $TESTPOOL
+log_must zpool import -o readonly=on -N -d "$(dirname $TMPDEV)" $TESTPOOL
+
+# 5. Try to mount the root dataset manually without the "ro" option, then verify
+#    filesystem status and the pool feature status (not "active") to ensure the
+#    pool "readonly" status is enforced.
+log_must mount -t zfs -o zfsutil $TESTPOOL $TESTDIR
+log_must stat "$TESTFILE"
+log_mustnot touch "$TESTFILE"
+log_must test "enabled" == "$(get_pool_prop 'feature@userobj_accounting' $TESTPOOL)"
+
+log_pass "User accounting upgrade is not executed on readonly pool"