Bcc: Subject: Re: [PATCH v2 4/4] overlay: Add rudimentary checking of writeback errseq on volatile remount Reply-To: In-Reply-To: <20201130193342.GD14328@xxxxxxxxxx> On Mon, Nov 30, 2020 at 02:33:42PM -0500, Vivek Goyal wrote: > On Fri, Nov 27, 2020 at 01:20:58AM -0800, Sargun Dhillon wrote: > > Volatile remounts validate the following at the moment: > > * Has the module been reloaded / the system rebooted > > * Has the workdir been remounted > > > > This adds a new check for errors detected via the superblock's > > errseq_t. At mount time, the errseq_t is snapshotted to disk, > > and upon remount it's re-verified. This allows for kernel-level > > detection of errors without forcing userspace to perform a > > sync and allows for the hidden detection of writeback errors. > > > > Signed-off-by: Sargun Dhillon <sargun@xxxxxxxxx> > > Cc: linux-fsdevel@xxxxxxxxxxxxxxx > > Cc: linux-unionfs@xxxxxxxxxxxxxxx > > Cc: Miklos Szeredi <miklos@xxxxxxxxxx> > > Cc: Amir Goldstein <amir73il@xxxxxxxxx> > > Cc: Vivek Goyal <vgoyal@xxxxxxxxxx> > > --- > > fs/overlayfs/overlayfs.h | 1 + > > fs/overlayfs/readdir.c | 6 ++++++ > > fs/overlayfs/super.c | 1 + > > 3 files changed, 8 insertions(+) > > > > diff --git a/fs/overlayfs/overlayfs.h b/fs/overlayfs/overlayfs.h > > index de694ee99d7c..e8a711953b64 100644 > > --- a/fs/overlayfs/overlayfs.h > > +++ b/fs/overlayfs/overlayfs.h > > @@ -85,6 +85,7 @@ struct ovl_volatile_info { > > */ > > uuid_t ovl_boot_id; /* Must stay first member */ > > u64 s_instance_id; > > + errseq_t errseq; /* Implemented as a u32 */ > > } __packed; > > > > /* > > diff --git a/fs/overlayfs/readdir.c b/fs/overlayfs/readdir.c > > index 7b66fbb20261..5795b28bb4cf 100644 > > --- a/fs/overlayfs/readdir.c > > +++ b/fs/overlayfs/readdir.c > > @@ -1117,6 +1117,12 @@ static int ovl_verify_volatile_info(struct ovl_fs *ofs, > > return -EINVAL; > > } > > > > + err = errseq_check(&volatiledir->d_sb->s_wb_err, info.errseq); > > Might be a stupid question. Will ask anyway. > > But what protects against wrapping of counter. IOW, Say we stored info.errseq > value as A. It is possible that bunch of errors occurred and at remount > time ->s_wb_err is back to A and we pass the check. (Despite the fact lots > of errors have occurred since we sampled). > > Thanks > Vivek > +Jeff Layton <jlayton@xxxxxxxxxx> Nothing. The current errseq API works like this today where if you have 2^20 (1048576) errors, and syncfs (or other calls that mark the errseq as seen), and the error that occured 1048575 times ago was the same error as you just last had, and the error on the upperdir has already been marked as seen, the error will be swallowed up silently. This exists throughout all of VFS. I think we're potentially making this more likely by checkpointing to disk. The one aspect which is a little different about the usecase in the patch is that it relies on this mechanism to determine if an error has occured after the entire FS was constructed, so it's somewhat more consequential than the current issue in VFS which will just bubble up errors in a few files. On my system syncfs takes about 2 milliseconds, so you have a chance to experience this every ~30 minutes if the syscalls align in the right way. If we expanded the errseq_t to u64, we would potentially get a collision every 4503599627370496 calls, or assuming the 2 millisecond invariant holds, every 285 years. Now, we probably don't want to make errseq_t into a u64 because of performance reasons (not all systems have native u64 cmpxchg), and the extra memory it'd take up. If we really want to avoid this case, I can think of one "simple" solution, which is something like laying out errseq_t as something like a errseq_t_src that's 64-bits, and all readers just look at the lower 32-bits. The longer errseq_t would exist on super_blocks, but files would still get the shorter one. To potentially avoid the performance penalty of atomic longs, we could also do something like this: typedef struct { atomic_t overflow; u32 errseq; } errseq_t_big; And in errseq_set, do: /* Wraps */ if (new < old) atomic_inc(&eseq->overflow); *shrug* I don't think that the above scenario is likely though.