On Thu, Mar 08, 2018 at 03:03:54PM +0100, Carlos Maiolino wrote:
> Hi,
>
> On Wed, Mar 07, 2018 at 02:24:51PM -0500, Brian Foster wrote:
> > Disliked-by: Brian Foster <bfoster@xxxxxxxxxx>
> > ---
> >
> > Sent as RFC for the time being. This tests Ok on a straight xfstests run
> > and also seems to pass Darrick's agfl fixup tester (thanks) both on
> > upstream and on a rhel7 kernel with some minor supporting hacks.
> >
> > I tried to tighten up the logic a bit to reduce the odds of mistaking
> > actual corruption for a padding mismatch as much as possible. E.g.,
> > limit to cases where the agfl is wrapped, make sure we don't mistake a
> > corruption that looks like an agfl with 120 entries on a packed kernel,
> > etc.
> >
> > While I do prefer an on-demand fixup approach to a mount time scan, ISTM
> > that in either case it's impossible to completely eliminate the risk of
> > confusing corruption with a padding mismatch so long as we're doing a
> > manual agfl fixup. The more I think about that the more I really dislike
> > doing this. :(
> >
> > After some IRC discussion with djwong and sandeen, I'm wondering if the
> > existence of 'xfs_repair -d' is a good enough last resort for those
> > users who might be bit by unexpected padding issues on a typical
> > upgrade. If so, we could fall back to a safer mount-time detection model
> > that enforces a read-only mount and let the user run repair. The
> > supposition is that those who aren't prepared to repair via a ramdisk or
> > whatever should be able to 'xfs_repair -d' a rootfs that is mounted
> > read-only provided agfl padding is the only inconsistency.
> >
> > Eric points out that we can still write an unmount record for a
> > read-only mount, but I'm not sure that would be a problem if repair only
> > needs to fix the agfl. xfs_repair shouldn't touch the log unless there's
> > a recovery issue or it needs to be reformatted to update the LSN, both
> > of which seem to qualify as "you have more problems than agfl padding
> > and need to run repair anyways" to me. Thoughts?
> >
>
> Sorry if this may sound stupid, but in the possibility this can help the issue,
> or at least me learning something new.
>
> ISTM this issue is all related to the way xfs_agfl packing. I read the commit
> log where packed attribute was added to xfs_agfl, and I was wondering...
>
> What are the implications of breaking up the lsn field in xfs_agfl, in 2 __be32?
> Merge it together in a 64bit field when reading it from disk, or split it when
> writing to?
> It seems to me this would avoid the size difference we are seeing now in 32/64
> bit systems, and avoid such risk of confusion when trying to discern between a
> corrupted agfl and a padding mismatch.
>
> But still, just as reinforcement, this is just a guess, and I have no idea if
> this is feasible or not, but in case I'm completely nuts, I'll learn something
> new :)
Btw, I thought about this because once the LSN is logically separated between
cycle number and block number, it could possibly be recorded using two separated
32bit fields in xfs_agfl, but again, I don't know yet if this feasible, just my
$0.02
>
> Cheers.
>
> > Brian
> >
> > fs/xfs/libxfs/xfs_alloc.c | 147 +++++++++++++++++++++++++++++++++++++++++++++-
> > fs/xfs/xfs_mount.h | 1 +
> > fs/xfs/xfs_trace.h | 18 ++++++
> > 3 files changed, 164 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c
> > index c02781a4c091..31330996e31c 100644
> > --- a/fs/xfs/libxfs/xfs_alloc.c
> > +++ b/fs/xfs/libxfs/xfs_alloc.c
> > @@ -2054,6 +2054,136 @@ xfs_alloc_space_available(
> > }
> >
> > /*
> > + * Estimate the on-disk agfl size based on the agf state. A size mismatch due to
> > + * padding is only significant if the agfl wraps around the end or refers to an
> > + * invalid first/last value.
> > + */
> > +static int
> > +xfs_agfl_ondisk_size(
> > + struct xfs_mount *mp,
> > + int first,
> > + int last,
> > + int count)
> > +{
> > + int active = count;
> > + int agfl_size = XFS_AGFL_SIZE(mp);
> > + bool wrapped = (first > last) ? true : false;
> > +
> > + if (count && last >= first)
> > + active = last - first + 1;
> > + else if (count)
> > + active = agfl_size - first + last + 1;
> > +
> > + if (wrapped && active == count + 1)
> > + agfl_size--;
> > + else if ((wrapped && active == count - 1) ||
> > + first == agfl_size || last == agfl_size)
> > + agfl_size++;
> > +
> > + /*
> > + * We can't discern the packing problem from certain forms of corruption
> > + * that may look exactly the same. To minimize the chance of mistaking
> > + * corruption for a size mismatch, clamp the size to known valid values.
> > + * A packed header agfl has 119 entries and the older unpacked format
> > + * has one less.
> > + */
> > + if (agfl_size < 118 || agfl_size > 119)
> > + agfl_size = XFS_AGFL_SIZE(mp);
> > +
> > + return agfl_size;
> > +}
> > +
> > +static bool
> > +xfs_agfl_need_padfix(
> > + struct xfs_mount *mp,
> > + struct xfs_agf *agf)
> > +{
> > + int f = be32_to_cpu(agf->agf_flfirst);
> > + int l = be32_to_cpu(agf->agf_fllast);
> > + int c = be32_to_cpu(agf->agf_flcount);
> > +
> > + if (!xfs_sb_version_hascrc(&mp->m_sb))
> > + return false;
> > +
> > + return xfs_agfl_ondisk_size(mp, f, l, c) != XFS_AGFL_SIZE(mp);
> > +}
> > +
> > +static int
> > +xfs_agfl_check_padfix(
> > + struct xfs_trans *tp,
> > + struct xfs_buf *agbp,
> > + struct xfs_buf *agflbp,
> > + struct xfs_perag *pag)
> > +{
> > + struct xfs_mount *mp = tp->t_mountp;
> > + struct xfs_agf *agf = XFS_BUF_TO_AGF(agbp);
> > + __be32 *agfl_bno = XFS_BUF_TO_AGFL_BNO(mp, agflbp);
> > + int agfl_size = XFS_AGFL_SIZE(mp);
> > + int ofirst, olast, osize;
> > + int nfirst, nlast;
> > + int logflags = 0;
> > + int startoff = 0;
> > +
> > + if (!pag->pagf_needpadfix)
> > + return 0;
> > +
> > + ofirst = nfirst = be32_to_cpu(agf->agf_flfirst);
> > + olast = nlast = be32_to_cpu(agf->agf_fllast);
> > + osize = xfs_agfl_ondisk_size(mp, ofirst, olast, pag->pagf_flcount);
> > +
> > + /*
> > + * If the on-disk agfl is smaller than what the kernel expects, the
> > + * last slot of the on-disk agfl is a gap with bogus data. Move the
> > + * first valid block into the gap and bump the pointer.
> > + */
> > + if (osize < agfl_size) {
> > + ASSERT(pag->pagf_flcount != 0);
> > + agfl_bno[agfl_size - 1] = agfl_bno[ofirst];
> > + startoff = (char *) &agfl_bno[agfl_size - 1] - (char *) agflbp->b_addr;
> > + nfirst++;
> > + goto done;
> > + }
> > +
> > + /*
> > + * Otherwise, the on-disk agfl is larger than what the current kernel
> > + * expects. If empty, just fix up the first and last pointers. If not,
> > + * move the inaccessible block to the end of the valid range.
> > + */
> > + nfirst = do_mod(nfirst, agfl_size);
> > + if (pag->pagf_flcount == 0) {
> > + nlast = (nfirst == 0 ? agfl_size - 1 : nfirst - 1);
> > + goto done;
> > + }
> > + if (nlast != agfl_size)
> > + nlast++;
> > + nlast = do_mod(nlast, agfl_size);
> > + agfl_bno[nlast] = agfl_bno[osize - 1];
> > + startoff = (char *) &agfl_bno[nlast] - (char *) agflbp->b_addr;
> > +
> > +done:
> > + if (nfirst != ofirst) {
> > + agf->agf_flfirst = cpu_to_be32(nfirst);
> > + logflags |= XFS_AGF_FLFIRST;
> > + }
> > + if (nlast != olast) {
> > + agf->agf_fllast = cpu_to_be32(nlast);
> > + logflags |= XFS_AGF_FLLAST;
> > + }
> > + if (startoff) {
> > + xfs_trans_buf_set_type(tp, agflbp, XFS_BLFT_AGFL_BUF);
> > + xfs_trans_log_buf(tp, agflbp, startoff,
> > + startoff + sizeof(xfs_agblock_t) - 1);
> > + }
> > + if (logflags)
> > + xfs_alloc_log_agf(tp, agbp, logflags);
> > +
> > + trace_xfs_agfl_padfix(mp, osize, agfl_size);
> > + pag->pagf_needpadfix = false;
> > +
> > + return 0;
> > +}
> > +
> > +/*
> > * Decide whether to use this allocation group for this allocation.
> > * If so, fix up the btree freelist's size.
> > */
> > @@ -2258,6 +2388,12 @@ xfs_alloc_get_freelist(
> > if (error)
> > return error;
> >
> > + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
> > + error = xfs_agfl_check_padfix(tp, agbp, agflbp, pag);
> > + if (error) {
> > + xfs_perag_put(pag);
> > + return error;
> > + }
> >
> > /*
> > * Get the block number and update the data structures.
> > @@ -2269,7 +2405,6 @@ xfs_alloc_get_freelist(
> > if (be32_to_cpu(agf->agf_flfirst) == XFS_AGFL_SIZE(mp))
> > agf->agf_flfirst = 0;
> >
> > - pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
> > be32_add_cpu(&agf->agf_flcount, -1);
> > xfs_trans_agflist_delta(tp, -1);
> > pag->pagf_flcount--;
> > @@ -2376,11 +2511,18 @@ xfs_alloc_put_freelist(
> > if (!agflbp && (error = xfs_alloc_read_agfl(mp, tp,
> > be32_to_cpu(agf->agf_seqno), &agflbp)))
> > return error;
> > +
> > + pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
> > + error = xfs_agfl_check_padfix(tp, agbp, agflbp, pag);
> > + if (error) {
> > + xfs_perag_put(pag);
> > + return error;
> > + }
> > +
> > be32_add_cpu(&agf->agf_fllast, 1);
> > if (be32_to_cpu(agf->agf_fllast) == XFS_AGFL_SIZE(mp))
> > agf->agf_fllast = 0;
> >
> > - pag = xfs_perag_get(mp, be32_to_cpu(agf->agf_seqno));
> > be32_add_cpu(&agf->agf_flcount, 1);
> > xfs_trans_agflist_delta(tp, 1);
> > pag->pagf_flcount++;
> > @@ -2588,6 +2730,7 @@ xfs_alloc_read_agf(
> > pag->pagb_count = 0;
> > pag->pagb_tree = RB_ROOT;
> > pag->pagf_init = 1;
> > + pag->pagf_needpadfix = xfs_agfl_need_padfix(mp, agf);
> > }
> > #ifdef DEBUG
> > else if (!XFS_FORCED_SHUTDOWN(mp)) {
> > diff --git a/fs/xfs/xfs_mount.h b/fs/xfs/xfs_mount.h
> > index e0792d036be2..78a6377a9b38 100644
> > --- a/fs/xfs/xfs_mount.h
> > +++ b/fs/xfs/xfs_mount.h
> > @@ -353,6 +353,7 @@ typedef struct xfs_perag {
> > char pagi_inodeok; /* The agi is ok for inodes */
> > uint8_t pagf_levels[XFS_BTNUM_AGF];
> > /* # of levels in bno & cnt btree */
> > + bool pagf_needpadfix;
> > uint32_t pagf_flcount; /* count of blocks in freelist */
> > xfs_extlen_t pagf_freeblks; /* total free blocks */
> > xfs_extlen_t pagf_longest; /* longest free space */
> > diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h
> > index 945de08af7ba..c7a3bcd6cc4a 100644
> > --- a/fs/xfs/xfs_trace.h
> > +++ b/fs/xfs/xfs_trace.h
> > @@ -3339,6 +3339,24 @@ TRACE_EVENT(xfs_trans_resv_calc,
> > __entry->logflags)
> > );
> >
> > +TRACE_EVENT(xfs_agfl_padfix,
> > + TP_PROTO(struct xfs_mount *mp, int osize, int nsize),
> > + TP_ARGS(mp, osize, nsize),
> > + TP_STRUCT__entry(
> > + __field(dev_t, dev)
> > + __field(int, osize)
> > + __field(int, nsize)
> > + ),
> > + TP_fast_assign(
> > + __entry->dev = mp->m_super->s_dev;
> > + __entry->osize = osize;
> > + __entry->nsize = nsize;
> > + ),
> > + TP_printk("dev %d:%d old size %d new size %d",
> > + MAJOR(__entry->dev), MINOR(__entry->dev),
> > + __entry->osize, __entry->nsize)
> > +);
> > +
> > #endif /* _TRACE_XFS_H */
> >
> > #undef TRACE_INCLUDE_PATH
> > --
> > 2.13.6
> >
> > --
> > To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
> > the body of a message to majordomo@xxxxxxxxxxxxxxx
> > More majordomo info at http://vger.kernel.org/majordomo-info.html
>
> --
> Carlos
--
Carlos
--
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
