On Mon, Mar 22, 2021 at 09:29:44AM -0700, Darrick J. Wong wrote: > On Mon, Mar 22, 2021 at 11:07:09AM -0400, Brian Foster wrote: > > On Sat, Mar 20, 2021 at 09:40:07AM -0700, Darrick J. Wong wrote: > > > From: Darrick J. Wong <djwong@xxxxxxxxxx> > > > > > > While running some fuzz tests on inode metadata, I noticed that the > > > filesystem health report (as provided by xfs_spaceman) failed to report > > > the file corruption even when spaceman was run immediately after running > > > xfs_scrub to detect the corruption. That isn't the intended behavior; > > > one ought to be able to run scrub to detect errors in the ondisk > > > metadata and be able to access to those reports for some time after the > > > scrub. > > > > > > After running the same sequence through an instrumented kernel, I > > > discovered the reason why -- scrub igets the file, scans it, marks it > > > sick, and ireleases the inode. When the VFS lets go of the incore > > > inode, it moves to RECLAIMABLE state. If spaceman igets the incore > > > inode before it moves to RECLAIM state, iget reinitializes the VFS > > > state, clears the sick and checked masks, and hands back the inode. At > > > this point, the caller has the exact same incore inode, but with all the > > > health state erased. > > > > > > > So this requires some degree of cache pressure to reproduce, right? > > None at all, actually -- xfs_scrub uses bulkstat to find inodes to > scrub. Bulkstat sets I_DONTCACHE on the files it reads, so the VFS > drops the inode (if there are no dentries or the dentries are also > marked DONTCACHE) as soon as irele drops the refcount to zero. > Ah, I see. So in the DONTCACHE case, the inode release translates to immediate eviction and thus immediate reclaimable status. > IOWs, the fuzz test can do this on an idle system: > > # xfs_db -x -c 'inode XXX' -c 'fuzz -d core.blah random' /dev/sda > # mount /dev/sda /mnt > # xfs_scrub -d -T -v -n /mnt/ > Corruption: inode XXX record > # xfs_spaceman -c 'health -c' /mnt/ > > and spaceman doesn't report the corruption that we /just/ found. > > > I.e., the inode likely does not immediately go to reclaimable state on > > release, but rather the vfs eventually decides to evict and we > > inactivate from there. If we grab the inode after that point, it > > effectively behaves as if the inode structure was freed and we re-read > > from disk because we cleared health state earlier than necessary. > > Right. > > > If I'm following that correctly, do you observe a noticeable impact in > > terms of health state lifetime? The change seems reasonable, I'm just > > wondering how much longer we'd expect to have this information available > > after vfs eviction occurs and if/how that impacts userspace scrub > > behavior. > > I notice /some/ increase in health state lifetime. With the patch > applied the shell code above works as intended (spaceman reports inode > XXX is broken) so long as inode reclaim doesn't run before spaceman. > Because these days reclaim is triggered by the AIL releasing the inodes, > this means that spaceman only has to be run before the next fsync or the > log force expiration. > Not sure what you mean by AIL releasing inodes associated with a scrub scan.. does scrub dirty unhealthy inodes? Regardless, it seems like we're still potentially racing with an actual reclaim and thus loss of health state is still technically possible, just made noticeably less likely in certain cases by this patch (due to I_DONTCACHE)... > Similarly, if a different user program open()s the inode after a scan, > then the health state will stick around as long as there hasn't been > enough memory pressure to push the inode out of memory for real. > > My development tree also contains a patchset that adds the ability for > inode reclaim to notice that it's freeing an inode that had health > problems, and record in the per-AG health state that some inode > somewhere in that AG had a problem, but that's for a future submission. > This will close the hole that inode health state perishes rather quickly > under memory pressure. > ... and presumably eventually addressed by perag tracking. That all seems reasonable to me. Thanks for the details: Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx> > --D > > > Brian > > > > > In other words, we're erasing the incore inode's health state flags when > > > we've decided NOT to sever the link between the incore inode and the > > > ondisk inode. This is wrong, so we need to remove the lines that zero > > > the fields from xfs_iget_cache_hit. > > > > > > As a precaution, we add the same lines into xfs_reclaim_inode just after > > > we sever the link between incore and ondisk inode. Strictly speaking > > > this isn't necessary because once an inode has gone through reclaim it > > > must go through xfs_inode_alloc (which also zeroes the state) and > > > xfs_iget is careful to check for mismatches between the inode it pulls > > > out of the radix tree and the one it wants. > > > > > > Fixes: 6772c1f11206 ("xfs: track metadata health status") > > > Signed-off-by: Darrick J. Wong <djwong@xxxxxxxxxx> > > > --- > > > fs/xfs/xfs_icache.c | 4 ++-- > > > 1 file changed, 2 insertions(+), 2 deletions(-) > > > > > > diff --git a/fs/xfs/xfs_icache.c b/fs/xfs/xfs_icache.c > > > index 595bda69b18d..5325fa28d099 100644 > > > --- a/fs/xfs/xfs_icache.c > > > +++ b/fs/xfs/xfs_icache.c > > > @@ -587,8 +587,6 @@ xfs_iget_cache_hit( > > > ip->i_flags |= XFS_INEW; > > > xfs_inode_clear_reclaim_tag(pag, ip->i_ino); > > > inode->i_state = I_NEW; > > > - ip->i_sick = 0; > > > - ip->i_checked = 0; > > > > > > spin_unlock(&ip->i_flags_lock); > > > spin_unlock(&pag->pag_ici_lock); > > > @@ -1205,6 +1203,8 @@ xfs_reclaim_inode( > > > spin_lock(&ip->i_flags_lock); > > > ip->i_flags = XFS_IRECLAIM; > > > ip->i_ino = 0; > > > + ip->i_sick = 0; > > > + ip->i_checked = 0; > > > spin_unlock(&ip->i_flags_lock); > > > > > > xfs_iunlock(ip, XFS_ILOCK_EXCL); > > > > > >