This is a note to let you know that I've just added the patch titled
xfs: always verify the log tail during recovery
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xfs-always-verify-the-log-tail-during-recovery.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Mon Sep 18 10:16:36 CEST 2017
From: Christoph Hellwig <hch@xxxxxx>
Date: Sun, 17 Sep 2017 14:06:52 -0700
Subject: xfs: always verify the log tail during recovery
To: stable@xxxxxxxxxxxxxxx
Cc: linux-xfs@xxxxxxxxxxxxxxx, Brian Foster <bfoster@xxxxxxxxxx>, "Darrick J . Wong" <darrick.wong@xxxxxxxxxx>
Message-ID: <20170917210712.10804-28-hch@xxxxxx>
From: Brian Foster <bfoster@xxxxxxxxxx>
commit 5297ac1f6d7cbf45464a49b9558831f271dfc559 upstream.
Log tail verification currently only occurs when torn writes are
detected at the head of the log. This was introduced because a
change in the head block due to torn writes can lead to a change in
the tail block (each log record header references the current tail)
and the tail block should be verified before log recovery proceeds.
Tail corruption is possible outside of torn write scenarios,
however. For example, partial log writes can be detected and cleared
during the initial head/tail block discovery process. If the partial
write coincides with a tail overwrite, the log tail is corrupted and
recovery fails.
To facilitate correct handling of log tail overwites, update log
recovery to always perform tail verification. This is necessary to
detect potential tail overwrite conditions when torn writes may not
have occurred. This changes normal (i.e., no torn writes) recovery
behavior slightly to detect and return CRC related errors near the
tail before actual recovery starts.
Signed-off-by: Brian Foster <bfoster@xxxxxxxxxx>
Reviewed-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/xfs/xfs_log_recover.c | 26 +++-----------------------
1 file changed, 3 insertions(+), 23 deletions(-)
--- a/fs/xfs/xfs_log_recover.c
+++ b/fs/xfs/xfs_log_recover.c
@@ -1183,31 +1183,11 @@ xlog_verify_head(
ASSERT(0);
return 0;
}
-
- /*
- * Now verify the tail based on the updated head. This is
- * required because the torn writes trimmed from the head could
- * have been written over the tail of a previous record. Return
- * any errors since recovery cannot proceed if the tail is
- * corrupt.
- *
- * XXX: This leaves a gap in truly robust protection from torn
- * writes in the log. If the head is behind the tail, the tail
- * pushes forward to create some space and then a crash occurs
- * causing the writes into the previous record's tail region to
- * tear, log recovery isn't able to recover.
- *
- * How likely is this to occur? If possible, can we do something
- * more intelligent here? Is it safe to push the tail forward if
- * we can determine that the tail is within the range of the
- * torn write (e.g., the kernel can only overwrite the tail if
- * it has actually been pushed forward)? Alternatively, could we
- * somehow prevent this condition at runtime?
- */
- error = xlog_verify_tail(log, *head_blk, *tail_blk);
}
+ if (error)
+ return error;
- return error;
+ return xlog_verify_tail(log, *head_blk, *tail_blk);
}
/*
Patches currently in stable-queue which might be from hch@xxxxxx are
queue-4.9/xfs-open-code-xfs_buf_item_dirty.patch
queue-4.9/xfs-properly-retry-failed-inode-items-in-case-of-error-during-buffer-writeback.patch
queue-4.9/xfs-use-kmem_free-to-free-return-value-of-kmem_zalloc.patch
queue-4.9/xfs-fix-inobt-inode-allocation-search-optimization.patch
queue-4.9/xfs-add-infrastructure-needed-for-error-propagation-during-buffer-io-failure.patch
queue-4.9/xfs-try-to-avoid-blowing-out-the-transaction-reservation-when-bunmaping-a-shared-extent.patch
queue-4.9/xfs-don-t-set-v3-xflags-for-v2-inodes.patch
queue-4.9/xfs-free-cowblocks-and-retry-on-buffered-write-enospc.patch
queue-4.9/xfs-add-log-recovery-tracepoint-for-head-tail.patch
queue-4.9/xfs-toggle-readonly-state-around-xfs_log_mount_finish.patch
queue-4.9/xfs-fix-log-recovery-corruption-error-due-to-tail-overwrite.patch
queue-4.9/xfs-move-bmbt-owner-change-to-last-step-of-extent-swap.patch
queue-4.9/xfs-set-firstfsb-to-nullfsblock-before-feeding-it-to-_bmapi_write.patch
queue-4.9/xfs-fix-quotacheck-dquot-id-overflow-infinite-loop.patch
queue-4.9/xfs-remove-bli-from-ail-before-release-on-transaction-abort.patch
queue-4.9/xfs-check-_btree_check_block-value.patch
queue-4.9/xfs-check-for-race-with-xfs_reclaim_inode-in-xfs_ifree_cluster.patch
queue-4.9/xfs-always-verify-the-log-tail-during-recovery.patch
queue-4.9/xfs-open-code-end_buffer_async_write-in-xfs_finish_page_writeback.patch
queue-4.9/xfs-relog-dirty-buffers-during-swapext-bmbt-owner-change.patch
queue-4.9/xfs-don-t-allow-bmap-on-rt-files.patch
queue-4.9/xfs-disable-per-inode-dax-flag.patch
queue-4.9/xfs-refactor-buffer-logging-into-buffer-dirtying-helper.patch
queue-4.9/xfs-fix-recovery-failure-when-log-record-header-wraps-log-end.patch
queue-4.9/xfs-free-uncommitted-transactions-during-log-recovery.patch
queue-4.9/xfs-skip-bmbt-block-ino-validation-during-owner-change.patch
queue-4.9/xfs-don-t-log-dirty-ranges-for-ordered-buffers.patch
queue-4.9/xfs-stop-searching-for-free-slots-in-an-inode-chunk-when-there-are-none.patch
queue-4.9/xfs-fix-incorrect-log_flushed-on-fsync.patch
queue-4.9/xfs-evict-all-inodes-involved-with-log-redo-item.patch
queue-4.9/xfs-write-unmount-record-for-ro-mounts.patch
queue-4.9/xfs-clear-ms_active-after-finishing-log-recovery.patch
queue-4.9/xfs-don-t-crash-on-unexpected-holes-in-dir-attr-btrees.patch
queue-4.9/xfs-fix-spurious-spin_is_locked-assert-failures-on-non-smp-kernels.patch
queue-4.9/xfs-fix-per-inode-dax-flag-inheritance.patch
queue-4.9/xfs-fix-multi-ag-deadlock-in-xfs_bunmapi.patch
queue-4.9/xfs-remove-unnecessary-dirty-bli-format-check-for-ordered-bufs.patch
queue-4.9/xfs-disallow-marking-previously-dirty-buffers-as-ordered.patch
queue-4.9/xfs-handle-efscorrupted-during-head-tail-verification.patch
queue-4.9/xfs-release-bli-from-transaction-properly-on-fs-shutdown.patch
queue-4.9/iomap-fix-integer-truncation-issues-in-the-zeroing-and-dirtying-helpers.patch
queue-4.9/xfs-don-t-leak-quotacheck-dquots-when-cow-recovery.patch
queue-4.9/xfs-ordered-buffer-log-items-are-never-formatted.patch
queue-4.9/xfs-check-_alloc_read_agf-buffer-pointer-before-using.patch
queue-4.9/xfs-remove-xfs_trans_ail_delete_bulk.patch