From: Al Viro <viro@ZenIV.linux.org.uk>
To: Brian Foster <bfoster@redhat.com>
Cc: linux-fsdevel@vger.kernel.org, Dave Chinner <dchinner@redhat.com>,
xfs@oss.sgi.com
Subject: fs corruption exposed by "xfs: increase prealloc size to double that of the previous extent"
Date: Sat, 15 Mar 2014 21:02:16 +0000 [thread overview]
Message-ID: <20140315210216.GP18016@ZenIV.linux.org.uk> (raw)
Regression in xfstests generic/263 is quite real - what happens is
that e.g.
ltp/fsx -F -H -N 10000 -o 128000 -l 500000 -r 4096 -t 512 -w 512 -Z /mnt/junk
where /mnt is on xfs ends up with a very odd file. mmap() of its last
page has garbage in the page tail when observed on *any* kernel. Copying
that file (with cp -a) yields a copy that doesn't trigger that behaviour.
What's more, xfs_repair doesn't notice anything fishy with that sucker.
This had been introduced (or, more likely, exposed) by the commit in
question. As far as I can see, it's an on-disk corruption of some sort;
it *might* be triggered by some kind of dio-related race, but I would be
rather surprised if that had been the case - fsx is single-threaded,
after all, and making it fsync() *and* mmap/msync/munmap after each write
still produces such a file. The file contents per se is fine, it's the
page tail on mmap() that is bogus.
Filesystem image after that crap is on ftp.linux.org.uk/pub/people/viro/img.bz2;
with that image mounted on /mnt we have
; ls -l /mnt/junk
-rw-r--r-- 1 root root 444928 Mar 15 16:26 /mnt/junk
; echo $((0x6ca00))
444928
; cat >foo.c <<'EOF'
#include <unistd.h>
#include <sys/mman.h>
main(int argc, char **argv)
{
int fd = open(argv[1], 0);
char *p = (char *)mmap(0, 0xa00, PROT_READ, MAP_SHARED, fd, (off_t)0x6c000);
if (p != (char *)-1)
write(1, p + 0xa00, 4096 - 0xa00);
}
EOF
; gcc foo.c
; ./a.out /mnt/junk | od -c
<lots of garbage>
; cp -a /mnt/junk /mnt/junk1
; ./a.out /mnt/junk1 | od -c
0000000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
*
0003000
And that's essentially what makes generic/263 complain. Note, BTW, that
fallocate and hole-punching is irrelevant - test in generic/263 steps into
those, but the same thing happens with these operations disabled (by -F -H).
I've found the thread from last June where you've mentioned generic/263
regression; AFAICS, Dave's comments there had been wrong...
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
WARNING: multiple messages have this Message-ID (diff)
From: Al Viro <viro@ZenIV.linux.org.uk>
To: Brian Foster <bfoster@redhat.com>
Cc: xfs@oss.sgi.com, Dave Chinner <dchinner@redhat.com>,
linux-fsdevel@vger.kernel.org
Subject: fs corruption exposed by "xfs: increase prealloc size to double that of the previous extent"
Date: Sat, 15 Mar 2014 21:02:16 +0000 [thread overview]
Message-ID: <20140315210216.GP18016@ZenIV.linux.org.uk> (raw)
Regression in xfstests generic/263 is quite real - what happens is
that e.g.
ltp/fsx -F -H -N 10000 -o 128000 -l 500000 -r 4096 -t 512 -w 512 -Z /mnt/junk
where /mnt is on xfs ends up with a very odd file. mmap() of its last
page has garbage in the page tail when observed on *any* kernel. Copying
that file (with cp -a) yields a copy that doesn't trigger that behaviour.
What's more, xfs_repair doesn't notice anything fishy with that sucker.
This had been introduced (or, more likely, exposed) by the commit in
question. As far as I can see, it's an on-disk corruption of some sort;
it *might* be triggered by some kind of dio-related race, but I would be
rather surprised if that had been the case - fsx is single-threaded,
after all, and making it fsync() *and* mmap/msync/munmap after each write
still produces such a file. The file contents per se is fine, it's the
page tail on mmap() that is bogus.
Filesystem image after that crap is on ftp.linux.org.uk/pub/people/viro/img.bz2;
with that image mounted on /mnt we have
; ls -l /mnt/junk
-rw-r--r-- 1 root root 444928 Mar 15 16:26 /mnt/junk
; echo $((0x6ca00))
444928
; cat >foo.c <<'EOF'
#include <unistd.h>
#include <sys/mman.h>
main(int argc, char **argv)
{
int fd = open(argv[1], 0);
char *p = (char *)mmap(0, 0xa00, PROT_READ, MAP_SHARED, fd, (off_t)0x6c000);
if (p != (char *)-1)
write(1, p + 0xa00, 4096 - 0xa00);
}
EOF
; gcc foo.c
; ./a.out /mnt/junk | od -c
<lots of garbage>
; cp -a /mnt/junk /mnt/junk1
; ./a.out /mnt/junk1 | od -c
0000000 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0 \0
*
0003000
And that's essentially what makes generic/263 complain. Note, BTW, that
fallocate and hole-punching is irrelevant - test in generic/263 steps into
those, but the same thing happens with these operations disabled (by -F -H).
I've found the thread from last June where you've mentioned generic/263
regression; AFAICS, Dave's comments there had been wrong...
next reply other threads:[~2014-03-15 21:02 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-15 21:02 Al Viro [this message]
2014-03-15 21:02 ` fs corruption exposed by "xfs: increase prealloc size to double that of the previous extent" Al Viro
2014-03-16 2:21 ` Al Viro
2014-03-16 2:39 ` Al Viro
2014-03-16 2:39 ` Al Viro
2014-03-16 20:56 ` Al Viro
2014-03-16 20:56 ` Al Viro
2014-03-17 1:36 ` Dave Chinner
2014-03-17 1:36 ` Dave Chinner
2014-03-17 2:43 ` Dave Chinner
2014-03-18 1:16 ` Dave Chinner
2014-03-17 0:11 ` Dave Chinner
2014-03-17 0:11 ` Dave Chinner
2014-03-17 0:29 ` Al Viro
2014-03-17 0:29 ` Al Viro
2014-03-17 1:28 ` Al Viro
2014-03-17 1:38 ` Al Viro
2014-03-17 1:41 ` Dave Chinner
2014-03-17 1:41 ` Dave Chinner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140315210216.GP18016@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=bfoster@redhat.com \
--cc=dchinner@redhat.com \
--cc=linux-fsdevel@vger.kernel.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.