From: Dave Chinner <david@fromorbit.com>
To: Brian Foster <bfoster@redhat.com>
Cc: fstests@vger.kernel.org, xfs@oss.sgi.com
Subject: Re: [PATCH] xfs/053: test for stale data exposure via falloc/writeback interaction
Date: Mon, 29 Sep 2014 13:32:44 +1000 [thread overview]
Message-ID: <20140929033244.GL4758@dastard> (raw)
In-Reply-To: <1411756349-4537-1-git-send-email-bfoster@redhat.com>
On Fri, Sep 26, 2014 at 02:32:29PM -0400, Brian Foster wrote:
> XFS buffered I/O writeback has a subtle race condition that leads to
> stale data exposure if the filesystem happens to crash after delayed
> allocation blocks are converted on disk and before data is written back
> to said blocks.
>
> Use file allocation commands to attempt to reproduce a related, but
> slightly different variant of this problem. The associated falloc
> commands can lead to partial writeback that converts an extent larger
> than the range affected by falloc. If the filesystem crashes after the
> extent conversion but before all other cached data is written to the
> extent, stale data can be exposed.
>
> Signed-off-by: Brian Foster <bfoster@redhat.com>
> ---
>
> This fell out of a combination of a conversation with Dave about XFS
> writeback and buffer/cache coherency and some hacking I'm doing on the
> XFS zero range implementation. Note that fpunch currently fails the
> test. Also, this test is XFS specific primarily due to the use of
> godown.
.....
> +_crashtest()
> +{
> + cmd=$1
> + img=$SCRATCH_MNT/$seq.img
> + mnt=$SCRATCH_MNT/$seq.mnt
> + file=$mnt/file
> +
> + # Create an fs on a small, initialized image. The pattern is written to
> + # the image to detect stale data exposure.
> + $XFS_IO_PROG -f -c "truncate 0" -c "pwrite 0 25M" $img \
> + >> $seqres.full 2>&1
> + $MKFS_XFS_PROG $MKFS_OPTIONS $img >> $seqres.full 2>&1
> +
> + mkdir -p $mnt
> + mount $img $mnt
> +
> + echo $cmd
> +
> + # write, run the test command and shutdown the fs
> + $XFS_IO_PROG -f -c "pwrite -S 1 0 64k" -c "$cmd 60k 4k" $file | \
> + _filter_xfs_io
So at this point the file is correctly 64k in size in memory.
> + ./src/godown -f $mnt
And here you tell godown to flush the log, so if there's a
transaction in the that sets the inode size to 64k.
> + umount $mnt
> + mount $img $mnt
Then log recovery will set the file size to 64k, and:
> +
> + # we generally expect a zero-sized file (this should be silent)
> + hexdump $file
This comment is not actually correct. I'm actually seeing 64k length
files after recovery in 2 of 3 cases being tested, so I don't think
this is a correct observation.
Some clarification of what is actually being tested is needed
here.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
WARNING: multiple messages have this Message-ID (diff)
From: Dave Chinner <david@fromorbit.com>
To: Brian Foster <bfoster@redhat.com>
Cc: fstests@vger.kernel.org, xfs@oss.sgi.com
Subject: Re: [PATCH] xfs/053: test for stale data exposure via falloc/writeback interaction
Date: Mon, 29 Sep 2014 13:32:44 +1000 [thread overview]
Message-ID: <20140929033244.GL4758@dastard> (raw)
In-Reply-To: <1411756349-4537-1-git-send-email-bfoster@redhat.com>
On Fri, Sep 26, 2014 at 02:32:29PM -0400, Brian Foster wrote:
> XFS buffered I/O writeback has a subtle race condition that leads to
> stale data exposure if the filesystem happens to crash after delayed
> allocation blocks are converted on disk and before data is written back
> to said blocks.
>
> Use file allocation commands to attempt to reproduce a related, but
> slightly different variant of this problem. The associated falloc
> commands can lead to partial writeback that converts an extent larger
> than the range affected by falloc. If the filesystem crashes after the
> extent conversion but before all other cached data is written to the
> extent, stale data can be exposed.
>
> Signed-off-by: Brian Foster <bfoster@redhat.com>
> ---
>
> This fell out of a combination of a conversation with Dave about XFS
> writeback and buffer/cache coherency and some hacking I'm doing on the
> XFS zero range implementation. Note that fpunch currently fails the
> test. Also, this test is XFS specific primarily due to the use of
> godown.
.....
> +_crashtest()
> +{
> + cmd=$1
> + img=$SCRATCH_MNT/$seq.img
> + mnt=$SCRATCH_MNT/$seq.mnt
> + file=$mnt/file
> +
> + # Create an fs on a small, initialized image. The pattern is written to
> + # the image to detect stale data exposure.
> + $XFS_IO_PROG -f -c "truncate 0" -c "pwrite 0 25M" $img \
> + >> $seqres.full 2>&1
> + $MKFS_XFS_PROG $MKFS_OPTIONS $img >> $seqres.full 2>&1
> +
> + mkdir -p $mnt
> + mount $img $mnt
> +
> + echo $cmd
> +
> + # write, run the test command and shutdown the fs
> + $XFS_IO_PROG -f -c "pwrite -S 1 0 64k" -c "$cmd 60k 4k" $file | \
> + _filter_xfs_io
So at this point the file is correctly 64k in size in memory.
> + ./src/godown -f $mnt
And here you tell godown to flush the log, so if there's a
transaction in the that sets the inode size to 64k.
> + umount $mnt
> + mount $img $mnt
Then log recovery will set the file size to 64k, and:
> +
> + # we generally expect a zero-sized file (this should be silent)
> + hexdump $file
This comment is not actually correct. I'm actually seeing 64k length
files after recovery in 2 of 3 cases being tested, so I don't think
this is a correct observation.
Some clarification of what is actually being tested is needed
here.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2014-09-29 3:32 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-26 18:32 [PATCH] xfs/053: test for stale data exposure via falloc/writeback interaction Brian Foster
2014-09-26 18:32 ` Brian Foster
2014-09-29 3:32 ` Dave Chinner [this message]
2014-09-29 3:32 ` Dave Chinner
2014-09-29 14:09 ` Brian Foster
2014-09-29 14:09 ` Brian Foster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140929033244.GL4758@dastard \
--to=david@fromorbit.com \
--cc=bfoster@redhat.com \
--cc=fstests@vger.kernel.org \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.