From: "Darrick J. Wong" <djwong@kernel.org>
To: Dave Chinner <david@fromorbit.com>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 09/10] xfs: Enforce attr3 buffer recovery order
Date: Mon, 26 Jul 2021 15:34:32 -0700
Message-ID: <20210726223432.GD559212@magnolia>
In-Reply-To: <20210726215221.GT664593@dread.disaster.area>

On Tue, Jul 27, 2021 at 07:52:21AM +1000, Dave Chinner wrote:
> On Mon, Jul 26, 2021 at 10:57:01AM -0700, Darrick J. Wong wrote:
> > On Mon, Jul 26, 2021 at 04:07:15PM +1000, Dave Chinner wrote:
> > > IOWs, attr3 leaf buffers fall through the magic number checks
> > > unrecognised, so trigger the "recover immediately" behaviour instead
> > > of undergoing an LSN check. IOWs, we incorrectly replay ATTR3 leaf
> > > buffers and that causes silent on disk corruption of inode attribute
> > > forks and potentially other things....
> > >
> > > Git history shows this is *another* zero day bug, this time
> > > introduced in commit 50d5c8d8e938 ("xfs: check LSN ordering for v5
> > > superblocks during recovery") which failed to handle the attr3 leaf
> > > buffers in recovery. And we've failed to handle them ever since...
> >
> > I wonder, what happens if we happen to have a rt bitmap block where a
> > sparse allocation pattern at the start of the rt device just happens to
> > match one of these magic numbers + fs UUID? Does that imply that log
> > recovery can be tricked into forgetting to replay rtbitmap blocks?
>
> Possibly. RT bitmap/summary buffers are marked by type in the
> xfs_buf_log_format type field so log recovery can recognise these
> and do the right thing with them. So it really comes down to whether
> log recovery handles XFS_BLFT_RTBITMAP_BUF types differently to any
> other buffers. Which, without looking at the code, I doubt it does,
> so there's probably fixes needed there, too...

It handles them the same as every other buffer, which is to say that I
think we've found another recovery zeroday.

xlog_recover_buf_commit_pass2 reads the ondisk buffer, and then calls
xlog_recover_get_buf_lsn to fish the LSN out of the ondisk buffer. That
second function doesn't corroborate the ondisk magic with the XFS_BLFT_*
flags recovered from the buffer item, so if the log item was for an rt
bitmap block and the user controls the rt layout as I describe above,
they can totally screw up log recovery.

Only after we return a garbage LSN do we call xlog_recover_do_reg_buffer
-> xlog_recover_validate_buf_type and look at the buf_f flags to attach
verifier ops, but by then it's too late to undo the damage.

I think the answer is to combine the two functions so that we check the
BLFT and the ondisk magic. If they match, we can set b_ops and return
the ondisk LSN and then decide if we're really going to replay the bli
contents. If they don't match, I guess we recover the whole bli? Or
abort? I'll try to get to that after $meetings.

--D

>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com
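
The combined check proposed in the message above, as an added example that is not from the thread or the kernel: a user-space C model in which the logged buffer type decides whether an on-disk header may be parsed for an LSN at all. The block layout, the `BLFT_*` stand-ins, the function names and the status codes are assumptions; what to do on a mismatch is left to the caller, as the message leaves it open.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a headered block: 16-bit magic at offset 8, LSN at 24,
 * fs UUID at 32, all big-endian. Names and offsets are stand-ins, not kernel code. */
enum { MAGIC_OFF = 8, LSN_OFF = 24, UUID_OFF = 32, BLK_LEN = 64 };
enum blft { BLFT_ATTR_LEAF, BLFT_RTBITMAP };      /* type logged in the buffer item */
enum lsn_status { LSN_OK, LSN_HEADERLESS, LSN_TYPE_MISMATCH };
#define ATTR3_LEAF_MAGIC 0x3BEEu
#define LSN_NONE ((int64_t)-1)                    /* no usable LSN */

static uint64_t be(const uint8_t *p, int n)       /* read n big-endian bytes */
{
    uint64_t v = 0;
    while (n--) v = (v << 8) | *p++;
    return v;
}

/* Constructed sample: block bytes that happen to look like an attr3 leaf header. */
static const uint8_t SAMPLE_UUID[16] = { 0x5a };
static const uint8_t SAMPLE_BLK[BLK_LEN] = { [8] = 0x3B, 0xEE, [24] = 0, 0, 0, 5, 0, 0, 0, 0x10, [32] = 0x5a };

/* Behaviour described in the mail: magic and UUID alone select the LSN. */
int64_t lsn_magic_only(const uint8_t *blk, const uint8_t *uuid)
{
    if (be(blk + MAGIC_OFF, 2) != ATTR3_LEAF_MAGIC || memcmp(blk + UUID_OFF, uuid, 16))
        return LSN_NONE;
    return (int64_t)be(blk + LSN_OFF, 8);
}

/* Combined check: the logged type decides whether a header may be parsed. */
enum lsn_status lsn_checked(const uint8_t *blk, const uint8_t *uuid,
                            enum blft type, int64_t *lsn)
{
    *lsn = LSN_NONE;
    if (type == BLFT_RTBITMAP)
        return LSN_HEADERLESS;        /* raw bitmap data: never parse a header */
    *lsn = lsn_magic_only(blk, uuid);
    return *lsn == LSN_NONE ? LSN_TYPE_MISMATCH : LSN_OK; /* policy left to caller */
}

int main(void)
{
    int64_t lsn;
    printf("magic only: 0x%llx\n", (unsigned long long)lsn_magic_only(SAMPLE_BLK, SAMPLE_UUID));
    printf("typed rtbitmap: status %d\n", lsn_checked(SAMPLE_BLK, SAMPLE_UUID, BLFT_RTBITMAP, &lsn));
    return 0;
}
```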