public inbox for stable@vger.kernel.org
From: Long Li <leo.lilong@huawei.com>
To: Sasha Levin <sashal@kernel.org>, <stable@vger.kernel.org>
Cc: "Darrick J. Wong" <djwong@kernel.org>, Carlos Maiolino <cem@kernel.org>
Subject: Re: [PATCH 6.18.y 3/3] xfs: close crash window in attr dabtree inactivation
Date: Thu, 2 Apr 2026 19:22:44 +0800
Message-ID: <ac5RhJ8M7G6tiVnX@localhost.localdomain>
In-Reply-To: <20260402101055.771010-3-sashal@kernel.org>

On Thu, Apr 02, 2026 at 06:10:55AM -0400, Sasha Levin wrote:
> From: Long Li <leo.lilong@huawei.com>
> 
> [ Upstream commit b854e1c4eff3473b6d3a9ae74129ac5c48bc0b61 ]
> 
> When inactivating an inode with node-format extended attributes,
> xfs_attr3_node_inactive() invalidates all child leaf/node blocks via
> xfs_trans_binval(), but intentionally does not remove the corresponding
> entries from their parent node blocks.  The implicit assumption is that
> xfs_attr_inactive() will truncate the entire attr fork to zero extents
> afterwards, so log recovery will never reach the root node and follow
> those stale pointers.
> 
> However, if a log shutdown occurs after the leaf/node block cancellations
> commit but before the attr bmap truncation commits, this assumption
> breaks.  Recovery replays the attr bmap intact (the inode still has
> attr fork extents), but suppresses replay of all cancelled leaf/node
> blocks, maybe leaving them as stale data on disk.  On the next mount,
> xlog_recover_process_iunlinks() retries inactivation and attempts to
> read the root node via the attr bmap. If the root node was not replayed,
> reading the unreplayed root block triggers a metadata verification
> failure immediately; if it was replayed, following its child pointers
> to unreplayed child blocks triggers the same failure:
> 
>  XFS (pmem0): Metadata corruption detected at
>  xfs_da3_node_read_verify+0x53/0x220, xfs_da3_node block 0x78
>  XFS (pmem0): Unmount and run xfs_repair
>  XFS (pmem0): First 128 bytes of corrupted metadata buffer:
>  00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>  XFS (pmem0): metadata I/O error in "xfs_da_read_buf+0x104/0x190" at daddr 0x78 len 8 error 117
> 
> Fix this in two places:
> 
> In xfs_attr3_node_inactive(), after calling xfs_trans_binval() on a
> child block, immediately remove the entry that references it from the
> parent node in the same transaction.  This eliminates the window where
> the parent holds a pointer to a cancelled block.  Once all children are
> removed, the now-empty root node is converted to a leaf block within the
> same transaction. This node-to-leaf conversion is necessary for crash
> safety. If the system shuts down after the empty node is written to the
> log but before the second-phase bmap truncation commits, log recovery
> will attempt to verify the root block on disk. xfs_da3_node_verify()
> does not permit a node block with count == 0; such a block will fail
> verification and trigger a metadata corruption shutdown. On the other
> hand, leaf blocks are allowed to have this transient state.
> 
> In xfs_attr_inactive(), split the attr fork truncation into two explicit
> phases.  First, truncate all extents beyond the root block (the child
> extents whose parent references have already been removed above).
> Second, invalidate the root block and truncate the attr bmap to zero in
> a single transaction.  The two operations in the second phase must be
> atomic: as long as the attr bmap has any non-zero length, recovery can
> follow it to the root block, so the root block invalidation must commit
> together with the bmap-to-zero truncation.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Cc: stable@vger.kernel.org
> Signed-off-by: Long Li <leo.lilong@huawei.com>
> Reviewed-by: Darrick J. Wong <djwong@kernel.org>
> Signed-off-by: Carlos Maiolino <cem@kernel.org>
> Signed-off-by: Sasha Levin <sashal@kernel.org>

Hi Sasha,

The current patch depends on e942498385bf ("xfs: only assert new size for
datafork during truncate extents"), otherwise it will trigger an assertion.

Thanks,
Long Li
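
The crash window described in the quoted commit message, as a toy model added here for illustration; it is not part of this thread and is not XFS code. The `disk` struct, `walk()`, `crash_after()` and the three-child tree are assumptions: one committed transaction per cancelled child, and a root block that was always replayed.

```c
/* Toy model (constructed, not XFS code) of the attr inactivation crash window. */
#include <stdbool.h>
#include <stdio.h>
#define NCHILD 3
enum root_kind { ROOT_NODE, ROOT_LEAF, ROOT_STALE };

struct disk {                       /* state seen after log recovery */
    int bmap_len;                   /* attr fork blocks still mapped */
    enum root_kind root;
    bool ref[NCHILD], child_ok[NCHILD]; /* root entry i present; child i replayed */
};

/* Inactivation retry on the next mount: 0 = ok, -117 = verifier failure. */
static int walk(const struct disk *d)
{
    int count = 0;
    if (d->bmap_len == 0) return 0;         /* nothing left to read */
    if (d->root == ROOT_STALE) return -117;
    if (d->root == ROOT_LEAF) return 0;     /* an empty leaf is permitted */
    for (int i = 0; i < NCHILD; i++) {
        if (!d->ref[i]) continue;
        if (!d->child_ok[i]) return -117;   /* followed a stale pointer */
        count++;
    }
    return count ? 0 : -117;                /* node with count == 0 is rejected */
}

/* Commit the first ncommit transactions, crash, then retry inactivation. */
static int crash_after(bool fixed, int ncommit)
{
    struct disk d = { 1 + NCHILD, ROOT_NODE, {1, 1, 1}, {1, 1, 1} };
    for (int t = 0; t < ncommit; t++) {
        if (t < NCHILD) {                   /* cancel child t */
            d.child_ok[t] = false;
            if (fixed) d.ref[t] = false;    /* same transaction: drop the entry */
            if (fixed && t == NCHILD - 1) d.root = ROOT_LEAF;
        } else if (fixed && t == NCHILD) {
            d.bmap_len = 1;                 /* phase 1: keep only the root block */
        } else {                            /* root invalidation + bmap to zero */
            d.root = ROOT_STALE; d.bmap_len = 0;
        }
    }
    return walk(&d);
}

/* Number of crash points after which the retry hits the verifier failure. */
static int bad_crash_points(bool fixed)
{
    int bad = 0, total = NCHILD + (fixed ? 2 : 1);
    for (int k = 0; k <= total; k++) bad += crash_after(fixed, k) != 0;
    return bad;
}
int main(void) { printf("old=%d fixed=%d\n", bad_crash_points(false), bad_crash_points(true)); return 0; }
```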


Thread overview: 5+ messages
2026-03-30 10:03 FAILED: patch "[PATCH] xfs: close crash window in attr dabtree inactivation" failed to apply to 6.18-stable tree gregkh
2026-04-02 10:10 ` [PATCH 6.18.y 1/3] xfs: factor out xfs_attr3_node_entry_remove Sasha Levin
2026-04-02 10:10   ` [PATCH 6.18.y 2/3] xfs: factor out xfs_attr3_leaf_init Sasha Levin
2026-04-02 10:10   ` [PATCH 6.18.y 3/3] xfs: close crash window in attr dabtree inactivation Sasha Levin
2026-04-02 11:22     ` Long Li [this message]
