• Darrick J. Wong's avatar
    xfs: remove all COW fork extents when remounting readonly · 089558bc
    Darrick J. Wong authored
    As part of multiple customer escalations due to file data corruption
    after copy on write operations, I wrote some fstests that use fsstress
    to hammer on COW to shake things loose.  Regrettably, I caught some
    filesystem shutdowns due to incorrect rmap operations with the following
    loop:
    
    mount <filesystem>				# (0)
    fsstress <run only readonly ops> &		# (1)
    while true; do
    	fsstress <run all ops>
    	mount -o remount,ro			# (2)
    	fsstress <run only readonly ops>
    	mount -o remount,rw			# (3)
    done
    
    When (2) happens, notice that (1) is still running.  xfs_remount_ro will
    call xfs_blockgc_stop to walk the inode cache to free all the COW
    extents, but the blockgc mechanism races with (1)'s reader threads to
    take IOLOCKs and loses, which means that it doesn't clean them all out.
    Call such a file (A).
    
    When (3) happens, xfs_remount_rw calls xfs_reflink_recover_cow, which
    walks the ondisk refcount btree and frees any COW extent that it finds.
    This function does not check the inode cache, which means that incore
    COW forks of inode (A) is now inconsistent with the ondisk metadata.  If
    one of those former COW extents are allocated and mapped into another
    file (B) and someone triggers a COW to the stale reservation in (A), A's
    dirty data will be written into (B) and once that's done, those blocks
    will be transferred to (A)'s data fork without bumping the refcount.
    
    The results are catastrophic -- file (B) and the refcount btree are now
    corrupt.  Solve this race by forcing the xfs_blockgc_free_space to run
    synchronously, which causes xfs_icwalk to return to inodes that were
    skipped because the blockgc code couldn't take the IOLOCK.  This is safe
    to do here because the VFS has already prohibited new writer threads.
    
    Fixes: 10ddf64e ("xfs: remove leftover CoW reservations when remounting ro")
    Signed-off-by: default avatarDarrick J. Wong <djwong@kernel.org>
    Reviewed-by: default avatarDave Chinner <dchinner@redhat.com>
    Reviewed-by: default avatarChandan Babu R <chandan.babu@oracle.com>
    089558bc
xfs_super.c 58.8 KB