2018-06-05 19:42:14 -07:00
// SPDX-License-Identifier: GPL-2.0
2013-08-12 20:49:33 +10:00
/*
* Copyright ( c ) 2000 - 2003 , 2005 Silicon Graphics , Inc .
* All Rights Reserved .
*/
# ifndef __XFS_INODE_FORK_H__
# define __XFS_INODE_FORK_H__
struct xfs_inode_log_item ;
2013-10-23 10:51:50 +11:00
struct xfs_dinode ;
2013-08-12 20:49:33 +10:00
/*
* File incore extent information , present for each of data & attr forks .
*/
2018-07-17 16:51:50 -07:00
struct xfs_ifork {
xfs: fix inode fork extent count overflow
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent coutn growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to a int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2019-10-17 13:40:33 -07:00
int64_t if_bytes ; /* bytes in if_u1 */
2013-08-12 20:49:33 +10:00
struct xfs_btree_block * if_broot ; /* file's incore btree root */
xfs: fix inode fork extent count overflow
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent coutn growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to a int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2019-10-17 13:40:33 -07:00
unsigned int if_seq ; /* fork mod counter */
2017-11-03 10:34:46 -07:00
int if_height ; /* height of the extent tree */
2013-08-12 20:49:33 +10:00
union {
2017-11-03 10:34:46 -07:00
void * if_root ; /* extent tree root */
2013-08-12 20:49:33 +10:00
char * if_data ; /* inline file data */
} if_u1 ;
xfs: fix inode fork extent count overflow
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent coutn growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to a int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2019-10-17 13:40:33 -07:00
short if_broot_bytes ; /* bytes allocated for root */
2020-05-18 10:28:05 -07:00
int8_t if_format ; /* format of this fork */
2020-05-18 10:27:22 -07:00
xfs_extnum_t if_nextents ; /* # of extents in this fork */
2018-07-17 16:51:50 -07:00
} ;
2013-08-12 20:49:33 +10:00
2021-01-22 16:48:11 -08:00
/*
* Worst - case increase in the fork extent count when we ' re adding a single
* extent to a fork and there ' s no possibility of splitting an existing mapping .
*/
# define XFS_IEXT_ADD_NOSPLIT_CNT (1)
2021-01-22 16:48:11 -08:00
/*
* Punching out an extent from the middle of an existing extent can cause the
* extent count to increase by 1.
* i . e . | Old extent | Hole | Old extent |
*/
# define XFS_IEXT_PUNCH_HOLE_CNT (1)
2021-01-22 16:48:12 -08:00
/*
* Directory entry addition can cause the following ,
* 1. Data block can be added / removed .
* A new extent can cause extent count to increase by 1.
* 2. Free disk block can be added / removed .
* Same behaviour as described above for Data block .
* 3. Dabtree blocks .
* XFS_DA_NODE_MAXDEPTH blocks can be added . Each of these can be new
* extents . Hence extent count can increase by XFS_DA_NODE_MAXDEPTH .
*/
# define XFS_IEXT_DIR_MANIP_CNT(mp) \
( ( XFS_DA_NODE_MAXDEPTH + 1 + 1 ) * ( mp ) - > m_dir_geo - > fsbcount )
2021-01-22 16:48:13 -08:00
/*
* Adding / removing an xattr can cause XFS_DA_NODE_MAXDEPTH extents to
* be added . One extra extent for dabtree in case a local attr is
* large enough to cause a double split . It can also cause extent
* count to increase proportional to the size of a remote xattr ' s
* value .
*/
# define XFS_IEXT_ATTR_MANIP_CNT(rmt_blks) \
( XFS_DA_NODE_MAXDEPTH + max ( 1 , rmt_blks ) )
2021-01-22 16:48:14 -08:00
/*
* A write to a sub - interval of an existing unwritten extent causes the original
* extent to be split into 3 extents
* i . e . | Unwritten | Real | Unwritten |
* Hence extent count can increase by 2.
*/
# define XFS_IEXT_WRITE_UNWRITTEN_CNT (2)
2021-01-22 16:48:14 -08:00
/*
* Moving an extent to data fork can cause a sub - interval of an existing extent
* to be unmapped . This will increase extent count by 1. Mapping in the new
* extent can increase the extent count by 1 again i . e .
* | Old extent | New extent | Old extent |
* Hence number of extents increases by 2.
*/
# define XFS_IEXT_REFLINK_END_COW_CNT (2)
2021-01-22 16:48:15 -08:00
/*
* Removing an initial range of source / donor file ' s extent and adding a new
* extent ( from donor / source file ) in its place will cause extent count to
* increase by 1.
*/
# define XFS_IEXT_SWAP_RMAP_CNT (1)
2013-08-12 20:49:33 +10:00
/*
* Fork handling .
*/
2021-03-29 11:11:44 -07:00
# define XFS_IFORK_Q(ip) ((ip)->i_forkoff != 0)
# define XFS_IFORK_BOFF(ip) ((int)((ip)->i_forkoff << 3))
2013-08-12 20:49:33 +10:00
# define XFS_IFORK_PTR(ip,w) \
( ( w ) = = XFS_DATA_FORK ? \
& ( ip ) - > i_df : \
2016-10-03 09:11:32 -07:00
( ( w ) = = XFS_ATTR_FORK ? \
( ip ) - > i_afp : \
( ip ) - > i_cowfp ) )
2013-08-12 20:49:33 +10:00
# define XFS_IFORK_DSIZE(ip) \
2020-03-18 08:15:10 -07:00
( XFS_IFORK_Q ( ip ) ? XFS_IFORK_BOFF ( ip ) : XFS_LITINO ( ( ip ) - > i_mount ) )
2013-08-12 20:49:33 +10:00
# define XFS_IFORK_ASIZE(ip) \
2020-03-18 08:15:10 -07:00
( XFS_IFORK_Q ( ip ) ? XFS_LITINO ( ( ip ) - > i_mount ) - XFS_IFORK_BOFF ( ip ) : 0 )
2013-08-12 20:49:33 +10:00
# define XFS_IFORK_SIZE(ip,w) \
( ( w ) = = XFS_DATA_FORK ? \
XFS_IFORK_DSIZE ( ip ) : \
2016-10-03 09:11:32 -07:00
( ( w ) = = XFS_ATTR_FORK ? \
XFS_IFORK_ASIZE ( ip ) : \
0 ) )
2013-08-12 20:49:33 +10:00
# define XFS_IFORK_MAXEXT(ip, w) \
( XFS_IFORK_SIZE ( ip , w ) / sizeof ( xfs_bmbt_rec_t ) )
2020-05-18 10:28:05 -07:00
static inline bool xfs_ifork_has_extents ( struct xfs_ifork * ifp )
{
return ifp - > if_format = = XFS_DINODE_FMT_EXTENTS | |
ifp - > if_format = = XFS_DINODE_FMT_BTREE ;
}
xfs: refactor "does this fork map blocks" predicate
Replace the open-coded checks for whether or not an inode fork maps
blocks with a macro that will implant the code for us. This helps us
declutter the bmap code a bit.
Note that I had to use a macro instead of a static inline function
because of C header dependency problems between xfs_inode.h and
xfs_inode_fork.h.
Conversion was performed with the following Coccinelle script:
@@
expression ip, w;
@@
- XFS_IFORK_FORMAT(ip, w) == XFS_DINODE_FMT_EXTENTS || XFS_IFORK_FORMAT(ip, w) == XFS_DINODE_FMT_BTREE
+ xfs_ifork_has_extents(ip, w)
@@
expression ip, w;
@@
- XFS_IFORK_FORMAT(ip, w) != XFS_DINODE_FMT_EXTENTS && XFS_IFORK_FORMAT(ip, w) != XFS_DINODE_FMT_BTREE
+ !xfs_ifork_has_extents(ip, w)
@@
expression ip, w;
@@
- XFS_IFORK_FORMAT(ip, w) == XFS_DINODE_FMT_BTREE || XFS_IFORK_FORMAT(ip, w) == XFS_DINODE_FMT_EXTENTS
+ xfs_ifork_has_extents(ip, w)
@@
expression ip, w;
@@
- XFS_IFORK_FORMAT(ip, w) != XFS_DINODE_FMT_BTREE && XFS_IFORK_FORMAT(ip, w) != XFS_DINODE_FMT_EXTENTS
+ !xfs_ifork_has_extents(ip, w)
@@
expression ip, w;
@@
- (xfs_ifork_has_extents(ip, w))
+ xfs_ifork_has_extents(ip, w)
@@
expression ip, w;
@@
- (!xfs_ifork_has_extents(ip, w))
+ !xfs_ifork_has_extents(ip, w)
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2019-11-07 15:05:21 -08:00
2020-05-18 10:27:22 -07:00
static inline xfs_extnum_t xfs_ifork_nextents ( struct xfs_ifork * ifp )
{
if ( ! ifp )
return 0 ;
return ifp - > if_nextents ;
}
2020-05-18 10:28:05 -07:00
static inline int8_t xfs_ifork_format ( struct xfs_ifork * ifp )
{
if ( ! ifp )
return XFS_DINODE_FMT_EXTENTS ;
return ifp - > if_format ;
}
xfs: initialise attr fork on inode create
When we allocate a new inode, we often need to add an attribute to
the inode as part of the create. This can happen as a result of
needing to add default ACLs or security labels before the inode is
made visible to userspace.
This is highly inefficient right now. We do the create transaction
to allocate the inode, then we do an "add attr fork" transaction to
modify the just created empty inode to set the inode fork offset to
allow attributes to be stored, then we go and do the attribute
creation.
This means 3 transactions instead of 1 to allocate an inode, and
this greatly increases the load on the CIL commit code, resulting in
excessive contention on the CIL spin locks and performance
degradation:
18.99% [kernel] [k] __pv_queued_spin_lock_slowpath
3.57% [kernel] [k] do_raw_spin_lock
2.51% [kernel] [k] __raw_callee_save___pv_queued_spin_unlock
2.48% [kernel] [k] memcpy
2.34% [kernel] [k] xfs_log_commit_cil
The typical profile resulting from running fsmark on a selinux enabled
filesytem is adds this overhead to the create path:
- 15.30% xfs_init_security
- 15.23% security_inode_init_security
- 13.05% xfs_initxattrs
- 12.94% xfs_attr_set
- 6.75% xfs_bmap_add_attrfork
- 5.51% xfs_trans_commit
- 5.48% __xfs_trans_commit
- 5.35% xfs_log_commit_cil
- 3.86% _raw_spin_lock
- do_raw_spin_lock
__pv_queued_spin_lock_slowpath
- 0.70% xfs_trans_alloc
0.52% xfs_trans_reserve
- 5.41% xfs_attr_set_args
- 5.39% xfs_attr_set_shortform.constprop.0
- 4.46% xfs_trans_commit
- 4.46% __xfs_trans_commit
- 4.33% xfs_log_commit_cil
- 2.74% _raw_spin_lock
- do_raw_spin_lock
__pv_queued_spin_lock_slowpath
0.60% xfs_inode_item_format
0.90% xfs_attr_try_sf_addname
- 1.99% selinux_inode_init_security
- 1.02% security_sid_to_context_force
- 1.00% security_sid_to_context_core
- 0.92% sidtab_entry_to_string
- 0.90% sidtab_sid2str_get
0.59% sidtab_sid2str_put.part.0
- 0.82% selinux_determine_inode_label
- 0.77% security_transition_sid
0.70% security_compute_sid.part.0
And fsmark creation rate performance drops by ~25%. The key point to
note here is that half the additional overhead comes from adding the
attribute fork to the newly created inode. That's crazy, considering
we can do this same thing at inode create time with a couple of
lines of code and no extra overhead.
So, if we know we are going to add an attribute immediately after
creating the inode, let's just initialise the attribute fork inside
the create transaction and chop that whole chunk of code out of
the create fast path. This completely removes the performance
drop caused by enabling SELinux, and the profile looks like:
- 8.99% xfs_init_security
- 9.00% security_inode_init_security
- 6.43% xfs_initxattrs
- 6.37% xfs_attr_set
- 5.45% xfs_attr_set_args
- 5.42% xfs_attr_set_shortform.constprop.0
- 4.51% xfs_trans_commit
- 4.54% __xfs_trans_commit
- 4.59% xfs_log_commit_cil
- 2.67% _raw_spin_lock
- 3.28% do_raw_spin_lock
3.08% __pv_queued_spin_lock_slowpath
0.66% xfs_inode_item_format
- 0.90% xfs_attr_try_sf_addname
- 0.60% xfs_trans_alloc
- 2.35% selinux_inode_init_security
- 1.25% security_sid_to_context_force
- 1.21% security_sid_to_context_core
- 1.19% sidtab_entry_to_string
- 1.20% sidtab_sid2str_get
- 0.86% sidtab_sid2str_put.part.0
- 0.62% _raw_spin_lock_irqsave
- 0.77% do_raw_spin_lock
__pv_queued_spin_lock_slowpath
- 0.84% selinux_determine_inode_label
- 0.83% security_transition_sid
0.86% security_compute_sid.part.0
Which indicates the XFS overhead of creating the selinux xattr has
been halved. This doesn't fix the CIL lock contention problem, just
means it's not a limiting factor for this workload. Lock contention
in the security subsystems is going to be an issue soon, though...
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
[djwong: fix compilation error when CONFIG_SECURITY=n]
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Reviewed-by: Gao Xiang <hsiangkao@redhat.com>
2021-03-22 09:52:03 -07:00
struct xfs_ifork * xfs_ifork_alloc ( enum xfs_dinode_fmt format ,
xfs_extnum_t nextents ) ;
2016-10-03 09:11:32 -07:00
struct xfs_ifork * xfs_iext_state_to_fork ( struct xfs_inode * ip , int state ) ;
2020-05-14 14:01:17 -07:00
int xfs_iformat_data_fork ( struct xfs_inode * , struct xfs_dinode * ) ;
int xfs_iformat_attr_fork ( struct xfs_inode * , struct xfs_dinode * ) ;
2017-04-03 12:22:20 -07:00
void xfs_iflush_fork ( struct xfs_inode * , struct xfs_dinode * ,
2014-04-14 19:04:46 +10:00
struct xfs_inode_log_item * , int ) ;
2020-05-18 10:29:27 -07:00
void xfs_idestroy_fork ( struct xfs_ifork * ifp ) ;
xfs: fix inode fork extent count overflow
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent coutn growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to a int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2019-10-17 13:40:33 -07:00
void xfs_idata_realloc ( struct xfs_inode * ip , int64_t byte_diff ,
int whichfork ) ;
2013-08-12 20:49:33 +10:00
void xfs_iroot_realloc ( struct xfs_inode * , int , int ) ;
int xfs_iread_extents ( struct xfs_trans * , struct xfs_inode * , int ) ;
int xfs_iextents_copy ( struct xfs_inode * , struct xfs_bmbt_rec * ,
int ) ;
xfs: fix inode fork extent count overflow
[commit message is verbose for discussion purposes - will trim it
down later. Some questions about implementation details at the end.]
Zorro Lang recently ran a new test to stress single inode extent
counts now that they are no longer limited by memory allocation.
The test was simply:
# xfs_io -f -c "falloc 0 40t" /mnt/scratch/big-file
# ~/src/xfstests-dev/punch-alternating /mnt/scratch/big-file
This test uncovered a problem where the hole punching operation
appeared to finish with no error, but apparently only created 268M
extents instead of the 10 billion it was supposed to.
Further, trying to punch out extents that should have been present
resulted in success, but no change in the extent count. It looked
like a silent failure.
While running the test and observing the behaviour in real time,
I observed the extent coutn growing at ~2M extents/minute, and saw
this after about an hour:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next ; \
> sleep 60 ; \
> xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 127657993
fsxattr.nextents = 129683339
#
And a few minutes later this:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4177861124
#
Ah, what? Where did that 4 billion extra extents suddenly come from?
Stop the workload, unmount, mount:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 166044375
#
And it's back at the expected number. i.e. the extent count is
correct on disk, but it's screwed up in memory. I loaded up the
extent list, and immediately:
# xfs_io -f -c "stat" /mnt/scratch/big-file |grep next
fsxattr.nextents = 4192576215
#
It's bad again. So, where does that number come from?
xfs_fill_fsxattr():
if (ip->i_df.if_flags & XFS_IFEXTENTS)
fa->fsx_nextents = xfs_iext_count(&ip->i_df);
else
fa->fsx_nextents = ip->i_d.di_nextents;
And that's the behaviour I just saw in a nutshell. The on disk count
is correct, but once the tree is loaded into memory, it goes whacky.
Clearly there's something wrong with xfs_iext_count():
inline xfs_extnum_t xfs_iext_count(struct xfs_ifork *ifp)
{
return ifp->if_bytes / sizeof(struct xfs_iext_rec);
}
Simple enough, but 134M extents is 2**27, and that's right about
where things went wrong. A struct xfs_iext_rec is 16 bytes in size,
which means 2**27 * 2**4 = 2**31 and we're right on target for an
integer overflow. And, sure enough:
struct xfs_ifork {
int if_bytes; /* bytes in if_u1 */
....
Once we get 2**27 extents in a file, we overflow if_bytes and the
in-core extent count goes wrong. And when we reach 2**28 extents,
if_bytes wraps back to zero and things really start to go wrong
there. This is where the silent failure comes from - only the first
2**28 extents can be looked up directly due to the overflow, all the
extents above this index wrap back to somewhere in the first 2**28
extents. Hence with a regular pattern, trying to punch a hole in the
range that didn't have holes mapped to a hole in the first 2**28
extents and so "succeeded" without changing anything. Hence "silent
failure"...
Fix this by converting if_bytes to a int64_t and converting all the
index variables and size calculations to use int64_t types to avoid
overflows in future. Signed integers are still used to enable easy
detection of extent count underflows. This enables scalability of
extent counts to the limits of the on-disk format - MAXEXTNUM
(2**31) extents.
Current testing is at over 500M extents and still going:
fsxattr.nextents = 517310478
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2019-10-17 13:40:33 -07:00
void xfs_init_local_fork ( struct xfs_inode * ip , int whichfork ,
const void * data , int64_t size ) ;
2013-08-12 20:49:33 +10:00
2017-11-03 10:34:46 -07:00
xfs_extnum_t xfs_iext_count ( struct xfs_ifork * ifp ) ;
2017-11-03 10:34:43 -07:00
void xfs_iext_insert ( struct xfs_inode * , struct xfs_iext_cursor * cur ,
2017-11-03 10:34:46 -07:00
struct xfs_bmbt_irec * , int ) ;
2017-11-03 10:34:43 -07:00
void xfs_iext_remove ( struct xfs_inode * , struct xfs_iext_cursor * ,
2017-11-03 10:34:47 -07:00
int ) ;
2013-08-12 20:49:33 +10:00
void xfs_iext_destroy ( struct xfs_ifork * ) ;
2016-11-24 11:39:32 +11:00
bool xfs_iext_lookup_extent ( struct xfs_inode * ip ,
struct xfs_ifork * ifp , xfs_fileoff_t bno ,
2017-11-03 10:34:43 -07:00
struct xfs_iext_cursor * cur ,
struct xfs_bmbt_irec * gotp ) ;
2017-10-23 16:32:39 -07:00
bool xfs_iext_lookup_extent_before ( struct xfs_inode * ip ,
struct xfs_ifork * ifp , xfs_fileoff_t * end ,
2017-11-03 10:34:43 -07:00
struct xfs_iext_cursor * cur ,
struct xfs_bmbt_irec * gotp ) ;
bool xfs_iext_get_extent ( struct xfs_ifork * ifp ,
struct xfs_iext_cursor * cur ,
2016-11-24 11:39:32 +11:00
struct xfs_bmbt_irec * gotp ) ;
2017-10-19 11:04:44 -07:00
void xfs_iext_update_extent ( struct xfs_inode * ip , int state ,
2017-11-03 10:34:43 -07:00
struct xfs_iext_cursor * cur ,
struct xfs_bmbt_irec * gotp ) ;
2017-11-03 10:34:46 -07:00
void xfs_iext_first ( struct xfs_ifork * , struct xfs_iext_cursor * ) ;
void xfs_iext_last ( struct xfs_ifork * , struct xfs_iext_cursor * ) ;
void xfs_iext_next ( struct xfs_ifork * , struct xfs_iext_cursor * ) ;
void xfs_iext_prev ( struct xfs_ifork * , struct xfs_iext_cursor * ) ;
2017-11-03 10:34:43 -07:00
static inline bool xfs_iext_next_extent ( struct xfs_ifork * ifp ,
struct xfs_iext_cursor * cur , struct xfs_bmbt_irec * gotp )
{
xfs_iext_next ( ifp , cur ) ;
return xfs_iext_get_extent ( ifp , cur , gotp ) ;
}
static inline bool xfs_iext_prev_extent ( struct xfs_ifork * ifp ,
struct xfs_iext_cursor * cur , struct xfs_bmbt_irec * gotp )
{
xfs_iext_prev ( ifp , cur ) ;
return xfs_iext_get_extent ( ifp , cur , gotp ) ;
}
/*
* Return the extent after cur in gotp without updating the cursor .
*/
static inline bool xfs_iext_peek_next_extent ( struct xfs_ifork * ifp ,
struct xfs_iext_cursor * cur , struct xfs_bmbt_irec * gotp )
{
struct xfs_iext_cursor ncur = * cur ;
xfs_iext_next ( ifp , & ncur ) ;
return xfs_iext_get_extent ( ifp , & ncur , gotp ) ;
}
/*
* Return the extent before cur in gotp without updating the cursor .
*/
static inline bool xfs_iext_peek_prev_extent ( struct xfs_ifork * ifp ,
struct xfs_iext_cursor * cur , struct xfs_bmbt_irec * gotp )
{
struct xfs_iext_cursor ncur = * cur ;
xfs_iext_prev ( ifp , & ncur ) ;
return xfs_iext_get_extent ( ifp , & ncur , gotp ) ;
}
# define for_each_xfs_iext(ifp, ext, got) \
for ( xfs_iext_first ( ( ifp ) , ( ext ) ) ; \
xfs_iext_get_extent ( ( ifp ) , ( ext ) , ( got ) ) ; \
xfs_iext_next ( ( ifp ) , ( ext ) ) )
2016-11-24 11:39:32 +11:00
2013-08-12 20:49:33 +10:00
extern struct kmem_zone * xfs_ifork_zone ;
2016-10-03 09:11:32 -07:00
extern void xfs_ifork_init_cow ( struct xfs_inode * ip ) ;
2020-05-14 14:01:19 -07:00
int xfs_ifork_verify_local_data ( struct xfs_inode * ip ) ;
int xfs_ifork_verify_local_attr ( struct xfs_inode * ip ) ;
2021-01-22 16:48:10 -08:00
int xfs_iext_count_may_overflow ( struct xfs_inode * ip , int whichfork ,
int nr_to_add ) ;
2018-01-08 10:51:06 -08:00
2021-04-13 11:15:12 -07:00
/* returns true if the fork has extents but they are not read in yet. */
static inline bool xfs_need_iread_extents ( struct xfs_ifork * ifp )
{
return ifp - > if_format = = XFS_DINODE_FMT_BTREE & & ifp - > if_height = = 0 ;
}
2013-08-12 20:49:33 +10:00
# endif /* __XFS_INODE_FORK_H__ */