    xfs: quiesce the filesystem after recovery on readonly mount · ddeb14f4
    Dave Chinner authored
    Recently we've had a number of reports where log recovery on a v5
    filesystem has reported corruptions that looked to be caused by
    recovery being re-run over the top of already-recovered
    metadata. This has uncovered a bug in recovery (fixed elsewhere)
    but the vector that caused this was largely unknown.
    
    A kdump test started tripping over this problem - the system
    would be crashed, the kdump kernel and environment would boot and
    dump the kernel core image, and then the system would reboot. After
    reboot, the root filesystem was triggering log recovery and
    corruptions were being detected. The metadumps indicated the above
    log recovery issue.
    
    What is happening is that the kdump kernel and environment is
    mounting the root device read-only to find the binaries needed to do
    its work. The result of this is that it is running log recovery.
    However, because there were unlinked files and EFIs to be processed
    by recovery, the completion of phase 1 of log recovery could not
    mark the log clean. And because it's a read-only mount, the unmount
    process does not write records to the log to mark it clean, either.
    Hence on the next mount of the filesystem, log recovery was run
    again across all the metadata that had already been recovered and
    this is what triggered corruption warnings.
    
    To avoid this problem, we need to ensure that a read-only mount
    always updates the log when it completes the second phase of
    recovery. We already handle this sort of issue with rw->ro remount
    transitions, so the solution is as simple as quiescing the
    filesystem at the appropriate time during the mount process. This
    results in the log being marked clean so the mount behaviour
    recorded in the logs on repeated RO mounts will change (i.e. log
    recovery will no longer be run on every mount until a RW mount is
    done). This is a user visible change in behaviour, but it is
    harmless.
    Signed-off-by: Dave Chinner <dchinner@redhat.com>
    Reviewed-by: Eric Sandeen <sandeen@redhat.com>
    Signed-off-by: Dave Chinner <david@fromorbit.com>
xfs_super.h 2.22 KB