    btrfs: Do mandatory tree block check before submitting bio · 8d47a0d8
    Authored by Qu Wenruo
    There are at least 2 reports about a memory bit flip sneaking into
    on-disk data.
    
    Currently we only have a relaxed check triggered at
    btrfs_mark_buffer_dirty() time; as it's not mandatory and only for
    CONFIG_BTRFS_FS_CHECK_INTEGRITY enabled builds, it doesn't help users to
    detect such problems.
    
    This patch will address the hole by triggering a comprehensive check on
    tree blocks before writing them back to disk.
    
    The design points are:
    
    - Timing of the check: Tree block write hook
      This timing is chosen to reduce the overhead.
      The comprehensive check should be as expensive as a checksum
      calculation.
      Doing a full check at btrfs_mark_buffer_dirty() is too expensive for end
      users.
    
    - Loose empty leaf check
      Originally for an empty leaf, tree-checker will report an error if it's
      not a tree root.
    
      The problem for such check at write time is:
      * False alert for tree root created in current transaction
        In that case, the commit root still needs to be written to disk.
        And since current root can differ from commit root, then it will
        cause false alert.
        This happens for log tree.
    
      * False alert for relocated tree block
        Relocated tree block can be written to disk due to memory pressure,
        in that case an empty csum tree root can be written to disk and
        cause false alert, since csum root node hasn't been updated.
    
      Previous patch of removing comprehensive empty leaf owner check has
      paved the way for this patch.
    
    The example error output will be something like:
    
      BTRFS critical (device dm-3): corrupt leaf: root=2 block=1350630375424 slot=68, bad key order, prev (10510212874240 169 0) current (1714119868416 169 0)
      BTRFS error (device dm-3): block=1350630375424 write time tree block corruption detected
      BTRFS: error (device dm-3) in btrfs_commit_transaction:2220: errno=-5 IO failure (Error while writing out transaction)
      BTRFS info (device dm-3): forced readonly
      BTRFS warning (device dm-3): Skipping commit of aborted transaction.
      BTRFS: error (device dm-3) in cleanup_transaction:1839: errno=-5 IO failure
      BTRFS info (device dm-3): delayed_refs has NO entry
    Reported-by: Leonard Lausen <leonard@lausen.nl>
    Signed-off-by: Qu Wenruo <wqu@suse.com>
    Signed-off-by: David Sterba <dsterba@suse.com>
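As an added illustration (not the kernel's tree-checker and not part of this commit), the kind of key-order check that produces the "bad key order" line in the example output above, run over a constructed leaf whose last two keys are the pair from that log line. btrfs leaf keys must ascend by (objectid, type, offset); the struct, function names and sample leaves here are assumptions for the example:

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-in for the btrfs disk key: (objectid, type, offset). */
struct key { uint64_t objectid; uint8_t type; uint64_t offset; };

/* Keys in a leaf must be in ascending (objectid, type, offset) order. */
static int key_cmp(const struct key *a, const struct key *b)
{
    if (a->objectid != b->objectid)
        return a->objectid < b->objectid ? -1 : 1;
    if (a->type != b->type)
        return a->type < b->type ? -1 : 1;
    if (a->offset != b->offset)
        return a->offset < b->offset ? -1 : 1;
    return 0;
}

/* Every key must be strictly greater than its predecessor, the kind of test a
 * write-time tree checker runs before the bio is issued.  Returns the first
 * offending slot (and reports it in the style of the log above), or -1. */
static int check_leaf_key_order(const struct key *keys, size_t nritems,
                                uint64_t block)
{
    for (size_t slot = 1; slot < nritems; slot++) {
        const struct key *p = &keys[slot - 1], *c = &keys[slot];
        if (key_cmp(p, c) < 0)
            continue;
        fprintf(stderr, "corrupt leaf: block=%llu slot=%zu, bad key order, "
                "prev (%llu %u %llu) current (%llu %u %llu)\n",
                (unsigned long long)block, slot,
                (unsigned long long)p->objectid, p->type, (unsigned long long)p->offset,
                (unsigned long long)c->objectid, c->type, (unsigned long long)c->offset);
        return (int)slot;
    }
    return -1;
}

/* Constructed leaves: the corrupt one ends with the key pair from the log line
 * above, the sort of out-of-order pair a memory bit flip in an objectid yields. */
static const struct key corrupt_leaf[] = {
    { 256, 1, 0 }, { 10510212874240ULL, 169, 0 }, { 1714119868416ULL, 169, 0 },
};
static const struct key good_leaf[] = {
    { 256, 1, 0 }, { 1714119868416ULL, 169, 0 }, { 10510212874240ULL, 169, 0 },
};

int corrupt_leaf_bad_slot(void) { return check_leaf_key_order(corrupt_leaf, 3, 1350630375424ULL); }
int good_leaf_bad_slot(void)    { return check_leaf_key_order(good_leaf, 3, 1350630375424ULL); }
```

A non-negative result is the point at which the real checker refuses the write and aborts the transaction, so the corrupted block never reaches disk.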