Re: [PATCH v2 3/4] btrfs: send: fix invalid commands for inodes with changed rdev but same gen - Roman Anasal

From: Roman Anasal | BDSU <roman.anasal@bdsu.de>
To: "fdmanana@gmail.com" <fdmanana@gmail.com>
Cc: "linux-btrfs@vger.kernel.org" <linux-btrfs@vger.kernel.org>
Subject: Re: [PATCH v2 3/4] btrfs: send: fix invalid commands for inodes with changed rdev but same gen
Date: Sun, 31 Jan 2021 15:52:30 +0000	[thread overview]
Message-ID: <aa2cf62fc268c9db63d47ef408accca79bc7b22f.camel@bdsu.de> (raw)
In-Reply-To: <CAL3q7H79meSfikTKvTujQzA_SRb3bfF9ajYtWSVTfu0+pLE8wQ@mail.gmail.com>

On Mon, Jan 25, 2021 at 20:51 +0000 Filipe Manana wrote:
> On Mon, Jan 25, 2021 at 7:51 PM Roman Anasal <roman.anasal@bdsu.de>
> wrote:
> > Second example:
> >   # case 2: same ino at different path
> >   btrfs subvolume create subvol1
> >   btrfs subvolume create subvol2
> >   mknod subvol1/a c 1 3
> >   mknod subvol2/b c 1 5
> >   btrfs property set subvol1 ro true
> >   btrfs property set subvol2 ro true
> >   btrfs send -p subvol1 subvol2 | btrfs receive --dump
> 
> As I've told you before for the v1 patchset from a week or two ago,
> this is not a supported scenario for incremental sends.
> Incremental sends are meant to be used on RO snapshots of the same
> subvolume, and those snapshots must never be changed after they were
> created.
> 
> Incremental sends were simply not designed for these cases, and can
> never be guaranteed to work with such cases.
> 
> The bug is not having incremental sends fail right away, with an
> explicit error message, when the send and parent roots aren't RO
> snapshots of the same subvolume.

Since this should be fixed then I'd like to propose to add the
following check:

The inodes of the subvolumes' root directories (ino
BTRFS_FIRST_FREE_OBJECTID = 256) must have the same generation.

Since create_subvol() will always commit the transaction, i.e.
increment the generation, no two _independently_ created subvolumes can
be created within the same generation (are there race conditions
possible here?).
Taking a snapshot of a subvolume does not modify the generation of the
root dir inode. Also it is not possible to change or delete/re-create
the root directory of a subvolume since this would delete the subvolume
itself.

So having two subvolumes with root directories created with different
generations means they were created independently and can not share a
common ancestor. Doing an incremental send with them is unsafe and thus
must return an error.
With the root directories at the same generation though the subvolumes
are based on a common ancestor which is a requirement for a safe
incremental send.

Are my assumptions and my understanding here correct? Then this check
would catch most of the unsafe parents.
If so I could have a shot at a patch for this if you'd like me to?

This check still does not solve the second edge case though, when
snapshots are modified afterwards and diverge independently form one
another. For this I still see no good solution besides a new on-disk
flag whether a snapshot was *ever* set to ro=false. But with that I'm
not sure how to (not) inherit that flag in a safe way ...