orphan cleanup on readonly fs will corrupt future fs!

orphan cleanup on readonly fs will corrupt future fs!

[Amir Goldstein]

Hi guys,

I have just realized something very disturbing -
that orphan cleanup is not being skipped on readonly mount of ext4/ext3.

I know that journal recovery is done on readonly mount
and there is problem with that, since nothing happens
in the fs level.

But orphan cleanup deletes inodes and frees blocks and that
could be very bad for some RO_COMPAT features, SNAPSHOT
and BIGALLOC to name two.

I am not so sure why orphan cleanup is so important for readonly
mount in the first place?

Now the damage has been done, because current stock kernels will
corrupt future fs with SNAPSHOT and BIGALLOC features
(unless Ted backs up from the decision to make BIGALLOC RO_COMPAT...)

I think that we should skip orphan cleanup on readonly mount ASAP and try
to push this fix to as many stable/maint kernels out there, before the
problem gets worse.

Can anyway see a problem with skipping orphan cleanup?
Maybe there is a problem with later remount read-write?

I would spend time more time to investigate these questions,
but I find this problem too disturbing and urgent to wait until I find
the time to do so...

Amir.

Re: orphan cleanup on readonly fs will corrupt future fs!

[Ted Ts'o]

On Sat, Feb 26, 2011 at 08:21:47PM +0200, Amir Goldstein wrote:
> Hi guys,
> 
> I have just realized something very disturbing -
> that orphan cleanup is not being skipped on readonly mount of ext4/ext3.
> 
> I know that journal recovery is done on readonly mount
> and there is problem with that, since nothing happens
> in the fs level.
> 
> But orphan cleanup deletes inodes and frees blocks and that
> could be very bad for some RO_COMPAT features, SNAPSHOT
> and BIGALLOC to name two.

Yes, good point.  Fortunately it won't be a problem for the BIGALLOC
feature, since other changes in the superblock will cause the kernel's
sanity checks to refuse to mount it until we teach future kernels how
not to freak out when s_blocks_per_group > blocksize * 8, for example.

But yes, this is something we should fix.

						- Ted

Re: orphan cleanup on readonly fs will corrupt future fs!

[Eric Sandeen]

On 2/26/11 12:21 PM, Amir Goldstein wrote:
> Hi guys,
> 
> I have just realized something very disturbing -
> that orphan cleanup is not being skipped on readonly mount of ext4/ext3.
> 
> I know that journal recovery is done on readonly mount
> and there is problem with that, since nothing happens
> in the fs level.
> 
> But orphan cleanup deletes inodes and frees blocks and that
> could be very bad for some RO_COMPAT features, SNAPSHOT
> and BIGALLOC to name two.

One thing to note is that if the device itself is readonly,
both journal recovery and orphan processing will be skipped,
if I recall...

-Eric

> I am not so sure why orphan cleanup is so important for readonly
> mount in the first place?
> 
> Now the damage has been done, because current stock kernels will
> corrupt future fs with SNAPSHOT and BIGALLOC features
> (unless Ted backs up from the decision to make BIGALLOC RO_COMPAT...)
> 
> I think that we should skip orphan cleanup on readonly mount ASAP and try
> to push this fix to as many stable/maint kernels out there, before the
> problem gets worse.
> 
> Can anyway see a problem with skipping orphan cleanup?
> Maybe there is a problem with later remount read-write?
> 
> I would spend time more time to investigate these questions,
> but I find this problem too disturbing and urgent to wait until I find
> the time to do so...
> 
> Amir.