Subject: Re: fsync() errors is unsafe and risks data loss
From: Jeff Layton
To: Matthew Wilcox
Cc: Andres Freund, "Theodore Y. Ts'o", Dave Chinner, Andreas Dilger, 20180410184356.GD3563@thunk.org, Ext4 Developers List, Linux FS Devel, "Joshua D. Drake"
Date: Fri, 13 Apr 2018 08:56:38 -0400

On Thu, 2018-04-12 at 14:31 -0700, Matthew Wilcox wrote:
> On Thu, Apr 12, 2018 at 05:14:54PM -0400, Jeff Layton wrote:
> > On Thu, 2018-04-12 at 13:28 -0700, Matthew Wilcox wrote:
> > > On Thu, Apr 12, 2018 at 01:13:22PM -0700, Andres Freund wrote:
> > > > I think a per-file or even per-blockdev/fs error state that'd be
> > > > returned by fsync() would be more than sufficient.
> > >
> > > Ah; this was my suggestion to Jeff on IRC. That we add a
> > > per-superblock wb_err and then allow syncfs() to return it.
> > > So you'd open an fd on a directory (for example), and call
> > > syncfs() which would return -EIO or -ENOSPC if either of those
> > > conditions had occurred since you opened the fd.
> >
> > Not a bad idea and shouldn't be too costly. mapping_set_error could
> > flag the superblock one before or after the one in the mapping.
> >
> > We'd need to define what happens if you interleave fsync and syncfs
> > calls on the same inode though. How do we handle file->f_wb_err in that
> > case? Would we need a second field in struct file to act as the per-sb
> > error cursor?
>
> Ooh. I hadn't thought that through. Bleh. I don't want to add a field
> to struct file for this uncommon case.
>
> Maybe O_PATH could be used for this? It gets you a file descriptor on
> a particular filesystem, so syncfs() is defined, but it can't report
> a writeback error. So if you open something O_PATH, you can use the
> file's f_wb_err for the mapping's error cursor.
>

That might work. It'd be a syscall behavioral change so we'd need to
document that well. It's probably innocuous though -- I doubt we have a
lot of callers in the field opening files with O_PATH and calling
syncfs on them.

--
Jeff Layton
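
The cursor arrangement discussed in this thread, as an added user-space illustration that is not part of the original message and is not kernel code: a per-superblock error counter next to the per-mapping one, with an O_PATH descriptor reusing its single f_wb_err field as the superblock cursor. All model_* names, the plain counters standing in for errseq_t, and the choice that syncfs() on a non-O_PATH descriptor reports nothing are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified user-space model, not kernel code: the kernel's errseq_t packs
 * error, counter and a "seen" flag into one word; here they are two fields. */
struct wb_err { int err; unsigned seq; };
struct model_sb { struct wb_err wb_err; };   /* proposed per-superblock state */
struct model_mapping { struct wb_err wb_err; struct model_sb *sb; };
struct model_file { struct model_mapping *m; unsigned f_wb_err; int o_path; };

/* Writeback failure: flag the mapping and its superblock. */
static void model_set_error(struct model_mapping *m, int err) {
    m->wb_err.err = err;     m->wb_err.seq++;
    m->sb->wb_err.err = err; m->sb->wb_err.seq++;
}
/* open(): an O_PATH fd samples the superblock counter, others the mapping's. */
static struct model_file model_open(struct model_mapping *m, int o_path) {
    return (struct model_file){ m, o_path ? m->sb->wb_err.seq : m->wb_err.seq, o_path };
}
/* Report an error once per cursor, then move the cursor past it. */
static int check_and_advance(const struct wb_err *e, unsigned *cursor) {
    if (*cursor == e->seq) return 0;
    *cursor = e->seq;
    return -e->err;
}
static int model_fsync(struct model_file *f) {
    return f->o_path ? -EBADF : check_and_advance(&f->m->wb_err, &f->f_wb_err);
}
/* Assumption: only O_PATH fds get per-sb reporting; other fds get 0 here. */
static int model_syncfs(struct model_file *f) {
    return f->o_path ? check_and_advance(&f->m->sb->wb_err, &f->f_wb_err) : 0;
}

/* Constructed scenario: both fds are opened, then writeback of the data file
 * fails with `err`. Returns the nth syncfs() result on the O_PATH fd, or for
 * nth == 0 the fsync() result on the data fd after syncfs() already ran. */
int scenario(int err, int nth) {
    struct model_sb sb = { { 0, 0 } };
    struct model_mapping dir = { { 0, 0 }, &sb }, data = { { 0, 0 }, &sb };
    struct model_file pfd = model_open(&dir, 1), dfd = model_open(&data, 0);
    int ret = 0;
    model_set_error(&data, err);
    for (int i = 0; i < (nth ? nth : 1); i++) ret = model_syncfs(&pfd);
    return nth ? ret : model_fsync(&dfd);
}
int main(void) {
    printf("%d %d %d\n", scenario(EIO, 1), scenario(EIO, 2), scenario(EIO, 0));
    return 0;
}
```

Because each descriptor tracks exactly one counter, the error is reported once through syncfs() on the O_PATH descriptor and once through fsync() on the data descriptor, and neither call hides it from the other.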