| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 30 Aug 2009 08:49:09 +0200 From: Pavel Machek <pavel@....cz> To: Theodore Tso <tytso@....edu>, david@...g.hm, Ric Wheeler <rwheeler@...hat.com>, Florian Weimer <fweimer@....de>, Goswin von Brederlow <goswin-v-b@....de>, Rob Landley <rob@...dley.net>, kernel list <linux-kernel@...r.kernel.org>, Andrew Morton <akpm@...l.org>, mtk.manpages@...il.com, rdunlap@...otime.net, linux-doc@...r.kernel.org, linux-ext4@...r.kernel.org, corbet@....net Subject: Re: [patch] document flash/RAID dangers On Wed 2009-08-26 08:37:09, Theodore Tso wrote: > On Wed, Aug 26, 2009 at 01:25:36PM +0200, Pavel Machek wrote: > > > you just plain cannot count on writes that are in flight when a powerfail > > > happens to do predictable things, let alone what you consider sane or > > > proper. > > > > From what I see, this kind of failure is rather harder to reproduce > > than the software problems. And at least SGI machines were designed to > > avoid this... > > > > Anyway, I'd like to hear from ext3 people... what happens on read > > errors in journal? That's what you'd expect to see in situation above. > > On a power failure, what normally happens is that the random garbage > gets written into the disk drive's last dying gasp, since the memory > starts going insane and sends garbage to the disk. So the disk > successfully completes the write, but the sector contains garbage. > Since HDD's tend to be last thing to die, being less sensitive to > voltage drops than the memory or DMA controller, my experience is that > you don't get a read error after the system comes up, you just get > garbage written into the journal. > > The ext3 journalling code waits until all of the journal code is > written, and only then writes the commit block. On restart, we look > for the last valid commit block. So if the power failure is before we > write the commit block, we replay the journal up until the previous > commit block. If the power failure is while we are writing the commit > block, garbage will be written out instead of the commit block, and so > it falls back to the previous case. > > We do not allow any updates to the filesystem metadata to take place > until the commit block has been written; therefore the filesystem > stays consistent. Ok, cool. > If there the journal *does* develop read errors, then fsck will > require a manual fsck, and so the boot operation will get stopped so a > system administrator can provide manual intervention. The best bet > for the sysadmin is to replay as much of the journal she can, and then > let fsck fix any resulting filesystem inconsistencies. In practice, ...and that should result in consistent fs with no data loss, because read error is essentialy the same as garbage given back, right? ...plus, this is significant difference from logical-logging filesystems, no? Should this go to Documentation/, somewhere? Pavel -- (english) http://www.livejournal.com/~pavelmachek (cesky, pictures) http://atrey.karlin.mff.cuni.cz/~pavel/picture/horses/blog.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists