Revert "ext4: Remove journal_checksum mount option and enable it by default"

This reverts commit d0646f7b636d067d715fab52a2ba9c6f0f46b0d7, as requested by Eric Sandeen. It can basically cause an ext4 filesystem to miss recovery (and thus get mounted with errors) if the journal checksum does not match. Quoth Eric: "My hand-wavy hunch about what is happening is that we're finding a bad checksum on the last partially-written transaction, which is not surprising, but if we have a wrapped log and we're doing the initial scan for head/tail, and we abort scanning on that bad checksum, then we are essentially running an unrecovered filesystem. But that's hand-wavy and I need to go look at the code. We lived without journal checksums on by default until now, and at this point they're doing more harm than good, so we should revert the default-changing commit until we can fix it and do some good power-fail testing with the fixes in place." See http://bugzilla.kernel.org/show_bug.cgi?id=14354 for all the gory details. Requested-by: Eric Sandeen <sandeen@redhat.com> Cc: Theodore Tso <tytso@mit.edu> Cc: Alexey Fisher <bug-track@fisher-privat.net> Cc: Maxim Levitsky <maximlevitsky@gmail.com> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Cc: Mathias Burén <mathias.buren@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Revert "ext4: Remove journal_checksum mount option and enable it by default"
This reverts commit d0646f7b636d067d715fab52a2ba9c6f0f46b0d7, as requested by Eric Sandeen. It can basically cause an ext4 filesystem to miss recovery (and thus get mounted with errors) if the journal checksum does not match. Quoth Eric: "My hand-wavy hunch about what is happening is that we're finding a bad checksum on the last partially-written transaction, which is not surprising, but if we have a wrapped log and we're doing the initial scan for head/tail, and we abort scanning on that bad checksum, then we are essentially running an unrecovered filesystem. But that's hand-wavy and I need to go look at the code. We lived without journal checksums on by default until now, and at this point they're doing more harm than good, so we should revert the default-changing commit until we can fix it and do some good power-fail testing with the fixes in place." See http://bugzilla.kernel.org/show_bug.cgi?id=14354 for all the gory details. Requested-by: Eric Sandeen <sandeen@redhat.com> Cc: Theodore Tso <tytso@mit.edu> Cc: Alexey Fisher <bug-track@fisher-privat.net> Cc: Maxim Levitsky <maximlevitsky@gmail.com> Cc: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> Cc: Mathias Burén <mathias.buren@gmail.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Linus Torvalds
1 parent c35102c3e1
Showing 3 changed files with 22 additions and 7 deletions Side-by-side Diff
Documentation/filesystems/ext4.txt
fs/ext4/ext4.h
fs/ext4/super.c
@@ -134,9 +134,15 @@
                      	mount options "ro,noload" can be used to prevent
 		     	writes to the filesystem.
  
+journal_checksum	Enable checksumming of the journal transactions.
+			This will allow the recovery code in e2fsck and the
+			kernel to detect corruption in the kernel.  It is a
+			compatible change and will be ignored by older kernels.
+
 journal_async_commit	Commit block can be written to disk without waiting
 			for descriptor blocks. If enabled older kernels cannot
-			mount the device.
+			mount the device. This will enable 'journal_checksum'
+			internally.
  
 journal=update		Update the ext4 file system's journal to the current
 			format.
@@ -743,6 +743,7 @@
 #define EXT4_MOUNT_QUOTA		0x80000 /* Some quota option set */
 #define EXT4_MOUNT_USRQUOTA		0x100000 /* "old" user quota */
 #define EXT4_MOUNT_GRPQUOTA		0x200000 /* "old" group quota */
+#define EXT4_MOUNT_JOURNAL_CHECKSUM	0x800000 /* Journal checksums */
 #define EXT4_MOUNT_JOURNAL_ASYNC_COMMIT	0x1000000 /* Journal Async Commit */
 #define EXT4_MOUNT_I_VERSION            0x2000000 /* i_version support */
 #define EXT4_MOUNT_DELALLOC		0x8000000 /* Delalloc support */
@@ -1300,9 +1300,11 @@
 			*journal_devnum = option;
 			break;
 		case Opt_journal_checksum:
-			break;	/* Kept for backwards compatibility */
+			set_opt(sbi->s_mount_opt, JOURNAL_CHECKSUM);
+			break;
 		case Opt_journal_async_commit:
 			set_opt(sbi->s_mount_opt, JOURNAL_ASYNC_COMMIT);
+			set_opt(sbi->s_mount_opt, JOURNAL_CHECKSUM);
 			break;
 		case Opt_noload:
 			set_opt(sbi->s_mount_opt, NOLOAD);
  
  
@@ -2759,14 +2761,20 @@
 		goto failed_mount4;
 	}
  
-	jbd2_journal_set_features(sbi->s_journal,
-				  JBD2_FEATURE_COMPAT_CHECKSUM, 0, 0);
-	if (test_opt(sb, JOURNAL_ASYNC_COMMIT))
-		jbd2_journal_set_features(sbi->s_journal, 0, 0,
+	if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
+		jbd2_journal_set_features(sbi->s_journal,
+				JBD2_FEATURE_COMPAT_CHECKSUM, 0,
 				JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
-	else
+	} else if (test_opt(sb, JOURNAL_CHECKSUM)) {
+		jbd2_journal_set_features(sbi->s_journal,
+				JBD2_FEATURE_COMPAT_CHECKSUM, 0, 0);
 		jbd2_journal_clear_features(sbi->s_journal, 0, 0,
 				JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
+	} else {
+		jbd2_journal_clear_features(sbi->s_journal,
+				JBD2_FEATURE_COMPAT_CHECKSUM, 0,
+				JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
+	}
  
 	/* We have now updated the journal if required, so we can
 	 * validate the data journaling mode. */
...	...	@@ -134,9 +134,15 @@
134	134	mount options "ro,noload" can be used to prevent
135	135	writes to the filesystem.
136	136
	137	+journal_checksum Enable checksumming of the journal transactions.
	138	+ This will allow the recovery code in e2fsck and the
	139	+ kernel to detect corruption in the kernel. It is a
	140	+ compatible change and will be ignored by older kernels.
	141	+
137	142	journal_async_commit Commit block can be written to disk without waiting
138	143	for descriptor blocks. If enabled older kernels cannot
139		- mount the device.
	144	+ mount the device. This will enable 'journal_checksum'
	145	+ internally.
140	146
141	147	journal=update Update the ext4 file system's journal to the current
142	148	format.
...	...	@@ -743,6 +743,7 @@
743	743	#define EXT4_MOUNT_QUOTA 0x80000 /* Some quota option set */
744	744	#define EXT4_MOUNT_USRQUOTA 0x100000 /* "old" user quota */
745	745	#define EXT4_MOUNT_GRPQUOTA 0x200000 /* "old" group quota */
	746	+#define EXT4_MOUNT_JOURNAL_CHECKSUM 0x800000 /* Journal checksums */
746	747	#define EXT4_MOUNT_JOURNAL_ASYNC_COMMIT 0x1000000 /* Journal Async Commit */
747	748	#define EXT4_MOUNT_I_VERSION 0x2000000 /* i_version support */
748	749	#define EXT4_MOUNT_DELALLOC 0x8000000 /* Delalloc support */
...	...	@@ -1300,9 +1300,11 @@
1300	1300	*journal_devnum = option;
1301	1301	break;
1302	1302	case Opt_journal_checksum:
1303		- break; /* Kept for backwards compatibility */
	1303	+ set_opt(sbi->s_mount_opt, JOURNAL_CHECKSUM);
	1304	+ break;
1304	1305	case Opt_journal_async_commit:
1305	1306	set_opt(sbi->s_mount_opt, JOURNAL_ASYNC_COMMIT);
	1307	+ set_opt(sbi->s_mount_opt, JOURNAL_CHECKSUM);
1306	1308	break;
1307	1309	case Opt_noload:
1308	1310	set_opt(sbi->s_mount_opt, NOLOAD);
1309	1311
1310	1312
...	...	@@ -2759,14 +2761,20 @@
2759	2761	goto failed_mount4;
2760	2762	}
2761	2763
2762		- jbd2_journal_set_features(sbi->s_journal,
2763		- JBD2_FEATURE_COMPAT_CHECKSUM, 0, 0);
2764		- if (test_opt(sb, JOURNAL_ASYNC_COMMIT))
2765		- jbd2_journal_set_features(sbi->s_journal, 0, 0,
	2764	+ if (test_opt(sb, JOURNAL_ASYNC_COMMIT)) {
	2765	+ jbd2_journal_set_features(sbi->s_journal,
	2766	+ JBD2_FEATURE_COMPAT_CHECKSUM, 0,
2766	2767	JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
2767		- else
	2768	+ } else if (test_opt(sb, JOURNAL_CHECKSUM)) {
	2769	+ jbd2_journal_set_features(sbi->s_journal,
	2770	+ JBD2_FEATURE_COMPAT_CHECKSUM, 0, 0);
2768	2771	jbd2_journal_clear_features(sbi->s_journal, 0, 0,
2769	2772	JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
	2773	+ } else {
	2774	+ jbd2_journal_clear_features(sbi->s_journal,
	2775	+ JBD2_FEATURE_COMPAT_CHECKSUM, 0,
	2776	+ JBD2_FEATURE_INCOMPAT_ASYNC_COMMIT);
	2777	+ }
2770	2778
2771	2779	/* We have now updated the journal if required, so we can
2772	2780	* validate the data journaling mode. */