Aneesh Kumar K.V wrote: > On Mon, Mar 30, 2009 at 08:53:42AM -0500, Eric Sandeen wrote: >> Aneesh Kumar K.V wrote: >> >>> We do a vmtruncate if we failed to allocate blocks in >>> ext3_write_begin. That is done after the closing the current >>> transaction. If we crash in between (ie, after committing the >>> transaction allocating blocks and before committing the transaction that >>> is doing truncate) we would only have some data blocks leaking. But >>> that would be better than user seeing zero's in the file ?. Also if we >>> happen to add the inode to the orphan list and crash, the recovery would >>> truncate it properly. So by doing a vmtruncate I guess the window would be >>> small and we are already doing that in ext3_write_begin. >> I don't agree that leaking data blocks is better than exposing zeros... >> the former is a security flaw, the latter a (significant) annoyance. >> > > Even when we fail to track few data blocks we do zero them using > page_zero_new_buffers. So it should not imply a security flaw. I guess > if we crash failing to commit the truncate fsck will look at the bitmap > and find the blocks which are not tracked by any inode and will mark them > free. Oh, perhaps I misunderstood. I thought you meant leaking data in uninitialized blocks, but you meant losing track of those blocks' allocation, I guess. Sorry for the confusion... -Eric -- To unsubscribe from this list: send the line "unsubscribe linux-ext4" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
