Re: [PATCH 2/2] ext4: handle errors in ext4_clear_blocks()

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Mar 21, 2011 at 6:23 AM, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> On Mon, Mar 21, 2011 at 3:37 AM, Ted Ts'o <tytso@xxxxxxx> wrote:
>> On Tue, Mar 01, 2011 at 02:28:26PM +0200, Amir Goldstein wrote:
>>> +out_err:
>>> +     ext4_std_error(inode->i_sb, err);
>>> +     return err;
>>
>> Umm, you do realize this function will mark the file system as dirty,
>> and possibly remount the file system read-only, or panic the system,
>> right?
>
> I am counting on that. In fact I think we should not allow snapshots
> and errors=continue,
> otherwise we just as good (bad) as LVM snapshot that vanishes when it
> runs out of space.
>
>>
>> That's appropriate for normal journal failures (since there's no
>> recovering from them), but if you're proposing that a simple lack of
>> free blocks when doing a COW operation will result in a ENOSPC, all a
>> malicious userspace application needs to do to potentially bring the
>> system down is to attempt to unlink or truncate a file while COW
>> snapshots are enabled.....

And FYI, unlink/truncate of large file doesn't take up a lot of disk space,
the data blocks are moved to snapshot and only metadata needs to be
COWed, which should be accounted for by the snapshot disk space
reservation.

The worst DoS, which a malicious user space application can do is to
take up it's own disk quota X number of retained snapshots.
This is something that systems administrators have to take into account
when mixing snapshots and quotas.
Just creating new files and deleting them, does not make snapshot disk
usage grow.


>
> It's not that easy to cause ENOSPC during COW.
> s_snapshot_r_blocks has blocks reserved for COW,
> but I do want the fs to freeze if that reservation somehow runs out.
> The reservation is based on metadata size estimation, calculated
> for no of used inodes no of dirs and no of used blocks. It may fall
> short when there are very many hard links or very long file names,
> resulting in lots of directory blocks and when all of them are COWed.
>
> short in many hard links
>
>>
>> Do you really want me to include this patch?  I think you may want to
>> rethink how you want to handle this case....
>
> I do, because when errors=remount-ro, this function emmits lots of
> "journal has aborted" errors, which are of no useful to anyone...
>
>>
>>                                                - Ted
>>
>
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Reiser Filesystem Development]     [Ceph FS]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Linux FS]     [Yosemite National Park]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Device Mapper]     [Linux Media]

  Powered by Linux