On Fri, Jun 22, 2018 at 02:52:38PM +0300, Artem Blagodarenko wrote: > From: Andreas Dilger <andreas.dilger@xxxxxxxxx> > > The present e2fsck code checks the inode, per field basis. It > doesn't take into consideration to total sanity of the inode. > This may cause e2fsck turning a garbage inode into an apparently > sane inode ("It is a vessel of fertilizer, and none may abide > its strength."). > > The following patch adds a heuristics to detect the degree of > badness of an inode. icount mechanism is used to keep track of > the badness of every inode. The badness is increased as various > fields in inode are found to be corrupt. Badness above a certain > threshold value results in deletion of the inode. The default > badness threshold value is 7, it can be specified to e2fsck > using "-E inode_badness_threshold=<value>" The main thing I don't like about this patch, as I've stated before, is that it spreads out the badness calculation all over a large amount of code. If we want to do something like this, what I think makes more sense is to have a libext2fs function which calculates a badness score, and which is called in pass1 --- and if it exceeds some threshold, we can offer to clear it right then and there. However, I had already implemented a while back something which evaluates the sanity of the inode table block on a holistic fashion --- see the check_inode_block_sanity() function in lib/ext2fs/inode.c. I think this is a superior approach since the primary way that e2fsck gets insane inodes is when an inode table block is scrambled. At the moment the code only evaluate inode sanity by looking at i_blocks. So if you have evidence that the current hueristics in the inode_scan code is not sufficient, what I would propose is this. We can create a new function, ext2fs_inode_check_sanity() which evaluates an inode and returns a badness value. We can then use it in the inode_scan functions with a lower threshold, and if more than 50% of the inodes are bad, we declare the entire inode table bad. We can also use a higher threshold in pass 1, where if the sanity exceeds that threshold, we can offer to the user to clear the inode up front. Fair enough? > tests/f_ind_inode_collision/expect.2 | 18 ++++- By the way, this is something which indicates that proposed patch is not ready for submission. The standard we set for e2fsck is that it should repair all file system damage in a single pass. If the resulting file system after and e2fsck -fy pass results in corruptions detected during a second pass of e2fsck, that's considered a bug that should be fixed. So to the extent that e2fsck can no longer fix all of the corruptions in the f_ind_inode_collision test, that's a regression. Cheers, - Ted