Date: Thu, 17 May 2018 10:04:01 +0200
From: Stefan Esser <se@freebsd.org>
To: Bruce Evans <brde@optusnet.com.au>, FreeBSD File-Systems <freebsd-fs@freebsd.org>
Subject: Re: [Bug 210316] panic after trying to r/w mount msdosfs on write protected media
Message-ID: <8c1cb4b3-633a-5b14-0713-727b03f44f4e@freebsd.org>
In-Reply-To: <20180517163709.F1129@besplex.bde.org>
References: <bug-210316-3630@https.bugs.freebsd.org/bugzilla/> <bug-210316-3630-eXVbCR5qFd@https.bugs.freebsd.org/bugzilla/> <20180517163709.F1129@besplex.bde.org>
On 17.05.18 at 09:14, Bruce Evans wrote:
> On Thu, 17 May 2018 a bug that doesn't want replies@freebsd.org wrote:
>
>> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=210316
>>
>> --- Comment #14 from Andriy Gapon <avg@FreeBSD.org> ---
>> (In reply to Conrad Meyer from comment #13)
>>
>> Indeed, if we talk about the general behaviour.
>>
>> I see that I utterly failed to explain that I was thinking purely in a context
>> of what msdos does in markvoldirty.
>> Right now that code can leave behind a perpetually dirty buffer and I was
>> thinking how that can be avoided.
>>
>> Maybe markvoldirty should do
>> bp = getblk(...)
>> bp->b_flags |= B_INVAL | B_RELBUF | B_NOCACHE;
>> bp->b_flags &= ~(B_ASYNC | B_CACHE);
>> brelse(bp);
>> after a failed write?
>> Looks clumsy, but should work.
>
> I think this is the only way to clean up the buffer cache.
>
>> Or maybe markvoldirty should not use buffer cache for its write?
>> It could use g_write_data, for example. But that sounds like layering
>> violation.
>
> Not a good way.
>
> Markvoldirty() was obtained from apple and fixed a bit by me, but is still
> very bad, without even this write protection bug.
>
> Before it was implemented, you could use removable media with write
> protection on, and have no writes occur even if you forgot to mount
> with ro, and nothing bad happened if the media was removed without
> unmounting provided it was never explicitly written to. Now,
> markvoldirty() ensures that bad things happen if the media is removed
> without unmounting, even if the media is writeable initially so that
> markvoldirty() doesn't fail.
>
> I thought that failures were handled better. markvoldirty() returns
> bwrite(). There is a lot of error handling for this, but this ends
> up as just markvoldirty() back to clean with the result voided for the
> final call. For unwriteable media, the buffer remains in the buffer
> cache forever.
>
> One idea for improving this is to delay markvoldirty() until the first
> explicit write(). Also, don't clobber the disk to write atimes even if
> the fs is mounted rw and without -noatime (it takes something like FAT32
> before atimes even exist in msdosfs). msdosfs has always had an internal
> flag pm_fmod which was apparently intended for a similar optimization, but
> it is useless since it is always set on successful rw mounts and not cleared
> until unmount, and it is write-only except for a check in msdosfs_sync()
> where it just causes a panic if it is not set. The voldirty flag and
> any internal dirty flags should also be set to clean if the file system
> is not written to for some time after a successful complete sync, so that
> the fs is usually clean if it is not written to often. All versions of
> Windows that I have tried seem to do this.

Some 20 years ago I had to work with AIX machines, and I found that they
offered a nice feature for accesses to removable media (floppy disks, at
that time). If such a media was not written to for a few seconds, it could
be removed without unmounting.

I proposed to implement a timer that was triggered when the number of dirty
buffers for a partition drops to zero and that is canceled when the
partition is written to (this does not need to be a timer of course, polling
for that case every few seconds works as well), at that time. And
pre-soft-updates and journaling that feature had also been of advantage for
UFS file systems that are rarely written but were the cause of most fsck
delay after an unclean shutdown.

In case that a media (whether removable or not) was mounted R/W and not
written to (had no dirty buffers) for more than a few seconds, the mount
could be downgraded to R/O (in the same way as by a "mount -u -o ro").

A flag that recorded the fact that this partition may be written to could
then be checked in the "write to R/O partition" error case, and if the file
system was only temporarily set to R/O, it could be treated like a first
access to a writable partition (i.e., write a dirty flag into the
super-block or whatever action the file system performs when mounted R/W).

In short, the suggestion is to down-grade the mount state of any file-system
not used for some configurable time to R/O, with an automatic upgrade to R/W
on the next write attempt.

I did not try to fully implement that feature when floppy disks became less
and less relevant, but with USB and SD media being used as writable media,
today, the same situation exists as with floppy disks some 20 years ago.

The only requirement for such a mechanism is that the number of dirty
buffers per partition is known and accessible for a polling every few
seconds, that causes the temporary down-grade to R/O to be triggered.
Everything else is trivial (i.e., just check a flag in the "write to R/O"
error path and clear the R/O flag in such a way that the dirty flag gets
written). That requires a (trivial) change in each file system that wants to
be able to upgrade to R/W after the temporary downgrade to R/O, though.

Regards, Stefan
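As an added illustration of the idle-downgrade mechanism proposed in the message above (example code written for this page, not from the thread or from FreeBSD's msdosfs): a userland model in which a periodic poll downgrades a clean, idle mount to R/O and the "write to R/O" error path upgrades it again, refusing only when the mount is genuinely read-only or the media is write protected. The names model_mount, IDLE_SECS, media_wp and the time-in-seconds interface are assumptions; FreeBSD's real mount and buffer-cache code is not used.

```c
#include <errno.h>
#include <stdbool.h>

/* Idle time before a clean mount is downgraded to R/O (assumed value). */
#define IDLE_SECS 5

/* Hypothetical per-mount state; not FreeBSD's struct mount. */
struct model_mount {
    bool ro;          /* currently read-only */
    bool auto_ro;     /* R/O only because of the idle downgrade */
    bool media_wp;    /* media is write protected */
    bool voldirty;    /* on-media dirty flag, as set by markvoldirty() */
    int  ndirty;      /* dirty buffers belonging to this partition */
    long last_write;  /* time of the last write, in seconds */
};

/* Called every few seconds. A clean mount that has seen no write for
 * IDLE_SECS is downgraded to R/O, like "mount -u -o ro", and its
 * dirty flag cleared so the media can be pulled without unmounting. */
bool model_poll(struct model_mount *m, long now)
{
    if (m->ro || m->ndirty > 0 || now - m->last_write < IDLE_SECS)
        return false;
    m->ro = true;
    m->auto_ro = true;
    m->voldirty = false;
    return true;
}

/* The "write to R/O partition" error path with the proposed check.
 * Returns 0 on success or an errno value. */
int model_write(struct model_mount *m, long now)
{
    if (m->ro) {
        if (!m->auto_ro)
            return EROFS;   /* genuinely R/O: refuse as today */
        if (m->media_wp)
            return EROFS;   /* dirty flag cannot be written: stay R/O */
        m->ro = false;      /* upgrade back to R/W ... */
        m->auto_ro = false;
        m->voldirty = true; /* ... and mark the volume dirty first */
    }
    m->ndirty++;
    m->last_write = now;
    return 0;
}

/* Completed sync: the partition has no dirty buffers left. */
void model_sync(struct model_mount *m) { m->ndirty = 0; }
```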