[1/1] xfs: do not check NEEDSREPAIR if ro,norecovery mount.

Message ID	20250203085513.79335-2-lukas@herbolt.com (mailing list archive)
State	Queued
Headers	show Received: from mx0.herbolt.com (mx0.herbolt.com [5.59.97.199]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F30B2AD27 for <linux-xfs@vger.kernel.org>; Mon, 3 Feb 2025 09:04:27 +0000 (UTC) From: Lukas Herbolt <lukas@herbolt.com> To: cem@kernel.org, djwong@kernel.org Cc: linux-xfs@vger.kernel.org, Lukas Herbolt <lukas@herbolt.com> Subject: [PATCH 1/1] xfs: do not check NEEDSREPAIR if ro,norecovery mount. Date: Mon, 3 Feb 2025 09:55:13 +0100 Message-ID: <20250203085513.79335-2-lukas@herbolt.com> In-Reply-To: <20250203085513.79335-1-lukas@herbolt.com> References: <20250203085513.79335-1-lukas@herbolt.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	RFE: Do not check NEEDSREPAIR if ro,norecovery mount. \| expand [0/1] RFE: Do not check NEEDSREPAIR if ro,norecovery mount. [1/1] xfs: do not check NEEDSREPAIR if ro,norecovery mount.

Lukas Herbolt Feb. 3, 2025, 8:55 a.m. UTC

If there is corrutpion on the filesystem andxfs_repair
fails to repair it. The last resort of getting the data
is to use norecovery,ro mount. But if the NEEDSREPAIR is
set the filesystem cannot be mounted. The flag must be
cleared out manually using xfs_db, to get access to what
left over of the corrupted fs.

Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
---
 fs/xfs/xfs_super.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

Darrick J. Wong Feb. 3, 2025, 10:26 p.m. UTC | #1

On Mon, Feb 03, 2025 at 09:55:13AM +0100, Lukas Herbolt wrote:
> If there is corrutpion on the filesystem andxfs_repair
> fails to repair it. The last resort of getting the data
> is to use norecovery,ro mount. But if the NEEDSREPAIR is
> set the filesystem cannot be mounted. The flag must be
> cleared out manually using xfs_db, to get access to what
> left over of the corrupted fs.
> 
> Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
> ---
>  fs/xfs/xfs_super.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
> index 394fdf3bb535..c2566dcc4f88 100644
> --- a/fs/xfs/xfs_super.c
> +++ b/fs/xfs/xfs_super.c
> @@ -1635,8 +1635,12 @@ xfs_fs_fill_super(
>  #endif
>  	}
>  
> -	/* Filesystem claims it needs repair, so refuse the mount. */
> -	if (xfs_has_needsrepair(mp)) {
> +	/*
> +	 * Filesystem claims it needs repair, so refuse the mount unless
> +	 * norecovery is also specified, in which case the filesystem can
> +	 * be mounted with no risk of further damage.
> +	 */
> +	if (xfs_has_needsrepair(mp) && !xfs_has_norecovery(mp)) {

I think a better way to handle badly damaged filesystems is for us to
provide a means to extract directory trees in userspace, rather than
making the user take the risk of mounting a known-bad filesystem.
I've a draft of an xfs_db subcommand for doing exactly that and will
share for xfsprogs 6.14.

--D

>  		xfs_warn(mp, "Filesystem needs repair.  Please run xfs_repair.");
>  		error = -EFSCORRUPTED;
>  		goto out_free_sb;
> -- 
> 2.48.1
> 
>

Eric Sandeen Feb. 4, 2025, 5:55 p.m. UTC | #2

On 2/3/25 4:26 PM, Darrick J. Wong wrote:
> On Mon, Feb 03, 2025 at 09:55:13AM +0100, Lukas Herbolt wrote:
>> If there is corrutpion on the filesystem andxfs_repair
>> fails to repair it. The last resort of getting the data
>> is to use norecovery,ro mount. But if the NEEDSREPAIR is
>> set the filesystem cannot be mounted. The flag must be
>> cleared out manually using xfs_db, to get access to what
>> left over of the corrupted fs.
>>
>> Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
>> ---
>>  fs/xfs/xfs_super.c | 8 ++++++--
>>  1 file changed, 6 insertions(+), 2 deletions(-)
>>
>> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
>> index 394fdf3bb535..c2566dcc4f88 100644
>> --- a/fs/xfs/xfs_super.c
>> +++ b/fs/xfs/xfs_super.c
>> @@ -1635,8 +1635,12 @@ xfs_fs_fill_super(
>>  #endif
>>  	}
>>  
>> -	/* Filesystem claims it needs repair, so refuse the mount. */
>> -	if (xfs_has_needsrepair(mp)) {
>> +	/*
>> +	 * Filesystem claims it needs repair, so refuse the mount unless
>> +	 * norecovery is also specified, in which case the filesystem can
>> +	 * be mounted with no risk of further damage.
>> +	 */
>> +	if (xfs_has_needsrepair(mp) && !xfs_has_norecovery(mp)) {
> 
> I think a better way to handle badly damaged filesystems is for us to
> provide a means to extract directory trees in userspace, rather than
> making the user take the risk of mounting a known-bad filesystem.
> I've a draft of an xfs_db subcommand for doing exactly that and will
> share for xfsprogs 6.14.

I think whether a userspace extractor is better or not depends on the
usecase. I suppose there's some truth that a NEEDSREPAIR filesystem is
"known bad" but we already suffer the risk of "unknown bad" filesystems
today. (Or for that matter, the fact that we allow "norecovery" today,
which also guarantees a mount of an inconsistent filesystem.)

"Something is wrong with this filesystem, let's mount it readonly and
copy off the data" is a pretty time-tested approach, I think, hampered
only by the fairly recent addition of NEEDSREPAIR.

a userspace scrape-the-device tool may well be useful for some, but
I don't think that vs. this kernelspace option needs to be an either/or
decision.

Thanks,

-Eric

> --D
> 
>>  		xfs_warn(mp, "Filesystem needs repair.  Please run xfs_repair.");
>>  		error = -EFSCORRUPTED;
>>  		goto out_free_sb;
>> -- 
>> 2.48.1
>>
>>
>

Darrick J. Wong Feb. 4, 2025, 7:59 p.m. UTC | #3

On Tue, Feb 04, 2025 at 11:55:00AM -0600, Eric Sandeen wrote:
> On 2/3/25 4:26 PM, Darrick J. Wong wrote:
> > On Mon, Feb 03, 2025 at 09:55:13AM +0100, Lukas Herbolt wrote:
> >> If there is corrutpion on the filesystem andxfs_repair
> >> fails to repair it. The last resort of getting the data
> >> is to use norecovery,ro mount. But if the NEEDSREPAIR is
> >> set the filesystem cannot be mounted. The flag must be
> >> cleared out manually using xfs_db, to get access to what
> >> left over of the corrupted fs.
> >>
> >> Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
> >> ---
> >>  fs/xfs/xfs_super.c | 8 ++++++--
> >>  1 file changed, 6 insertions(+), 2 deletions(-)
> >>
> >> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
> >> index 394fdf3bb535..c2566dcc4f88 100644
> >> --- a/fs/xfs/xfs_super.c
> >> +++ b/fs/xfs/xfs_super.c
> >> @@ -1635,8 +1635,12 @@ xfs_fs_fill_super(
> >>  #endif
> >>  	}
> >>  
> >> -	/* Filesystem claims it needs repair, so refuse the mount. */
> >> -	if (xfs_has_needsrepair(mp)) {
> >> +	/*
> >> +	 * Filesystem claims it needs repair, so refuse the mount unless
> >> +	 * norecovery is also specified, in which case the filesystem can
> >> +	 * be mounted with no risk of further damage.
> >> +	 */
> >> +	if (xfs_has_needsrepair(mp) && !xfs_has_norecovery(mp)) {
> > 
> > I think a better way to handle badly damaged filesystems is for us to
> > provide a means to extract directory trees in userspace, rather than
> > making the user take the risk of mounting a known-bad filesystem.
> > I've a draft of an xfs_db subcommand for doing exactly that and will
> > share for xfsprogs 6.14.
> 
> I think whether a userspace extractor is better or not depends on the
> usecase. I suppose there's some truth that a NEEDSREPAIR filesystem is
> "known bad" but we already suffer the risk of "unknown bad" filesystems
> today. (Or for that matter, the fact that we allow "norecovery" today,
> which also guarantees a mount of an inconsistent filesystem.)
> 
> "Something is wrong with this filesystem, let's mount it readonly and
> copy off the data" is a pretty time-tested approach, I think, hampered
> only by the fairly recent addition of NEEDSREPAIR.
> 
> a userspace scrape-the-device tool may well be useful for some, but
> I don't think that vs. this kernelspace option needs to be an either/or
> decision.

Fair enough; it's not like we have a tool today that can extract
directory trees from an unmountable filesystem.  Do you want to rvb this
one, then?

--D

> Thanks,
> 
> -Eric
> 
> > --D
> > 
> >>  		xfs_warn(mp, "Filesystem needs repair.  Please run xfs_repair.");
> >>  		error = -EFSCORRUPTED;
> >>  		goto out_free_sb;
> >> -- 
> >> 2.48.1
> >>
> >>
> > 
> 
>

Dave Chinner Feb. 4, 2025, 8:18 p.m. UTC | #4

On Mon, Feb 03, 2025 at 09:55:13AM +0100, Lukas Herbolt wrote:
> If there is corrutpion on the filesystem andxfs_repair
> fails to repair it. The last resort of getting the data
> is to use norecovery,ro mount. But if the NEEDSREPAIR is
> set the filesystem cannot be mounted. The flag must be
> cleared out manually using xfs_db, to get access to what
> left over of the corrupted fs.
> 
> Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
> ---
>  fs/xfs/xfs_super.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
> index 394fdf3bb535..c2566dcc4f88 100644
> --- a/fs/xfs/xfs_super.c
> +++ b/fs/xfs/xfs_super.c
> @@ -1635,8 +1635,12 @@ xfs_fs_fill_super(
>  #endif
>  	}
>  
> -	/* Filesystem claims it needs repair, so refuse the mount. */
> -	if (xfs_has_needsrepair(mp)) {
> +	/*
> +	 * Filesystem claims it needs repair, so refuse the mount unless
> +	 * norecovery is also specified, in which case the filesystem can
> +	 * be mounted with no risk of further damage.
> +	 */
> +	if (xfs_has_needsrepair(mp) && !xfs_has_norecovery(mp)) {
>  		xfs_warn(mp, "Filesystem needs repair.  Please run xfs_repair.");
>  		error = -EFSCORRUPTED;
>  		goto out_free_sb;

Look fine. I've had to hack around this with xfs_db when testing
(broken) xfs_repair mods a couple of times myself...

Reviewed-by: Dave Chinner <dchinner@redhat.com>

Eric Sandeen Feb. 4, 2025, 8:37 p.m. UTC | #5

On 2/3/25 2:55 AM, Lukas Herbolt wrote:
> If there is corrutpion on the filesystem andxfs_repair
> fails to repair it. The last resort of getting the data
> is to use norecovery,ro mount. But if the NEEDSREPAIR is
> set the filesystem cannot be mounted. The flag must be
> cleared out manually using xfs_db, to get access to what
> left over of the corrupted fs.
> 
> Signed-off-by: Lukas Herbolt <lukas@herbolt.com>
> ---
>  fs/xfs/xfs_super.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/fs/xfs/xfs_super.c b/fs/xfs/xfs_super.c
> index 394fdf3bb535..c2566dcc4f88 100644
> --- a/fs/xfs/xfs_super.c
> +++ b/fs/xfs/xfs_super.c
> @@ -1635,8 +1635,12 @@ xfs_fs_fill_super(
>  #endif
>  	}
>  
> -	/* Filesystem claims it needs repair, so refuse the mount. */
> -	if (xfs_has_needsrepair(mp)) {
> +	/*
> +	 * Filesystem claims it needs repair, so refuse the mount unless
> +	 * norecovery is also specified, in which case the filesystem can
> +	 * be mounted with no risk of further damage.
> +	 */
> +	if (xfs_has_needsrepair(mp) && !xfs_has_norecovery(mp)) {
>  		xfs_warn(mp, "Filesystem needs repair.  Please run xfs_repair.");
>  		error = -EFSCORRUPTED;
>  		goto out_free_sb;

thanks Lukas, this looks good to me as well. And with ro,norecovery
there should (tm) be no writes whatever to the filesystem so risk of
introducing further corruption from the mount should be zero.

Reviewed-by: Eric Sandeen <sandeen@redhat.com>

[1/1] xfs: do not check NEEDSREPAIR if ro,norecovery mount.

Commit Message

Comments

Patch