[RFC] ext4: Fix fs can't panic when abort by user

[RFC] ext4: Fix fs can't panic when abort by user

[Ye Bin]

Test steps:
1. mount /dev/sda -o errors=panic test
2. mount /dev/sda -o remount,ro test
3. mount /dev/sda -o remount,abort test

Before 014c9caa29d3 not been merged there will trigger panic. But
014c9caa29d3 change this behavior.

Fixes: 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()")
Signed-off-by: Ye Bin <yebin10@huawei.com>
---
 fs/ext4/super.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index b9693680463a..acb75dc396f8 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -667,9 +667,6 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
 			ext4_commit_super(sb);
 	}
 
-	if (sb_rdonly(sb) || continue_fs)
-		return;
-
 	/*
 	 * We force ERRORS_RO behavior when system is rebooting. Otherwise we
 	 * could panic during 'reboot -f' as the underlying device got already
@@ -679,6 +676,10 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
 		panic("EXT4-fs (device %s): panic forced after error\n",
 			sb->s_id);
 	}
+
+	if (sb_rdonly(sb) || continue_fs)
+		return;
+
 	ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only");
 	/*
 	 * Make sure updated value of ->s_mount_flags will be visible before
-- 
2.25.4

Re: [RFC] ext4: Fix fs can't panic when abort by user

[Theodore Ts'o]

On Thu, Apr 01, 2021 at 04:19:03PM +0800, Ye Bin wrote:
> Test steps:
> 1. mount /dev/sda -o errors=panic test
> 2. mount /dev/sda -o remount,ro test
> 3. mount /dev/sda -o remount,abort test
> 
> Before 014c9caa29d3 not been merged there will trigger panic. But
> 014c9caa29d3 change this behavior.

This makes sense, but I'll note this behavior has changed over time.

root@kvm-xfstests:~# mount -o errors=panic /dev/vdc /vdc
[   20.252713] EXT4-fs (vdc): mounted filesystem with ordered data mode. Opts: errors=panic
root@kvm-xfstests:~# mount -o remount,ro /dev/vdc
[   24.832448] EXT4-fs (vdc): re-mounted. Opts: (null)
root@kvm-xfstests:~# mount -o remount,abort /dev/vdc
[   30.833543] EXT4-fs error (device vdc): ext4_remount:5340: Abort forced by user
mount: /vdc: cannot remount /dev/vdc read-write, is write-protected.
root@kvm-xfstests:~# mount -o remount,abort,ro /dev/vdc
[   34.545549] EXT4-fs error (device vdc): ext4_remount:5340: Abort forced by user
[   34.555475] EXT4-fs (vdc): re-mounted. Opts: abort
root@kvm-xfstests:~# uname -a
Linux kvm-xfstests 4.19.163-xfstests #1 SMP Sat Dec 19 23:55:11 EST 2020 x86_64 GNU/Linux
root@kvm-xfstests:~#

The same is true for the 5.4 kernel.

I do agree that it *should* force a panic, and the fact that
superblock is read-only shouldn't make a difference as to how
errors=panic is handled.

So I think the patch is correct, but I'll note that it also changes
this case:

1)  mount -o /dev/sda -o ro,errors=panic test
2)  echo test > /sys/fs/ext4/sda/trigger_fs_error

With this patch, this will also now panic, whereas before, an
ext4_error() would not trigger a panic.  I think that's better because
it makes things more consistent --- but it is a change in behavior
which could potentially surprise some people.  But since they can
easily get the previous behavior with an explicit "mount -o
ro,errors=continue", I think that's acceptable.

I'll apply the patch with a modified commit description to warn of
this particular change in behavior.

						- Ted

Re: [RFC] ext4: Fix fs can't panic when abort by user

[Theodore Ts'o]

On Fri, Apr 09, 2021 at 05:28:54PM -0400, Theodore Ts'o wrote:
> I'll apply the patch with a modified commit description to warn of
> this particular change in behavior.

Applied with the following commit description:

    ext4: always panic when errors=panic is specified
    
    Before commit 014c9caa29d3 ("ext4: make ext4_abort() use
    __ext4_error()"), the following series of commands would trigger a
    panic:
    
    1. mount /dev/sda -o ro,errors=panic test
    2. mount /dev/sda -o remount,abort test
    
    After commit 014c9caa29d3, remounting a file system using the test
    mount option "abort" will no longer trigger a panic.  This commit will
    restore the behaviour immediately before commit 014c9caa29d3.
    (However, note that the Linux kernel's behavior has not been
    consistent; some previous kernel versions, including 5.4 and 4.19
    similarly did not panic after using the mount option "abort".)
    
    This also makes a change to long-standing behaviour; namely, the
    following series commands will now cause a panic, when previously it
    did not:
    
    1. mount /dev/sda -o ro,errors=panic test
    2. echo test > /sys/fs/ext4/sda/trigger_fs_error
    
    However, this makes ext4's behaviour much more consistent, so this is
    a good thing.
    
    Fixes: 014c9caa29d3 ("ext4: make ext4_abort() use __ext4_error()")
    Signed-off-by: Ye Bin <yebin10@huawei.com>
    Link: https://lore.kernel.org/r/20210401081903.3421208-1-yebin10@huawei.com
    Signed-off-by: Theodore Ts'o <tytso@mit.edu>