Ubuntu
e2fsprogs package

fsck.ext4 -n wrote to & destroyed filesystem

Bug #537483 reported by Bela Lubkin on 2010-03-11

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	e2fsprogs (Ubuntu)	Fix Released	Undecided	Unassigned

Bug Description

Binary package hint: e2fsprogs

System is running Ubuntu 10.04-current (was in the middle of upgrading last night's new packages -- had installed almost all, but not yet rebooted from the new 2.6.32-16 kernel -- was still on 2.6.32-15). As the system is completely crashed, I cannot report on the exact e2fsprogs / fsck releases. However, it was the newest version available in any of the Ubuntu 10.04 Lucid Lynx repositories (including -backports and -proposed, if anything is in those yet). I had run an `apt-get dist-upgrade` less than 2 hours before the crash; e2fsprogs would be whichever version was last issued before about 2010-03-11 1530 GMT.

WHAT HAPPENED:

Out of curiousity -- and somewhat bothered at how slow and noisy disk operations were during the day's round of upgrades -- I determined to run fsck's "-E fragcheck" -- "show me details about filesystem fragmentation" flag.

Below (after all text) is a cut-and-paste from the ssh session I ran the command from.

The exact command I ran was:

time fsck.ext4 -n -v -t -t -D -E fragcheck /dev/sda5

in which flags are:

   -n DO NOT WRITE TO THE FILESYSTEM
   -v verbose
   -t timing information; twice for extra details
   -D optimize directories
   -E fragcheck "print a detailed report of any discontiguous blocks"

The documentation for -D comments that it "will detect directory entries with duplicate names in a single directory, which e2fsck normally does not enforce". It was for this enhanced detection that I added this flag. I realize that it is a flag which directs fsck to write, but I believe that it -- as with all(*) other writing flags -- would be rendered inoperable by "-n". That is, I believed that the combination "-n -D" would cause additional checks (for directories needing optimization & for duplicate directory entries) without causing any writes. (*)I realize this isn't fully true, that the three bad-block-related flags -[clL] are effective even under -n. This is clearly documented; the clarity of _that_ documentation lends support to the supposition that no _other_ flags will override -n.

In any case, I do not know if it was -D, the combination of -D -E fragcheck, or some other random issue which caused the problem. For all I know, `fsck -n` is fundamentally broken on ext4. I do not wish to conduct further experiments after this unwitting one, which will leave me reconstructing a system.

As the transcript shows, fsck responded with:

/dev/sda5 is mounted.

WARNING!!! Running e2fsck on a mounted filesystem may cause
SEVERE filesystem damage.

Do you really want to continue (y/n)?

Perhaps foolishly, I assumed that this message is issued in all cases -- whether or not fsck will actually be writing.

[Aside: the message should be enhanced as follows: if, due to -n, fsck _UNDERSTANDS_ that it is not going to be doing any writes, the message should read something like: "WARNING... may cause SEVERE filesystem damage. The current run is DISABLED by the `-n' flag to write to the filesystem, so no actual damage will occur." (of course this message should only be added if we're sure that it's true!). On the other hand, if -n was _NOT_ present, it should additionally comment "The current run is ENABLED to write to the filesystem. Do you really want to continue..." My point here is that this message should unambiguously inform the user whether it's just a sham warning, issued as a matter of form even though this is a dry run; or a REAL warning that damage is about to occur.]

In any case, I did answer "yes" in the belief that it wasn't actually going to write.

As the transcript shows, it displayed that it was recovering the journal, and then that there was a bad magic number.

After that I ran `fdisk -l`, which failed with an I/O error (I assume due to the binary or shared objects not being accessible); and then `df`, which succeeded but showed the root filesystem (/dev/sda5) in bad shape.

At that point I was sure the system was destroyed. Just in case, I switched power off without doing any software shutdown actions; but this did not help. Upon reboot I see:

error: unknown filesystem.
grub rescue> _

I may attempt some sort of rescue with `mkfs -S`, but I don't have much hope of recovery since I don't know the necessary parameters. :-(

POSSIBLE CAUSE: system was in-place upgraded from Ubuntu 9.10 Karmic Koala. Root filesystem was ext3, not ext4, before the upgrade. I don't believe I did anything to explicitly upgrade it to ext4. I probably should not have invoked fsck as `fsck.ext4` but rather just `e2fsck` or `fsck`, allowing the system to draw its own conclusion about filesystem type.

I had earlier run some exploratory commands like `tune2fs -l`, `dumpe2fs -l`; the output included something, I cannot say what at this point, which made me believe the current FS format was ext4.

Even if I was wrong to explicitly call for ext4, even if the actual on-disk format was ext3, I do not believe this command should have destroyed the filesystem! At the very least it should have called more specific attention to the problem: "On-disk filesystem format has been detected as ext3. Checking this with ext4 algorithms will probably damage the filesystem. Are you still sure you want to continue?"

Below is the actual cut-and-paste, completely unedited transcript from the fatal ssh session.

>Bela<

root@adelie:~# time fsck.ext4 -n -v -t -t -D -E fragcheck /dev/sda5
e2fsck 1.41.10 (10-Feb-2009)
/dev/sda5 is mounted.

WARNING!!! Running e2fsck on a mounted filesystem may cause
SEVERE filesystem damage.

Do you really want to continue (y/n)? yes

/dev/sda5: recovering journal

fsck.ext4: Bad magic number in super-block while trying to re-open /dev/sda5
e2fsck: io manager magic bad!

real 0m11.921s
user 0m0.180s
sys 0m0.304s
root@adelie:~#
root@adelie:~# fdisk -l
bash: /sbin/fdisk: Input/output error
root@adelie:~# df
Filesystem 1K-blocks Used Available Use% Mounted on
/dev/sda5 73786976294836933504 73786976294768062164 68871340 100% /
none 767392 276 767116 1% /dev
none 771608 48 771560 1% /dev/shm
none 771608 220 771388 1% /var/run
none 771608 0 771608 0% /var/lock
none 771608 0 771608 0% /lib/init/rw
none 73786976294836933504 73786976294768062164 68871340 100% /var/lib/ureadahead/debugfs

Related branches

lp:ubuntu/lucid/e2fsprogs

lp:ubuntu/maverick/e2fsprogs

Revision history for this message

Bela Lubkin (filbo) wrote on 2010-03-11:

The gist, in case it's lost in all the detail above:

I ran `fsck -n` on a filesystem, with some other flags which were not documented as overriding -n.

It hosed my filesystem.

Revision history for this message

Theodore Ts'o (tytso) wrote on 2010-03-13: Re: [Bug 537483] [NEW] fsck.ext4 -n wrote to & destroyed filesystem

Download full text (8.8 KiB)

On Thu, Mar 11, 2010 at 04:55:37PM -0000, Bela Lubkin wrote:
> The documentation for -D comments that it "will detect directory entries
> with duplicate names in a single directory, which e2fsck normally does
> not enforce". It was for this enhanced detection that I added this
> flag. I realize that it is a flag which directs fsck to write, but I
> believe that it -- as with all(*) other writing flags -- would be
> rendered inoperable by "-n". That is, I believed that the combination
> "-n -D" would cause additional checks (for directories needing
> optimization & for duplicate directory entries) without causing any
> writes. (*)I realize this isn't fully true, that the three bad-block-
> related flags -[clL] are effective even under -n. This is clearly
> documented; the clarity of _that_ documentation lends support to the
> supposition that no _other_ flags will override -n.

Yeah, sorry. The -D option was added later, and I forgot to update
the man page for the -n option. The -D option does indeed allow the
file system to be opened read/write, and will rewrite the directories,
which is danagerous when the file system is mounted.

Your assumption that -n would make the -D will modify the filesystem
part go away was a bad one.

> In any case, I do not know if it was -D, the combination of -D -E
> fragcheck, or some other random issue which caused the problem. For all
> I know, `fsck -n` is fundamentally broken on ext4. I do not wish to
> conduct further experiments after this unwitting one, which will leave
> me reconstructing a system.

There is a bug with -D and small directories in e2fsprogs 1.41.10,
which I've since fixed, which may have affected you, but
fundamentally, it is dangeorus to run e2fsck -D while the filesystem
is mounted.

> As the transcript shows, fsck responded with:
>
> /dev/sda5 is mounted.
>
> WARNING!!! Running e2fsck on a mounted filesystem may cause
> SEVERE filesystem damage.
>
> Do you really want to continue (y/n)?
>
> Perhaps foolishly, I assumed that this message is issued in all cases --
> whether or not fsck will actually be writing.

Nope, e2fsck is smart. It only issues this warning when the
filesystem is opened read-only. If you try to run "e2fsck -n
/dev/XXX" on a mounted filesystem", it won't ask that question.

So yeah, you made two bad assumptions, and that's what lead to your
file system getting badly screwed up.

I'll change things so the message is made more explicit. In case
you're curious, the reason why it was originally the worded the way it
was because if the /etc/mtab hasn't been cleared by the init scripts
when a user booted into single user mode, it was possible for e2fsck
to think the filesystem is mounted, when it really wasn't mounted.
But I'd much rather someone get scared off from running e2fsck if
their /etc/mtab hasn't been cleared after a system crash, if it avoids
the user who thinks, "surely this message doesn't apply to *me*".

On Thu, Mar 11, 2010 at 04:55:37PM -0000, Bela Lubkin wrote:
> The documentation for -D comments that it "will detect directory entries
> with duplicate names in a single directory, which e2fsck normally does
> not enforce".  It was for this enhanced detection that I added this
> flag.  I realize that it is a flag which directs fsck to write, but I
> believe that it -- as with all(*) other writing flags -- would be
> rendered inoperable by "-n".  That is, I believed that the combination
> "-n -D" would cause additional checks (for directories needing
> optimization & for duplicate directory entries) without causing any
> writes.  (*)I realize this isn't fully true, that the three bad-block-
> related flags -[clL] are effective even under -n.  This is clearly
> documented; the clarity of _that_ documentation lends support to the
> supposition that no _other_ flags will override -n.

Yeah, sorry.  The -D option was added later, and I forgot to update
the man page for the -n option.  The -D option does indeed allow the
file system to be opened read/write, and will rewrite the directories,
which is danagerous when the file system is mounted.

Your assumption that -n would make the -D will modify the filesystem
part go away was a bad one.

> In any case, I do not know if it was -D, the combination of -D -E
> fragcheck, or some other random issue which caused the problem.  For all
> I know, `fsck -n` is fundamentally broken on ext4.  I do not wish to
> conduct further experiments after this unwitting one, which will leave
> me reconstructing a system.

> As the transcript shows, fsck responded with:
> 
>    /dev/sda5 is mounted.
> 
>    WARNING!!!  Running e2fsck on a mounted filesystem may cause
>    SEVERE filesystem damage.
> 
>    Do you really want to continue (y/n)?
> 
> Perhaps foolishly, I assumed that this message is issued in all cases --
> whether or not fsck will actually be writing.

Nope, e2fsck is smart.  It only issues this warning when the
filesystem is opened read-only.  If you try to run "e2fsck -n
/dev/XXX" on a mounted filesystem", it won't ask that question.

So yeah, you made two bad assumptions, and that's what lead to your
file system getting badly screwed up.

I'll change things so the message is made more explicit.  In case
you're curious, the reason why it was originally the worded the way it
was because if the /etc/mtab hasn't been cleared by the init scripts
when a user booted into single user mode, it was possible for e2fsck
to think the filesystem is mounted, when it really wasn't mounted.
But I'd much rather someone get scared off from running e2fsck if
their /etc/mtab hasn't been cleared after a system crash, if it avoids
the user who thinks, "surely this message doesn't apply to *me*".

> After that I ran `fdisk -l`, which failed with an I/O error (I assume
> due to the binary or shared objects not being accessible); and then
> `df`, which succeeded but showed the root filesystem (/dev/sda5) in bad
> shape.
> 
> At that point I was sure the system was destroyed.  Just in case, I
> switched power off without doing any software shutdown actions; but this
> did not help.  Upon reboot I see:
> 
>    error: unknown filesystem.
>    grub rescue> _

Now *that's* surprising.  That makes it sound like that superblock was
destroyed, but it shouldn't have happened even when e2fsck is run
read/write on a mounted filesystem.  I can't really explain that.

> POSSIBLE CAUSE: system was in-place upgraded from Ubuntu 9.10 Karmic
> Koala.  Root filesystem was ext3, not ext4, before the upgrade.  I don't
> believe I did anything to explicitly upgrade it to ext4.  I probably
> should not have invoked fsck as `fsck.ext4` but rather just `e2fsck` or
> `fsck`, allowing the system to draw its own conclusion about filesystem
> type.

Nope, that's not it.  Whether you invoke e2fsck as e2fsck, fsck.ext4,
or fsck.ext3, doesn't change anything at all about its behaviour.  The
fatal mistake was -n -D, and then answering "yes" to the WARNING!!!
question.

> WARNING!!!  Running e2fsck on a mounted filesystem may cause
> SEVERE filesystem damage.
> 
> Do you really want to continue (y/n)? yes
> 
> /dev/sda5: recovering journal

Ah.... recovering the journal while the file system is mounted might
very well have done somehow wiped out the superblock.

Anyway, I've applied the following two patches to e2fsck, which will
be in e2fsprogs 1.41.11.  Thanks for the feedback, and I'm sorry you
managed to corrupt your filesystem.

I think if you run e2fsck from a rescue CD, you should hopefully be
able to recover most of your data.  Some of the files might end up in
/lost+found, but hopefully you'll be able to recover your home
directory files, even if you need to reinstall the system afterwards.

Best regards,

- Ted

From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 12 Mar 2010 19:18:20 -0500
Subject: [PATCH 1/2] e2fsck: Make the -n always open the file system read-only

A user was surprised when -n -D caused the file system to be opened
read/write, and then outsmarted himself when e2fsck asked the question:

WARNING!!!  Running e2fsck on a mounted filesystem may cause
   SEVERE filesystem damage.

Do you really want to continue (y/n)?

This is partially our fault for not documenting the fact that -D
overrode opening the filesystem read-write.  But the bottom line is it
much safer if -n *always* opens the file system read-only, so there
can be no confusion.  This means that we have to disable certain
combination of options, such as "-n -c", "-n -l", and "-n -L", and
"-n -D", but the utility of these combinations is pretty low, and
is more than offset by making e2fsck idiot-proof.

Addresses-Launchpad-Bug: #537483

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
---
 e2fsck/e2fsck.8.in |   11 +----------
 e2fsck/unix.c      |   19 +++++++++++++++++--
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/e2fsck/e2fsck.8.in b/e2fsck/e2fsck.8.in
index a970173..3fb15e6 100644
--- a/e2fsck/e2fsck.8.in
+++ b/e2fsck/e2fsck.8.in
@@ -242,16 +242,7 @@ in the file are added to the bad blocks list.)
 Open the filesystem read-only, and assume an answer of `no' to all
 questions.  Allows
 .B e2fsck
-to be used non-interactively.  (Note: if the 
-.BR \-c ,
-.BR \-l ,
-or
-.B \-L
-options are specified in addition to the 
-.B \-n
-option, then the filesystem will be opened read-write, to permit the
-bad-blocks list to be updated.  However, no other changes will be made
-to the filesystem.)  This option
+to be used non-interactively.  This option
 may not be specified at the same time as the 
 .B \-p
 or
diff --git a/e2fsck/unix.c b/e2fsck/unix.c
index 6248958..49e9008 100644
--- a/e2fsck/unix.c
+++ b/e2fsck/unix.c
@@ -789,8 +789,23 @@ static errcode_t PRS(int argc, char *argv[], e2fsck_t *ret_ctx)
 		return 0;
 	if (optind != argc - 1)
 		usage(ctx);
-	if ((ctx->options & E2F_OPT_NO) && !bad_blocks_file &&
-	    !cflag && !(ctx->options & E2F_OPT_COMPRESS_DIRS))
+	if ((ctx->options & E2F_OPT_NO) &&
+	    (ctx->options & E2F_OPT_COMPRESS_DIRS)) {
+		com_err(ctx->program_name, 0,
+			_("The -n and -D options are incompatible."));
+		fatal_error(ctx, 0);
+	}
+	if ((ctx->options & E2F_OPT_NO) && cflag) {
+		com_err(ctx->program_name, 0,
+			_("The -n and -c options are incompatible."));
+		fatal_error(ctx, 0);
+	}
+	if ((ctx->options & E2F_OPT_NO) && bad_blocks_file) {
+		com_err(ctx->program_name, 0,
+			_("The -n and -l/-L options are incompatible."));
+		fatal_error(ctx, 0);
+	}
+	if (ctx->options & E2F_OPT_NO)
 		ctx->options |= E2F_OPT_READONLY;
 
 	ctx->io_options = strchr(argv[optind], '?');
------------------------------

From: Theodore Ts'o <tytso@mit.edu>
Date: Fri, 12 Mar 2010 19:25:33 -0500
Subject: [PATCH 2/2] e2fsck: Make the "filesystem is mounted" message more scary

I guess the message wasn't scary enough for users who are just smart
enough to really get themselves in deep doo-doo.  Let's make it even
scarier.

Addresses-Launchpad-Bug: #537483

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
---
 e2fsck/unix.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/e2fsck/unix.c b/e2fsck/unix.c
index 49e9008..124f7e6 100644
--- a/e2fsck/unix.c
+++ b/e2fsck/unix.c
@@ -230,8 +230,8 @@ static void check_mount(e2fsck_t ctx)
 	if (!ctx->interactive)
 		fatal_error(ctx, _("Cannot continue, aborting.\n\n"));
 	printf(_("\n\n\007\007\007\007WARNING!!!  "
-	       "Running e2fsck on a mounted filesystem may cause\n"
-	       "SEVERE filesystem damage.\007\007\007\n\n"));
+	       "The filesystem is mounted.   If you continue you ***WILL***\n"
+	       "cause ***SEVERE*** filesystem damage.\007\007\007\n\n"));
 	cont = ask_yn(_("Do you really want to continue"), -1);
 	if (!cont) {
 		printf (_("check aborted.\n"));
-- 
1.6.6.1.1.g974db.dirty

Revision history for this message

Launchpad Janitor (janitor) wrote on 2010-03-22:

This bug was fixed in the package e2fsprogs - 1.41.11-1ubuntu1

---------------
e2fsprogs (1.41.11-1ubuntu1) lucid; urgency=low

  * Merge from Debian unstable, remaining changes:
    - Do not build-depend on dietlibc-dev, which is universe.
    - Do now allow pkg-create-dbgsym to operate on this package.
    - Always use external libblkid and libuuid from util-linux, rather than
      building our own.
    - Includes debian/control in the source package to force the above.
    - Build with -O2 on powerpc to avoid a suspected toolchain bug
      (LP: #450214).
    - Do not include /etc/e2fsck.conf and remove on upgrade.
    (Fixes LP: #521648, #537483, #530071)

e2fsprogs (1.41.11-1) unstable; urgency=medium

  * New upstream release
  * Add Heimdal function com_right_r() to libcom_err (Closes: #558910)
  * Allow e2fsck to run even if the physical device has more than 2**32 blocks
  * Debugfs's "logdump -b <blk>" now properly shows the allocation status
    of the block <blk>. (Closes: #564084)
  * Make e2fsck's "the filesystem is mounted" message is now more scary
    to hopefully dissuade users from thinking, "surely that message
    doesn't apply to *me*" :-(
  * e2fsck -n will now always open the file system read-only. We now
    disallow certain combination of options which previously were manual
    exceptions; this is bad because it causes users to think they are
    smarter than they really are. So "-n -c", "-n -l", "-n -L", and
    "-n -D" are no longer supported.
  * If the partition is badly aligned, have mke2fs just print a warning
    message and continue. Previously mke2fs would ask to confirm, and
    this broke distro installation scripts.
  * Fix a bug in libext2fs caused the creation of very large journals
    for ext4 to be _very_ slow.
  * E2fsck now understands the EOFBLOCKS_FL flag which will be used in
    2.6.34 kernels to make e2fsck not complain about blocks deliberately
    fallocated() beyond an inode's i_size.
  * Fix a bug in e2fsck which could cause e2fsck -D to corrupt
    non-indexed directories. (Closes: #572453)
  * debian/rules: can be compiled statically with stack protector now.
    (Closes: #573923)
  * Update debian policy compliance to 3.8.4
-- Scott James Remnant <email address hidden> Mon, 22 Mar 2010 17:48:20 +0000

This bug was fixed in the package e2fsprogs - 1.41.11-1ubuntu1

---------------
e2fsprogs (1.41.11-1ubuntu1) lucid; urgency=low

e2fsprogs (1.41.11-1) unstable; urgency=medium

* New upstream release
  * Add Heimdal function com_right_r() to libcom_err (Closes: #558910)
  * Allow e2fsck to run even if the physical device has more than 2**32 blocks
  * Debugfs's "logdump -b <blk>" now properly shows the allocation status
    of the block <blk>.  (Closes: #564084)
  * Make e2fsck's "the filesystem is mounted" message is now more scary
    to hopefully dissuade users from thinking, "surely that message
    doesn't apply to *me*"  :-(
  * e2fsck -n will now always open the file system read-only.   We now
    disallow certain combination of options which previously were manual
    exceptions; this is bad because it causes users to think they are
    smarter than they really are.   So "-n -c", "-n -l", "-n -L", and
    "-n -D" are no longer supported.
  * If the partition is badly aligned, have mke2fs just print a warning
    message and continue.  Previously mke2fs would ask to confirm, and
    this broke distro installation scripts.
  * Fix a bug in libext2fs caused the creation of very large journals
    for ext4 to be _very_ slow.
  * E2fsck now understands the EOFBLOCKS_FL flag which will be used in
    2.6.34 kernels to make e2fsck not complain about blocks deliberately
    fallocated() beyond an inode's i_size.
  * Fix a bug in e2fsck which could cause e2fsck -D to corrupt
    non-indexed directories.  (Closes: #572453)
  * debian/rules: can be compiled statically with stack protector now.
    (Closes: #573923)
  * Update debian policy compliance to 3.8.4
 -- Scott James Remnant <scott@ubuntu.com>   Mon, 22 Mar 2010 17:48:20 +0000

Changed in e2fsprogs (Ubuntu):
status:	New → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntue2fsprogs package

fsck.ext4 -n wrote to & destroyed filesystem

Bug Description

Related branches

Other bug subscribers

Remote bug watches

Ubuntu
e2fsprogs package