Re: [NetBSD 8.0] Another panic in ffs_newvnode()

[Thor Lancelot Simon <tls%panix.com@localhost>]

On Mon, Jul 10, 2017 at 12:15:15AM +0200, BERTRAND Jo??l wrote:
> Robert Elz a ?crit :
> >     Date:        Sun, 9 Jul 2017 17:11:13 -0000 (UTC)
> >     From:        mlelstv%serpens.de@localhost (Michael van Elst)
> >     Message-ID:  <ojto3h$2di$1%serpens.de@localhost>
> > 
> >   | That sounds like some heavier corruption from the past. fsck cannot repair
> >   | everything.
> > 
> > Are we really sure that mounting filesystems
> > 
> > 	rw,log,async
> > 
> > works properly?
> 
> 	I mount these disks for a long time without any trouble with log and
>	async.

If you mount the filesystem "async" and the machine ever loses power,
crashes for any reason, or otherwise fails to shut down in other than a
perfectly controlled and normal manner, you should expect filesystem
corruption.

The use of "log" does not really help.  The "async" flag
is really not safe for general use -- it makes not just data writes
but also metadata writes async, and that means potential corruption if
any are pending at crash/power-loss time.  You may not discover this
corruption until much later.

To safely do asynchronous metadata writes with FFS you need to compute
an ordering over all pending data to be written.  That's what softdep
does.  We don't have code to do that any more.

We have in the past had TNF servers that ran with scratch filesystems
mounted "async".  To avoid panics at boot time we re-newfsed these
flesystems before mount, every time.

Thor