Can those assumptions be broken in the corrupted filesystem?

Same

Same

The superblock and all cylinder groups are copied as part of the creation of the snapshot, and it will not be marked as a snapshot until all the copies have been done and committed. We create a list of all the blocks that were copied as part of the snapshot creation which we check at the top of ffs_copyonwrite() to avoid needing to look them up in the snapshot vnode. The table is never modified after the creation, so absent disk corruption it cannot get broken.

I could get fsck to recreate the list and make sure that it matches if you think that is useful or necessary. I could also check to see that the blocks have actually been copied in the snapshot (that is they point to a disk block rather than being 0 (uncopied), BLK_SNAP (owned by other snapshot), or BLK_UNCOPIED (unallocated when we were created). But like the above mentioned list of copied blocks, they are set up as part of creating the snapshot so will only get corrupted by disk corruption.

See above comment on line 458 about blocks copied during snapshot creation.

See above comment on line 458 about blocks copied during snapshot creation.

As I understand, users' expectations (myself included) is that after fsck reported that the filesystem is clean, it is usable for safe mounting. Failures that fsck is supposed to fix include both kernel and storage corruption.

For instance, once I saw the problem where hardware RAID overwrite enough blocks with other data from the same disk, as if write request incorrectly calculated started block. As result, once cg block was destroyed. I expect that fsck would be able to do something that would give me access to the data from other cgs.

So I think that fsck_ffs must check the consistency there, and either try to correct, or try to safely remove the corrupted snapshot.

How about I add a check-hash to the list that tracks what has been pre-copied and if the check-hash fails offer to remove the offending snapshot file?

I would say that this is some step in the right direction, but not the ultimate solution.

Also, I suppose by removal you mean zeroing out the snapshot inode, instead of proper removal. Then, the unreferenced blocks from the snapshot are garbage-collected by fsck.

Also, I think that removing the snapshot, we need to remove all later snapshots as well, since AFAIR, blocks are not CoW if they are already owned by an earlier snapshot.

Also, please note that removing snapshot causes user data loss, which sometimes can be avoided. User might rely on the data caught by the snapshot, which is later modified (which is the reason to take the snapshot, after all).

But regardless, even with all limitations, this would be a step into better fsck handling of the corrupted snapshots.

Could this be a function? You would need to pass several parameters, including manually constructed string fragment for pwarn, and a return value to pass control to fail label outside, but IMO it is much cleaner than such unwieldy macro.

Could you, please, add more comments to the code.

It is not completely clear to me what is checked there. In fact, the line 239

if (*blkp++ != (chkblk))

looks like we just check that the superblock/summary/cgs lists fit into the snapshot file size.

Am I missing something?

I started with this as a function and found that it was even less clear than the macro. It ends up looking a lot like the macro except that it is more convoluted. One of its parameters is daddr_t **blkp so every use of blkp has an extra level of indirection. At least in the macro it is clear when you are incrementing the pointer versus using the pointer.

Hopefully the added comments make it clearer what is being checked.