• NeilBrown's avatar
    md/raid5: disable 'DISCARD' by default due to safety concerns. · 35d98626
    NeilBrown authored
    commit 8e0e99ba upstream.
    
    It has come to my attention (thanks Martin) that 'discard_zeroes_data'
    is only a hint.  Some devices in some cases don't do what it
    says on the label.
    
    The use of DISCARD in RAID5 depends on reads from discarded regions
    being predictably zero.  If a write to a previously discarded region
    performs a read-modify-write cycle it assumes that the parity block
    was consistent with the data blocks.  If all were zero, this would
    be the case.  If some are and some aren't this would not be the case.
    This could lead to data corruption after a device failure when
    data needs to be reconstructed from the parity.
    
    As we cannot trust 'discard_zeroes_data', ignore it by default
    and so disallow DISCARD on all raid4/5/6 arrays.
    
    As many devices are trustworthy, and as there are benefits to using
    DISCARD, add a module parameter to over-ride this caution and cause
    DISCARD to work if discard_zeroes_data is set.
    
    If a site want to enable DISCARD on some arrays but not on others they
    should select DISCARD support at the filesystem level, and set the
    raid456 module parameter.
        raid456.devices_handle_discard_safely=Y
    
    As this is a data-safety issue, I believe this patch is suitable for
    -stable.
    DISCARD support for RAID456 was added in 3.7
    
    Cc: Shaohua Li <shli@kernel.org>
    Cc: "Martin K. Petersen" <martin.petersen@oracle.com>
    Cc: Mike Snitzer <snitzer@redhat.com>
    Cc: Heinz Mauelshagen <heinzm@redhat.com>
    Acked-by: default avatarMartin K. Petersen <martin.petersen@oracle.com>
    Acked-by: default avatarMike Snitzer <snitzer@redhat.com>
    Fixes: 620125f2Signed-off-by: default avatarNeilBrown <neilb@suse.de>
    Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
    35d98626
raid5.c 192 KB