jbd2: don't wipe the journal on a failed journal checksum

commit e6a47428de84e19fda52f21ab73fde2906c40d09 upstream.

If there is a failed journal checksum, don't reset the journal.  This
allows for userspace programs to decide how to recover from this
situation.  It may be that ignoring the journal checksum failure might
be a better way of recovering the file system.  Once we add per-block
checksums, we can definitely do better.  Until then, a system
administrator can try backing up the file system image (or taking a
snapshot) and and trying to determine experimentally whether ignoring
the checksum failure or aborting the journal replay results in less
data loss.

Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 4b741491653e484747e67641770a12e2cc53c995..ead427ced0a6da6e1190a9e92589e3ede016d22b 100644 (file)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -1421,6 +1421,13 @@ int jbd2_journal_load(journal_t *journal)
        if (jbd2_journal_recover(journal))
                goto recovery_error;
 
+       if (journal->j_failed_commit) {
+               printk(KERN_ERR "JBD2: journal transaction %u on %s "
+                      "is corrupt.\n", journal->j_failed_commit,
+                      journal->j_devname);
+               return -EIO;
+       }
+
        /* OK, we've finished with the dynamic journal bits:
         * reinitialise the dynamic contents of the superblock in memory
         * and reset them on disk. */