diff options
| author | delphij <delphij@FreeBSD.org> | 2014-07-15 05:00:46 +0000 |
|---|---|---|
| committer | delphij <delphij@FreeBSD.org> | 2014-07-15 05:00:46 +0000 |
| commit | 91643324a9009cb5fbc8c00544b7781941f0d5d1 (patch) | |
| tree | 96763424322b9ebf40886910ff2b76637a13a1d8 /sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c | |
| parent | 9d1dc5bcc93f630c5fc480593d45fbcfebef15f2 (diff) | |
| download | FreeBSD-src-91643324a9009cb5fbc8c00544b7781941f0d5d1.zip FreeBSD-src-91643324a9009cb5fbc8c00544b7781941f0d5d1.tar.gz | |
MFC r268079: MFV r267566:
4390 i/o errors when deleting filesystem/zvol can lead to space map
corruption
Diffstat (limited to 'sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c')
| -rw-r--r-- | sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c index a1d715a..287007c 100644 --- a/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c +++ b/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/spa_misc.c @@ -255,13 +255,44 @@ SYSCTL_INT(_debug, OID_AUTO, zfs_flags, CTLFLAG_RWTUN, &zfs_flags, 0, * This should only be used as a last resort, as it typically results * in leaked space, or worse. */ -int zfs_recover = 0; +boolean_t zfs_recover = B_FALSE; SYSCTL_DECL(_vfs_zfs); TUNABLE_INT("vfs.zfs.recover", &zfs_recover); SYSCTL_INT(_vfs_zfs, OID_AUTO, recover, CTLFLAG_RDTUN, &zfs_recover, 0, "Try to recover from otherwise-fatal errors."); /* + * If destroy encounters an EIO while reading metadata (e.g. indirect + * blocks), space referenced by the missing metadata can not be freed. + * Normally this causes the background destroy to become "stalled", as + * it is unable to make forward progress. While in this stalled state, + * all remaining space to free from the error-encountering filesystem is + * "temporarily leaked". Set this flag to cause it to ignore the EIO, + * permanently leak the space from indirect blocks that can not be read, + * and continue to free everything else that it can. + * + * The default, "stalling" behavior is useful if the storage partially + * fails (i.e. some but not all i/os fail), and then later recovers. In + * this case, we will be able to continue pool operations while it is + * partially failed, and when it recovers, we can continue to free the + * space, with no leaks. However, note that this case is actually + * fairly rare. + * + * Typically pools either (a) fail completely (but perhaps temporarily, + * e.g. a top-level vdev going offline), or (b) have localized, + * permanent errors (e.g. disk returns the wrong data due to bit flip or + * firmware bug). In case (a), this setting does not matter because the + * pool will be suspended and the sync thread will not be able to make + * forward progress regardless. In case (b), because the error is + * permanent, the best we can do is leak the minimum amount of space, + * which is what setting this flag will do. Therefore, it is reasonable + * for this flag to normally be set, but we chose the more conservative + * approach of not setting it, so that there is no possibility of + * leaking space in the "partial temporary" failure case. + */ +boolean_t zfs_free_leak_on_eio = B_FALSE; + +/* * Expiration time in milliseconds. This value has two meanings. First it is * used to determine when the spa_deadman() logic should fire. By default the * spa_deadman() will fire if spa_sync() has not completed in 1000 seconds. |
