[PATCH] ext3: zero freed blocks
Theodore Tso
tytso at mit.edu
Fri Sep 8 20:10:34 UTC 2006
On Fri, Sep 08, 2006 at 10:04:53AM +0100, Ron Yorston wrote:
> Add a zerofree mount option to the ext3 filesystem. This causes freed
> blocks to be filled with zeros.
>
> Zeroing is only applied to data blocks, not metadata. This means that
> directory blocks and extended attributes are not zeroed.
>
> Signed-off-by; Ron Yorston <rmy at tigress.co.uk>
^ Should be a ':' character. :-)
Ideally, this wouldn't be done as a mount-time option, but rather only
if the secure_delete flag is set on the file. That way you don't do
it for all files, but just those that need to be zeroed.
The patch also has the potential danger that the data blocks are
getting zeroed before the transaction which contains the unlink has
committed. There is therefore the risk that the system might crash
after the blocks have been zero'ed, but before transaction has
committed. In that case, the file will still be there, but some or
all of its contents will be zero'ed.
The other thing which worries me about this patch is that if the
blocks which you have zero'ed out get reallocated and used for some
other file, and then data is written into the page cache and the page
gets written to disk before the zero'ized buffers hit the disk, the
new contents of the data blocks could get written. The reason for
this is that there is no cache coherency enforced between the page
cache and buffer cache, and so it is necessary to be very careful when
a particular block transitions between from being modified via buffer
cache versus the page cache.
Anyway, there's a reason why secure delete is a more than a little bit
tricky, and why it's never been implemented up until now. Not that
it's impossible to do, just that it's a lot more subtle than it looks. :-)
Regards,
- Ted
More information about the Ext3-users
mailing list