Srivathsa Dara [Thu, 24 Aug 2023 06:56:34 +0000 (06:56 +0000)]
debugfs: Use the hash_version from superblock if a file system is opened
The debugfs program's dx_hash command computes the hash for the given
filename, taking the hash_seed and hash_version (i.e hash algorithm)
as arguments. So the user has to refer to the superblock to get these
values used by the filesystem. So if debugfs has an opened file
system, use those values from the current file system.
[ Fixed patch to avoid crashing when a file system is not opened. --TYT ]
Andreas Dilger [Wed, 10 May 2023 05:18:49 +0000 (23:18 -0600)]
ext2fs: don't retry discard/zeroout repeatedly
Call safe_getenv(UNIX_IO_NOZEROOUT) once when the device is
opened and set CHANNEL_FLAG_NOZEROOUT if present instead of
getting uid/euid/getenv every time unix_zeroout() is called.
For unix_discard() and unix_zeroout() don't continue to call
them if the block device doesn't support these operations.
Baokun Li [Fri, 17 Feb 2023 10:09:22 +0000 (18:09 +0800)]
tune2fs/fuse2fs/debugfs: save error information during journal replay
Saving error information during journal replay, as in the kernel,
prevents information loss from making problems difficult to locate.
We save these error information until someone uses e2fsck to check
for and fix possible errors.
Baokun Li [Fri, 17 Feb 2023 10:09:21 +0000 (18:09 +0800)]
e2fsck: save EXT2_ERROR_FS flag during journal replay
When repairing a file system with s_errno missing from the journal
superblock but the file system superblock contains the ERROR_FS flag,
the ERROR_FS flag on the file system image is overwritten after the
journal replay, followed by a reload of the file system data from disk
and the ERROR_FS flag in memory is overwritten. Also s_errno is not set
and the ERROR_FS flag is not reset. Therefore, when checked later, no
forced check is performed, which makes it possible to have some errors
hidden in the disk image, which may make it read-only when using the
file system. So we save the ERROR_FS flag to the superblock after the
journal replay, instead of just relying on the jsb->s_errno to do this.
Andreas Dilger [Wed, 10 May 2023 04:57:57 +0000 (22:57 -0600)]
build: split version and release in configure
Update configure.ac to separate Version from Release if there is
a '-' in version.h::E2FSPROGS_VERSION (e.g. "1.46.6-rc1").
Otherwise, the '-' in the version can make RPM building unhappy.
Simplify the generation of E2FSPROGS_VERESION, E2FSPROGS_DATE and
E2FSPROGS_DAY to avoid multiple grep/awk/sed/tr stages.
Theodore Ts'o [Fri, 25 Aug 2023 21:28:01 +0000 (17:28 -0400)]
libext2fs: don't truncate the orphan file inode if it is newly allocated
In ext2fs_create_orphan_file(), don't try truncating inode for the
orphan file if ext2fs_create_orphan_file() allocated the inode. This
avoids problems where the newly allocated inode in the inode table
might contain garbage; if the metadata checksum feature is enabled,
this will generally result in the function failing with a checksum
invalid error, but this can cause mke2fs (which calls
ext2fs_create_orphan_file) to fail.
Eric Whitney [Fri, 21 Jul 2023 18:55:06 +0000 (14:55 -0400)]
e2fsprogs: modify dumpe2fs to report free block ranges for bigalloc
dumpe2fs has never been modified to correctly report block ranges
corresponding to free clusters in block allocation bitmaps from bigalloc
file systems. Rather than reporting block ranges covering all the
blocks in free clusters found in a block bitmap, it either reports just
the first block number in a cluster for a single free cluster, or a
range beginning with the first block number in the first cluster in a
series of free clusters, and ending with the first block number in the
last cluster in that series.
This behavior causes xfstest shared/298 to fail when run on a bigalloc
file system with a 1k block size. The test uses dumpe2fs to collect
a list of the blocks freed when files are deleted from a file system.
When the test deletes a file containing blocks located after the first
block in the last cluster in a series of clusters, dumpe2fs does not
report those blocks as free per the test's expectations.
Modify dumpe2fs to report full block ranges for free clusters. At the
same time, fix a small bug causing unnecessary !in_use() retests while
iterating over a block bitmap.
Theodore Ts'o [Tue, 8 Aug 2023 19:50:42 +0000 (15:50 -0400)]
debian: add missing copyright information
When the package-specific copyright information was removed, it
resulted in some information being lost. It probably makes sence to
have all of the licensing information in a single file, so add it back
to the debian/copyright file.
Theodore Ts'o [Thu, 15 Jun 2023 04:17:01 +0000 (00:17 -0400)]
resize2fs: use Direct I/O when reading the superblock for online resizes
If the file system is mounted, the superblock can be changing while
resize2fs is trying to read the superblock, resulting in checksum
failures. One way of avoiding this problem is read the superblock
using Direct I/O, since the kernel makes sure that what gets written
to disk is self-consistent.
Theodore Ts'o [Wed, 14 Jun 2023 18:44:19 +0000 (14:44 -0400)]
e2fsck: fix handling of a invalid symlink in an inline_data directory
If there is an inline directory that contains a directory entry to an
invalid symlink, and that invalid symlink is the portion of the inline
directory stored in an xattr portion of the inode, this can result in
a buffer overrun.
When check_dir_block() is handling the in-xattr portion of the inline
directory, it sets the buf pointer to the beginning of that part of
the inline directory. This results in the scratch buffer passed to
e2fsck_process_bad_inode() to incorrect, resulting in a buffer overrun
if e2fsck_pass1_check_symlink() needs to read the symlink target (when
the symlink is too long to fit in the i_blocks[] space).
This commit fixes this by using the original cd->buf instead of buf,
since it can get modified when handling inline directories.
Fixes: 0ac4b3973f31 ("e2fsck: inspect inline dir data as two directory blocks") Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Wed, 31 May 2023 16:11:53 +0000 (12:11 -0400)]
libsupport: fix function prototype for quota_write_inode()
Commit 2d2d799c7261 ("Clean up codes for adding new quota type")
changed the second paramter of quota_write_inode() from taking a
single quota type to taking a logical OR of (1 << quota_types).
The one thing this commit didn't change was the function prototype for
quota_write_inode() in the header file from an enum to an unsigned
int. Most C compilers don't seem to mind, and omission is mostly
harmless. However, mingw64 does issue a warning which gets promoted
to an error.
Fixes: 2d2d799c7261 ("Clean up codes for adding new quota type") Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Eric Biggers [Wed, 22 Mar 2023 03:29:45 +0000 (20:29 -0700)]
ci.yml: test cross-compiling for Android
Add jobs that cross-compile e2fsprogs for Android using the Android NDK.
These use the autotools-based build system, so they're a bit different
from the actual Android builds, but they should still be useful.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Eric Biggers [Wed, 22 Mar 2023 03:29:44 +0000 (20:29 -0700)]
e2freefrag: don't use linux/fsmap.h when fsmap_sizeof() is missing
Work around an issue with the Android NDK where its copy of
linux/fsmap.h is missing the inline functions fsmap_sizeof() and
fsmap_advance(). This was causing an error when building e2fsprogs
using the Android NDK, using the autotools-based build system.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Fix two compiler warnings on 32-bit platforms that have mallinfo() but
not mallinfo2(). These showed up when building e2fsprogs for armv7a or
i686 Android using the Android NDK, targeting Android API level 32 or
lower and using the autotools-based build system.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Tue, 30 May 2023 17:50:52 +0000 (13:50 -0400)]
e2fsck: Suppress "orphan file is clean" message in preen mode
The e2fsck report, "Feature orphan_present is set but orphan file is
clean" is intended to request permission before removing the r/o
compat feature, orphan_present. However, it is normal if the orphan
file is empty, and removing the r/o compat feature is a good thing so
that the file system can be mounted on older kernels.
When a file system with an orphan_file feature is mounted, the
orphan_present feature is set, and it is cleared when the file system
is cleanly unmounted. IF the sytstem crashes when there are no inodes
in the orphan file, e2fsck should just silently clear the flag in
preen mode.
Theodore Ts'o [Fri, 17 Mar 2023 02:57:10 +0000 (22:57 -0400)]
e2fsck: fix bad htree checksums in preen mode
We attempt to fix directories which have a bad/corrupted htree index
node by completely rebuilding the directory htree nodes. Since this
is a very safe thing to do and has no risk of losing directory
entries, we've enabled this for preen mode. Unfortunately, subsequent
index nodes look like empty directory entries that fill the entire
block --- without a checksum at the end of the directory. So these
nodes will be treated as a completely corrupted directory block, and
this will *not* be fixed while in preen mode.
So add code to treat an empty directory entry which covers the entire
block as valid if the directory is already on the list of inodes to be
rebuilt.
Eric Biggers [Wed, 8 Feb 2023 06:58:58 +0000 (22:58 -0800)]
ci.yml: store the config.h files as workflow artifacts
Store the config.h file for each platform as a workflow artifact, so
that it will be possible to download them and compare them to
util/android_config.h.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Andreas Dilger [Tue, 10 Jan 2023 04:02:52 +0000 (21:02 -0700)]
tests: fix r_move_itable_realloc to run on Linux
The check for the various unsupported OSes incorrectly checked if
the string "FreeBSD" was true, which it always was. Fix this.
Update the expect file as commit v1.46.4-17-g4ea80d031c7e did to
adjust the total number of blocks requested during resize.
Change-Id: I272dbec67ab30bac6413eb4cba0e3ab00183b893 Fixes: 5a3ea3905f ("tests: force test file systems to be built for Linux OS") Signed-off-by: Andreas Dilger <adilger@dilger.ca> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Andreas Dilger [Tue, 10 Jan 2023 04:05:35 +0000 (21:05 -0700)]
tests: fix u_direct_io to work with older losetup
Older losetup does not have --sector-size, but this isn't really
needed for the test to work. Instead specify the filesystem block
size directly to mke2fs, so that it works on all distros instead
of being skipped.
Change-Id: I5a0c82a9efdefd1b48f4d4288998c7725c9ae71e Signed-off-by: Andreas Dilger <adilger@dilger.ca> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Corey Hickey [Mon, 24 Jan 2022 02:53:13 +0000 (18:53 -0800)]
badblocks: fix operation with large-ish block sizes and/or counts
test_rw() and test_nd() need to allocate two or three times the product
of the block size and the block counts. This can overflow the signed int
type of block_size and result in allocate_buffer() being called with a
value smaller than intended. Once that buffer is written to, badblocks
segfaults.
Since allocate_buffer() accepts a size_t, change the input validation to
use SIZE_MAX and cast accordingly when calculating the argument.
Fixing the segfault allows larger values to be passed to read() and
write(); these need to be cast to size_t as well in order to avoid a
signed integer overflow causing failure, in which case badblocks would
fall back to testing a single block at once.
Before:
$ misc/badblocks -w -b 4096 -c 524288 -e 1 -s -v /tmp/testfile.bin
Checking for bad blocks in read-write mode
From block 0 to 524287
Segmentation fault
$ misc/badblocks -n -b 4096 -c 524288 -e 1 -s -v /tmp/testfile.bin
Checking for bad blocks in non-destructive read-write mode
From block 0 to 524287
Checking for bad blocks (non-destructive read-write test)
Segmentation fault
After:
$ misc/badblocks -w -b 4096 -c 524288 -e 1 -s -v /tmp/testfile.bin
Checking for bad blocks in read-write mode
From block 0 to 524287
Testing with pattern 0xaa: done
Reading and comparing: done
Testing with pattern 0x55: done
Reading and comparing: done
Testing with pattern 0xff: done
Reading and comparing: done
Testing with pattern 0x00: done
Reading and comparing: done
Pass completed, 0 bad blocks found. (0/0/0 errors)
$ misc/badblocks -n -b 4096 -c 524288 -e 1 -s -v /tmp/testfile.bin
Checking for bad blocks in non-destructive read-write mode
From block 0 to 524287
Checking for bad blocks (non-destructive read-write test)
Testing with random pattern: done
Pass completed, 0 bad blocks found. (0/0/0 errors)
Khem Raj [Thu, 15 Dec 2022 04:56:44 +0000 (20:56 -0800)]
ext2fs: Use 64bit lseek when _FILE_OFFSET_BITS is 64
Use lseek() with 64bit off_t when _FILE_OFFSET_BITS is 64
this fixes build with musl where there is no _llseek but lseek
is using off_t which is 64bit on musl
Khem Raj [Fri, 11 Nov 2022 04:34:54 +0000 (20:34 -0800)]
Add option to enable/disable largefile support
fallocate can be used to have 64bit off_t provided its compiled with
_FILE_OFFSET_BITS=64 which will be added automatically when
--enable-largefile is used.
[ Run autoreconf to update configure and config.h.in -- TYT ]
Theodore Ts'o [Tue, 31 Jan 2023 05:19:47 +0000 (00:19 -0500)]
libext2fs: unix_io: fix_potential error path deadlock in flush_cached_blocks()
We can't call the error handler while holding the CACHE_MUTEX (see
previous commit, "libext2fs: unix_io: fix_potential error path
deadlock in reuse_cache()" for details), so first try to write out all
of the dirty blocks in the cache, and then for those where we had
errors, then call the error handler.
Theodore Ts'o [Tue, 31 Jan 2023 04:18:41 +0000 (23:18 -0500)]
libext2fs: unix_io: fix potential error path deadlock in reuse_cache()
This was reported by [1] but the fix was incorrect. The issue is that
when unix_io was made thread-safe, it was necessary that to add a
CACHE_MUTEX to protect multiple threads from potentially colliding
with the very simple writeback cache used by the unix_io I/O manager.
The original I/O manager was purposefully kept simple, used a
fixed-size cache; accordingly, the locking used also kept simple, and
used a single global mutex.
The problem was that if an application (such as e2fsck) registers a
write error handler, that handler would be called with the CACHE_MUTEX
still held, and if that application tried to do any I/O --- for
example, closing the file system using ext2fs_close() and then exiting
--- the application would deadlock.
We should perhaps fix this either by deciding that the simple Unix I/O
cache doesn't actually buy much beyond some system call overhead, or
by putting in a full-fledged buffer I/O cache system which uses a much
larger cache with allocated memory, fine-grained locking and Direct
I/O to prevent double cache at the kernel and userspace level.
However, for now, fix the problem by waiting until after we have
released the CACHE_MUTEX before calling the write handler. This is
good enough given how e2fsck's ehandler.c use case, and in practice no
one else really uses the error handler in any case.
Eric Biggers [Mon, 30 Jan 2023 19:04:33 +0000 (19:04 +0000)]
AOSP: Android: consolidate warning suppressions
For warnings not supported by upstream e2fsprogs, it's a waste of time
to suppress them only in specific places, as they can show up anywhere
in future releases of e2fsprogs. Let's consolidate all these warning
suppressions into the top-level Android.bp for e2fsprogs.
Eric Biggers [Mon, 30 Jan 2023 19:04:32 +0000 (19:04 +0000)]
AOSP: Android: consolidate addition of include/mingw/
To match what the autotools-based build system does now, always add
include/mingw/ to the include path on Windows. I don't think this makes
a real difference anywhere, but this is much simpler.
Eric Biggers [Mon, 30 Jan 2023 19:04:31 +0000 (19:04 +0000)]
AOSP: lib/support: don't assume qsort_r() is always available on Linux
Since commit 4e5f24ae4267 ("Use an autoconf test to detect for a BSD- or
GNU-style qsort_r function"), e2fsck fails to build for Android because
lib/support/sort_r.h assumes that qsort_r() is always available on
"Linux", but in fact it's not supported by Android's libc.
Rename _SORT_R_LINUX to _SORT_R_GNU to clarify that it's really the
glibc convention for qsort_r(), not the "Linux" convention per se, and
make sort_r.h stop setting it automatically when __linux__ is defined.
Note: this change does *not* prevent glibc's qsort_r() from being used
when e2fsprogs is built using the autotools-based build system, as
'configure' checks for qsort_r() too. This change just affects the
fallback behavior for when qsort_r() was not already detected.
The upstream build system for e2fsprogs doesn't use
-fno-strict-aliasing, so update the Android.bp files to match.
Note: Android's build system currently uses -fno-strict-aliasing by
default anyway, so this change doesn't actually enable strict aliasing.
But that's a bit besides the point. The point is that this project
doesn't need anything special, so we don't need to do anything special.
Eric Biggers [Wed, 25 Jan 2023 23:45:33 +0000 (23:45 +0000)]
AOSP: mke2fs: stop suppressing warnings for Windows build
The warning this was intended to suppress was already fixed by
upstream commit 108f3021a6b6 ("mke2fs: use ext2fs_get_device_size2() on
all platforms").
Address sanitization was disabled in e2fsdroid over 5 years ago, due to
a bug in libext2fs. However, that bug has long since been fixed by
upstream commit 689b7be2da01 ("libext2fs: avoid dereferencing beyond
allocated memory in xattr code"). So it should be fine to re-enable
address sanitization now.
Eric Biggers [Wed, 4 Jan 2023 18:59:15 +0000 (18:59 +0000)]
AOSP: Update lib/ext2fs/Android.bp for upstream change
Compile windows_io.c on Windows, and unix_io.c everywhere else.
Change-Id: Ieab0b9ad5a9f7c275153e0f90553761693967762 Signed-off-by: Eric Biggers <ebiggers@google.com>
From AOSP commit: 0c82cec0d1aa70c993b5231a2c2244eb5175e638
Shikha Panwar [Fri, 9 Dec 2022 20:01:01 +0000 (20:01 +0000)]
AOSP: mke2fs.microdroid: Allow non-APEX version of libs
Microdroid uses mke2fs to format encryptedstore partition. This happens
in parallel to apex activation by apexd. Hence, sometime, mke2fs would
fail if some linker libraries are not available.
Create a target (mke2fs.microdroid) with bootstrap: true
Dennis Shen [Wed, 2 Nov 2022 14:47:38 +0000 (14:47 +0000)]
AOSP: Make blkid host_supported
We need blkid in deapexer to get the filesystem type of the payload
image. However, blkid will not be installed to host out dir unless we
make it host_supported which is what this change is about.
Viraj Shah [Mon, 17 Oct 2022 10:57:40 +0000 (12:57 +0200)]
debian: make the copyright file machine readable
Debian introduced a machine-readable copyright file a while ago.
Convert the general copyright file and the package-specific ones,
splitting the info that belongs to the package-specific ones.
Drop debian/e2fsck-static.copyright because that does not have a
file set that is very distinct from the general source; it would
just replicate parts of it.
This change adds some missing licenses that have to be documented
according to Debian Policy §12.5 as well as the copyright info for
many files.
Bastian Germann [Mon, 17 Oct 2022 16:50:35 +0000 (18:50 +0200)]
dict: Add modifification note required by license
The Kazlib license says:
"Permission is also granted to adapt this software to produce
derivative works, as long as the modified versions carry this copyright
notice and additional notices stating that the work has been modified."
Add the missing notice stating that the work has been modified.
This seems to have been intended to allow the use of a local "UUID" type
without colliding with "UUID" in the Windows API. However, this is
unnecessary because there's no local "UUID" type -- there's only uuid_t.
None of these .c files need the include of windows.h, either.
Finally, the unconditional definition of _WIN32_WINNT causes a compiler
warning when the user defines _WIN32_WINNT themself.
Since this code is unnecessary and is causing problems, just remove it.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Theodore Ts'o [Sat, 28 Jan 2023 06:22:29 +0000 (01:22 -0500)]
Change the xattr entry hash to use an unsighed char by default
Starting in Linux 6.2, char is forced to always unsigned when
compiling the kernel, even on those platforms (such as x86) where char
was traditionally signed. This exposed a bug in ext4, where when
calculating the extended attribute entry hash, we used a char value
from the extended attribute name. This resulted with the entry hash,
which is stored on-disk, to variable depending on whether the plaform
used a signed or unsigned char.
Fortunately, the xattr names tend to be ASCII characters with the 8th
bit zero, so it wasn't noticed two decades (this bugs dates back to
the introduction of extended attribute support to ext2 in 2.5.46).
However, when this change was made in v6.2-rc1, the inconsistency
between the extended attribute hash calculated by e2fsprogs (which was
still using a signed char on x86) was different from an x86 kernel,
and this triggered a test failure in generic/454.
This was fixed in kernel commit f3bbac32475b (" ext4: deal with legacy
signed xattr name hash values"), where Linus decreed that it wasn't
worth it to fix this the same way we had addressed has used by the
dir_index feature. Instead, starting in the 6.2 kernel, ext4 will
accept both the hash calculated using signed and unsigned chars, but
set the entry hash using the unsigned char. This commit makes
e2fsprogs follow suit.
Theodore Ts'o [Fri, 27 Jan 2023 20:35:12 +0000 (15:35 -0500)]
e2fsck: double cast a pointer to suppress a bogus compiler warning in kfree()
The C standard is wrong[1] with respect to the function signature of
free(), while the kernel's kfree() is correct. Unfortunately, this
leads to compiler warnings.
Sayeth Dennis Ritchie: "Noalias must go. This is non-negotiable"[2].
Noalias went. The confusion around const, alas, still remains.
Theodore Ts'o [Fri, 27 Jan 2023 20:23:12 +0000 (15:23 -0500)]
e2fsck: use ext2_ino_t instead of ino_t
The ino_t type is defined by the system header files, and may be
anything from an unsigned int, unsigned long, or an unsigned long
long. So where we are referring to an ext2/ext3/ext4 inode number, we
should use ext2_ino_t to avoid this ambiguity, especially when passing
an inode number to a printf-style function.
This was detected via a compiler warning on MacOS, but it's
potentially a real bug, since it can cause an error message to print a
garbled inode number.
Eric Biggers [Sat, 21 Jan 2023 20:32:30 +0000 (12:32 -0800)]
Add a configuration file for GitHub Actions
Add a workflow file for GitHub Actions, with jobs that build and test
e2fsprogs on various platforms with various options.
The workflow is configured to run on pushes only, since e2fsprogs does
not use GitHub pull requests.
This will work on any e2fsprogs fork on Github that has GitHub Actions
enabled. For example, the results for the testing I've been doing are
at https://github.com/ebiggers/e2fsprogs/actions.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Eric Biggers [Sat, 21 Jan 2023 20:32:29 +0000 (12:32 -0800)]
resize2fs: remove unused variable from adjust_superblock()
In adjust_superblock(), the 'group_block' variable is declared and set,
but it is never actually used. Remove it.
This addresses the following compiler warning with clang -Wall:
blk64_t group_block;
^
resize2fs.c:1119:11: warning: variable 'group_block' set but not used [-Wunused-but-set-variable] Reviewed-by: Lukas Czerner <lczerner@redhat.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Eric Biggers [Sat, 21 Jan 2023 20:32:28 +0000 (12:32 -0800)]
misc/util.c: enable MinGW alarm() when building for Windows
To compile for Windows, this file needs MinGW's implementation of
alarm(). To expose that definition, some macros must be defined before
including the system headers. This was done in Android.bp, but it was
not done in the autotools-based build system. Define these macros in
the source file itself so that all build systems work.
Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Eric Biggers [Sat, 21 Jan 2023 20:32:24 +0000 (12:32 -0800)]
misc/mke2fs: fix Windows build
unix_io_manager is no longer available on Windows. windows_io_manager
must be used instead.
Fixes: 86b6db9f5a43 ("libext2fs: code adaptation to use the Windows IO manager") Cc: Paulo Antonio Alvarez <pauloaalvarez@gmail.com> Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu>