Hi Andrew,
I posted these patches previously and revised to follow comments,

but they haven't been merged yet.  So I resend them.
The previous post:

http://kerneltrap.org/mailarchive/linux-kernel/2008/7/30/2742434
Thanks,
Subject: [PATCH 1/2] ext3: add an option to control error handling on file data
If the journal doesn't abort when it gets an IO error in file data

blocks, the file data corruption will spread silently.  Because

most of applications and commands do buffered writes without fsync(),

they don't notice the IO error.  It's scary for mission critical

systems.  On the other hand, if the journal aborts whenever it gets

an IO error in file data blocks, the system will easily become

inoperable.  So this patch introduces a filesystem option to

determine whether it aborts the journal or just call printk() when

it gets an IO error in file data.
If you mount a ext3 fs with data_err=abort option, it aborts on file

data write error.  If you mount it with data_err=ignore, it doesn't

abort, just call printk().  data_err=ignore is the default.
Signed-off-by: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>

---

 Documentation/filesystems/ext3.txt |    5 +++++

 fs/ext3/super.c                    |   16 ++++++++++++++++

 fs/jbd/commit.c                    |    2 ++

 include/linux/ext3_fs.h            |    2 ++

 include/linux/jbd.h                |    3 +++

 5 files changed, 28 insertions(+)
Index: linux-2.6.27-rc5/Documentation/filesystems/ext3.txt

===================================================================

--- linux-2.6.27-rc5.orig/Documentation/filesystems/ext3.txt

+++ linux-2.6.27-rc5/Documentation/filesystems/ext3.txt

@@ -96,6 +96,11 @@ errors=remount-ro(*)	Remount the filesys

 errors=continue		Keep going on a filesystem error.

 errors=panic		Panic and halt the machine if an error occurs.
+data_err=ignore(*)	Just print an error message if an error occurs

+			in a file data buffer in ordered mode.

+data_err=abort		Abort the journal if an error occur...
[ message continues ]

In ordered mode, if a file data buffer being dirtied exists in

the committing transaction, we write the buffer to the disk, move

it from the committing transaction to the running transaction,

then dirty it.  But we don't have to remove the buffer from the

committing transaction when the buffer couldn't be written out,

otherwise it would miss the error and the committing transaction

would not abort.
This patch adds an error check before removing the buffer from the

committing transaction.
Signed-off-by: Hidehiro Kawai <hidehiro.kawai.ez@hitachi.com>

Acked-by: Jan Kara <jack@suse.cz>

---

This patch is the same as patch 2/5 of possible filesystem corruption

fixes (take 2).  It can be found at:

http://kerneltrap.org/mailarchive/linux-kernel/2008/6/2/2002144
 fs/jbd/transaction.c |   16 +++++++++++++---

 1 file changed, 13 insertions(+), 3 deletions(-)
Index: linux-2.6.27-rc5/fs/jbd/transaction.c

===================================================================

--- linux-2.6.27-rc5.orig/fs/jbd/transaction.c

+++ linux-2.6.27-rc5/fs/jbd/transaction.c

@@ -954,9 +954,10 @@ int journal_dirty_data(handle_t *handle,

 	journal_t *journal = handle->h_transaction->t_journal;

 	int need_brelse = 0;

 	struct journal_head *jh;

+	int ret = 0;
 	if (is_handle_aborted(handle))

-		return 0;

+		return ret;
 	jh = journal_add_journal_head(bh);

 	JBUFFER_TRACE(jh, "entry");

@@ -1067,7 +1068,16 @@ int journal_dirty_data(handle_t *handle,

 				   time if it is redirtied */

 			}
-			/* journal_clean_data_list() may have got there first */

+			/*

+			 * We cannot remove the buffer with io error from the

+			 * committing transaction, because otherwise it would

+			 * miss the error and the commit would not abort.

+			 */

+			if (unlikely(!buffer_uptodate(bh))) {

+				ret = -EIO;

+				goto no_journal;

+			}

+

 			if (jh->b_transaction != NULL) {

 				JBUFFER_TRACE(jh, "unfile from commit");

 				__journal_temp_unlink_buffer(jh);

@@ -1108,7 +1118,7 @@ no_j...
[ message continues ]