GNOME Bugzilla – Bug 760523
"Safely Remove Drive" does not work correctly for multi-partition drives, data loss highly possible
Last modified: 2016-02-29 12:57:41 UTC
I have several partitions on my USB drive. When I write something to one of the partitions and then use the "Safely Remove Drive" context menu option, I often see a notification saying that I can safely unplug the drive, when in fact the data have not been synced yet. If I follow the instructions, I lose the unsynced data and risk corrupting the filesystem.

Reproducer:
1. Create two blank partitions (I used ext4) on a USB disk. I called them data1 and data2.
2. Mount all partitions and copy a big file to data1.
3. Before the data is completely synced (you can check this by running the "sync" command), choose "Safely Remove Drive" in Nautilus.
4. See the "You can now unplug <drive name>" notification immediately.
5. Depending on random chance, one of two things happens:
   a) the first notification disappears, and after some time (once the data is synced), the same "You can now unplug <drive name>" notification appears again. That shows that both partitions were unmounted properly and you can now finally eject the drive. If you have ejected your drive after the first notification, you have just lost some data.
   b) the first notification disappears, and immediately you see another notification "Writing data to <drive name> - Don't unplug until finished". Once the data is synced, this is replaced by another "You can now unplug <drive name>" notification and you can now eject the drive.

Please note that 5a) and 5b) happen randomly; there is some kind of race condition. On one machine I happen to mainly see 5a), on a different machine I happen to mainly see 5b). I captured both versions in a screencast, you can have a look.

Also, this problem is less severe when the partition containing unsynced data is unmounted as the first one. In my case, the partitions are mounted in data1 -> data2 order, and unmounted in data2 -> data1 order. So I need to copy files to data1 when reproducing this. If I copy data to data2, the first notification is "don't unplug until finished", so everything seems OK. (Of course, if I take this issue a step further and assume both partitions have unsynced data, then even ordering does not help and you can be fooled and lose some data.) I'm just mentioning this to help debug this.

In my opinion, neither 5a) nor 5b) nor the case mentioned in the above paragraph is correct behavior. There should not be multiple notifications at all (one for every partition) - I'm trying to eject the drive as a whole, and therefore there should be a single notification. Of course the most confusing and most dangerous one is 5a). Also please note that the notification says I can eject the whole drive (it does not say "you can now unplug data1", it says "you can now unplug <drive name>"), which in itself is a bad bug.

I have the following theories about the 5a) vs 5b) difference:
* Nautilus sometimes fails to emit the second notification.
* Nautilus does emit the notification, but they are fired so close to each other that gnome-shell sometimes ignores the second one.

How I believe this should be solved:
* Nautilus should not emit one notification per partition when using the "Safely Remove Drive" menu item. That only makes users likely to eject the drive the first time they see "you can now unplug <drive name>", even though other partitions are not synced yet. It should emit one notification for the whole drive. If there are *any* partitions which are not synced yet, it should show "Writing data to <drive name> - Don't unplug until finished". Only once *all* partitions are unmounted and the drive powered down should it show "You can now unplug <drive name>".
* Nautilus should not rely on notifications only. When syncing and unmounting partitions, the eject triangle icons in the sidebar should be replaced by a small spinner. This very simple visual clue will make it clear to users when things are properly unmounted and when they are still not, even when there's some bug in the notification system. This will also help with the fact that many users hit the Eject button for every single partition instead of using the "Safely Remove Drive" function. It's more natural and more visible to hit all the eject buttons. But that also introduces the problem with multiple notifications, which can trick the user into ejecting the drive prematurely. Using the spinner icons would solve this use case elegantly.

I had already lost some data before I discovered this, please consider this an important bug. Thank you.

nautilus-3.18.4-1.fc23.x86_64
gnome-shell-3.18.3-1.fc23.x86_64
gvfs-1.26.2-1.fc23.x86_64
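A workaround for the race described in this report, added here as an example and not code from the bug report, GVfs or Nautilus: a POSIX shell function that treats the USB disk as a whole, unmounting every partition, flushing, verifying that nothing is still mounted, and only then powering the drive off. It assumes util-linux (lsblk) and udisks2 (udisksctl) are installed; the device names and mount points are placeholders, and the lsblk output used in the test is constructed.

```shell
#!/bin/sh
# Added example, not code from the bug report or from GVfs/Nautilus.
# Treat the USB disk as a whole: unmount every partition, flush, verify,
# and only then power it off. Assumes util-linux (lsblk) and udisks2
# (udisksctl); device names are placeholders.

# Read "NAME MOUNTPOINT" lines (the output of `lsblk -nro NAME,MOUNTPOINT
# /dev/sdX`) on stdin and print the mount points of the mounted children,
# last mounted first (data2 before data1, the order the report observed).
mounted_children() {
    awk 'NF >= 2 { print $2 }' | sed -n '1!G;h;$p'
}

# Count the mounted children of a disk from the same lsblk output on stdin.
still_mounted() {
    awk 'NF >= 2 { n++ } END { print n + 0 }'
}

# Usage: safe_remove_drive /dev/sdb   (the whole disk, not a partition)
safe_remove_drive() {
    disk="$1"
    [ -b "$disk" ] || { echo "not a block device: $disk" >&2; return 1; }

    # umount blocks until the dirty pages of that filesystem are written back,
    # so each step really waits, unlike the early notification in the report.
    lsblk -nro NAME,MOUNTPOINT "$disk" | mounted_children |
    while IFS= read -r mp; do
        echo "unmounting $mp ..."
        umount "$mp" || exit 1
    done || { echo "unmount failed; do not unplug $disk" >&2; return 1; }

    sync    # flush anything still sitting in the page cache

    # Never announce "you can unplug" while any partition is still mounted.
    if [ "$(lsblk -nro NAME,MOUNTPOINT "$disk" | still_mounted)" -ne 0 ]; then
        echo "partitions of $disk are still mounted; not powering off" >&2
        return 1
    fi
    udisksctl power-off -b "$disk" && echo "You can now unplug $disk"
}
```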
Created attachment 318863: screencast of 5a)
This is the 5a) version. This is the case where users are most likely to lose data.
Created attachment 318864: system journal for 5a)
There is not much to see, there are no specific messages related to Nautilus or gnome-shell notifications when unmounting.
Created attachment 318865: screencast of 5b)
This is the 5b) version. This is when "you can now safely eject <drive name>" is replaced by "don't eject yet" in a short time.
I suppose this is rather a bug in the udisks2 volume monitor, but I can't reproduce it and I wonder why I don't see "Safely Remove Device", but just "Eject". It seems it might be because it is a start-stop drive. Kamil, could you please provide the output of "gvfs-mount -li"?
Created attachment 321651 [review]: udisks2: Show unmount notification only once when stopping
Unfortunately I don't have any start-stop drive here, so I can't test it, but I suppose this might fix it...
>>> I don't see "Safely Remove Device", but just "Eject".

Indeed, we only show the Safely Remove Device if the drive is start-stop. Otherwise just eject. (not sure how good that is or not, I'm actually trying to rework that handling as you already know).

FWIW Ondrej and I discussed adding a device mounting folder per device using the computer:/// backend. This will help us to show the device as a whole in the sidebar, and only show eject for that one and unmount for the partitions.

The notification is performed now by nautilus instead of gtk+, and we should be in full control of what a notification looks like, and just show a single notification if we are ejecting the drive, instead of a notification for every unmounted partition.

Ondrej, not sure what your patch is trying to fix; if I understand correctly nautilus doesn't use the volume monitor in order to make notifications, it only notifies when an operation has been created inside nautilus, so we are in full control of that.
(In reply to Carlos Soriano from comment #6)
> >>> I don't see "Safely Remove Device", but just "Eject".
>
> Indeed, we only show the Safely Remove Device if the drive is start-stop.
> Otherwise just eject. (not sure how good is that or not, I'm actually trying
> to rework that handling as you already know).

Ok, then my patch is probably needed, but it would be nice to test it. I don't have any start-stop device, but maybe I may borrow the one from Kamil...

> FWIW Ondrej and me discussed to add a device mounting folder per device
> using the computer:/// backend. This will help us to show the device as a
> whole in the sidebar, and only show eject for that one and unmount for the
> partitions.
>
> The notification is performed now by nautilus instead of gtk+, and we should
> be in full control on what a notification looks like, and just show a single
> notification if we are ejecting the drive, instead of a notification for
> every unmounted partition.
>
> Ondrej, not sure what your patch is trying to fix, if I understand correctly
> nautilus doesn't use the volumes monitor in order to make notifications, it
> only notifies when an operation has been created inside nautilus, so we are
> in full control of that.

gvfsudisks2volumemonitor unmounts all mounts if you call g_drive_eject_with_operation, or g_drive_stop. The provided GMountOperation may emit the show-unmount-progress signal with some of the following strings:
"%s has been unmounted\n"
"You can now unplug %s\n"
"Unmounting %s\nPlease wait\nWriting data to %s\nDon't unplug until finished"

The strings are shown as notifications on the client side, probably by GtkMountOperation... or directly by Nautilus?

There is a hack to emit show-unmount-progress per device and not per mount in the case of g_drive_eject. The patch tries to do a similar hack for g_drive_stop...
> gvfsudisks2voluemonitor unmounts all mounts if you call
> g_drive_eject_with_operation, or g_drive_stop. Provided GMountOperation may
> emit show-unmount-progress signal with some of the following strings:
> "%s has been unmounted\n"
> "You can now unplug %s\n"
> "Unmounting %s\nPlease wait\nWriting data to %s\nDon't unplug until finished"
>
> The strings are shown as notifications on client side, probably by
> GtkMountOperation... or directly by Nautilus?

Now in nautilus, we show a notification that we replace with new messages every time gtk+ reports progress. So we only show one notification per GtkMountOperation. So that should work well if we just eject the drive. I think gvfs is just fine here.

> There is hack to emit show-unmount-progress per device and not per mount in
> case of g_drive_eject. The patch tries to do similar hack for g_drive_stop...

Ah ok, now I get your patch. I'm still interested in the one device per folder in computer:///. Do you think you would have some time for it for 3.20? Or should I spend some time for 3.22?
I have tested the gvfs fix available in http://koji.fedoraproject.org/koji/taskinfo?taskID=13127782 and it seems to fix the problem. Thanks a lot, Ondrej.
Comment on attachment 321651 [review]: udisks2: Show unmount notification only once when stopping

Kamil, thanks for testing...

master: commit ba397fa918250cee436e1cfd5fd5049b4ee42068
gnome-3-18: commit cf995149fdba04f54ddaeba0f8be84f269322dd2
(In reply to Carlos Soriano from comment #8)
> (snap)
>
> I'm still interested in the one device per folder in computer:///. Do you
> think you would have some time for it for 3.20? Or should I spend some time
> for 3.22?

Let's find some solution for 3.22, I'm sick currently. I've realized it won't be so simple as I thought before. Let's discuss it in Brno personally...
(In reply to Ondrej Holy from comment #11)
> (In reply to Carlos Soriano from comment #8)
> > (snap)
> >
> > I'm still interested in the one device per folder in computer:///. Do you
> > think you would have some time for it for 3.20? Or should I spend some time
> > for 3.22?
>
> Let's found some solution for 3.22, I'm sick currenlty. I've realized it
> won't be so simple as I though before. Let's discuss it in Brno personally...

Sure, get well soon!