lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4A8F1FA5.5080501@hp.com>
Date:	Fri, 21 Aug 2009 18:28:53 -0400
From:	jim owens <jowens@...com>
To:	Theodore Ts'o <tytso@....edu>
CC:	linux-ext4@...r.kernel.org
Subject: Re: RFC: Clarifying Direct I/O Semantics

Theodore Ts'o wrote:
> As we had discussed on a previous ext4 conference call, I've created a
> formal write up of Direct I/O's semantics as they currently exist in
> Linux.  As far as I know it accurately reflects what we are currently
> doing today, so this is really more of a "document what we are doing"
> than any thing else.
> 
> Before I send this out to for wider review. could folks here take a look
> at it and let me know if I've made any embarassing mistakes or
> mis-statements?
> 
> http://ext4.wiki.kernel.org/index.php/Clarifying_Direct_IO's_Semantics
> 
> Thanks!!
> 
> 						- Ted
> 
> P.S.  For people who are too lazy to click on the above link, here's the
> version of the page as of this writing :-)
> 
> = Introduction = 
> 
> The exact semantics of Direct I/O (O_DIRECT) are well specified. It is
                                                        ^^^ not
> not a part of POSIX, or SUS, or any other formal standards
> specification. The exact meaning of O_DIRECT has historically been
> negotiated in non-public discussions between powerful enterprise
> database companies and proprietary Unix systems, and its behaviour has
> generally been passed down as oral lore rather than as a formal set of
> requirements and specifications.
> 
> The goal of this page is to summarize the current status, and to propose
> a more fully-fleshed out set of semantics for O_DIRECT which Linux file
> filesystem developers can agree, and for which application programmers
> (especially open source database implementors who may not have had an
> opportunity to have the same set of discussions with OS implementors as
> the large enterprise database developers have had). Once there is
> consensus, this wiki page should also be used as the basis for updating
> the Linux kernel man page for open(2).
> 
> = Ambiguities =
> 
> The Linux kernel man page for open(2) states:
> 
>     Try to minimize cache effects of the I/O to and from this file. In
>     general this will degrade performance, but it is useful in special
>     situations, such as when applications do their own caching. File I/O
>     is done directly to/from user space buffers. The I/O is synchronous,
>     that is, at the completion of a read(2) or write(2), data is
>     guaranteed to have been transferred. See NOTES below for further
>     discussion....
> 
>     The O_DIRECT flag may impose alignment restrictions on the length
>     and address of userspace buffers and the file offset of I/Os. In
>     Linux alignment restrictions vary by file system and kernel version
>     and might be absent entirely. However there is currently no file
>     system-independent interface for an application to discover these
>     restrictions for a given file or file system. Some file systems
>     provide their own interfaces for doing so, for example the
>     XFS_IOC_DIOINFO operation in xfsctl(3).
> 
> ==  Fallback behavior ==
> 
> The Linux man page does not state what happens if the alignment
> restrictions are not met; does the kernel start running rogue or
> nethack; does it send a signal such as SIGSEGV or SIGABORT, and kill the
> running process; or does it fall back to buffered I/O? Today, the answer
> is the latter; but it's not specified anywhere.

retval = -EINVAL; is what __blockdev_direct_IO does in that case
and what I was making btrfs directIO do.  but fall back is OK too
if we really want. what existing code fixes up the EINVAL?

> 
> This is relatively well understood by most implementors and users of
> O_DIRECT as part of the "oral lore", so simply updating the Linux man
> page should not be controversial.
>

The following section includes "sparse" AKA "allocating" writes but
just says "extending".  Either sparse-filling write needs covered
separately or we should say "allocating" instead of "extending.

> == Extending writes ==
> 
> Similarly unstated in the Linux man page --- or any specification I
> could find on the web --- is any mention about what happens if an
> O_DIRECT write needs to allocate blocks; for example, because the write
> is extending the size the file, or the write system call is writing into
> a sparse file's "hole" where a block had not been previously
> allocated. Current Linux implementations falls back to buffered I/O,
> such that the data goes through the page cache. The current
> implementation does wait until the I/O has been posted (although not
> necessarily with a barrier such that the data is guaranteed written to
> stable store by the storage device). However, Linux does not wait until
> the metadata associated with the block allocation has been committed to
> the filesystem; hence, if the system crashes after an extending write
> completes, there is no guarantee the data will be accessible to an
> application after the system reboots. To provide this guarantee, the
> application must use fsync(2), or set the O_SYNC or O_DSYNC flag on the
> file descriptor via fcntl(2).
> 
> Given that with an extending write, an explicit fsync(2) (or write with
> O_SYNC/O_DSYNC) is required, there doesn't seem to be much point in
> waiting until the data I/O is complete if the O_DIRECT write has fallen
> back to using buffered I/O --- after all, if the data has been copied
> into the page cache, the data buffered passed into the write(2) system
> call can be safely reused for other purposes, so it may be that the
> kernel should be allowed to return as soon as the data has been copied
> into the page cache.
> 
>>>From a specification point of view, the fact that extending writes can
> fall back to buffered I/O should be documented, and that any file system
> control data associated with the block I/O will not be synchronously
> committed unless the application explicitly requests this via fsync(2)
> or O_SYNC. If there is agreement that based on this, the kernel should
> be allowed to return once the data buffer passed to write(2) can be
> reused the application, this should be explicitly documented in the
> open(2) man page as well.
> 
> == Writes into preallocated space == 
> 
> In recent Linux kernels, it is possible to request that the file system
> allocate blocks with out initializing the blocks first. Since those
> blocks contain previously unused data blocks, those blocks or extents
> must be marked as uninitialized, so that reads of these uninitialized
> blocks will return a zero block instead of the previous contents of
> those blocks (which might cause a security exposure). The first time an
> application writes into preallocated block, the file system must clear
> the uninitialized bit, so that a subsequent read of that data block will
> return the written data, instead of a zero block.
> 
> This requirement, when applied to a direct I/O write, has similar
> implications to the extending write case, described above. Although the
> space for the direct I/O has already been reserved, a change to the file
> system metadata is required to mark the just-written data block or
> extent as being initialized. For file systems that use a journal to
> assure that the file system metadata is consistent, requiring direct I/O
> write to block until a file system commit is completed would be an
> unacceptable performance impact. On the other hand, if the data is not
> guaranteed to be present after a system crash unless the application
> uses an explicit fsync(2) call, this could take some application
> programmers by surprise --- especially since testing that the
> application data can be recovered after crashes that take place
> immediately after an extending write or a write into a preallocated
> block are cases that might not be well tested by all open source
> database.
> 
> The proposed solution is the same for the extending writes; that we
> document that O_DIRECT does not imply synchronous I/O of any file
> control data, and that it is unspecified whether data written into newly
> allocated blocks, or uninitialized regions of the file will survive a
> system crash until the data is explicitly flushed to disk via a system
> facility such as fsync(2). For that reason, the only thing which the
> application can infer in the case of writes to preallocated
> (uninitialized) file regions or file regions which require block
> allocation is that when the write(2) system call, the data buffer passed
> to write(2) may be reused for other purposes.

Possibly it should just be stated that directIO write data integrity
is based on the setting of posix O_SYNC and O_DSYNC.  Then it is their
choice to run slow-and-safe or fast.  O_SYNC requires metadata on disk.

> 
> = Conclusion =
> 
> Most users of direct I/O will hopefully not be affected by the
> clarifications in this document. These users tend to not to use
> extending writes with Direct I/O, or are already using an explicit
> fsync(2) after such extending writes. However, if there are applications
> that have been making assumptions about direct I/O implying O_SYNC
> semantics to meet (for example) database ACID requirements, changing
> their application to meet the semantics documented herein (which after
> all, is all applications have been getting anyway) should not be
> difficult.
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> 

--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ