lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20180412202457.zszz7zl2pcdba35e@alap3.anarazel.de>
Date:   Thu, 12 Apr 2018 13:24:57 -0700
From:   Andres Freund <andres@...razel.de>
To:     Jeff Layton <jlayton@...hat.com>
Cc:     Matthew Wilcox <willy@...radead.org>,
        Andreas Dilger <adilger@...ger.ca>,
        20180410184356.GD3563@...nk.org,
        "Theodore Y. Ts'o" <tytso@....edu>,
        Ext4 Developers List <linux-ext4@...r.kernel.org>,
        Linux FS Devel <linux-fsdevel@...r.kernel.org>,
        "Joshua D. Drake" <jd@...mandprompt.com>
Subject: Re: fsync() errors is unsafe and risks data loss

On 2018-04-12 07:09:14 -0400, Jeff Layton wrote:
> On Wed, 2018-04-11 at 20:02 -0700, Matthew Wilcox wrote:
> > On Wed, Apr 11, 2018 at 07:17:52PM -0700, Andres Freund wrote:
> > > > > While there's some differing opinions on the referenced postgres thread,
> > > > > the fundamental problem isn't so much that a retry won't fix the
> > > > > problem, it's that we might NEVER see the failure.  If writeback happens
> > > > > in the background, encounters an error, undirties the buffer, we will
> > > > > happily carry on because we've never seen that. That's when we're
> > > > > majorly screwed.
> > > > 
> > > > 
> > > > I think there are two issues here - "fsync() on an fd that was just opened"
> > > > and "persistent error state (without keeping dirty pages in memory)".
> > > > 
> > > > If there is background data writeback *without an open file descriptor*,
> > > > there is no mechanism for the kernel to return an error to any application
> > > > which may exist, or may not ever come back.
> > > 
> > > And that's *horrible*. If I cp a file, and writeback fails in the
> > > background, and I then cat that file before restarting, I should be able
> > > to see that that failed. Instead of returning something bogus.
> 
> What are you expecting to happen in this case? Are you expecting a read
> error due to a writeback failure? Or are you just saying that we should
> be invalidating pages that failed to be written back, so that they can
> be re-read?

Yes, I'd hope for a read error after a writeback failure. I think that's
sane behaviour. But I don't really care *that* much.

At the very least *some* way to *know* that such a failure occurred from
userland without having to parse the kernel log. As far as I understand,
neither sync(2) (and thus sync(1)) nor syncfs(2) is guaranteed to report
an error if it was encountered by writeback in the background.

If that's indeed true for syncfs(2), even if the fd has been opened
before (which I can see how it could happen from an implementation POV,
nothing would associate a random FD with failures on different files),
it's really impossible to detect this stuff from userland without text
parsing.

Even if it'd were just a perf-fs /sys/$something file that'd return the
current count of unreported errors in a filesystem independent way, it'd
be better than what we have right now.

1) figure out /sys/$whatnot $directory belongs to
2) oldcount=$(cat /sys/$whatnot/unreported_errors)
3) filesystem operations in $directory
4) sync;sync;
5) newcount=$(cat /sys/$whatnot/unreported_errors)
6) test "$oldcount" -eq "$newcount" || die-with-horrible-message

Isn't beautiful to script, but it's also not absolutely terrible.

Greetings,

Andres Freund

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ