Date:   Wed, 7 Jul 2021 12:58:09 -0400
From:   "Theodore Ts'o" <>
To:     Christoph Hellwig <>
Subject: Re: [PATCH] ext4: fix EXT4_IOC_CHECKPOINT

On Wed, Jul 07, 2021 at 10:56:44AM +0200, Christoph Hellwig wrote:
> Issuing a discard for any kind of "contention deletion SLO" is highly
> dangerous as discard as defined by Linux (as well as the underlying NVMe,
> SCSI, ATA, eMMC and virtio primitives) is defined not to guarantee
> erasing of data but just allow optional and nondeterministic reclamation
> of space.  Instead issuing write zeroes is the only thing to perform
> such an operation.  Remove the highly dangerous and misleading discard
> mode for EXT4_IOC_CHECKPOINT and only support the write zeroes based
> on, and clean up the resulting mess including the dry run mode.

A discard is not "dangerous"; how it behaves is simply not necessarily
guaranteed by the standards specification.  The userspace which uses
the ioctl simply needs to know how a particular block device might
react when it is given a discard.

I'll note that there is a similar issue with "WRITE SAME" or "ZEROOUT".
A WRITE SAME might take a fraction of a second --- or it might take
days --- depending on how the storage device is implemented.  It is
similarly unspecified by the various standards specifications.  Hence,
userspace needs to know something about the block device before
deciding whether or not it would be a good idea to issue a "WRITE SAME"
operation for a large number of blocks.

This is why the API is implemented in terms of what command will be
issued to the block device, and not what the semantic meaning is for
that particular command.  That's up to the userspace application to
know out of band, and we should be able to give the privileged
application the freedom to decide which command makes the most amount
of sense.

	- Ted
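As an added example (not code from this thread or from ext4), here is how a privileged userspace tool might act on Ted's point: learn out of band what the block device advertises, pick the command for EXT4_IOC_CHECKPOINT accordingly, and dry-run the flags before the real call. The ioctl and flag values are those in the kernel's uapi ext4.h and the sysfs attributes are the block layer's; the selection policy itself is this example's own assumption.

```c
#include <stdio.h>
#include <stdint.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* Values as in include/uapi/linux/ext4.h (Linux 5.14+), defined here so the example builds without it. */
#define EXT4_IOC_CHECKPOINT _IOW('f', 43, uint32_t)
#define EXT4_IOC_CHECKPOINT_FLAG_DISCARD 0x1u
#define EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT 0x2u
#define EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN 0x4u

/* Out-of-band knowledge: one value from /sys/block/<dev>/queue/<attr>, 0 if unreadable. */
static unsigned long long queue_attr(const char *dev, const char *attr)
{
    char path[256];
    unsigned long long v = 0;
    snprintf(path, sizeof path, "/sys/block/%s/queue/%s", dev, attr);
    FILE *f = fopen(path, "r");
    if (f) {
        (void)fscanf(f, "%llu", &v);    /* v stays 0 on a parse failure */
        fclose(f);
    }
    return v;
}

/* Illustrative policy (this example's assumption, not ext4's): prefer write zeroes, the only
 * command defined to leave zeroed blocks; issue discard only if the operator vouched for the device. */
uint32_t choose_checkpoint_flags(unsigned long long write_zeroes_max_bytes,
                                 unsigned long long discard_max_bytes, int discard_ok)
{
    if (write_zeroes_max_bytes > 0)
        return EXT4_IOC_CHECKPOINT_FLAG_ZEROOUT;
    if (discard_max_bytes > 0 && discard_ok)
        return EXT4_IOC_CHECKPOINT_FLAG_DISCARD;
    return 0;                               /* neither command is safe to issue blindly */
}

/* Dry run first (kernel validates the flags without flushing the journal), then the real call. */
int checkpoint_journal(const char *mountpoint, uint32_t flags)
{
    int fd = open(mountpoint, O_RDONLY);
    if (fd < 0) return -1;
    uint32_t req = flags | EXT4_IOC_CHECKPOINT_FLAG_DRY_RUN;
    int rc = ioctl(fd, EXT4_IOC_CHECKPOINT, &req);
    if (rc == 0) { req = flags; rc = ioctl(fd, EXT4_IOC_CHECKPOINT, &req); }
    close(fd);
    return rc;                              /* 0 on success, -1 with errno set */
}
```

A caller would combine them as `checkpoint_journal("/mnt", choose_checkpoint_flags(queue_attr("sda", "write_zeroes_max_bytes"), queue_attr("sda", "discard_max_bytes"), operator_ok))`, refusing to proceed when the policy returns 0.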
