lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 16 Aug 2021 14:05:18 -0700
From:   "Darrick J. Wong" <>
Subject: [PATCHSET 0/2] dax: fix broken pmem poison narrative

Hi all,

Our current "advice" to people using persistent memory and FSDAX who
wish to recover upon receipt of a media error (aka 'hwpoison') event
from ACPI is to punch-hole that part of the file and then pwrite it,
which will magically cause the pmem to be reinitialized and the poison
to be cleared.

Punching doesn't make any sense at all -- we don't allow userspace to
allocate from specific parts of the storage, and another writer could
grab the poisoned range in the meantime.  In other words, the advice is
seriously overfitted to incidental xfs and ext4 behavior and can
completely fail.  Worse yet, that concurrent writer now has to deal with
the poison that it didn't know about, and someone else is trying to fix.

AFAICT, the only reason why the "punch and write" dance works at all is
that the XFS and ext4 currently call blkdev_issue_zeroout when
allocating pmem as part of a pwrite call.  A pwrite without the punch
won't clear the poison, because pwrite on a DAX file calls
dax_direct_access to access the memory directly, and dax_direct_access
is only smart enough to bail out on poisoned pmem.  It does not know how
to clear it.  Userspace could solve the problem by calling FIEMAP and
issuing a BLKZEROOUT, but that requires rawio capabilities.

The whole pmem poison recovery story is is wrong and needs to be
corrected ASAP before everyone else starts doing this.  Therefore,
create a dax_zeroinit_range function that filesystems can call to reset
the contents of the pmem to a known value and clear any state associated
with the media error.  Then, connect FALLOC_FL_ZERO_RANGE to this new
function (for DAX files) so that unprivileged userspace has a safe way
to reset the pmem and clear media errors.

If you're going to start using this mess, you probably ought to just
pull from my git trees, which are linked below.

This is an extraordinary way to destroy everything.  Enjoy!
Comments and questions are, as always, welcome.


kernel git tree:
 fs/dax.c            |   72 +++++++++++++++++++++++++++++++++++++++++++++++++++
 fs/ext4/extents.c   |   19 +++++++++++++
 fs/xfs/xfs_file.c   |   20 ++++++++++++++
 include/linux/dax.h |    7 +++++
 4 files changed, 118 insertions(+)

Powered by blists - more mailing lists