lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <74C79F4D-E9B0-4F47-ACF2-9335D3DB8604@javigon.com>
Date:   Tue, 29 Jan 2019 16:03:10 +0100
From:   Javier González <javier@...igon.com>
To:     Hans Holmberg <hans@...tronix.com>
Cc:     Matias Bjørling <mb@...htnvm.io>,
        Zhoujie Wu <zjwu@...vell.com>, linux-block@...r.kernel.org,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Hans Holmberg <hans.holmberg@...xlabs.com>
Subject: Re: [PATCH] lightnvm: pblk: extend line wp balance check

> On 29 Jan 2019, at 13.49, Hans Holmberg <hans@...tronix.com> wrote:
> 
> On Tue, Jan 29, 2019 at 12:19 PM Javier González <javier@...igon.com> wrote:
>>> On 29 Jan 2019, at 09.47, hans@...tronix.com wrote:
>>> 
>>> From: Hans Holmberg <hans.holmberg@...xlabs.com>
>>> 
>>> pblk stripes writes of minimal write size across all non-offline chunks
>>> in a line, which means that the maximum write pointer delta should not
>>> exceed the minimal write size. Extend the line write pointer balance check
>>> to cover this case.
>>> 
>>> Signed-off-by: Hans Holmberg <hans.holmberg@...xlabs.com>
>>> ---
>>> 
>>> This patch applies on top of Zhoujie's V3 of
>>> "lightnvm: pblk: ignore bad block wp for pblk_line_wp_is_unbalanced
>>> 
>>> drivers/lightnvm/pblk-recovery.c | 60 ++++++++++++++++++++------------
>>> 1 file changed, 37 insertions(+), 23 deletions(-)
>>> 
>>> diff --git a/drivers/lightnvm/pblk-recovery.c b/drivers/lightnvm/pblk-recovery.c
>>> index 02d466e6925e..d86f580036d3 100644
>>> --- a/drivers/lightnvm/pblk-recovery.c
>>> +++ b/drivers/lightnvm/pblk-recovery.c
>>> @@ -302,41 +302,55 @@ static int pblk_pad_distance(struct pblk *pblk, struct pblk_line *line)
>>>      return (distance > line->left_msecs) ? line->left_msecs : distance;
>>> }
>>> 
>>> -static int pblk_line_wp_is_unbalanced(struct pblk *pblk,
>>> -                                   struct pblk_line *line)
>>> +/* Return a chunk belonging to a line by stripe(write order) index */
>>> +static struct nvm_chk_meta *pblk_get_stripe_chunk(struct pblk *pblk,
>>> +                                               struct pblk_line *line,
>>> +                                               int index)
>>> {
>>>      struct nvm_tgt_dev *dev = pblk->dev;
>>>      struct nvm_geo *geo = &dev->geo;
>>> -     struct pblk_line_meta *lm = &pblk->lm;
>>>      struct pblk_lun *rlun;
>>> -     struct nvm_chk_meta *chunk;
>>>      struct ppa_addr ppa;
>>> -     u64 line_wp;
>>> -     int pos, i, bit;
>>> +     int pos;
>>> 
>>> -     bit = find_first_zero_bit(line->blk_bitmap, lm->blk_per_line);
>>> -     if (bit >= lm->blk_per_line)
>>> -             return 0;
>>> -     rlun = &pblk->luns[bit];
>>> +     rlun = &pblk->luns[index];
>>>      ppa = rlun->bppa;
>>>      pos = pblk_ppa_to_pos(geo, ppa);
>>> -     chunk = &line->chks[pos];
>>> 
>>> -     line_wp = chunk->wp;
>>> +     return &line->chks[pos];
>>> +}
>>> 
>>> -     for (i = bit + 1; i < lm->blk_per_line; i++) {
>>> -             rlun = &pblk->luns[i];
>>> -             ppa = rlun->bppa;
>>> -             pos = pblk_ppa_to_pos(geo, ppa);
>>> -             chunk = &line->chks[pos];
>>> +static int pblk_line_wps_are_unbalanced(struct pblk *pblk,
>>> +                                   struct pblk_line *line)
>>> +{
>>> +     struct pblk_line_meta *lm = &pblk->lm;
>>> +     int blk_in_line = lm->blk_per_line;
>>> +     struct nvm_chk_meta *chunk;
>>> +     u64 max_wp, min_wp;
>>> +     int i;
>>> 
>>> -             if (chunk->state & NVM_CHK_ST_OFFLINE)
>>> -                     continue;
>>> +     i = find_first_zero_bit(line->blk_bitmap, blk_in_line);
>>> +
>>> +     /* If there is one or zero good chunks in the line,
>>> +      * the write pointers can't be unbalanced.
>>> +      */
>>> +     if (i >= (blk_in_line - 1))
>>> +             return 0;
>>> 
>>> -             if (chunk->wp > line_wp)
>>> +     chunk = pblk_get_stripe_chunk(pblk, line, i);
>>> +     max_wp = chunk->wp;
>>> +     if (max_wp > pblk->max_write_pgs)
>>> +             min_wp = max_wp - pblk->max_write_pgs;
>>> +     else
>>> +             min_wp = 0;
>>> +
>>> +     i = find_next_zero_bit(line->blk_bitmap, blk_in_line, i + 1);
>>> +     while (i < blk_in_line) {
>>> +             chunk = pblk_get_stripe_chunk(pblk, line, i);
>>> +             if (chunk->wp > max_wp || chunk->wp < min_wp)
>>>                      return 1;
>>> -             else if (chunk->wp < line_wp)
>>> -                     line_wp = chunk->wp;
>>> +
>>> +             i = find_next_zero_bit(line->blk_bitmap, blk_in_line, i + 1);
>>>      }
>>> 
>>>      return 0;
>>> @@ -362,7 +376,7 @@ static int pblk_recov_scan_oob(struct pblk *pblk, struct pblk_line *line,
>>>      int ret;
>>>      u64 left_ppas = pblk_sec_in_open_line(pblk, line) - lm->smeta_sec;
>>> 
>>> -     if (pblk_line_wp_is_unbalanced(pblk, line))
>>> +     if (pblk_line_wps_are_unbalanced(pblk, line))
>>>              pblk_warn(pblk, "recovering unbalanced line (%d)\n", line->id);
>>> 
>>>      ppa_list = p.ppa_list;
>>> --
>>> 2.17.1
>> 
>> If I am understanding correctly, you want to protect against the case
>> where a pfail has broken the ws_min partition of a chunk, right? I say
>> this because there is a guarantee that the minimal write size and pblk's
>> write size align with ws_min and ws_opt. Even if we have grown bad
>> blocks on pfail for the current line (which is a bigger problem because
>> we have potentially lost data), this guarantee would remain.
>> 
>> If this is the case, my first reaction would be to say that the
>> controller is responsible for guaranteeing atomicity for both scalar and
>> vector I/Os. If this is not guaranteed, we have bigger problems than
>> this (e.g., for the write error recovery path).
>> 
>> Are you thinking of a different case?
> 
> The write pointer check triggers a warning if something unexpected has
> happened to the chunks.
> i.e. if something else than pblk messed with the disk, or if the user
> tries to recover a pblk instance with an invalid lun configuration.

But this will only solve a very specific corner case of this, right?
This is, when you are writing at WP on a middle LUN exactly < ws_min.

For example, If the user attempts to start pblk with a different LUN
configuration, the alignment is the same an pblk will actually fail
because it cannot find any emeta.

For completion, the original wp_unbalanced patch attempted to protect
against the case where several outstanding I/Os to different PUs are
inflight and then you have a pfail. In this case, a write to a PU that
is not "next" in the line bitmap completes and we have a whole, meaning
that if we recover this case, we risk to overwrite valid data, as we
break the "sequentiality" the line, which allows for recovering by
replaying the P2L stored on the OOB.

> 
> This patch adds a warning if a chunk wp is too small(i.e. if a chunk
> was unexpectedly reset)

I am not arguing against the implementation, I am just trying to
understand what you are trying to fix. If it is the case I described
originally, then I do not think it is possible on the Open-Channel
architecture. If you want to add protection against corruptions, then
this needs more work as many corruption cases are missing - you would
need something like a OOB watermark to protect open lines and something
like a OOB lba CRC check in emeta to validate that no data has been
altered.

If you ask me, I do not think the latter belongs to pblk, and if it did,
I would suggest a whole new (optional) feature that adds this short of
integrity protection, ideally, reusing NVMe PI. In the original pblk, we
have followed the same assumption as block devices do; you can go an
write on the side to a block device that has a FS on top; the block
device will not complain at all - if the FS detects this then they will
try to fix it, otherwise you lost data.

In this context, we have discussed about a pblk tool a la fsck, which can
cover all this cases instead of adding more complexity to the recovery
path in the kernel. Here, you patch makes sense we fail if something
suspicious has occurred and move the burden to the pblk tool for it to
do the repair. But again, if the goal s adding integrity protection, it
needs to cover the rest of the cases.

Hope this makes sense.

Javier

Download attachment "signature.asc" of type "application/pgp-signature" (834 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ