[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20210226171901.GA3949@redsun51.ssa.fujisawa.hgst.com>
Date: Sat, 27 Feb 2021 02:19:01 +0900
From: Keith Busch <kbusch@...nel.org>
To: Hannes Reinecke <hare@...e.de>
Cc: Daniel Wagner <dwagner@...e.de>, Sagi Grimberg <sagi@...mberg.me>,
Jens Axboe <axboe@...com>, Christoph Hellwig <hch@....de>,
linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] nvme-tcp: Check if request has started before processing
it
On Fri, Feb 26, 2021 at 05:42:46PM +0100, Hannes Reinecke wrote:
> On 2/26/21 5:13 PM, Keith Busch wrote:
> >
> > That's just addressing a symptom. You can't fully verify the request is
> > valid this way because the host could have started the same command ID
> > the very moment before the code checks it, incorrectly completing an
> > in-flight command and getting data corruption.
> >
> Oh, I am fully aware.
>
> Bad frames are just that, bad frames.
> We can only fully validate that when digests are enabled, but I gather that
> controllers sending out bad frames wouldn't want to enable digests, either.
> So relying on that is possibly not an option.
>
> So really what I'm trying to avoid is the host crashing on a bad frame.
> That kind of thing always resonates bad with customers.
> And tripping over an uninitialized command is just too stupid IMO.
Crashing is bad, silent data corruption is worse. Is there truly no
defense against that? If not, why should anyone rely on this?
Powered by blists - more mailing lists