Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2738568imm; Tue, 4 Sep 2018 09:13:47 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZpyehMvPuWbmj4IpTuNrTicJuYmWZh3jpJ7nt8IaSeevJvkY5VrEAlvy56UJcMWQ5kBbpt X-Received: by 2002:a62:de04:: with SMTP id h4-v6mr31720239pfg.258.1536077627004; Tue, 04 Sep 2018 09:13:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536077626; cv=none; d=google.com; s=arc-20160816; b=iOqRK9Yu8/VxtYUjMKaWdfGAEDBpLRvtLPBREVAhKokFI8K1Wy08oUEMaWJYZo22ps p3Fa6hTYDly9RthbtI+pcLb7vzL36xmmfNvWHFkyT5rwWgMGNLEcji6W6fLSFxH8uaK2 BFi+anweTmBfyFTw9txklJzuOPbMUhj03etG6UxTdP/DdICs3vnubfotBq7SwfRmCEX2 ra3EdBo3OTXKUlD5Kx2rvERK0yf9MIF3/cqqcVsdia5dviylQj3xgPwFlJqCe0a2xdOD RXnBMxplcgJ7NQXo5YPFMfz6bRKth2VkS3CE7bk4MMSyGoY+18qVB77hE0NM8kq22pZE IFSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:from:user-agent:in-reply-to :content-transfer-encoding:content-disposition:mime-version :references:message-id:subject:cc:to:date:arc-authentication-results; bh=rw2TI4MrB2ZFN+k+cGdC8PIIubIiqxYmV1uF+BmeTsE=; b=qsbEww0v8rTV0iAAkxWfipQMD0SnjpikkmPnEhRIm9w3U1fR+fsQ9MGCHZk85aUVcE l1iIkfzwju6ZGxaKglOHTRZcTKboA1QjQNZCQU2UpQMr4xXr/KmPcMfYTDv56a+uuyCC 10xf6otmn3Yhs0rTM/RVGEt9cUiIcYlsdUHzq7KFl0rML+4d7rc1upKhogS8uUFIdlBO dDBASP4kVasxCqcsxBrOEtJxJcaqbGI3h7MTdYSyWZypyI89jrIhaAnxmA/0P6t3tz7V MptbRnlwRawpwiV6l/GYtW/5ofYR+CybpRUAauqSeu5C5Ib/DKSieKSRgik8jRqnIUDC 8b+A== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a9-v6si20773816pgf.380.2018.09.04.09.13.31; Tue, 04 Sep 2018 09:13:46 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727513AbeIDUhv (ORCPT + 99 others); Tue, 4 Sep 2018 16:37:51 -0400 Received: from fieldses.org ([173.255.197.46]:56328 "EHLO fieldses.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726347AbeIDUhv (ORCPT ); Tue, 4 Sep 2018 16:37:51 -0400 Received: by fieldses.org (Postfix, from userid 2815) id 596301DCB; Tue, 4 Sep 2018 12:12:03 -0400 (EDT) Date: Tue, 4 Sep 2018 12:12:03 -0400 To: Jeff Layton Cc: =?utf-8?B?54Sm5pmT5Yas?= , R.E.Wolff@bitwizard.nl, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: POSIX violation by writeback error Message-ID: <20180904161203.GD17478@fieldses.org> References: <20180904075347.GH11854@BitWizard.nl> <82ffc434137c2ca47a8edefbe7007f5cbecd1cca.camel@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) From: bfields@fieldses.org (J. Bruce Fields) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Sep 04, 2018 at 11:44:20AM -0400, Jeff Layton wrote: > On Tue, 2018-09-04 at 22:56 +0800, 焦晓冬 wrote: > > A practical and concrete example may be, > > A disk cleaner program that first searches for garbage files that won't be used > > anymore and save the list in a file (open()-write()-close()) and wait for the > > user to confirm the list of files to be removed. A writeback error occurs > > and the related page/inode/address_space gets evicted while the user is > > taking a long thought about it. Finally, the user hits enter and the > > cleaner begin > > to open() read() the list again. But what gets removed is the old list > > of files that > > was generated several months ago... > > > > Another example may be, > > An email editor and a busy mail sender. A well written mail to my boss is > > composed by this email editor and is saved in a file (open()-write()-close()). > > The mail sender gets notified with the path of the mail file to queue it and > > send it later. A writeback error occurs and the related > > page/inode/address_space gets evicted while the mail is still waiting in the > > queue of the mail sender. Finally, the mail file is open() read() by the sender, > > but what is sent is the mail to my girlfriend that was composed yesterday... > > > > In both cases, the files are not meant to be persisted onto the disk. > > So, fsync() > > is not likely to be called. > > > > So at what point are you going to give up on keeping the data? The > fundamental problem here is an open-ended commitment. We (justifiably) > avoid those in kernel development because it might leave the system > without a way out of a resource crunch. Well, I think the point was that in the above examples you'd prefer that the read just fail--no need to keep the data. A bit marking the file (or even the entire filesystem) unreadable would satisfy posix, I guess. Whether that's practical, I don't know. > > - If the following read() could be served by a page in memory, just returns the > > data. If the following read() could not be served by a page in memory and the > > inode/address_space has a writeback error mark, returns EIO. > > If there is a writeback error on the file, and the request data could > > not be served > > by a page in memory, it means we are reading a (partically) corrupted > > (out-of-data) > > file. Receiving an EIO is expected. > > > > No, an error on read is not expected there. Consider this: > > Suppose the backend filesystem (maybe an NFSv3 export) is really r/o, > but was mounted r/w. An application queues up a bunch of writes that of > course can't be written back (they get EROFS or something when they're > flushed back to the server), but that application never calls fsync. > > A completely unrelated application is running as a user that can open > the file for read, but not r/w. It then goes to open and read the file > and then gets EIO back or maybe even EROFS. > > Why should that application (which did zero writes) have any reason to > think that the error was due to prior writeback failure by a completely > separate process? Does EROFS make sense when you're attempting to do a > read anyway? > > Moreover, what is that application's remedy in this case? It just wants > to read the file, but may not be able to even open it for write to issue > an fsync to "clear" the error. How do we get things moving again so it > can do what it wants? > > I think your suggestion would open the floodgates for local DoS attacks. Do we really care about processes with write permissions (even only local client-side write permissions) being able to DoS readers? In general readers kinda have to trust writers. --b.