Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp2738568imm;
        Tue, 4 Sep 2018 09:13:47 -0700 (PDT)
X-Google-Smtp-Source: ANB0VdZpyehMvPuWbmj4IpTuNrTicJuYmWZh3jpJ7nt8IaSeevJvkY5VrEAlvy56UJcMWQ5kBbpt
X-Received: by 2002:a62:de04:: with SMTP id h4-v6mr31720239pfg.258.1536077627004;
        Tue, 04 Sep 2018 09:13:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1536077626; cv=none;
        d=google.com; s=arc-20160816;
        b=iOqRK9Yu8/VxtYUjMKaWdfGAEDBpLRvtLPBREVAhKokFI8K1Wy08oUEMaWJYZo22ps
         p3Fa6hTYDly9RthbtI+pcLb7vzL36xmmfNvWHFkyT5rwWgMGNLEcji6W6fLSFxH8uaK2
         BFi+anweTmBfyFTw9txklJzuOPbMUhj03etG6UxTdP/DdICs3vnubfotBq7SwfRmCEX2
         ra3EdBo3OTXKUlD5Kx2rvERK0yf9MIF3/cqqcVsdia5dviylQj3xgPwFlJqCe0a2xdOD
         RXnBMxplcgJ7NQXo5YPFMfz6bRKth2VkS3CE7bk4MMSyGoY+18qVB77hE0NM8kq22pZE
         IFSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:from:user-agent:in-reply-to
         :content-transfer-encoding:content-disposition:mime-version
         :references:message-id:subject:cc:to:date:arc-authentication-results;
        bh=rw2TI4MrB2ZFN+k+cGdC8PIIubIiqxYmV1uF+BmeTsE=;
        b=qsbEww0v8rTV0iAAkxWfipQMD0SnjpikkmPnEhRIm9w3U1fR+fsQ9MGCHZk85aUVcE
         l1iIkfzwju6ZGxaKglOHTRZcTKboA1QjQNZCQU2UpQMr4xXr/KmPcMfYTDv56a+uuyCC
         10xf6otmn3Yhs0rTM/RVGEt9cUiIcYlsdUHzq7KFl0rML+4d7rc1upKhogS8uUFIdlBO
         dDBASP4kVasxCqcsxBrOEtJxJcaqbGI3h7MTdYSyWZypyI89jrIhaAnxmA/0P6t3tz7V
         MptbRnlwRawpwiV6l/GYtW/5ofYR+CybpRUAauqSeu5C5Ib/DKSieKSRgik8jRqnIUDC
         8b+A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id a9-v6si20773816pgf.380.2018.09.04.09.13.31;
        Tue, 04 Sep 2018 09:13:46 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727513AbeIDUhv (ORCPT <rfc822;414256we@gmail.com> + 99 others);
        Tue, 4 Sep 2018 16:37:51 -0400
Received: from fieldses.org ([173.255.197.46]:56328 "EHLO fieldses.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726347AbeIDUhv (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 4 Sep 2018 16:37:51 -0400
Received: by fieldses.org (Postfix, from userid 2815)
        id 596301DCB; Tue,  4 Sep 2018 12:12:03 -0400 (EDT)
Date:   Tue, 4 Sep 2018 12:12:03 -0400
To:     Jeff Layton <jlayton@redhat.com>
Cc:     =?utf-8?B?54Sm5pmT5Yas?= <milestonejxd@gmail.com>,
        R.E.Wolff@bitwizard.nl, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: Re: POSIX violation by writeback error
Message-ID: <20180904161203.GD17478@fieldses.org>
References: <CAJDTihz-rFb2SGaxZsQnXGnee_2qW_ynhPe=tZ4yzQBSV_KQ1g@mail.gmail.com>
 <20180904075347.GH11854@BitWizard.nl>
 <CAJDTihzqn3whQ47uUOxGYk4Je4S10ehNEQCtfb=j--iCsdDqgQ@mail.gmail.com>
 <82ffc434137c2ca47a8edefbe7007f5cbecd1cca.camel@redhat.com>
 <CAJDTihw7T8WLme09W8VHCRfiALq4fxg1ZsywcSjn6hXsAw5wRw@mail.gmail.com>
 <cd137e88c9e882200c08c7336aa7b5a1c84a7ba3.camel@redhat.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <cd137e88c9e882200c08c7336aa7b5a1c84a7ba3.camel@redhat.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
From:   bfields@fieldses.org (J. Bruce Fields)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 04, 2018 at 11:44:20AM -0400, Jeff Layton wrote:
> On Tue, 2018-09-04 at 22:56 +0800, 焦晓冬 wrote:
> > A practical and concrete example may be,
> > A disk cleaner program that first searches for garbage files that won't be used
> > anymore and save the list in a file (open()-write()-close()) and wait for the
> > user to confirm the list of files to be removed.  A writeback error occurs
> > and the related page/inode/address_space gets evicted while the user is
> > taking a long thought about it. Finally, the user hits enter and the
> > cleaner begin
> > to open() read() the list again. But what gets removed is the old list
> > of files that
> > was generated several months ago...
> > 
> > Another example may be,
> > An email editor and a busy mail sender. A well written mail to my boss is
> > composed by this email editor and is saved in a file (open()-write()-close()).
> > The mail sender gets notified with the path of the mail file to queue it and
> > send it later. A writeback error occurs and the related
> > page/inode/address_space gets evicted while the mail is still waiting in the
> > queue of the mail sender. Finally, the mail file is open() read() by the sender,
> > but what is sent is the mail to my girlfriend that was composed yesterday...
> > 
> > In both cases, the files are not meant to be persisted onto the disk.
> > So, fsync()
> > is not likely to be called.
> > 
> 
> So at what point are you going to give up on keeping the data? The
> fundamental problem here is an open-ended commitment. We (justifiably)
> avoid those in kernel development because it might leave the system
> without a way out of a resource crunch.

Well, I think the point was that in the above examples you'd prefer that
the read just fail--no need to keep the data.  A bit marking the file
(or even the entire filesystem) unreadable would satisfy posix, I guess.
Whether that's practical, I don't know.

> > - If the following read() could be served by a page in memory, just returns the
> > data. If the following read() could not be served by a page in memory and the
> > inode/address_space has a writeback error mark, returns EIO.
> > If there is a writeback error on the file, and the request data could
> > not be served
> > by a page in memory, it means we are reading a (partically) corrupted
> > (out-of-data)
> > file. Receiving an EIO is expected.
> > 
> 
> No, an error on read is not expected there. Consider this:
> 
> Suppose the backend filesystem (maybe an NFSv3 export) is really r/o,
> but was mounted r/w. An application queues up a bunch of writes that of
> course can't be written back (they get EROFS or something when they're
> flushed back to the server), but that application never calls fsync.
> 
> A completely unrelated application is running as a user that can open
> the file for read, but not r/w. It then goes to open and read the file
> and then gets EIO back or maybe even EROFS.
> 
> Why should that application (which did zero writes) have any reason to
> think that the error was due to prior writeback failure by a completely
> separate process? Does EROFS make sense when you're attempting to do a
> read anyway?
> 
> Moreover, what is that application's remedy in this case? It just wants
> to read the file, but may not be able to even open it for write to issue
> an fsync to "clear" the error. How do we get things moving again so it
> can do what it wants?
> 
> I think your suggestion would open the floodgates for local DoS attacks.

Do we really care about processes with write permissions (even only
local client-side write permissions) being able to DoS readers?  In
general readers kinda have to trust writers.

--b.