Date: Tue, 4 Sep 2018 13:35:34 -0700
From: Vito Caputo
To: Jeff Layton
Cc: "J. Bruce Fields", Rogier Wolff, 焦晓冬, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: POSIX violation by writeback error
Message-ID: <20180904203534.yumaest6v5p6izln@shells.gnugeneration.com>
References: <20180904075347.GH11854@BitWizard.nl> <82ffc434137c2ca47a8edefbe7007f5cbecd1cca.camel@redhat.com> <20180904161203.GD17478@fieldses.org> <20180904162348.GN17123@BitWizard.nl> <20180904185411.GA22166@fieldses.org>
User-Agent: NeoMutt/20170113 (1.7.2)
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Sep 04, 2018 at 04:18:18PM -0400, Jeff Layton wrote:
> On Tue, 2018-09-04 at 14:54 -0400, J. Bruce Fields wrote:
> > On Tue, Sep 04, 2018 at 06:23:48PM +0200, Rogier Wolff wrote:
> > > On Tue, Sep 04, 2018 at 12:12:03PM -0400, J. Bruce Fields wrote:
> > > > Well, I think the point was that in the above examples you'd prefer that
> > > > the read just fail--no need to keep the data. A bit marking the file
> > > > (or even the entire filesystem) unreadable would satisfy posix, I guess.
> > > > Whether that's practical, I don't know.
> > >
> > > When you would do it like that (mark the whole filesystem as "in
> > > error") things go from bad to worse even faster. The Linux kernel
> > > tries to keep the system up even in the face of errors.
> > >
> > > With that suggestion, having one application run into a writeback
> > > error would effectively crash the whole system because the filesystem
> > > may be the root filesystem and stuff like "sshd" that you need to
> > > diagnose the problem needs to be read from the disk....
> >
> > Well, the absolutist position on posix compliance here would be that a
> > crash is still preferable to returning the wrong data. And for the
> > cases 焦晓冬 gives, that sounds right?
> > Maybe it's the wrong balance in
> > general, I don't know. And we do already have filesystems with
> > panic-on-error options, so if they aren't used then maybe users
> > have already voted against that level of strictness.
>
> Yeah, idk. The problem here is that this is squarely in the domain of
> implementation defined behavior. I do think that the current "policy"
> (if you call it that) of what to do after a wb error is weird and wrong.
> What we probably ought to do is start considering how we'd like it to
> behave.
>
> How about something like this?
>
> Mark the pages as "uncleanable" after a writeback error. We'll satisfy
> reads from the cached data until someone calls fsync, at which point
> we'd return the error and invalidate the uncleanable pages.
>
> If no one calls fsync and scrapes the error, we'll hold on to it for as
> long as we can (or up to some predefined limit) and then after that
> we'll invalidate the uncleanable pages and start returning errors on
> reads. If someone eventually calls fsync afterward, we can return to
> normal operation.
>
> As always though...what about mmap? Would we need to SIGBUS at the point
> where we'd start returning errors on read()?
>
> Would that approximate the current behavior enough and make sense?
> Implementing it all sounds non-trivial though...
>

Here's a crazy and potentially stupid idea:

Implement a new class of swap space for backing dirty pages which fail to
write back. Pages in this space survive reboots, essentially backing the
implicit commitment POSIX establishes in the face of asynchronous writeback
errors. Rather than evicting these pages as clean, they are swapped out to
the persistent swap.

Administrators then decide if they want to throw some cheap storage at
enabling this coverage, or live with the existing risks.

I think it may be an interesting approach, enabling administrators to
repair primary storage while operating in a degraded mode.

Then once things are corrected, there would be a way to evict pages from
persistent swap for another shot at writeback to primary storage.

Regards,
Vito Caputo
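The "uncleanable pages" policy Jeff Layton sketches in the quoted text, written out as a small single-page state model in C so that what read() and fsync() return at each step can be checked; this is an added example, not kernel code or anything posted in the thread, and the hold limit, the disk_ok flag and the struct layout are assumptions of the model.

```c
#include <errno.h>
#include <string.h>

/* Added model of the page-cache policy proposed in the thread (not kernel
 * code): one cached page whose state follows the "uncleanable" proposal. */
enum pstate { CLEAN, DIRTY, UNCLEANABLE, INVALID };
struct page {
    enum pstate state;
    char disk[16];       /* contents of the backing store */
    char cache[16];      /* contents held by the page cache (same as disk when clean) */
    int pending_error;   /* writeback error not yet reported by fsync */
    int hold_remaining;  /* the "predefined limit" before invalidation (assumed) */
};

/* write(2): data lands in the cache and the page becomes dirty. */
static void page_write(struct page *p, const char *buf) {
    strncpy(p->cache, buf, sizeof p->cache - 1);
    p->cache[sizeof p->cache - 1] = '\0';
    p->state = DIRTY;
}
/* Writeback attempt: on failure the page stays "uncleanable" instead of being
 * marked clean, so read() keeps returning what the application wrote. */
static void page_writeback(struct page *p, int disk_ok) {
    if (p->state != DIRTY && p->state != UNCLEANABLE) return;
    if (disk_ok) { memcpy(p->disk, p->cache, sizeof p->disk); p->state = CLEAN; return; }
    p->state = UNCLEANABLE;
    p->pending_error = EIO;
}
/* Time passing with nobody calling fsync: at the hold limit the uncleanable
 * page is dropped and read() fails rather than serving data that never hit disk. */
static void page_tick(struct page *p) {
    if (p->state == UNCLEANABLE && --p->hold_remaining <= 0) p->state = INVALID;
}
/* read(2): cache while dirty/uncleanable, disk when clean, -EIO once invalid. */
static int page_read(const struct page *p, char *out, size_t len) {
    if (p->state == INVALID) return -EIO;
    strncpy(out, p->state == CLEAN ? p->disk : p->cache, len - 1);
    out[len - 1] = '\0';
    return 0;
}
/* fsync(2): retry writeback, report any pending error exactly once (even if
 * the retry succeeded), drop still-uncleanable pages and return to normal. */
static int page_fsync(struct page *p, int disk_ok) {
    page_writeback(p, disk_ok);
    int err = p->pending_error;
    p->pending_error = 0;
    if (p->state == UNCLEANABLE || p->state == INVALID) p->state = CLEAN;
    return -err;
}
```

The two paths worth tracing are a failed writeback followed by silence until the hold limit expires (reads switch from cached data to -EIO, the next fsync reports the error once and reads revert to the on-disk contents) and a failed writeback followed promptly by fsync once the device recovers (the error is still reported once, but the data reaches disk).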