Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp4344092pxb;
        Tue, 2 Mar 2021 12:39:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxGW6pbOAMPd3hwBhjD0/DgLrUPOaH8bzio3ZI164FsJ5uQTFTDLmauZY3KKlffCaI414Qi
X-Received: by 2002:a50:da8b:: with SMTP id q11mr22747459edj.352.1614717586053;
        Tue, 02 Mar 2021 12:39:46 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1614717586; cv=none;
        d=google.com; s=arc-20160816;
        b=jrfl9WX9moJ/b0rqTOVQm6AL/XUbpW/rmBDg0RV9R5Y1sY6wQX/UNXhnU1W6I2TzUi
         lAGzZBuiidvRhOxfzdBOB34DrQmZSxehSyUynmbd+ADbn7fop8GOYlDz+jb815Gs8azR
         ReatMOnTcQ2omtwZVtiND0r3JP4GzKHVkTeY9kiBF9yJZsS2bIaVG5unMYC+9zTjYSbm
         s35nfdOI99tVR2gmdpBycqQtCpXtuRS3qHzlZmOI5nWqZZH4U1y0pxX3PVWw2zhNHRiG
         tLqCWEGq0WsfblvDVMjPeDU26gWFNxN67str/jkyX25DuOkNVx38NId3lVPT0nhA0V2e
         RpmA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:content-language
         :in-reply-to:mime-version:user-agent:date:message-id:subject:from
         :references:cc:to;
        bh=pUSx/2SL6seqqNCa13HFOFzEUalOhWO8NCLRAAk0/w4=;
        b=wb+cmgFnmHwLBj+nMpWLHePeR/o/xPcMybK4GWE9dJEs+Wxeo1h/Yyt91kb3Q0qLyp
         gtneaU7P5Qvcyz/hqrhA3qOePQCO+3XEpqp+D6+H9rOVJMhrJkXZUiV57YIQ5XM0uAge
         38/xXwWVrWqGgpC9sHpU2u0aqCyl84doJTXvpvpEx2+NgAQNWcQ140NZCSbP/UEIk/KK
         WDRq69UOhkAQ9nO/+fKlYuPyff2K74Vm2dLKd75OPvBexF/3DxmD2OgL9QjbH1rc6DuJ
         bEiSiKUUsv6wkKj93aj5G11kQYsScdJ2guH7WaLrSPItdDSJrDzvW61TpyHpZWQMMsPX
         c6cg==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v13si13998474edl.450.2021.03.02.12.39.22;
        Tue, 02 Mar 2021 12:39:46 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S241533AbhCBHoZ (ORCPT <rfc822;luke.ovalle@gmail.com>
        + 99 others); Tue, 2 Mar 2021 02:44:25 -0500
Received: from mx2.suse.de ([195.135.220.15]:60852 "EHLO mx2.suse.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1836643AbhCBHTZ (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 2 Mar 2021 02:19:25 -0500
X-Virus-Scanned: by amavisd-new at test-mx.suse.de
Received: from relay2.suse.de (unknown [195.135.221.27])
        by mx2.suse.de (Postfix) with ESMTP id C64C2AC54;
        Tue,  2 Mar 2021 07:18:40 +0000 (UTC)
To:     Keith Busch <kbusch@kernel.org>
Cc:     Daniel Wagner <dwagner@suse.de>, Sagi Grimberg <sagi@grimberg.me>,
        Jens Axboe <axboe@fb.com>, Christoph Hellwig <hch@lst.de>,
        linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org
References: <a2064070-b511-ba6d-bd64-0b3abc208356@grimberg.me>
 <20210226123534.4oovbzk4wrnfjp64@beryllium.lan>
 <9e209b12-3771-cdca-2c9d-50451061bd2a@suse.de>
 <20210226161355.GG31593@redsun51.ssa.fujisawa.hgst.com>
 <a42d6285-ff32-3e16-b2b1-808d29f2a743@suse.de>
 <20210226171901.GA3949@redsun51.ssa.fujisawa.hgst.com>
 <20210301132639.n3eowtvkms2n5mog@beryllium.lan>
 <786dcef5-148d-ff34-590c-804b331ac519@suse.de>
 <20210301160547.GB17228@redsun51.ssa.fujisawa.hgst.com>
 <b626504c-3427-e8a5-3502-e44a9e79a006@suse.de>
 <20210301205944.GE17228@redsun51.ssa.fujisawa.hgst.com>
From:   Hannes Reinecke <hare@suse.de>
Subject: Re: [PATCH] nvme-tcp: Check if request has started before processing
 it
Message-ID: <8eb26510-03e1-7923-0f47-2a8d3d539963@suse.de>
Date:   Tue, 2 Mar 2021 08:18:40 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
 Thunderbird/78.7.1
MIME-Version: 1.0
In-Reply-To: <20210301205944.GE17228@redsun51.ssa.fujisawa.hgst.com>
Content-Type: text/plain; charset=utf-8
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 3/1/21 9:59 PM, Keith Busch wrote:
> On Mon, Mar 01, 2021 at 05:53:25PM +0100, Hannes Reinecke wrote:
>> On 3/1/21 5:05 PM, Keith Busch wrote:
>>> On Mon, Mar 01, 2021 at 02:55:30PM +0100, Hannes Reinecke wrote:
>>>> On 3/1/21 2:26 PM, Daniel Wagner wrote:
>>>>> On Sat, Feb 27, 2021 at 02:19:01AM +0900, Keith Busch wrote:
>>>>>> Crashing is bad, silent data corruption is worse. Is there truly no
>>>>>> defense against that? If not, why should anyone rely on this?
>>>>>
>>>>> If we receive an response for which we don't have a started request, we
>>>>> know that something is wrong. Couldn't we in just reset the connection
>>>>> in this case? We don't have to pretend nothing has happened and
>>>>> continuing normally. This would avoid a host crash and would not create
>>>>> (more) data corruption. Or I am just too naive?
>>>>>
>>>> This is actually a sensible solution.
>>>> Please send a patch for that.
>>>
>>> Is a bad frame a problem that can be resolved with a reset?
>>>
>>> Even if so, the reset doesn't indicate to the user if previous commands
>>> completed with bad data, so it still seems unreliable.
>>>
>> We need to distinguish two cases here.
>> The one is use receiving a frame with an invalid tag, leading to a crash.
>> This can be easily resolved by issuing a reset, as clearly the command was
>> garbage and we need to invoke error handling (which is reset).
>>
>> The other case is us receiving a frame with a _duplicate_ tag, ie a tag
>> which is _currently_ valid. This is a case which will fail _even now_, as we
>> have simply no way of detecting this.
>>
>> So what again do we miss by fixing the first case?
>> Apart from a system which does _not_ crash?
> 
> I'm just saying each case is a symptom of the same problem. The only
> difference from observing one vs the other is a race with the host's
> dispatch. And since you're proposing this patch, it sounds like this
> condition does happen on tcp compared to other transports where we don't
> observe it. I just thought the implication that data corruption happens
> is a alarming.
> 
Oh yes, it is.
But sadly TCP inherently suffers from this, as literally anyone can
spoof frames on the network.
Other transports like RDMA or FC do not suffer to that extend as
spoofing frames there is far more elaborate, and not really possible
without dedicated hardware equipment.

That's why there is header and data digest; that will protect you
against accidental frame corruption (as this case clearly is; the
remainder of the frame is filled with zeroes).
It would not protect you against deliberate frame corruption; that's why
there is TPAR 8010 (TLS encryption for NVMe-TCP).

Be it as it may, none of these methods are in use here, and none of
these methods can be made mandatory. So we need to deal with the case at
hand.

And in my opinion crashing is the _worst_ options of all.
Tear the connection down, reset the thing, whatever.

But do not crash.
Customers tend to have a very dim view on crashing machines, and have a
very limited capacity for being susceptible to our reasoning in these cases.

Cheers,

Hannes
-- 
Dr. Hannes Reinecke		           Kernel Storage Architect
hare@suse.de			                  +49 911 74053 688
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nürnberg
HRB 36809 (AG Nürnberg), GF: Felix Imendörffer