From: Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org>
To: Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: Theodore Ts'o <tytso-3s7WtUTddSA@public.gmane.org>,
Ric Wheeler <rwheeler-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
One Thousand Gnomes
<gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>,
Gregory Farnum <greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org>,
"Martin K. Petersen"
<martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
"Darrick J. Wong"
<darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Jens Axboe <axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
shane.seymour-ZPxbGqLxI0U@public.gmane.org,
Bruce Fields <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>,
linux-fsdevel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>,
Eric Sandeen <esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Date: Wed, 16 Mar 2016 09:33:13 +1100 [thread overview]
Message-ID: <20160315223313.GH30721@dastard> (raw)
In-Reply-To: <CA+55aFwHLJffmN-Dw=yZCGKzxe_2Tm9h2GjdaFL3JdvYXNstRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
On Tue, Mar 15, 2016 at 01:43:01PM -0700, Linus Torvalds wrote:
> On Tue, Mar 15, 2016 at 1:14 PM, Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org> wrote:
> >
> > Root can still change the group id of a file that has exposed stale
> > data and hence make it visible outside of the group based
> > containment wall.
>
> Ok, Dave, now you're just being ridiculous.
>
> The issue has never been - and *should* never be - that stale data
> cannot get out.
Stale data escaping containment is a security issue. Enabling
generic kernel mechanisms to *enable containment escape* is
fundamentally wrong, and relying on userspace to Do The Right Thing
is even more of a gamble, IMO.
> The only issue is that we shouldn't make it ridiculously easy to make
> silly mistakes.
# sudo rsync -a ....
And now the stale data is on another machine without group-based
access containment.
> There's no "group based containment wall" that is some kind of
> absolute protection border.
Precisely my point - it's being pitched as a generic containment
mechanism, but it really isn't.
> Put another way: this is not about theoretical leaks - because those
> are totally irrelevant (in theory, the original discard writer had
> access to all that stale data anyway). This is about making it a
> practical interface that doesn't have serious hidden gotchas.
>
> So stop making silly theoretical arguments that make no sense.
It's a practical concern because if we enable this functionality in
fallocate because it will get used by more than just special storage
apps. i.e. this can't be waved away with "only properly managed
applications will use it" arguments.
> We should make sure that we have _practical_ rules that are sensible,
> but also not painful enough for the people who want to use this in
> _practice_.
Of course. The fact is that most of the people discussing this issue
have very little domain specific expertise.
In _practice_, XFS has *always* been able to turn off unwritten
extents and expose stale data. e.g. see this speed-racer blog from
2003 (first google hit on "xfs bonnie++ optimisation"):
http://everything2.com/title/Filesystem+performance+tweaking+with+XFS+on+Linux
" The first XFS tweak I'll try relates to XFS' practice of
adding a flag to all unwritten extents. This is a safety
feature, and it can be disabled with an option during
filesystem creation time (mkfs.xfs -d unwritten=0). [....]
A few improvements, a few setbacks, they're all at the level
of statistical noise. Disabling unwritten extent flagging
doesn't seem to be terribly useful here."
I also don't make a habit of publicising the fact that since we
disabled the "-d unwritten=X" mkfs parameter (because of speed racer
blogs such as the above and configuration cargo-culting resulting in
unsuspecting users exposing stale data unintentionally) that the
functionality still exists in the kernel code and that it only takes
a single xfs_db command to turn off unwritten extents in XFS. i.e.
we can easily make fallocate on XFS expose stale data, filesystem
wide, without requiring mount options, kernel or application
modifications.
And, yes, I do know of proprietary and non-public storage
applications that have used this capability for years, even though
it is unsupported and performance benefits have only ever been
marginal.
> Reality trumps everything else.
Yes, it does. The reality is we've enabled people who know what they
are doing to expose stale data through preallocation interfaces on
XFS since 1998 and we haven't required kernel API hacks to do this.
> If google is already using this kind of interface, then that is
> _reality_. Take that into account.
Making Google's hack more widely available through the fallocate
API is entirely dependent on proving that:
a) the performance problem still exists;
b) the performance problem exists across multiple
filesytsems and is not isolated to just ext4 or one specific
set of workloads;
c) the performance problem cannot be fixed;
d) ext4 can't implement a simple feature check to turn off
unwritten extents similar to XFS; and
e) if all else fails, that the API hack does not compromise the
security of general users unaware that applications might
be using this functionality.
a), b), c) and d) have not been demonstrated, discussed or iterated -
we've jumped straight to arguing about e). Before anything else,
we need to work through a)-d) because exposing stale data through a
general purpose API is a *last resort*.
Cheers,
Dave.
--
Dave Chinner
david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org
next prev parent reply other threads:[~2016-03-15 22:33 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 4:09 [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Darrick J. Wong
2016-03-02 4:09 ` [PATCH 1/2] block: invalidate the page cache when issuing BLKZEROOUT Darrick J. Wong
2016-03-02 9:19 ` Christoph Hellwig
2016-03-02 4:09 ` [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Darrick J. Wong
2016-03-02 9:20 ` Christoph Hellwig
[not found] ` <20160302040947.16685.42926.stgit-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-02 18:52 ` Linus Torvalds
2016-03-02 22:56 ` Darrick J. Wong
2016-03-02 23:49 ` Linus Torvalds
2016-03-03 17:02 ` Theodore Ts'o
[not found] ` <20160303170205.GD24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 17:55 ` Linus Torvalds
[not found] ` <CA+55aFwPA1X8XGTdVZmP5uzkWMwj+X=bjkGVcEkZDme+qskrzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:00 ` Christoph Hellwig
2016-03-03 18:14 ` Martin K. Petersen
2016-03-03 18:21 ` Theodore Ts'o
[not found] ` <CA+55aFyNPnjJ-Nsu3bMr+HuLQnkj1B8FMddNnXW7HJqxdUzJmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:01 ` Martin K. Petersen
[not found] ` <yq1bn6v8mqg.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 18:09 ` Christoph Hellwig
[not found] ` <20160303180924.GA4116-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-03 18:12 ` Darrick J. Wong
2016-03-03 18:54 ` Martin K. Petersen
[not found] ` <yq1vb5375oh.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 22:39 ` Theodore Ts'o
[not found] ` <20160303223952.GE24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 23:10 ` Dave Chinner
2016-03-04 0:20 ` Theodore Ts'o
2016-03-09 22:20 ` Gregory Farnum
2016-03-09 23:08 ` Theodore Ts'o
2016-03-10 14:58 ` Ric Wheeler
[not found] ` <56E18B9B.5070503-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-03-10 18:33 ` Linus Torvalds
[not found] ` <CA+55aFyw1nN4ze3-AGGE27evOZuXnkJC9C-W5QRUR=zKHqObGg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-10 21:47 ` Theodore Ts'o
2016-03-11 4:42 ` Ric Wheeler
2016-03-11 13:59 ` One Thousand Gnomes
[not found] ` <20160311135952.57a44931-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2016-03-11 15:27 ` Theodore Ts'o
2016-03-11 17:23 ` Linus Torvalds
[not found] ` <CA+55aFwX2GYYN53E9qaTym=gp1aRjSA5f1G+N5WEiRd1dOJhFA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 17:30 ` Andy Lutomirski
2016-03-11 18:25 ` Linus Torvalds
[not found] ` <CA+55aFxQOgDjL643J33d-3q7gYGvyN84vCn4qJq-Ox8E-WRx9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 22:30 ` Dave Chinner
2016-03-12 0:33 ` Linus Torvalds
2016-03-12 0:35 ` Theodore Ts'o
[not found] ` <20160312003556.GF32214-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 0:44 ` Linus Torvalds
2016-03-12 7:19 ` Theodore Ts'o
[not found] ` <20160312071945.GA3419-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 10:11 ` Thomas Schoebel-Theuer
2016-03-13 23:30 ` Dave Chinner
2016-03-14 10:34 ` Ric Wheeler
[not found] ` <56E69398.7030508-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-14 14:46 ` Theodore Ts'o
2016-03-15 20:14 ` Dave Chinner
2016-03-15 20:43 ` Linus Torvalds
[not found] ` <CA+55aFwHLJffmN-Dw=yZCGKzxe_2Tm9h2GjdaFL3JdvYXNstRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 21:29 ` Theodore Ts'o
2016-03-15 22:33 ` Dave Chinner [this message]
2016-03-15 22:52 ` Theodore Ts'o
2016-03-16 1:51 ` Darrick J. Wong
[not found] ` <20160316015139.GC5826-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-16 21:45 ` Andreas Dilger
[not found] ` <7674C689-C07E-4D38-85EB-4FD9B55CBB35-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 0:15 ` Theodore Ts'o
[not found] ` <20160317001502.GF23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-17 0:33 ` Eric Sandeen
2016-03-17 0:59 ` Theodore Ts'o
[not found] ` <56E9FB73.6040803-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-17 5:18 ` Gregory Farnum
2016-03-17 12:36 ` Theodore Ts'o
[not found] ` <CAC6JEv-CGaphHj6hVXUhFS+Dc4jS46nO1yOfKF5yA8AnDwqgOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-17 17:47 ` Linus Torvalds
2016-03-17 17:50 ` Ric Wheeler
2016-03-17 17:59 ` Linus Torvalds
2016-03-17 18:35 ` Chris Mason
[not found] ` <20160317183512.GA76233-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 20:49 ` Andreas Dilger
[not found] ` <819F38A3-51A7-4874-8314-8A6004495716-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 21:00 ` Chris Mason
[not found] ` <20160317210018.GA78710-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-18 3:20 ` Theodore Ts'o
[not found] ` <20160318032023.GK23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 15:15 ` Jeff Moyer
[not found] ` <x491t7795ro.fsf-RRHT56Q3PSP4kTEheFKJxxDDeQx5vsVwAInAS/Ez/D0@public.gmane.org>
2016-03-18 20:05 ` Martin K. Petersen
[not found] ` <CA+55aFzbzXb9ApP5FnVZihWRpWGO1-YnJj_Giip5LfD6=uvf0w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 6:52 ` Gregory Farnum
[not found] ` <CAC6JEv-MuU2sWSvftjHhOhZsE2Fz49Ffv6cm1FMnju5egcyvmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 7:19 ` Linus Torvalds
2016-03-17 1:01 ` Dave Chinner
2016-03-17 2:38 ` Darrick J. Wong
[not found] ` <20160315225224.GD23848-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 22:55 ` NeilBrown
2016-03-15 23:06 ` Linus Torvalds
[not found] ` <CA+55aFxCpza3_3J8kP9E0gLKHiSitZHjC4UMS_ZfZ_HBTC9=Bg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 23:14 ` Linus Torvalds
[not found] ` <CA+55aFw80NXB9L7ooxV0zr3oaf4zWzZAJcb87ib58n=toiCn7g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:08 ` Dave Chinner
2016-03-15 23:52 ` Dave Chinner
2016-03-16 0:06 ` Linus Torvalds
[not found] ` <CA+55aFxZ=feGd+QGdhCN28kjd2XJO3PCj9NBoJJZ5E8_WMJiMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:30 ` Eric Sandeen
[not found] ` <56E8A916.8050702-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-16 0:51 ` Chris Mason
[not found] ` <20160316005117.GA34410-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-16 22:23 ` Chris Mason
[not found] ` <20160316222343.GA53649-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 13:49 ` Ric Wheeler
2016-03-15 22:38 ` Eric Sandeen
2016-03-03 22:56 ` Dave Chinner
2016-03-04 2:30 ` Thomas Schoebel-Theuer
2016-03-03 18:14 ` Linus Torvalds
2016-03-02 9:15 ` [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Arnd Bergmann
2016-03-02 9:44 ` Christoph Hellwig
[not found] ` <20160302094416.GA16631-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-02 10:55 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160315223313.GH30721@dastard \
--to=david-fqsqvqoi3ljby3ivrkzq2a@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org \
--cc=hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=rwheeler-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=shane.seymour-ZPxbGqLxI0U@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).