From: Ric Wheeler <rwheeler-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
To: Dave Chinner <david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org>,
Linus Torvalds
<torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>
Cc: Theodore Ts'o <tytso-3s7WtUTddSA@public.gmane.org>,
Andy Lutomirski <luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org>,
One Thousand Gnomes
<gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>,
Gregory Farnum <greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org>,
"Martin K. Petersen"
<martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Christoph Hellwig <hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>,
"Darrick J. Wong"
<darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org>,
Jens Axboe <axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org>,
Andrew Morton
<akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org>,
Linux API <linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Linux Kernel Mailing List
<linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
shane.seymour-ZPxbGqLxI0U@public.gmane.org,
Bruce Fields <bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org>,
linux-fsdevel
<linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Jeff Layton <jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org>,
Eric Sandeen <esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
Subject: Re: [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks
Date: Mon, 14 Mar 2016 06:34:00 -0400 [thread overview]
Message-ID: <56E69398.7030508@redhat.com> (raw)
In-Reply-To: <20160313233049.GA30721@dastard>
On 03/13/2016 07:30 PM, Dave Chinner wrote:
> On Fri, Mar 11, 2016 at 04:44:16PM -0800, Linus Torvalds wrote:
>> On Fri, Mar 11, 2016 at 4:35 PM, Theodore Ts'o <tytso-3s7WtUTddSA@public.gmane.org> wrote:
>>> At the end of the day it's about whether you trust the userspace
>>> program or not.
>> There's a big difference between "give the user rope", and "tie the
>> rope in a noose and put a banana peel so that the user might stumble
>> into the rope and hang himself", though.
>>
>> So I do think that Dave is right that we should also strive to make
>> sure that our interfaces are not just secure in theory, but that they
>> are also good interfaces to make mistakes less likely.
> At which point I have to ask: how do we safely allow filesystems to
> expose stale data in files? There's a big "we need to trust
> userspace" component in ever proposal that has been made so far -
> that's the part I have extreme trouble with.
>
> For example, what happens when a backup process running as root a
> file that has exposed stale data? Yes, we could set the "NODUMP"
> flag on the inode to tell backup programs to skip backing up such
> files, but we're now trusting some random userspace application
> (e.g. tar, rsync, etc) not to do something we don't want it to do
> with the data in that file.
>
> AFAICT, we can't stop root from copying files that have exposed
> stale data or changing their ownership without some kind of special
> handling of "contains stale data" files within the kernel. At this
> point we are back to needing persistent tracking of the "exposed
> stale data" state in the inode as the only safe way to allow us to
> expose stale data. That's fairly ironic given that the stated
> purpose of exposing stale data through fallocate is to avoid the
> overhead of the existing mechanisms we use to track extents
> containing stale data....
I think that once we enter this mode, the local file system has effectively
ceded its role to prevent stale data exposure to the upper layer. In effect,
this ceases to become a normal file system for any enabled process if we control
this through fallocate() or for all processes if we do the brute force mount
option that would be file system wide.
That means we would not need to track this. Extents would be marked as if they
always have had valid data (no more allocated but unwritten state).
In the end, that is the actual goal - move this enforcement up a layer for
overlay/user space file systems that are then responsible for policing this ind
of thing.
Regards,
Ric
>
>> I think we _should_ give users rope, but maybe we should also make
>> sure that there isn't some hidden rapidly spinning saw-blade right
>> next to the rope that the user doesn't even think about.
> IMO we already have a good, safe interface that provides the rope
> without the saw blades. I'm happy to be proven wrong, but IMO I
> don't see that we can provide stale data exposure in a safe,
> non-saw-bladey way without any kernel/filesystem side overhead.....
>
> Cheers,
>
> Dave.
next prev parent reply other threads:[~2016-03-14 10:34 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-02 4:09 [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Darrick J. Wong
2016-03-02 4:09 ` [PATCH 1/2] block: invalidate the page cache when issuing BLKZEROOUT Darrick J. Wong
2016-03-02 9:19 ` Christoph Hellwig
2016-03-02 4:09 ` [PATCH 2/2] block: create ioctl to discard-or-zeroout a range of blocks Darrick J. Wong
2016-03-02 9:20 ` Christoph Hellwig
[not found] ` <20160302040947.16685.42926.stgit-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-02 18:52 ` Linus Torvalds
2016-03-02 22:56 ` Darrick J. Wong
2016-03-02 23:49 ` Linus Torvalds
2016-03-03 17:02 ` Theodore Ts'o
[not found] ` <20160303170205.GD24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 17:55 ` Linus Torvalds
[not found] ` <CA+55aFwPA1X8XGTdVZmP5uzkWMwj+X=bjkGVcEkZDme+qskrzQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:00 ` Christoph Hellwig
2016-03-03 18:14 ` Martin K. Petersen
2016-03-03 18:21 ` Theodore Ts'o
[not found] ` <CA+55aFyNPnjJ-Nsu3bMr+HuLQnkj1B8FMddNnXW7HJqxdUzJmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-03 18:01 ` Martin K. Petersen
[not found] ` <yq1bn6v8mqg.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 18:09 ` Christoph Hellwig
[not found] ` <20160303180924.GA4116-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-03 18:12 ` Darrick J. Wong
2016-03-03 18:54 ` Martin K. Petersen
[not found] ` <yq1vb5375oh.fsf-+q57XtR/GgMb6DWv4sQWN6xOck334EZe@public.gmane.org>
2016-03-03 22:39 ` Theodore Ts'o
[not found] ` <20160303223952.GE24012-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-03 23:10 ` Dave Chinner
2016-03-04 0:20 ` Theodore Ts'o
2016-03-09 22:20 ` Gregory Farnum
2016-03-09 23:08 ` Theodore Ts'o
2016-03-10 14:58 ` Ric Wheeler
[not found] ` <56E18B9B.5070503-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2016-03-10 18:33 ` Linus Torvalds
[not found] ` <CA+55aFyw1nN4ze3-AGGE27evOZuXnkJC9C-W5QRUR=zKHqObGg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-10 21:47 ` Theodore Ts'o
2016-03-11 4:42 ` Ric Wheeler
2016-03-11 13:59 ` One Thousand Gnomes
[not found] ` <20160311135952.57a44931-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org>
2016-03-11 15:27 ` Theodore Ts'o
2016-03-11 17:23 ` Linus Torvalds
[not found] ` <CA+55aFwX2GYYN53E9qaTym=gp1aRjSA5f1G+N5WEiRd1dOJhFA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 17:30 ` Andy Lutomirski
2016-03-11 18:25 ` Linus Torvalds
[not found] ` <CA+55aFxQOgDjL643J33d-3q7gYGvyN84vCn4qJq-Ox8E-WRx9w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-11 22:30 ` Dave Chinner
2016-03-12 0:33 ` Linus Torvalds
2016-03-12 0:35 ` Theodore Ts'o
[not found] ` <20160312003556.GF32214-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 0:44 ` Linus Torvalds
2016-03-12 7:19 ` Theodore Ts'o
[not found] ` <20160312071945.GA3419-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-12 10:11 ` Thomas Schoebel-Theuer
2016-03-13 23:30 ` Dave Chinner
2016-03-14 10:34 ` Ric Wheeler [this message]
[not found] ` <56E69398.7030508-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-14 14:46 ` Theodore Ts'o
2016-03-15 20:14 ` Dave Chinner
2016-03-15 20:43 ` Linus Torvalds
[not found] ` <CA+55aFwHLJffmN-Dw=yZCGKzxe_2Tm9h2GjdaFL3JdvYXNstRw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 21:29 ` Theodore Ts'o
2016-03-15 22:33 ` Dave Chinner
2016-03-15 22:52 ` Theodore Ts'o
2016-03-16 1:51 ` Darrick J. Wong
[not found] ` <20160316015139.GC5826-PTl6brltDGh4DFYR7WNSRA@public.gmane.org>
2016-03-16 21:45 ` Andreas Dilger
[not found] ` <7674C689-C07E-4D38-85EB-4FD9B55CBB35-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 0:15 ` Theodore Ts'o
[not found] ` <20160317001502.GF23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-17 0:33 ` Eric Sandeen
2016-03-17 0:59 ` Theodore Ts'o
[not found] ` <56E9FB73.6040803-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-17 5:18 ` Gregory Farnum
2016-03-17 12:36 ` Theodore Ts'o
[not found] ` <CAC6JEv-CGaphHj6hVXUhFS+Dc4jS46nO1yOfKF5yA8AnDwqgOw-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-17 17:47 ` Linus Torvalds
2016-03-17 17:50 ` Ric Wheeler
2016-03-17 17:59 ` Linus Torvalds
2016-03-17 18:35 ` Chris Mason
[not found] ` <20160317183512.GA76233-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 20:49 ` Andreas Dilger
[not found] ` <819F38A3-51A7-4874-8314-8A6004495716-m1MBpc4rdrD3fQ9qLvQP4Q@public.gmane.org>
2016-03-17 21:00 ` Chris Mason
[not found] ` <20160317210018.GA78710-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-18 3:20 ` Theodore Ts'o
[not found] ` <20160318032023.GK23593-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 15:15 ` Jeff Moyer
[not found] ` <x491t7795ro.fsf-RRHT56Q3PSP4kTEheFKJxxDDeQx5vsVwAInAS/Ez/D0@public.gmane.org>
2016-03-18 20:05 ` Martin K. Petersen
[not found] ` <CA+55aFzbzXb9ApP5FnVZihWRpWGO1-YnJj_Giip5LfD6=uvf0w-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 6:52 ` Gregory Farnum
[not found] ` <CAC6JEv-MuU2sWSvftjHhOhZsE2Fz49Ffv6cm1FMnju5egcyvmQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-18 7:19 ` Linus Torvalds
2016-03-17 1:01 ` Dave Chinner
2016-03-17 2:38 ` Darrick J. Wong
[not found] ` <20160315225224.GD23848-AKGzg7BKzIDYtjvyW6yDsg@public.gmane.org>
2016-03-18 22:55 ` NeilBrown
2016-03-15 23:06 ` Linus Torvalds
[not found] ` <CA+55aFxCpza3_3J8kP9E0gLKHiSitZHjC4UMS_ZfZ_HBTC9=Bg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-15 23:14 ` Linus Torvalds
[not found] ` <CA+55aFw80NXB9L7ooxV0zr3oaf4zWzZAJcb87ib58n=toiCn7g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:08 ` Dave Chinner
2016-03-15 23:52 ` Dave Chinner
2016-03-16 0:06 ` Linus Torvalds
[not found] ` <CA+55aFxZ=feGd+QGdhCN28kjd2XJO3PCj9NBoJJZ5E8_WMJiMA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-03-16 0:30 ` Eric Sandeen
[not found] ` <56E8A916.8050702-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-03-16 0:51 ` Chris Mason
[not found] ` <20160316005117.GA34410-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-16 22:23 ` Chris Mason
[not found] ` <20160316222343.GA53649-HIXDwvFErZjFYCXBM6kdu7fOX0fSgVTm@public.gmane.org>
2016-03-17 13:49 ` Ric Wheeler
2016-03-15 22:38 ` Eric Sandeen
2016-03-03 22:56 ` Dave Chinner
2016-03-04 2:30 ` Thomas Schoebel-Theuer
2016-03-03 18:14 ` Linus Torvalds
2016-03-02 9:15 ` [PATCH v5.1 0/2] create BLKZEROOUT ioctl that invalidates page cache Arnd Bergmann
2016-03-02 9:44 ` Christoph Hellwig
[not found] ` <20160302094416.GA16631-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org>
2016-03-02 10:55 ` Arnd Bergmann
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56E69398.7030508@redhat.com \
--to=rwheeler-h+wxahxf7alqt0dzr+alfa@public.gmane.org \
--cc=akpm-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=axboe-tSWWG44O7X1aa/9Udqfwiw@public.gmane.org \
--cc=bfields-uC3wQj2KruNg9hUCZPvPmw@public.gmane.org \
--cc=darrick.wong-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=david-FqsqvQoI3Ljby3iVrkZq2A@public.gmane.org \
--cc=esandeen-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org \
--cc=gnomes-qBU/x9rampVanCEyBjwyrvXRex20P6io@public.gmane.org \
--cc=greg-3KCAGdo1P2hBDgjK7y7TUQ@public.gmane.org \
--cc=hch-wEGCiKHe2LqWVfeAwA7xHQ@public.gmane.org \
--cc=jlayton-vpEMnDpepFuMZCB2o+C8xQ@public.gmane.org \
--cc=linux-api-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-fsdevel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=linux-kernel-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
--cc=luto-kltTT9wpgjJwATOyAt5JVQ@public.gmane.org \
--cc=martin.petersen-QHcLZuEGTsvQT0dZR+AlfA@public.gmane.org \
--cc=shane.seymour-ZPxbGqLxI0U@public.gmane.org \
--cc=torvalds-de/tnXTf+JLsfHDXvbKv3WD2FQJk+8+b@public.gmane.org \
--cc=tytso-3s7WtUTddSA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).