Andiry
commented
3 years ago Thanks for the findings. Care to send a PR?
Open pcworld opened 3 years ago
Andiry
commented
3 years ago Thanks for the findings. Care to send a PR?
pcworld
commented
2 years ago I'm short on time, but there is the following workaround (it performs unnecessary flushes, but is at least correct hopefully):
--- a/fs/nova/nova.h
+++ b/fs/nova/nova.h
@@ -263,6 +263,9 @@ static inline int memcpy_to_pmem_nocache(void *dst, const void *src,
ret = __copy_from_user_inatomic_nocache(dst, src, size);
+ nova_flush_buffer(dst, size, 1);
+
return ret;
}A better fix would be to only call nova_flush_buffer on beginning/end where alignment does not match. The code for that should be simple, but needs to be carefully written and tested to be completely sure it works in all cases, which is why I haven't submitted a PR yet.
Andiry
commented
2 years ago I think the proposed fix is too heavy. I think for most of the time we do meet the alignment requirements, right? Perhaps performing nova_flush_buffer here with a check of alignments?
pcworld
commented
2 years ago I think for most of the time we do meet the alignment requirements, right?
I have also observed other cases where this bug hits: Symlink creation (target name), and also renaming files to long file names (longer than cache line size) or creating new files with long names.
I have found that PMFS already specifically handles this issue: https://github.com/linux-pmfs/pmfs/blob/28aaf606ff076080a72174e9f5a7be13979a8b97/fs/pmfs/xip.c#L81-L84
Perhaps pmfs_flush_edge_cachelines can just be reused in NOVA.
NOVA's function
memcpy_to_pmem_nocacheis commonly used in NOVA, and is defined as follows: https://github.com/NVSL/linux-nova/blob/587e25223ee415ccd1a7a831d95f7ccfa51b0259/fs/nova/nova.h#L259-L267The naming seems to imply that this function guarantees the cache to be bypassed and thus the data to be persisted without need of explicit flushing. And indeed, this assumption is followed in at least one place of NOVA, as shown later.
Following the definition of
__copy_from_user_inatomic_nocache(on x86_64) to__copy_user_nocache, we find the following documentation: https://github.com/NVSL/linux-nova/blob/587e25223ee415ccd1a7a831d95f7ccfa51b0259/arch/x86/lib/copy_user_64.S#L196-L205Following the assembly code, we find that:
ALIGN_DESTINATIONmacro will perform cached copy) and the size must be a multiple of 4 bytes to ensure that everything is copied using non-temporal instructions.Some places in NOVA use
memcpy_to_pmem_nocachebut still perform explicit flushing, e.g. through thenova_update_entry_csumfunction, which implicitly flushes the buffer. These cases could be considered performance bugs, but do not affect crash consistency.However, at least one place exists in which use of
memcpy_to_pmem_nocachecurrently leads to a violation of crash consistency guarantees (I have not thoroughly looked for other cases so there might be more):nova_cow_file_writecallsdo_nova_cow_file_writewhich callsmemcpy_to_pmem_nocacheto copy file contents to persistent memory and does not perform further flushing.Consider this shell script:
The string
HelloWor(8 bytes) is copied usingmovnti, however the rest of the bytesl,d,\nare copied using a temporalmovinstruction. Thus, the last three bytes are not guaranteed to be persisted. If the system crashes after thesyncsystem call succeeded but the last three bytes have not yet been persisted, recovering the file system and reading /mnt/myfile will only yieldHelloWor\0\0\0as the file content, which violates the guarantees of thesyncsystem call.Suggested fix
In NOVA's
memcpy_to_pmem_nocache, after the call to__copy_from_user_inatomic_nocache: If the function arguments do not fulfill the alignment requirements outlined above, explicitly callnova_flush_bufferwith the bytes at the beginning and/or the end of the buffer.