On Fri, Apr 05, 2019 at 05:02:33PM +0300, Amir Goldstein wrote: > On Fri, Apr 5, 2019 at 12:17 AM Dave Chinner <david@xxxxxxxxxxxxx> wrote: > > > > On Thu, Apr 04, 2019 at 07:57:37PM +0300, Amir Goldstein wrote: > > > This patch improves performance of mixed random rw workload > > > on xfs without relaxing the atomic buffered read/write guaranty > > > that xfs has always provided. > > > > > > We achieve that by calling generic_file_read_iter() twice. > > > Once with a discard iterator to warm up page cache before taking > > > the shared ilock and once again under shared ilock. > > > > This will race with thing like truncate, hole punching, etc that > > serialise IO and invalidate the page cache for data integrity > > reasons under the IOLOCK. These rely on there being no IO to the > > inode in progress at all to work correctly, which this patch > > violates. IOWs, while this is fast, it is not safe and so not a > > viable approach to solving the problem. > > > > This statement leaves me wondering, if ext4 does not takes > i_rwsem on generic_file_read_iter(), how does ext4 (or any other > fs for that matter) guaranty buffered read synchronization with > truncate, hole punching etc? > The answer in ext4 case is i_mmap_sem, which is read locked > in the page fault handler. Nope, the i_mmap_sem is for serialisation of /page faults/ against truncate, holepunching, etc. Completely irrelevant to the read() path. > And xfs does the same type of synchronization with MMAPLOCK, > so while my patch may not be safe, I cannot follow why from your > explanation, so please explain if I am missing something. mmap_sem inversions require independent locks for IO path and page faults - the MMAPLOCK does not protect anything in the read()/write() IO path. > One thing that Darrick mentioned earlier was that IOLOCK is also > used by xfs to synchronization pNFS leases (probably listed under > 'etc' in your explanation). PNFS leases are separate to the IO locking. All the IO locking does is serialise new IO submission against the process of breaking leases so that extent maps that have been shared under the lease are invalidated correctly. i.e. we can't start IO until the lease has been recalled and the external client has guaranteed it won't read/write data from the stale extent map. If you do IO outside the IOLOCK, then you break those serialisation guarantees and risk data corruption and/or stale data exposure... > I consent that my patch does not look safe > w.r.t pNFS leases, but that can be sorted out with a hammer > #ifndef CONFIG_EXPORTFS_BLOCK_OPS > or with finer instruments. All you see is this: truncate: read() IOLOCK_EXCL flush relevant cached data truncate page cache pre-read page cache between new eof and old eof IOLOCK_SHARED <blocks> start transaction ILOCK_EXCL update isize remove extents .... commit xactn IOLOCK unlock <gets lock> sees beyond EOF, returns 0 So you see the read() doing the right thing (detect EOF, returning short read). Great. But what I see is uptodate pages containing stale data being left in the page cache beyond EOF. That is th eproblem here - truncate must not leave stale pages beyond EOF behind - it's the landmine that causes future things to go wrong. e.g. now the app does post-eof preallocation so the range those pages are cached over are allocated as unwritten - the filesystem will do this without even looking at the page cache because it's beyond EOF. Now we extend the file past those cached pages, and iomap_zero() sees the range as unwritten and so does not write zeros to the blocks between the old EOF and the new EOF. Now the app reads from that range (say it does a sub-page write, triggering a page cache RMW cycle). the read goes to instantiate the page cache page, finds a page already in the cache that is uptodate, and uses it without zeroing or reading from disk. And now we have stale data exposure and/or data corruption. If can come up with quite a few scenarios where this particular "populate cache after invalidation" race can cause similar problems for XFS. Hole punch and most of the other fallocate extent manipulations have the same serialisation requirements - no IO over the range of the operation can be *initiated* between the /start/ of the page cache invalidation and the end of the specific extent manipulation operation. So how does ext4 avoid this problem on truncate? History lesson: truncate in Linux (and hence ext4) has traditionally been serialised by the hacky post-page-lock checks that are strewn all through the page cache and mm/ subsystem. i.e. every time you look up and lock a page cache page, you have to check the page->mapping and page->index to ensure that the lookup-and-lock hasn't raced with truncate. This only works because truncate requires the inode size to be updated before invalidating the page cache - that's the "hacky" part of it. IOWs, the burden of detecting truncate races is strewn throughout the mm/ subsystem, rather than being the responisibility of the filesystem. This is made worse by the fact this mechanism simply doesn't work for hole punching because there is no file size change to indicate that the page lookup is racing with an in-progress invalidation. That means the mm/ and page cache code is unable to detect hole punch races, and so the serialisation of invalidation vs page cache instantiation has to be done in the filesystem. And no Linux native filesystem had the infrastructure for such serialisation because they never had to implement anything to ensure truncate was serialised against new and in-progress IO. The result of this is that, AFAICT, ext4 does not protect against read() vs hole punch races - it's hole punching code it does: Hole Punch: read(): inode_lock() inode_dio_wait(inode); down_write(i_mmap_sem) truncate_pagecache_range() ext4_file_iter_read() ext4_map_blocks() down_read(i_data_sem) <gets mapping> <populates page cache over hole> <reads stale data into cache> ..... down_write(i_data_sem) remove extents IOWs, ext4 is safe against truncate because of the change-inode-size-before-invalidation hacks, but the lack of serialise buffered reads means that hole punch and other similar fallocate based extent manipulations can race against reads.... > However, I am still interested to continue the discussion on my POC > patch. One reason is that I am guessing it would be much easier for > distros to backport and pick up to solve performance issues. Upstream first, please. If it's not fit for upstream, then it most definitely is not fit for backporting to distro kernels. Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx