From: Daeho Jeong <daeho43@gmail.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net, kernel-team@android.com,
Daeho Jeong <daehojeong@google.com>
Subject: Re: [f2fs-dev] [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl
Date: Wed, 10 Jun 2020 12:55:40 +0900 [thread overview]
Message-ID: <CACOAw_wErOPC=Kf3UU8nFGhWRy84ZnCeJbsyPhSCcXv51B_XxQ@mail.gmail.com> (raw)
In-Reply-To: <20200610031532.GA6286@sol.localdomain>
> >
> > To prevent the file data from garbage collecting, the user needs to
> > use pinfile ioctl and fallocate system call after creating the file.
> > The sequence is like below.
> > 1. create an empty file
> > 2. pinfile
> > 3. fallocate()
>
> Is that persistent? So the file will never be moved afterwards?
>
> Is there a place where this is (or should be) documented?
Yes, this is persistent. F2FS_IOC_SET_PIN_FILE ioctl is to prevent
file data from moving and being garbage collected, and further update
to the file will be handled in in-place update manner.
I don't see any document on this, but you can find the below in
Documentation/filesystems/f2fs.rst
However, once F2FS receives ioctl(fd, F2FS_IOC_SET_PIN_FILE) in prior to
fallocate(fd, DEFAULT_MODE), it allocates on-disk blocks addresses having
zero or random data, which is useful to the below scenario where:
1. create(fd)
2. ioctl(fd, F2FS_IOC_SET_PIN_FILE)
3. fallocate(fd, 0, 0, size)
4. address = fibmap(fd, offset)
5. open(blkdev)
6. write(blkdev, address)
> Right, the freezing check is actually still necessary. But getting write access
> to the mount is not necessary. I think you should use file_start_write() and
> file_end_write(), like vfs_write() does.
Yes, agreed.
2020년 6월 10일 (수) 오후 12:15, Eric Biggers <ebiggers@kernel.org>님이 작성:
>
> On Wed, Jun 10, 2020 at 11:05:46AM +0900, Daeho Jeong wrote:
> > > > Added a new ioctl to send discard commands or/and zero out
> > > > to whole data area of a regular file for security reason.
> > >
> > > With this ioctl available, what is the exact procedure to write and then later
> > > securely erase a file on f2fs? In particular, how can the user prevent f2fs
> > > from making multiple copies of file data blocks as part of garbage collection?
> > >
> >
> > To prevent the file data from garbage collecting, the user needs to
> > use pinfile ioctl and fallocate system call after creating the file.
> > The sequence is like below.
> > 1. create an empty file
> > 2. pinfile
> > 3. fallocate()
>
> Is that persistent? So the file will never be moved afterwards?
>
> Is there a place where this is (or should be) documented?
>
> > > > +
> > > > + if (f2fs_readonly(sbi->sb))
> > > > + return -EROFS;
> > >
> > > Isn't this redundant with mnt_want_write_file()?
> > >
> > > Also, shouldn't write access to the file be required, i.e.
> > > (filp->f_mode & FMODE_WRITE)? Then the f2fs_readonly() and
> > > mnt_want_write_file() checks would be unnecessary.
> > >
> >
> > Using FMODE_WRITE is more proper for this case, since we're going to
> > modify the data. But I think mnt_want_write_file() is still required
> > to prevent the filesystem from freezing or something else.
>
> Right, the freezing check is actually still necessary. But getting write access
> to the mount is not necessary. I think you should use file_start_write() and
> file_end_write(), like vfs_write() does.
>
> > >
> > > > +
> > > > + if (get_user(flags, (u32 __user *)arg))
> > > > + return -EFAULT;
> > > > + if (!(flags & F2FS_TRIM_FILE_MASK))
> > > > + return -EINVAL;
> > >
> > > Need to reject unknown flags:
> > >
> > > if (flags & ~F2FS_TRIM_FILE_MASK)
> > > return -EINVAL;
> >
> > I needed a different thing here. This was to check neither discard nor
> > zeroing out are not here. But we still need to check unknown flags,
> > too.
> > The below might be better.
> > if (!flags || flags & ~F2FS_TRIM_FILE_MASK)
> > return -EINVAL;
>
> Sure, but please put parentheses around the second clause:
>
> if (flags == 0 || (flags & ~F2FS_TRIM_FILE_MASK))
> return -EINVAL;
>
> - Eric
next prev parent reply other threads:[~2020-06-10 3:55 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-09 6:01 [PATCH] f2fs: add F2FS_IOC_SEC_TRIM_FILE ioctl Daeho Jeong
2020-06-09 16:51 ` [f2fs-dev] " Eric Biggers
2020-06-10 2:05 ` Daeho Jeong
2020-06-10 3:15 ` Eric Biggers
2020-06-10 3:55 ` Daeho Jeong [this message]
2020-06-10 23:31 ` Daeho Jeong
2020-06-10 23:53 ` Daeho Jeong
2020-06-11 0:00 ` Eric Biggers
2020-06-11 0:23 ` Daeho Jeong
2020-06-11 1:56 ` Eric Biggers
2020-06-11 2:05 ` Daeho Jeong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CACOAw_wErOPC=Kf3UU8nFGhWRy84ZnCeJbsyPhSCcXv51B_XxQ@mail.gmail.com' \
--to=daeho43@gmail.com \
--cc=daehojeong@google.com \
--cc=ebiggers@kernel.org \
--cc=kernel-team@android.com \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).