Re: [PATCH 0/3] mm: Swap checksum
From: Cesar Eduardo Barros
Date: Sun May 23 2010 - 20:57:52 EST
On 23-05-2010 21:09, Minchan Kim wrote:
> Hi, Cesar.
> I am not sure Cesar is your first name. :)

Yes, it is.

> On Mon, May 24, 2010 at 3:32 AM, Cesar Eduardo Barros <cesarb@xxxxxxxxxx> wrote:
>> On 23-05-2010 11:03, Minchan Kim wrote:
>>> We have been using swap pages without a checksum.
>>> First of all, could you explain why you need a checksum on swap pages?
>>> Do you see any problem where swap pages are broken?
>>
>> The same reason we need checksums in the filesystem.
>> If you use btrfs as your root filesystem, you are protected by checksums
>> from damage in the filesystem, but not in the swap partition (which is often
>> in the same disk, and thus as vulnerable as the filesystem). It is better to
>> get a checksum error when swapping in than having a silently corrupted page.
>
> Do you mean by "vulnerable" that another filesystem or block I/O operation
> invades the swap partition and breaks the data in swap?

Vulnerable in that the same kind of hardware problems which can silently
damage filesystem data in the disk can damage swap pages in the disk.
This is the reason both btrfs and zfs checksum all their data and
metadata. However, the swap partition is still vulnerable (using a swap
file is not a solution, since the swap code bypasses the filesystem).
And silent data corruption in the swap partition could be even worse
than in the filesystem - while a program might not trust a file it is
reading to not be corrupted, almost all programs will trust their
*memory* to not be corrupted.
The internal ECC of the disk will not save you - a quick Google search
found an instance of someone with silent data corruption caused by a
faulty *power supply*.[1]
And if it is silent corruption, without the checksums you will not
notice it - it will just be dismissed as "oh, Firefox just crashed
again" or similar (the same as bit flips on RAM without ECC).

> If it is, I think it's their problem, so we have to fix it
> before it is merged into mainline. But I admit human beings always make
> mistakes, so we can miss it at review time. In such a case, it would
> be a very hard bug when swap pages are broken. I haven't heard about such a
> problem until now, but it might be useful if the problem happens.
> (Maybe they can't notice it because it is a hard bug to find.)
> But I have a concern about memory which includes the crc being broken by a
> dangling pointer. In this case, the swap block is correct but it would
> emit a crc error.
> Do you have an idea for making sure the memory which includes the crc is correct?

The swap checksum only protects the page against being silently
corrupted while on the disk and at least to some degree on the I/O path
between the memory and the disk. It does not protect against broken
kernel-mode code writing to the wrong address, nor against broken
hardware (or hardware misconfigured by broken drivers) doing DMA to
wrong addresses. It also does not protect against hardware errors in the
RAM itself (you have ECC memory for that).
That is, the code assumes the memory containing the checksums will not
be corrupted, because if it is, you have worse problems (and the CRC
error here would be a *good* thing, since it would make you notice
something is not quite right).
[1] http://blogs.sun.com/elowe/entry/zfs_saves_the_day_ta
--
Cesar Eduardo Barros
cesarb@xxxxxxxxxx
cesar.barros@xxxxxxxxx
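As an added illustration (not part of the patch series or of this thread) of what a swap checksum does and does not catch: a userspace C simulation computes a checksum at swap-out and verifies it at swap-in. A bit flip in the on-disk copy is detected, while damage to the in-memory checksum table (the dangling-pointer case raised above) produces a CRC error on a block that is actually intact. CRC-32 and the slot/table layout are assumptions of this example, not the patch's own code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SIZE 4096
#define NR_SLOTS 4
/* Reflected CRC-32 (polynomial 0xEDB88320), bit by bit for brevity. */
uint32_t crc32_page(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-ins for the swap device and the kernel's checksum table.
 * The table lives in RAM: the checksums are trusted, the disk copy is not. */
static uint8_t swap_disk[NR_SLOTS][PAGE_SIZE];
static uint32_t swap_crc[NR_SLOTS];

void swap_out(const uint8_t *page, int slot)
{
    memcpy(swap_disk[slot], page, PAGE_SIZE);
    swap_crc[slot] = crc32_page(page, PAGE_SIZE);
}

/* Returns 0 if the page read back matches its checksum, -1 on mismatch. */
int swap_in(uint8_t *page, int slot)
{
    memcpy(page, swap_disk[slot], PAGE_SIZE);
    return crc32_page(page, PAGE_SIZE) == swap_crc[slot] ? 0 : -1;
}

/* Swap a page out, optionally flip one bit in the on-disk copy (what the
 * checksum is meant to catch) or damage the in-memory checksum instead
 * (a correct block that still fails verification), then swap it back in. */
int scenario(int flip_disk_bit, int corrupt_crc)
{
    uint8_t page[PAGE_SIZE];
    for (size_t i = 0; i < PAGE_SIZE; i++)
        page[i] = (uint8_t)(i * 7 + 3);      /* constructed page contents */
    swap_out(page, 0);
    if (flip_disk_bit) swap_disk[0][1234] ^= 0x10;
    if (corrupt_crc)   swap_crc[0] ^= 0x1;
    memset(page, 0, PAGE_SIZE);
    return swap_in(page, 0);                 /* 0 = clean, -1 = CRC error */
}
```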