Re: [PATCH] ext4: fix EXT4_IOC_CHECKPOINT

From: Theodore Ts'o
Date: Wed Jul 07 2021 - 12:58:28 EST


On Wed, Jul 07, 2021 at 10:56:44AM +0200, Christoph Hellwig wrote:
> Issuing a discard for any kind of "contention deletion SLO" is highly
> dangerous as discard as defined by Linux (as well the underlying NVMe,
> SCSI, ATA, eMMC and virtio primitives) are defined to not guarantee
> erasing of data but just allow optional and nondeterministic reclamation
> of space. Instead issuing write zeroes is the only thing to perform
> such an operation. Remove the highly dangerous and misleading discard
> mode for EXT4_IOC_CHECKPOINT and only support the write zeroes based
> on, and clean up the resulting mess including the dry run mode.

A discard is not "dangerous"; how it behaves is simply not necessarily
guaranteed by the standards specification. The userspace which uses
the ioctl simply needs to know how a particular block device might
react when it is given a discard.

I'll note that there is a similar issue with "WRITE SAME" or "ZEROOUT".
A WRITE SAME might take a fraction of a second --- or it might take
days --- depending on how the storage device is implemented. It is
similarly unspecified by the various standards specifications. Hence,
userspace needs to know something about the block device before
deciding whether or not it would be a good idea to issue a "WRITE SAME"
operation for a large number of blocks.

This is why the API is implemented in terms of what command will be
issued to the block device, and not what the semantic meaning is for
that particular command. That's up to the userspace application to
know out of band, and we should be able to give the privileged
application the freedom to decide which command makes the most sense.

- Ted