Session

Why Syscalls Fail: Bilateral Commit at the Linux Kernel/Userspace Boundary

Speakers

Paul Borrill
Manav Singhai

Label

Moonshot

Session Type

Talk

Description

Just like conventional Ethernet, system calls are fire-and-forget.

The Unix syscall interface—the boundary between userspace and kernel—operates as a unilateral protocol. The caller transmits a request into the kernel and assumes the operation will complete correctly, the result will be delivered to userspace, and the application will consume it. No bilateral commit protocol governs this boundary. When the assumption fails—through OOM kills, signal delivery during I/O, page cache eviction, completion queue races, or power loss—the failure is typically silent.

This paper introduces the Kernel Acknowledgment Spectrum: a formal framework for classifying kernel-userspace interactions by the highest level of bilateral confirmation they provide. We identify five levels—from Level 0 (a fire-and-forget write() that returns once the bytes reach the page cache) through Level 4 (bilateral semantic commit with application verification)—and show that the vast majority of syscall interfaces terminate at Level 1 or below.

We connect syscall failure to the Forward-In-Time-Only (FITO) projection error and demonstrate that the same structural absence identified in email (SMTP), messaging (SMS/iMessage), and conventional Ethernet—no commit protocol—is present at the kernel-userspace boundary. Every syscall encodes the FITO assumption: the caller presumes forward progress through the kernel, through the hardware, and back to userspace, with no mechanism to detect or recover from violations of this assumption.

We present forensic case studies including the PostgreSQL fsync catastrophe, io_uring completion queue races, signal coalescing failures, and the Linux memory overcommit design. We survey existing bilateral mechanisms—seL4 synchronous IPC, POSIX fsync(), userfaultfd(), and the failed Windows Transactional NTFS—and propose a taxonomy of bilateral commit strategies at the syscall boundary, drawing on the bilateral link protocol of Open Atomic Ethernet (OAE).
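The Level 0 write() described in the spectrum paragraph, and the POSIX fsync() mechanism and PostgreSQL fsync case study listed above, as an added C example that is not code from the talk, the paper, or the authors. It contrasts a write that stops at the page cache with one that is pushed through fsync() with every return value checked, including the EINTR and short-write cases that signal delivery during I/O produces. It assumes Linux with glibc and a writable /tmp; the temp-file prefix, the sample payload and the function names are assumptions for the demo.

```c
/* Added example, not code from the talk or paper: a write() that returns as
 * soon as the bytes reach the page cache, beside a write that is pushed
 * through fsync() with every return value checked. Assumes Linux/glibc and
 * a writable /tmp (the path prefix is an assumption for the demo). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <libgen.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fire-and-forget: a non-negative return only means the kernel accepted the
 * bytes into the page cache. Nothing here says they reached the disk. */
static ssize_t cached_write(int fd, const void *buf, size_t len)
{
    return write(fd, buf, len);
}

/* Keep calling write() until every byte is accepted. EINTR means a signal
 * arrived before any byte was written; a short count means a signal (or a
 * filling disk) cut the write off part way. Returns 0, or -1 with errno. */
static int write_all(int fd, const void *buf, size_t len)
{
    const char *p = buf;
    while (len > 0) {
        ssize_t n = write(fd, p, len);
        if (n < 0) {
            if (errno == EINTR)
                continue;
            return -1;
        }
        p += n;
        len -= (size_t)n;
    }
    return 0;
}

/* Write, fsync() the file, then fsync() its directory so the entry of a
 * newly created file is durable too. The fsync() result is never ignored:
 * Linux may report a writeback error to a descriptor only once, so calling
 * fsync() again and getting 0 is not proof the data was ever written.
 * Returns 0 on success, -1 with errno on failure. */
static int durable_write(const char *path, const void *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    if (write_all(fd, buf, len) < 0 || fsync(fd) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    if (close(fd) < 0)
        return -1;
    char *copy = strdup(path);           /* dirname() may modify its argument */
    if (copy == NULL)
        return -1;
    int dfd = open(dirname(copy), O_RDONLY | O_DIRECTORY);
    free(copy);
    if (dfd < 0)
        return -1;
    int rc = fsync(dfd);
    int saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}

/* End-to-end demo: returns 0 when the durable path succeeds and the readback
 * matches, otherwise a small positive code naming the step that failed. */
static int run_demo(void)
{
    static const char msg[] = "commit record";   /* constructed sample data */
    char path[] = "/tmp/bilateral_XXXXXX";        /* assumed writable prefix */
    char buf[64];
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    /* Level 0: a "successful" return that commits nothing to stable storage. */
    ssize_t n = cached_write(fd, msg, sizeof msg - 1);
    close(fd);
    if (n != (ssize_t)(sizeof msg - 1))
        return 2;
    /* Durable path over the same file. */
    if (durable_write(path, msg, sizeof msg - 1) != 0)
        return 3;
    fd = open(path, O_RDONLY);
    n = fd < 0 ? -1 : read(fd, buf, sizeof buf);
    if (fd >= 0)
        close(fd);
    unlink(path);
    if (n != (ssize_t)(sizeof msg - 1) || memcmp(buf, msg, (size_t)n) != 0)
        return 4;
    return 0;
}

int main(void)
{
    int rc = run_demo();
    printf("demo %s (rc=%d)\n", rc == 0 ? "ok" : "failed", rc);
    /* Missing directory: open() fails and the caller hears about it instead
     * of assuming forward progress through the kernel. */
    if (durable_write("/nonexistent-dir-for-demo/record", "x", 1) == -1)
        printf("missing directory reported: %s\n", strerror(errno));
    return rc;
}
```

The point of the contrast is that cached_write() and durable_write() both "succeed" for the same bytes, but only the second has waited for the kernel's acknowledgment and has nowhere to drop an error on the floor; the directory fsync() is the step most callers forget for freshly created files.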