[v4,00/25] fs: fixes for serious clone/dedupe problems

Message ID	153938912912.8361.13446310416406388958.stgit@magnolia (mailing list archive)
Headers	show Return-Path: <linux-cifs-owner@kernel.org> Subject: [PATCH v4 00/25] fs: fixes for serious clone/dedupe problems From: "Darrick J. Wong" <darrick.wong@oracle.com> To: david@fromorbit.com, darrick.wong@oracle.com Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, ocfs2-devel@oss.oracle.com Date: Fri, 12 Oct 2018 17:05:29 -0700 Message-ID: <153938912912.8361.13446310416406388958.stgit@magnolia> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: linux-cifs-owner@vger.kernel.org Precedence: bulk
Series	fs: fixes for serious clone/dedupe problems \| expand [v4,00/25] fs: fixes for serious clone/dedupe problems [01/25] xfs: add a per-xfs trace_printk macro [02/25] vfs: vfs_clone_file_prep_inodes should return EINVAL for a clone from beyond EOF [03/25] vfs: check file ranges before cloning files [04/25] vfs: strengthen checking of file range inputs to generic_remap_checks [05/25] vfs: avoid problematic remapping requests into partial EOF block [06/25] vfs: skip zero-length dedupe requests [07/25] vfs: combine the clone and dedupe into a single remap_file_range [08/25] vfs: rename vfs_clone_file_prep to be more descriptive [09/25] vfs: rename clone_verify_area to remap_verify_area [10/25] vfs: create generic_remap_file_range_touch to update inode metadata [11/25] vfs: pass remap flags to generic_remap_file_range_prep [12/25] vfs: pass remap flags to generic_remap_checks [13/25] vfs: make remap_file_range functions take and return bytes completed [14/25] vfs: plumb RFR_* remap flags through the vfs clone functions [15/25] vfs: plumb RFR_* remap flags through the vfs dedupe functions [16/25] vfs: make remapping to source file eof more explicit [17/25] vfs: enable remap callers that can handle short operations [18/25] vfs: hide file range comparison function [19/25] vfs: implement opportunistic short dedupe [20/25] ocfs2: truncate page cache for clone destination file before remapping [21/25] ocfs2: fix pagecache truncation prior to reflink [22/25] ocfs2: support partial clone range and dedupe range [23/25] xfs: fix pagecache truncation prior to reflink [24/25] xfs: support returning partial reflink results [25/25] xfs: remove redundant remap partial EOF block checks

Message ID

153938912912.8361.13446310416406388958.stgit@magnolia (mailing list archive)

Headers

Subject: [PATCH v4 00/25] fs: fixes for serious clone/dedupe problems
From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: david@fromorbit.com, darrick.wong@oracle.com
Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org,
        linux-cifs@vger.kernel.org, linux-unionfs@vger.kernel.org,
        linux-xfs@vger.kernel.org, linux-mm@kvack.org,
        linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        ocfs2-devel@oss.oracle.com
Date: Fri, 12 Oct 2018 17:05:29 -0700
Message-ID: <153938912912.8361.13446310416406388958.stgit@magnolia>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Sender: linux-cifs-owner@vger.kernel.org
Precedence: bulk

Series

fs: fixes for serious clone/dedupe problems | expand

Message

Darrick J. Wong Oct. 13, 2018, 12:05 a.m. UTC

Hi all,

Dave, Eric, and I have been chasing a stale data exposure bug in the XFS
reflink implementation, and tracked it down to reflink forgetting to do
some of the file-extending activities that must happen for regular
writes.

We then started auditing the clone, dedupe, and copyfile code and
realized that from a file contents perspective, clonerange isn't any
different from a regular file write. Unfortunately, we also noticed
that *unlike* a regular write, clonerange skips a ton of overflow
checks, such as validating the ranges against s_maxbytes, MAX_NON_LFS,
and RLIMIT_FSIZE. We also observed that cloning into a file did not
strip security privileges (suid, capabilities) like a regular write
would. I also noticed that xfs and ocfs2 need to dump the page cache
before remapping blocks, not after.

In fixing the range checking problems I also realized that both dedupe
and copyfile tell userspace how much of the requested operation was
acted upon. Since the range validation can shorten a clone request (or
we can ENOSPC midway through), we might as well plumb the short
operation reporting back through the VFS indirection code to userspace.

So, here's the whole giant pile of patches[1] that fix all the problems.
This branch is against current upstream (4.19-rc7+). The patch
"generic: test reflink side effects" recently sent to fstests exercises
the fixes in this series. Tests are in [2].

--D

[1] https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux.git/log/?h=djwong-devel
[2] https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfstests-dev.git/log/?h=djwong-devel