From patchwork Tue Oct 16 03:10:37 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 10642743 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id DA856112B for ; Tue, 16 Oct 2018 03:10:43 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id C6C5B29867 for ; Tue, 16 Oct 2018 03:10:43 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id BADA22988C; Tue, 16 Oct 2018 03:10:43 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 36A8429867 for ; Tue, 16 Oct 2018 03:10:43 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id 447126B0266; Mon, 15 Oct 2018 23:10:42 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id 3F7446B0269; Mon, 15 Oct 2018 23:10:42 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id 2E60F6B026A; Mon, 15 Oct 2018 23:10:42 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pf1-f198.google.com (mail-pf1-f198.google.com [209.85.210.198]) by kanga.kvack.org (Postfix) with ESMTP id E50D66B0266 for ; Mon, 15 Oct 2018 23:10:41 -0400 (EDT) Received: by mail-pf1-f198.google.com with SMTP id f4-v6so22279476pff.2 for ; Mon, 15 Oct 2018 20:10:41 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:subject:from:to:cc:date :message-id:in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=sumvIeIE5cWGeLsS1SZsCb45KEx06+QroKKOubSChSA/jAkZqQDllQlF04Qqp9jFjn 2zFnp7r0db0PJUrIo5cyED5OKF6oNobDLxNrGOV1R4QBBNEapYHPJJHxlAVnZfayEbm7 2gUtefG2WmhIFrkxOhS9Bi+BiKSc77SAjZ5Q979CSY1M3d2xeRti6DOh9CN0vcmg93/V 5aTCYCYOFaQvdR3bbSR46fGr5sHxkgG3M9svsccAn2Dgb7Vo0CtiYIybIc1P1GVNPEE3 T37xIWeDozHGtl7WikTH/Kr3SYKUvE+toRYJhg2zuxPmRhSqppz9PKzT8GUdmxMsb/fy eYUw== X-Gm-Message-State: ABuFfohBmirJ5Tkpg8DLkXkKr3EFwfQ1SSVXGeVlym5M/QmwSFWlroAj typf/2hKxosa4sClbmfICB4X1bTNi0AN5P8npouOLXBG8X/DVtPhDxsmUMN4AFeiVG6MfJMRNS7 Jcvsk4dvcKmc/fU52aicvkkoEvx3DQ7/uZDd4u6+kCh01TxMblNP6EOe3zOn1YxGJJw== X-Received: by 2002:a65:4385:: with SMTP id m5-v6mr17570625pgp.219.1539659441593; Mon, 15 Oct 2018 20:10:41 -0700 (PDT) X-Google-Smtp-Source: ACcGV63WBbDmDUFCmk76d4aN8REHxmiLA9dnzD5pP9X4ptJWgd9tzjUf+AVOfIiZ6GE8wqPi3+9v X-Received: by 2002:a65:4385:: with SMTP id m5-v6mr17570597pgp.219.1539659440838; Mon, 15 Oct 2018 20:10:40 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539659440; cv=none; d=google.com; s=arc-20160816; b=SjZCtGv+c8htFvFGi0qTXFCcNJQzE1yKmk4+byGvTg6HZY2zzXSPDMuRwiQurLfGSH CkDEZr9Rca3hsdyzUHN4cCC+cgKI189GuWn5rBf87ecuICXd88TXT6/1iKNvKrsdE65s Cvv3i0SGl4O4sFm+RdzpfXWIyOz/6HXqa7VvwSpd4cP97Xsf3CGDiL/Fgfikl1B+t2xx 6BCR9Jo8SM1mWx9/btjBe7rm1WonM9WfSVaWPFhNk1jryr30G7E/07MM4Kmc+4/Dil2n yQXmDPl4G7Db5lKmhVQMvgMrZ08/eO4MoIUhRii3Q83tTIHVr9Zeg5AfTh1TqcQSIc3y 0H7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:dkim-signature; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=s2vGinLvPp66lnDSWhTbBQ+rOXmgi0qv99hAwGHOacEtwMHEXRAnrMxKqQ02JbrPuy XjrZ3qctbVyLpB4WBYBbj29vu1DhKmeStryOuegC4PMgAzT9GSXp7v5cvkLtPyKRRMJm z8pD3nagUGsExC/70nkBpKdbiWPo+TP62b/EOwpXxr1Ul3GgXehP/heE5EE93e8OdhH0 mvlDe2tt9r3L3KSS5BCnVnpcGqno5GYeCao9A7uaQBiG4X6AhNCkgMJ/sp1K++yXkWw+ /ICxsJP99NOqSdOWZPeA8XPontUA2uyGvSMYBZt751wQZkJjefwBC+p2t1BNc7j1L2YB 7/+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=H0ukRTz8; spf=pass (google.com: domain of darrick.wong@oracle.com designates 141.146.126.78 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from aserp2120.oracle.com (aserp2120.oracle.com. [141.146.126.78]) by mx.google.com with ESMTPS id g3-v6si12568405pgj.74.2018.10.15.20.10.40 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 15 Oct 2018 20:10:40 -0700 (PDT) Received-SPF: pass (google.com: domain of darrick.wong@oracle.com designates 141.146.126.78 as permitted sender) client-ip=141.146.126.78; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=H0ukRTz8; spf=pass (google.com: domain of darrick.wong@oracle.com designates 141.146.126.78 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from pps.filterd (aserp2120.oracle.com [127.0.0.1]) by aserp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9G38WEU053380; Tue, 16 Oct 2018 03:10:40 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : from : to : cc : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=H0ukRTz8fmbz+UNjUlWTynWGl8FmMJlmvVkeCt3iD2KS+3j13JoPAZ6DxpdIPgbwnhAi 4SiVZpLOD6yNMXxBGPvKgCRJUsSHv9fqyoZ6taQJfBJLBSk6GnfNaD8M/Zkf3KEpgHFr Bo5cYCuQ97yAJWM5URMC/34YVkaUnIcq6HKXWT0WTeKWL9cB1qVaz828uLlbV9raHXdT rqsqRRp0cCgp5CkqKQ/k0FxAYXw6rhZLudyGP9v3Jdk1vA5AXpbakT36k1MnIjDxBxjw XJ61fLF8ccZ4JRT+cGgHGRpSXgi9qBcK6co9110eKq26CfNLQn+WAAFWbHkLnuCOWHGW Lg== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by aserp2120.oracle.com with ESMTP id 2n38npwuw6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 16 Oct 2018 03:10:39 +0000 Received: from aserv0121.oracle.com (aserv0121.oracle.com [141.146.126.235]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w9G3AdSi010257 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 16 Oct 2018 03:10:39 GMT Received: from abhmp0016.oracle.com (abhmp0016.oracle.com [141.146.116.22]) by aserv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w9G3Advo002407; Tue, 16 Oct 2018 03:10:39 GMT Received: from localhost (/10.159.227.150) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 15 Oct 2018 20:10:39 -0700 Subject: [PATCH 06/26] vfs: avoid problematic remapping requests into partial EOF block From: "Darrick J. Wong" To: david@fromorbit.com, darrick.wong@oracle.com Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, Christoph Hellwig , ocfs2-devel@oss.oracle.com Date: Mon, 15 Oct 2018 20:10:37 -0700 Message-ID: <153965943770.1256.12251598427341926061.stgit@magnolia> In-Reply-To: <153965939489.1256.7400115244528045860.stgit@magnolia> References: <153965939489.1256.7400115244528045860.stgit@magnolia> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9047 signatures=668706 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=786 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810160026 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Darrick J. Wong A deduplication data corruption is exposed in XFS and btrfs. It is caused by extending the block match range to include the partial EOF block, but then allowing unknown data beyond EOF to be considered a "match" to data in the destination file because the comparison is only made to the end of the source file. This corrupts the destination file when the source extent is shared with it. The VFS remapping prep functions only support whole block dedupe, but we still need to appear to support whole file dedupe correctly. Hence if the dedupe request includes the last block of the souce file, don't include it in the actual dedupe operation. If the rest of the range dedupes successfully, then reject the entire request. A subsequent patch will enable us to shorten dedupe requests correctly. When reflinking sub-file ranges, a data corruption can occur when the source file range includes a partial EOF block. This shares the unknown data beyond EOF into the second file at a position inside EOF, exposing stale data in the second file. If the reflink request includes the last block of the souce file, only proceed with the reflink operation if it lands at or past the destination file's current EOF. If it lands within the destination file EOF, reject the entire request with -EINVAL and make the caller go the hard way. A subsequent patch will enable us to shorten reflink requests correctly. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig --- fs/read_write.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/fs/read_write.c b/fs/read_write.c index 2456da3f8a41..0f0a6efdd502 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1708,6 +1708,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write) return security_file_permission(file, write ? MAY_WRITE : MAY_READ); } +/* + * Ensure that we don't remap a partial EOF block in the middle of something + * else. Assume that the offsets have already been checked for block + * alignment. + * + * For deduplication we always scale down to the previous block because we + * can't meaningfully compare post-EOF contents. + * + * For clone we only link a partial EOF block above the destination file's EOF. + */ +static int generic_remap_check_len(struct inode *inode_in, + struct inode *inode_out, + loff_t pos_out, + u64 *len, + bool is_dedupe) +{ + u64 blkmask = i_blocksize(inode_in) - 1; + + if ((*len & blkmask) == 0) + return 0; + + if (is_dedupe) + *len &= ~blkmask; + else if (pos_out + *len < i_size_read(inode_out)) + return -EINVAL; + + return 0; +} /* * Check that the two inodes are eligible for cloning, the ranges make @@ -1787,6 +1815,11 @@ int vfs_clone_file_prep(struct file *file_in, loff_t pos_in, return -EBADE; } + ret = generic_remap_check_len(inode_in, inode_out, pos_out, len, + is_dedupe); + if (ret) + return ret; + return 1; } EXPORT_SYMBOL(vfs_clone_file_prep);