From patchwork Wed Oct 17 22:44:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "Darrick J. Wong" X-Patchwork-Id: 10646209 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 822C23C13 for ; Wed, 17 Oct 2018 22:45:01 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 73B99288CA for ; Wed, 17 Oct 2018 22:45:01 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 67F90288E7; Wed, 17 Oct 2018 22:45:01 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE, UNPARSEABLE_RELAY autolearn=ham version=3.3.1 Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id DCCF5288CA for ; Wed, 17 Oct 2018 22:45:00 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E29EF6B0271; Wed, 17 Oct 2018 18:44:59 -0400 (EDT) Delivered-To: linux-mm-outgoing@kvack.org Received: by kanga.kvack.org (Postfix, from userid 40) id DD8FB6B0272; Wed, 17 Oct 2018 18:44:59 -0400 (EDT) X-Original-To: int-list-linux-mm@kvack.org X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C7CE76B0273; Wed, 17 Oct 2018 18:44:59 -0400 (EDT) X-Original-To: linux-mm@kvack.org X-Delivered-To: linux-mm@kvack.org Received: from mail-pg1-f198.google.com (mail-pg1-f198.google.com [209.85.215.198]) by kanga.kvack.org (Postfix) with ESMTP id 837F96B0271 for ; Wed, 17 Oct 2018 18:44:59 -0400 (EDT) Received: by mail-pg1-f198.google.com with SMTP id w15-v6so21249696pge.2 for ; Wed, 17 Oct 2018 15:44:59 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:dkim-signature:subject:from:to:cc:date :message-id:in-reply-to:references:user-agent:mime-version :content-transfer-encoding; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=rW+gp22IhHzspMW0AKXeo+WrpQdjrufuQxy9gG9BDqsZjes2KalT4GRvZ0rCTGiKGt JERvEJ202cEkgf4P6KKKO2IVaXJUyWYiE0AAc5b1nd2tNciu4V4c6dbEej6ITBiPT3Vp DYUp/fZjXvW3g7oluM8ryxg1fu4X+dK1ytvspz/hphr9lQzSigw40oCaw/Yp0uMepx/Q BmR+td5wq/X79FobjG/YSXVwQ8vX/Q6871t3W+VzHen8btNX/HNmlJL6PaDqzuVQ68aB bOtvHwS04WUV8Gz6ZAoq12V61qzOFl7OYzi6zdBj0/7HMj8QGO7EhzwMFoYsgqniajEW fohQ== X-Gm-Message-State: ABuFfoidc6L+dhRWZ1BAvLham3bdOsoNQXLOOYnrpxLtAjKQSwFPgmmk 3N6PEpUFFbSEZsRQDjdXXBzJnq3okauJO8Pc27CNgD/5++ZpuK0sBUMIeyx3E5Og4j6cQoj9Kxu fh9LMXdI9IcjhQxzZpvtJfPyzRFxWhcjGO+hnBt+L9FEbEln77ibkG9eO1gh1RCEAlg== X-Received: by 2002:a63:5949:: with SMTP id j9-v6mr26259842pgm.210.1539816299192; Wed, 17 Oct 2018 15:44:59 -0700 (PDT) X-Google-Smtp-Source: ACcGV63iHxzvWgFkw7BUwll76gDVL7G0DR20Pveh2mu8minGf9zDQSCXKMD1BqRVIscDsAShCrXj X-Received: by 2002:a63:5949:: with SMTP id j9-v6mr26259810pgm.210.1539816298447; Wed, 17 Oct 2018 15:44:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539816298; cv=none; d=google.com; s=arc-20160816; b=yZ3FqqDMnm1vhjxxqUb1Zlz+/AisJ7llM5J/OQHx8u5pP7eMXkuTKAHVNnagBCQoMR pwU0VGNLCe3mEqEP7rPNlFjBzCc1mXUUWptBI9YTEqQZtr8Gq8BLav7rMkOjrphMpbuH 3S/P8PLBI1muSh6wC+parIST8ClfyoSD+nWOf/k/HzyW0UIxSEIYO2x7ZV9rcqYBBEUN TNQ93Is25vgEVXVLa+7EyuDKQ6yB0NuWEGhXYnoQqHijYLnVtRFI9XEGA3kAZMUA3gd5 7CBmhLoSgx2eTbv5Nek6Ja8dQyyd15/+2HwrDRkydH7z1Cww8Xmxx1o265kTgTucj0mn pW1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:mime-version:user-agent:references :in-reply-to:message-id:date:cc:to:from:subject:dkim-signature; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=K/pEiSZ8CaFjTK8deHX5h5SWiaQ/WM5/EmNr7tEjU0rUeNLEZ1toei17fh2vjuppN4 PfsvtfxQa8zI3sC2i0LAI6VB9K6GYjNiXrQfFDJLPq6bA9JZCa0H3zSm3iobIjx12m0O aJ2IlpgOqgNRYAkpfcHniieKHHrDnG9TdwtOE3MaWKyRooEcKWCp+/Ud1UDC8JqWVmOp JseR/7QUZ/MLjwVVFYU3BL2AnotHn9ieTAU6+Zl/NqIQPTq1NEwrJOGqdcsBjMXjNJgC OJzFHDr/f4RpI4iXTo6vJ0RqTuyuz6/Egqh+HpNAbdVz0h4QIm7NqX/sWelx2yD+ZYaN 4N7Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=lOoM4rN5; spf=pass (google.com: domain of darrick.wong@oracle.com designates 156.151.31.86 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from userp2130.oracle.com (userp2130.oracle.com. [156.151.31.86]) by mx.google.com with ESMTPS id a8-v6si18377894pgm.331.2018.10.17.15.44.58 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 17 Oct 2018 15:44:58 -0700 (PDT) Received-SPF: pass (google.com: domain of darrick.wong@oracle.com designates 156.151.31.86 as permitted sender) client-ip=156.151.31.86; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=lOoM4rN5; spf=pass (google.com: domain of darrick.wong@oracle.com designates 156.151.31.86 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: from pps.filterd (userp2130.oracle.com [127.0.0.1]) by userp2130.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9HMiWfv040580; Wed, 17 Oct 2018 22:44:57 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=subject : from : to : cc : date : message-id : in-reply-to : references : mime-version : content-type : content-transfer-encoding; s=corp-2018-07-02; bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=; b=lOoM4rN589fci7BOye8ix6pMQcE6KdksRa2Vti6deEuen1Gw4n8qbt90Dpykir13UikE LKy3fXLal5Oldz0ztrMCIx3hSA9wgL/A0oPB18ZjhQ9DTLTDfRbJ66hiOJb5cQzYoq8l /g9lLpHY4vaneJprNdEgdprWh2iY7yKUD8Amvvt4r/FmTUQRg7vWhLCGjbKeigCawI+q 5gRXmV4TZrORc1B+8GFG4s9GqVUDUS8h42Y5IHYYiAImaXhCtzcJqZ3+pz+hAqXPPwN9 Yb1fSGyI4LLWy4uTdzBeDFGpsSxzs+U423q3a1s8/zutvjeJkSgTin5kIberMNti//4v Tg== Received: from aserv0022.oracle.com (aserv0022.oracle.com [141.146.126.234]) by userp2130.oracle.com with ESMTP id 2n384u9yw1-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 17 Oct 2018 22:44:57 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by aserv0022.oracle.com (8.14.4/8.14.4) with ESMTP id w9HMip3x000659 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 17 Oct 2018 22:44:51 GMT Received: from abhmp0020.oracle.com (abhmp0020.oracle.com [141.146.116.26]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w9HMipBk014640; Wed, 17 Oct 2018 22:44:51 GMT Received: from localhost (/10.159.132.177) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Wed, 17 Oct 2018 15:44:51 -0700 Subject: [PATCH 05/29] vfs: avoid problematic remapping requests into partial EOF block From: "Darrick J. Wong" To: david@fromorbit.com, darrick.wong@oracle.com Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org, linux-mm@kvack.org, linux-btrfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, Christoph Hellwig , ocfs2-devel@oss.oracle.com Date: Wed, 17 Oct 2018 15:44:49 -0700 Message-ID: <153981628984.5568.13713064343145585532.stgit@magnolia> In-Reply-To: <153981625504.5568.2708520119290577378.stgit@magnolia> References: <153981625504.5568.2708520119290577378.stgit@magnolia> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9049 signatures=668683 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=793 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1810170188 X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: X-Virus-Scanned: ClamAV using ClamSMTP From: Darrick J. Wong A deduplication data corruption is exposed in XFS and btrfs. It is caused by extending the block match range to include the partial EOF block, but then allowing unknown data beyond EOF to be considered a "match" to data in the destination file because the comparison is only made to the end of the source file. This corrupts the destination file when the source extent is shared with it. The VFS remapping prep functions only support whole block dedupe, but we still need to appear to support whole file dedupe correctly. Hence if the dedupe request includes the last block of the souce file, don't include it in the actual dedupe operation. If the rest of the range dedupes successfully, then reject the entire request. A subsequent patch will enable us to shorten dedupe requests correctly. When reflinking sub-file ranges, a data corruption can occur when the source file range includes a partial EOF block. This shares the unknown data beyond EOF into the second file at a position inside EOF, exposing stale data in the second file. If the reflink request includes the last block of the souce file, only proceed with the reflink operation if it lands at or past the destination file's current EOF. If it lands within the destination file EOF, reject the entire request with -EINVAL and make the caller go the hard way. A subsequent patch will enable us to shorten reflink requests correctly. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig --- fs/read_write.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/fs/read_write.c b/fs/read_write.c index 2456da3f8a41..0f0a6efdd502 100644 --- a/fs/read_write.c +++ b/fs/read_write.c @@ -1708,6 +1708,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write) return security_file_permission(file, write ? MAY_WRITE : MAY_READ); } +/* + * Ensure that we don't remap a partial EOF block in the middle of something + * else. Assume that the offsets have already been checked for block + * alignment. + * + * For deduplication we always scale down to the previous block because we + * can't meaningfully compare post-EOF contents. + * + * For clone we only link a partial EOF block above the destination file's EOF. + */ +static int generic_remap_check_len(struct inode *inode_in, + struct inode *inode_out, + loff_t pos_out, + u64 *len, + bool is_dedupe) +{ + u64 blkmask = i_blocksize(inode_in) - 1; + + if ((*len & blkmask) == 0) + return 0; + + if (is_dedupe) + *len &= ~blkmask; + else if (pos_out + *len < i_size_read(inode_out)) + return -EINVAL; + + return 0; +} /* * Check that the two inodes are eligible for cloning, the ranges make @@ -1787,6 +1815,11 @@ int vfs_clone_file_prep(struct file *file_in, loff_t pos_in, return -EBADE; } + ret = generic_remap_check_len(inode_in, inode_out, pos_out, len, + is_dedupe); + if (ret) + return ret; + return 1; } EXPORT_SYMBOL(vfs_clone_file_prep);