[v6,00/29] fs: fixes for serious clone/dedupe problems

Message ID	153981625504.5568.2708520119290577378.stgit@magnolia (mailing list archive)
Headers	show Return-Path: <ocfs2-devel-bounces@oss.oracle.com> From: "Darrick J. Wong" <darrick.wong@oracle.com> To: david@fromorbit.com, darrick.wong@oracle.com Date: Wed, 17 Oct 2018 15:44:15 -0700 Message-ID: <153981625504.5568.2708520119290577378.stgit@magnolia> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org, linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org, linux-mm@kvack.org, ocfs2-devel@oss.oracle.com, linux-fsdevel@vger.kernel.org, linux-btrfs@vger.kernel.org Subject: [Ocfs2-devel] [PATCH v6 00/29] fs: fixes for serious clone/dedupe problems Precedence: list Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: ocfs2-devel-bounces@oss.oracle.com Errors-To: ocfs2-devel-bounces@oss.oracle.com
Series	fs: fixes for serious clone/dedupe problems \| expand [v6,00/29] fs: fixes for serious clone/dedupe problems [01/29] vfs: vfs_clone_file_prep_inodes should return EINVAL for a clone from beyond EOF [02/29] vfs: check file ranges before cloning files [03/29] vfs: exit early from zero length remap operations [04/29] vfs: strengthen checking of file range inputs to generic_remap_checks [05/29] vfs: avoid problematic remapping requests into partial EOF block [06/29] vfs: skip zero-length dedupe requests [07/29] vfs: rename vfs_clone_file_prep to be more descriptive [08/29] vfs: rename clone_verify_area to remap_verify_area [09/29] vfs: combine the clone and dedupe into a single remap_file_range [10/29] vfs: pass remap flags to generic_remap_file_range_prep [11/29] vfs: pass remap flags to generic_remap_checks [12/29] vfs: remap helper should update destination inode metadata [13/29] vfs: make remap_file_range functions take and return bytes completed [14/29] vfs: plumb remap flags through the vfs clone functions [15/29] vfs: plumb remap flags through the vfs dedupe functions [16/29] vfs: enable remap callers that can handle short operations [17/29] vfs: hide file range comparison function [18/29] vfs: clean up generic_remap_file_range_prep return value [19/29] ocfs2: truncate page cache for clone destination file before remapping [20/29] ocfs2: fix pagecache truncation prior to reflink [21/29] ocfs2: support partial clone range and dedupe range [22/29] ocfs2: remove ocfs2_reflink_remap_range [23/29] xfs: add a per-xfs trace_printk macro [24/29] xfs: fix pagecache truncation prior to reflink [25/29] xfs: clean up xfs_reflink_remap_blocks call site [26/29] xfs: support returning partial reflink results [27/29] xfs: remove redundant remap partial EOF block checks [28/29] xfs: remove xfs_reflink_remap_range [29/29] xfs: remove [cm]time update from reflink calls

Message ID

153981625504.5568.2708520119290577378.stgit@magnolia (mailing list archive)

Headers

From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: david@fromorbit.com, darrick.wong@oracle.com
Date: Wed, 17 Oct 2018 15:44:15 -0700
Message-ID: <153981625504.5568.2708520119290577378.stgit@magnolia>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
        linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org,
        linux-mm@kvack.org, ocfs2-devel@oss.oracle.com,
        linux-fsdevel@vger.kernel.org, linux-btrfs@vger.kernel.org
Subject: [Ocfs2-devel] [PATCH v6 00/29] fs: fixes for serious clone/dedupe
	problems
Precedence: list
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: ocfs2-devel-bounces@oss.oracle.com
Errors-To: ocfs2-devel-bounces@oss.oracle.com

Series

fs: fixes for serious clone/dedupe problems | expand

Message

Darrick J. Wong Oct. 17, 2018, 10:44 p.m. UTC

Hi all,

Dave, Eric, and I have been chasing a stale data exposure bug in the XFS
reflink implementation, and tracked it down to reflink forgetting to do
some of the file-extending activities that must happen for regular
writes.

We then started auditing the clone, dedupe, and copyfile code and
realized that from a file contents perspective, clonerange isn't any
different from a regular file write. Unfortunately, we also noticed
that *unlike* a regular write, clonerange skips a ton of overflow
checks, such as validating the ranges against s_maxbytes, MAX_NON_LFS,
and RLIMIT_FSIZE. We also observed that cloning into a file did not
strip security privileges (suid, capabilities) like a regular write
would. I also noticed that xfs and ocfs2 need to dump the page cache
before remapping blocks, not after.

In fixing the range checking problems I also realized that both dedupe
and copyfile tell userspace how much of the requested operation was
acted upon. Since the range validation can shorten a clone request (or
we can ENOSPC midway through), we might as well plumb the short
operation reporting back through the VFS indirection code to userspace.
I added a few more cleanups to the xfs code per reviewer suggestions.

So, here's the whole giant pile of patches[1] that fix all the problems.
This branch is against current upstream (4.19-rc8). The patch
"generic: test reflink side effects" recently sent to fstests exercises
the fixes in this series. Tests are in [2].

--D

[1] https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfs-linux.git/log/?h=djwong-devel
[2] https://git.kernel.org/pub/scm/linux/kernel/git/djwong/xfstests-dev.git/log/?h=djwong-devel