diff mbox series

[V3,03/10] xfs: Check for extent overflow when deleting an extent

Message ID 20200820054349.5525-4-chandanrlinux@gmail.com (mailing list archive)
State New
Headers show
Series Bail out if transaction can cause extent count to overflow | expand

Commit Message

Chandan Babu R Aug. 20, 2020, 5:43 a.m. UTC
Deleting a file range from the middle of an existing extent can cause
the per-inode extent count to increase by 1. This commit checks for
extent count overflow in such cases.

Signed-off-by: Chandan Babu R <chandanrlinux@gmail.com>
---
 fs/xfs/libxfs/xfs_inode_fork.h | 6 ++++++
 fs/xfs/xfs_bmap_item.c         | 4 ++++
 fs/xfs/xfs_bmap_util.c         | 5 +++++
 3 files changed, 15 insertions(+)

Comments

Darrick J. Wong Aug. 31, 2020, 4:34 p.m. UTC | #1
On Thu, Aug 20, 2020 at 11:13:42AM +0530, Chandan Babu R wrote:
> Deleting a file range from the middle of an existing extent can cause
> the per-inode extent count to increase by 1. This commit checks for
> extent count overflow in such cases.
> 
> Signed-off-by: Chandan Babu R <chandanrlinux@gmail.com>
> ---
>  fs/xfs/libxfs/xfs_inode_fork.h | 6 ++++++
>  fs/xfs/xfs_bmap_item.c         | 4 ++++
>  fs/xfs/xfs_bmap_util.c         | 5 +++++
>  3 files changed, 15 insertions(+)
> 
> diff --git a/fs/xfs/libxfs/xfs_inode_fork.h b/fs/xfs/libxfs/xfs_inode_fork.h
> index 7fc2b129a2e7..2642e4847ee0 100644
> --- a/fs/xfs/libxfs/xfs_inode_fork.h
> +++ b/fs/xfs/libxfs/xfs_inode_fork.h
> @@ -39,6 +39,12 @@ struct xfs_ifork {
>   * extent to a fork and there's no possibility of splitting an existing mapping.
>   */
>  #define XFS_IEXT_ADD_NOSPLIT_CNT	(1)
> +/*
> + * Removing an extent from the middle of an existing extent can cause the extent
> + * count to increase by 1.
> + * i.e. | Old extent | Hole | Old extent |
> + */
> +#define XFS_IEXT_REMOVE_CNT		(1)

The first thought that popped into my head after reading the subject
line was "UH-oh, is this going to result in undeletable files when the
extent counts hit max and the user tries to rm?"

Then I realized that "when deleting an extent" actually refers to
punching holes in the middle of files, not truncating them.

So I think at the very least the subject line should be changed to
say that we're talking about hole punching, not general file deletion;
and the constant probably ought to be called XFS_IEXT_PUNCH_CNT to make
that clearer.

Aside from that the logic seems ok to me.

(Also PS I'm not reviewing these patches in order...)

--D

>  
>  /*
>   * Fork handling.
> diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
> index ec3691372e7c..b9c35fb10de4 100644
> --- a/fs/xfs/xfs_bmap_item.c
> +++ b/fs/xfs/xfs_bmap_item.c
> @@ -519,6 +519,10 @@ xfs_bui_item_recover(
>  	}
>  	xfs_trans_ijoin(tp, ip, 0);
>  
> +	error = xfs_iext_count_may_overflow(ip, whichfork, XFS_IEXT_REMOVE_CNT);
> +	if (error)
> +		goto err_inode;
> +
>  	count = bmap->me_len;
>  	error = xfs_trans_log_finish_bmap_update(tp, budp, type, ip, whichfork,
>  			bmap->me_startoff, bmap->me_startblock, &count, state);
> diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
> index 7b76a48b0885..59d4da38aadf 100644
> --- a/fs/xfs/xfs_bmap_util.c
> +++ b/fs/xfs/xfs_bmap_util.c
> @@ -891,6 +891,11 @@ xfs_unmap_extent(
>  
>  	xfs_trans_ijoin(tp, ip, 0);
>  
> +	error = xfs_iext_count_may_overflow(ip, XFS_DATA_FORK,
> +			XFS_IEXT_REMOVE_CNT);
> +	if (error)
> +		goto out_trans_cancel;
> +
>  	error = xfs_bunmapi(tp, ip, startoffset_fsb, len_fsb, 0, 2, done);
>  	if (error)
>  		goto out_trans_cancel;
> -- 
> 2.28.0
>
Chandan Babu R Sept. 1, 2020, 9:44 a.m. UTC | #2
On Monday 31 August 2020 10:04:51 PM IST Darrick J. Wong wrote:
> On Thu, Aug 20, 2020 at 11:13:42AM +0530, Chandan Babu R wrote:
> > Deleting a file range from the middle of an existing extent can cause
> > the per-inode extent count to increase by 1. This commit checks for
> > extent count overflow in such cases.
> > 
> > Signed-off-by: Chandan Babu R <chandanrlinux@gmail.com>
> > ---
> >  fs/xfs/libxfs/xfs_inode_fork.h | 6 ++++++
> >  fs/xfs/xfs_bmap_item.c         | 4 ++++
> >  fs/xfs/xfs_bmap_util.c         | 5 +++++
> >  3 files changed, 15 insertions(+)
> > 
> > diff --git a/fs/xfs/libxfs/xfs_inode_fork.h b/fs/xfs/libxfs/xfs_inode_fork.h
> > index 7fc2b129a2e7..2642e4847ee0 100644
> > --- a/fs/xfs/libxfs/xfs_inode_fork.h
> > +++ b/fs/xfs/libxfs/xfs_inode_fork.h
> > @@ -39,6 +39,12 @@ struct xfs_ifork {
> >   * extent to a fork and there's no possibility of splitting an existing mapping.
> >   */
> >  #define XFS_IEXT_ADD_NOSPLIT_CNT	(1)
> > +/*
> > + * Removing an extent from the middle of an existing extent can cause the extent
> > + * count to increase by 1.
> > + * i.e. | Old extent | Hole | Old extent |
> > + */
> > +#define XFS_IEXT_REMOVE_CNT		(1)
> 
> The first thought that popped into my head after reading the subject
> line was "UH-oh, is this going to result in undeletable files when the
> extent counts hit max and the user tries to rm?"
> 
> Then I realized that "when deleting an extent" actually refers to
> punching holes in the middle of files, not truncating them.
> 
> So I think at the very least the subject line should be changed to
> say that we're talking about hole punching, not general file deletion;
> and the constant probably ought to be called XFS_IEXT_PUNCH_CNT to make
> that clearer.
>

Sure, I will change the commit message and the name of the constant.

> Aside from that the logic seems ok to me.
> 
> (Also PS I'm not reviewing these patches in order...)
> 
> --D
> 
> >  
> >  /*
> >   * Fork handling.
> > diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
> > index ec3691372e7c..b9c35fb10de4 100644
> > --- a/fs/xfs/xfs_bmap_item.c
> > +++ b/fs/xfs/xfs_bmap_item.c
> > @@ -519,6 +519,10 @@ xfs_bui_item_recover(
> >  	}
> >  	xfs_trans_ijoin(tp, ip, 0);
> >  
> > +	error = xfs_iext_count_may_overflow(ip, whichfork, XFS_IEXT_REMOVE_CNT);
> > +	if (error)
> > +		goto err_inode;
> > +
> >  	count = bmap->me_len;
> >  	error = xfs_trans_log_finish_bmap_update(tp, budp, type, ip, whichfork,
> >  			bmap->me_startoff, bmap->me_startblock, &count, state);
> > diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
> > index 7b76a48b0885..59d4da38aadf 100644
> > --- a/fs/xfs/xfs_bmap_util.c
> > +++ b/fs/xfs/xfs_bmap_util.c
> > @@ -891,6 +891,11 @@ xfs_unmap_extent(
> >  
> >  	xfs_trans_ijoin(tp, ip, 0);
> >  
> > +	error = xfs_iext_count_may_overflow(ip, XFS_DATA_FORK,
> > +			XFS_IEXT_REMOVE_CNT);
> > +	if (error)
> > +		goto out_trans_cancel;
> > +
> >  	error = xfs_bunmapi(tp, ip, startoffset_fsb, len_fsb, 0, 2, done);
> >  	if (error)
> >  		goto out_trans_cancel;
>
diff mbox series

Patch

diff --git a/fs/xfs/libxfs/xfs_inode_fork.h b/fs/xfs/libxfs/xfs_inode_fork.h
index 7fc2b129a2e7..2642e4847ee0 100644
--- a/fs/xfs/libxfs/xfs_inode_fork.h
+++ b/fs/xfs/libxfs/xfs_inode_fork.h
@@ -39,6 +39,12 @@  struct xfs_ifork {
  * extent to a fork and there's no possibility of splitting an existing mapping.
  */
 #define XFS_IEXT_ADD_NOSPLIT_CNT	(1)
+/*
+ * Removing an extent from the middle of an existing extent can cause the extent
+ * count to increase by 1.
+ * i.e. | Old extent | Hole | Old extent |
+ */
+#define XFS_IEXT_REMOVE_CNT		(1)
 
 /*
  * Fork handling.
diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
index ec3691372e7c..b9c35fb10de4 100644
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -519,6 +519,10 @@  xfs_bui_item_recover(
 	}
 	xfs_trans_ijoin(tp, ip, 0);
 
+	error = xfs_iext_count_may_overflow(ip, whichfork, XFS_IEXT_REMOVE_CNT);
+	if (error)
+		goto err_inode;
+
 	count = bmap->me_len;
 	error = xfs_trans_log_finish_bmap_update(tp, budp, type, ip, whichfork,
 			bmap->me_startoff, bmap->me_startblock, &count, state);
diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c
index 7b76a48b0885..59d4da38aadf 100644
--- a/fs/xfs/xfs_bmap_util.c
+++ b/fs/xfs/xfs_bmap_util.c
@@ -891,6 +891,11 @@  xfs_unmap_extent(
 
 	xfs_trans_ijoin(tp, ip, 0);
 
+	error = xfs_iext_count_may_overflow(ip, XFS_DATA_FORK,
+			XFS_IEXT_REMOVE_CNT);
+	if (error)
+		goto out_trans_cancel;
+
 	error = xfs_bunmapi(tp, ip, startoffset_fsb, len_fsb, 0, 2, done);
 	if (error)
 		goto out_trans_cancel;