From patchwork Sun Oct 21 16:15:37 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: "Darrick J. Wong" <darrick.wong@oracle.com>
X-Patchwork-Id: 10650993
Return-Path: <owner-linux-mm@kvack.org>
Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org
 [172.30.200.125])
	by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 01D8313A9
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Sun, 21 Oct 2018 16:15:46 +0000 (UTC)
Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id E3CC1287BE
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Sun, 21 Oct 2018 16:15:45 +0000 (UTC)
Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486)
	id D7D2F287C2; Sun, 21 Oct 2018 16:15:45 +0000 (UTC)
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on
	pdx-wl-mail.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.0 required=2.0 tests=BAYES_00,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,MAILING_LIST_MULTI,RCVD_IN_DNSWL_NONE,
	UNPARSEABLE_RELAY autolearn=ham version=3.3.1
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5CCBA287BE
	for <patchwork-linux-mm@patchwork.kernel.org>;
 Sun, 21 Oct 2018 16:15:45 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 5251F6B000E; Sun, 21 Oct 2018 12:15:44 -0400 (EDT)
Delivered-To: linux-mm-outgoing@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 4FB326B0010; Sun, 21 Oct 2018 12:15:44 -0400 (EDT)
X-Original-To: int-list-linux-mm@kvack.org
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 3C3216B0266; Sun, 21 Oct 2018 12:15:44 -0400 (EDT)
X-Original-To: linux-mm@kvack.org
X-Delivered-To: linux-mm@kvack.org
Received: from mail-yb1-f200.google.com (mail-yb1-f200.google.com
 [209.85.219.200])
	by kanga.kvack.org (Postfix) with ESMTP id 1015B6B000E
	for <linux-mm@kvack.org>; Sun, 21 Oct 2018 12:15:44 -0400 (EDT)
Received: by mail-yb1-f200.google.com with SMTP id c6-v6so23253544ybm.10
        for <linux-mm@kvack.org>; Sun, 21 Oct 2018 09:15:44 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:dkim-signature:subject:from:to:cc:date
         :message-id:in-reply-to:references:user-agent:mime-version
         :content-transfer-encoding;
        bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=;
        b=mcYkV6e/WqZ91fO+VtIM8X4ohbRFPYkPeFT7qejQzevrKCi2aeFxkJAWFUwb9tilNF
         Sa34ve9bFL7GSK83q0If64xwDRe5qpK12sf7u/wwsbPQhIY23nSS6GOCl45BDWEYarAi
         /w+P82a4Ehwutyx9PytyZB/X/3HuL2QrhOrtUueKW8ptX9xvXredttRgxbxX7qaWDvNI
         aLsnuz+M2Bo5wOfvd5LpVj/hpkz4Bc0qKy2possg5sgTd1kJUS/D4XJFGsuJ/cDEHpWy
         VkkAjVk2tmsIrkMSr4FlVsgkqro6JysmzCncz/P0id6VPrPhaXmPXYPwVjSIz1NSnOL1
         PDdw==
X-Gm-Message-State: ABuFfogDEmqW/mTo6Bn5NPiN/noPIjMlkCQBGBxKzMasW9isBZuH/QyG
	VuNmwBVHoRwrrWtTEHfHDjDA3wNX+uae7F//KGxpw0iL1mEvkvcM8g1rHjgMe2nwTfc1lCfX+DA
	uykLNsKZ18smvayw8nYxmZ7/6Z5OEkH8hB4Mj18/c1EqgWUohx7uNS+lpYPaMkHF4ag==
X-Received: by 2002:a25:ade5:: with SMTP id
 d37-v6mr15761586ybe.483.1540138543749;
        Sun, 21 Oct 2018 09:15:43 -0700 (PDT)
X-Google-Smtp-Source: 
 ACcGV60fYj9ypYrWbyOfDuc0hwN9vFc9c0yOPIs7KSTZyigeniV1IHdLV+lXDM94lcWpIzCG4U/Q
X-Received: by 2002:a25:ade5:: with SMTP id
 d37-v6mr15761547ybe.483.1540138543042;
        Sun, 21 Oct 2018 09:15:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540138543; cv=none;
        d=google.com; s=arc-20160816;
        b=lYQT1Pvfc9CGRJPe0FTvQAMrAOdxBiboaSoxKSWwD/z8HZr/ETY/qe/KpEEhL8CQGD
         +J/n6+okqgxH8pnC3EIkKFCb0CLQs5bAPJtbE4cBR6xKbabD6HaGEUj7cqZTjlmZlIW5
         eTbflDunBAsBUqivpYDcQ+6EybvxLAihxL3kG0f3GiPFwoQFdJ9jMZ+CiVIrHuxyElu0
         1/+DzkYRz+YRa639uNgmw8YYWbO1c+o4HIZziX58uVd0j+jlXqN2jGhZVkonA/iKivwV
         ip2TljWREojZiwglRcQzUpLKy5zFLJBC0GVC0IiGhQVwVOtgSdONNKxBPy6BtF2ma+5n
         uNuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816;
        h=content-transfer-encoding:mime-version:user-agent:references
         :in-reply-to:message-id:date:cc:to:from:subject:dkim-signature;
        bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=;
        b=xb+AHxJgXyo98NvR0h0p4wSMwf36rlKYPCe+RXwq8L/7668mRmQ58mXkcIosvhsDTY
         1IYfOchGW/RXeVsjQBrbe6S3K8GYv+0Au4B7MMeYDMVkjNifdJ6A0bfjhG/X/plw+PQb
         8CUCmJZbbSSD/BDtDgwU5OPieNo9DUd/MGmPqFY1Xn+F7i+/o49z01kLjA57nfPMzDCj
         cab4mmSMi1l9deO/aV5Yj9u81zEF6S3eyZn2liMmgx+rcv6Jkv2FdPhgChrrlAD6mwmD
         Be9wWLxdbqWrFJ1uX+9Wxm/KTuQMAyTc85bPcGUt17FRfcYcX+zHKlPl1mUkumPOYpHM
         vrYg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2018-07-02
 header.b="hMI/grNS";
       spf=pass (google.com: domain of darrick.wong@oracle.com designates
 156.151.31.85 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from userp2120.oracle.com (userp2120.oracle.com. [156.151.31.85])
        by mx.google.com with ESMTPS id
 g9-v6si2511560ybi.174.2018.10.21.09.15.42
        for <linux-mm@kvack.org>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sun, 21 Oct 2018 09:15:42 -0700 (PDT)
Received-SPF: pass (google.com: domain of darrick.wong@oracle.com designates
 156.151.31.85 as permitted sender) client-ip=156.151.31.85;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@oracle.com header.s=corp-2018-07-02
 header.b="hMI/grNS";
       spf=pass (google.com: domain of darrick.wong@oracle.com designates
 156.151.31.85 as permitted sender) smtp.mailfrom=darrick.wong@oracle.com;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com
Received: from pps.filterd (userp2120.oracle.com [127.0.0.1])
	by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w9LGEViE106955;
	Sun, 21 Oct 2018 16:15:42 GMT
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com;
 h=subject : from : to :
 cc : date : message-id : in-reply-to : references : mime-version :
 content-type : content-transfer-encoding; s=corp-2018-07-02;
 bh=SHexZ7j4NahuPkzJw7xdjRTs2Ez8K2Od8tzKdBj+sBY=;
 b=hMI/grNS2O9UcylFxo7zNSIRyAyGodsx6RE06/3DCrd+aTxvroP7sa2CkXcbK/OdFYh7
 vwSxFAwjQWBKcod5Hun76y6wwtLB3Tz0WcCR4Gxde49GKFCJEGul6mmc9AVyXUKELfvT
 48Gm5JWoEAta77dJQRZi+3YILYHzDcdhIyFORlB+HUuLJdIhCZMCdx5nHjM7mPNh/UUI
 Pae2Bpw7MfRuLYJXQ7dwChEOmAECK3KKYoeC6Cazl77g2L1jexOXL79NoFos2EIMEoux
 KY0YrdB1kH0v92qV05waorrjRWAvExJMMb07b8mmPTW8iD2V2Q7juYZgpirQKWKdXPlA qg==
Received: from aserv0021.oracle.com (aserv0021.oracle.com [141.146.126.233])
	by userp2120.oracle.com with ESMTP id 2n7w0qaxhc-1
	(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Sun, 21 Oct 2018 16:15:42 +0000
Received: from userv0121.oracle.com (userv0121.oracle.com [156.151.31.72])
	by aserv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w9LGFerV008090
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK);
	Sun, 21 Oct 2018 16:15:41 GMT
Received: from abhmp0008.oracle.com (abhmp0008.oracle.com [141.146.116.14])
	by userv0121.oracle.com (8.14.4/8.13.8) with ESMTP id w9LGFe89018874;
	Sun, 21 Oct 2018 16:15:40 GMT
Received: from localhost (/10.159.225.70)
	by default (Oracle Beehive Gateway v4.0)
	with ESMTP ; Sun, 21 Oct 2018 09:15:39 -0700
Subject: [PATCH 05/28] vfs: avoid problematic remapping requests into
 partial EOF block
From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: david@fromorbit.com, darrick.wong@oracle.com
Cc: sandeen@redhat.com, linux-nfs@vger.kernel.org, linux-cifs@vger.kernel.org,
        linux-unionfs@vger.kernel.org, linux-xfs@vger.kernel.org,
        linux-mm@kvack.org, linux-btrfs@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
        ocfs2-devel@oss.oracle.com
Date: Sun, 21 Oct 2018 09:15:37 -0700
Message-ID: <154013853780.29026.5441191187672186537.stgit@magnolia>
In-Reply-To: <154013850285.29026.16168387526580596209.stgit@magnolia>
References: <154013850285.29026.16168387526580596209.stgit@magnolia>
User-Agent: StGit/0.17.1-dirty
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=9053
 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0
 malwarescore=0
 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=785
 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1
 engine=8.0.1-1807170000 definitions=main-1810210151
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
X-Virus-Scanned: ClamAV using ClamSMTP

From: Darrick J. Wong <darrick.wong@oracle.com>

A deduplication data corruption is exposed in XFS and btrfs. It is
caused by extending the block match range to include the partial EOF
block, but then allowing unknown data beyond EOF to be considered a
"match" to data in the destination file because the comparison is only
made to the end of the source file. This corrupts the destination file
when the source extent is shared with it.

The VFS remapping prep functions  only support whole block dedupe, but
we still need to appear to support whole file dedupe correctly.  Hence
if the dedupe request includes the last block of the souce file, don't
include it in the actual dedupe operation. If the rest of the range
dedupes successfully, then reject the entire request.  A subsequent
patch will enable us to shorten dedupe requests correctly.

When reflinking sub-file ranges, a data corruption can occur when the
source file range includes a partial EOF block. This shares the unknown
data beyond EOF into the second file at a position inside EOF, exposing
stale data in the second file.

If the reflink request includes the last block of the souce file, only
proceed with the reflink operation if it lands at or past the
destination file's current EOF. If it lands within the destination file
EOF, reject the entire request with -EINVAL and make the caller go the
hard way.  A subsequent patch will enable us to shorten reflink requests
correctly.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
 fs/read_write.c |   33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/fs/read_write.c b/fs/read_write.c
index 2456da3f8a41..0f0a6efdd502 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1708,6 +1708,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write)
 
 	return security_file_permission(file, write ? MAY_WRITE : MAY_READ);
 }
+/*
+ * Ensure that we don't remap a partial EOF block in the middle of something
+ * else.  Assume that the offsets have already been checked for block
+ * alignment.
+ *
+ * For deduplication we always scale down to the previous block because we
+ * can't meaningfully compare post-EOF contents.
+ *
+ * For clone we only link a partial EOF block above the destination file's EOF.
+ */
+static int generic_remap_check_len(struct inode *inode_in,
+				   struct inode *inode_out,
+				   loff_t pos_out,
+				   u64 *len,
+				   bool is_dedupe)
+{
+	u64 blkmask = i_blocksize(inode_in) - 1;
+
+	if ((*len & blkmask) == 0)
+		return 0;
+
+	if (is_dedupe)
+		*len &= ~blkmask;
+	else if (pos_out + *len < i_size_read(inode_out))
+		return -EINVAL;
+
+	return 0;
+}
 
 /*
  * Check that the two inodes are eligible for cloning, the ranges make
@@ -1787,6 +1815,11 @@ int vfs_clone_file_prep(struct file *file_in, loff_t pos_in,
 			return -EBADE;
 	}
 
+	ret = generic_remap_check_len(inode_in, inode_out, pos_out, len,
+			is_dedupe);
+	if (ret)
+		return ret;
+
 	return 1;
 }
 EXPORT_SYMBOL(vfs_clone_file_prep);