From: Jeff Layton <jlayton@kernel.org>
To: Andreas Gruenbacher <agruenba@redhat.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, Sage Weil <sage@redhat.com>,
Ilya Dryomov <idryomov@gmail.com>, Theodore Ts'o <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Artem Bityutskiy <dedekind1@gmail.com>,
Adrian Hunter <adrian.hunter@intel.com>,
ceph-devel@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, Chris Mason <clm@fb.com>,
Josef Bacik <josef@toxicpanda.com>,
David Sterba <dsterba@suse.com>,
linux-btrfs@vger.kernel.org, Jan Kara <jack@suse.cz>,
YueHaibing <yuehaibing@huawei.com>, Arnd Bergmann <arnd@arndb.de>,
Chao Yu <yuchao0@huawei.com>
Subject: Re: [PATCH v4] fs: Fix page_mkwrite off-by-one errors
Date: Thu, 09 Jan 2020 08:34:56 -0500 [thread overview]
Message-ID: <03e0e79fefcd9e7985a5defce5d5833d3175847a.camel@kernel.org> (raw)
In-Reply-To: <20200108131528.4279-1-agruenba@redhat.com>
On Wed, 2020-01-08 at 14:15 +0100, Andreas Gruenbacher wrote:
> Hi Darrick,
>
> here's an updated version with the latest feedback incorporated. Hope
> you find that useful.
>
> As far as the f2fs merge conflict goes, I've been told by Linus not to
> resolve those kinds of conflicts but to point them out when sending the
> merge request. So this shouldn't be a big deal.
>
> Changes:
>
> * Turn page_mkwrite_check_truncate into a non-inline function.
> * Get rid of now-unused mapping variable in ext4_page_mkwrite.
> * In btrfs_page_mkwrite, don't ignore the return value of
> block_page_mkwrite_return (no change in behavior).
> * Clean up the f2fs_vm_page_mkwrite changes as suggested by
> Jaegeuk Kim.
>
> Thanks,
> Andreas
>
> --
>
> The check in block_page_mkwrite that is meant to determine whether an
> offset is within the inode size is off by one. This bug has been copied
> into iomap_page_mkwrite and several filesystems (ubifs, ext4, f2fs,
> ceph).
>
> Fix that by introducing a new page_mkwrite_check_truncate helper that
> checks for truncate and computes the bytes in the page up to EOF. Use
> the helper in the above mentioned filesystems.
>
> In addition, use the new helper in btrfs as well.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
> Acked-by: David Sterba <dsterba@suse.com> (btrfs)
> Acked-by: Richard Weinberger <richard@nod.at> (ubifs)
> Acked-by: Theodore Ts'o <tytso@mit.edu> (ext4)
> Acked-by: Chao Yu <yuchao0@huawei.com> (f2fs)
> ---
> fs/btrfs/inode.c | 16 +++++-----------
> fs/buffer.c | 16 +++-------------
> fs/ceph/addr.c | 2 +-
> fs/ext4/inode.c | 15 ++++-----------
> fs/f2fs/file.c | 19 +++++++------------
> fs/iomap/buffered-io.c | 18 +++++-------------
> fs/ubifs/file.c | 3 +--
> include/linux/pagemap.h | 2 ++
> mm/filemap.c | 28 ++++++++++++++++++++++++++++
> 9 files changed, 56 insertions(+), 63 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index e3c76645cad7..23e6f614e000 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -9011,16 +9011,15 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto out_noreserve;
> }
>
> - ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
> again:
> lock_page(page);
> - size = i_size_read(inode);
>
> - if ((page->mapping != inode->i_mapping) ||
> - (page_start >= size)) {
> - /* page got truncated out from underneath us */
> + ret2 = page_mkwrite_check_truncate(page, inode);
> + if (ret2 < 0) {
> + ret = block_page_mkwrite_return(ret2);
> goto out_unlock;
> }
> + zero_start = ret2;
> wait_on_page_writeback(page);
>
> lock_extent_bits(io_tree, page_start, page_end, &cached_state);
> @@ -9041,6 +9040,7 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto again;
> }
>
> + size = i_size_read(inode);
> if (page->index == ((size - 1) >> PAGE_SHIFT)) {
> reserved_space = round_up(size - page_start,
> fs_info->sectorsize);
> @@ -9073,12 +9073,6 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> }
> ret2 = 0;
>
> - /* page is wholly or partially inside EOF */
> - if (page_start + PAGE_SIZE > size)
> - zero_start = offset_in_page(size);
> - else
> - zero_start = PAGE_SIZE;
> -
> if (zero_start != PAGE_SIZE) {
> kaddr = kmap(page);
> memset(kaddr + zero_start, 0, PAGE_SIZE - zero_start);
> diff --git a/fs/buffer.c b/fs/buffer.c
> index d8c7242426bb..53aabde57ca7 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -2499,23 +2499,13 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
> struct page *page = vmf->page;
> struct inode *inode = file_inode(vma->vm_file);
> unsigned long end;
> - loff_t size;
> int ret;
>
> lock_page(page);
> - size = i_size_read(inode);
> - if ((page->mapping != inode->i_mapping) ||
> - (page_offset(page) > size)) {
> - /* We overload EFAULT to mean page got truncated */
> - ret = -EFAULT;
> + ret = page_mkwrite_check_truncate(page, inode);
> + if (ret < 0)
> goto out_unlock;
> - }
> -
> - /* page is wholly or partially inside EOF */
> - if (((page->index + 1) << PAGE_SHIFT) > size)
> - end = size & ~PAGE_MASK;
> - else
> - end = PAGE_SIZE;
> + end = ret;
>
> ret = __block_write_begin(page, 0, end, get_block);
> if (!ret)
> diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
> index 7ab616601141..ef958aa4adb4 100644
> --- a/fs/ceph/addr.c
> +++ b/fs/ceph/addr.c
> @@ -1575,7 +1575,7 @@ static vm_fault_t ceph_page_mkwrite(struct vm_fault *vmf)
> do {
> lock_page(page);
>
> - if ((off > size) || (page->mapping != inode->i_mapping)) {
> + if (page_mkwrite_check_truncate(page, inode) < 0) {
> unlock_page(page);
> ret = VM_FAULT_NOPAGE;
> break;
You can add my Acked-by on the ceph part.
--
Jeff Layton <jlayton@kernel.org>
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Layton <jlayton@kernel.org>
To: Andreas Gruenbacher <agruenba@redhat.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
Christoph Hellwig <hch@infradead.org>,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-kernel@vger.kernel.org, Sage Weil <sage@redhat.com>,
Ilya Dryomov <idryomov@gmail.com>, Theodore Ts'o <tytso@mit.edu>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Jaegeuk Kim <jaegeuk@kernel.org>, Chao Yu <chao@kernel.org>,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
Richard Weinberger <richard@nod.at>,
Artem Bityutskiy <dedekind1@gmail.com>,
Adrian Hunter <adrian.hunter@intel.com>,
ceph-devel@vger.kernel.org, linux-ext4@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-mtd@lists.infradead.org, Chris Mason <clm@fb.com>,
Josef Bacik <josef@toxicpanda.com>,
David Sterba <dsterba@suse.com>, linux-btrfs@
Subject: Re: [PATCH v4] fs: Fix page_mkwrite off-by-one errors
Date: Thu, 09 Jan 2020 08:34:56 -0500 [thread overview]
Message-ID: <03e0e79fefcd9e7985a5defce5d5833d3175847a.camel@kernel.org> (raw)
In-Reply-To: <20200108131528.4279-1-agruenba@redhat.com>
On Wed, 2020-01-08 at 14:15 +0100, Andreas Gruenbacher wrote:
> Hi Darrick,
>
> here's an updated version with the latest feedback incorporated. Hope
> you find that useful.
>
> As far as the f2fs merge conflict goes, I've been told by Linus not to
> resolve those kinds of conflicts but to point them out when sending the
> merge request. So this shouldn't be a big deal.
>
> Changes:
>
> * Turn page_mkwrite_check_truncate into a non-inline function.
> * Get rid of now-unused mapping variable in ext4_page_mkwrite.
> * In btrfs_page_mkwrite, don't ignore the return value of
> block_page_mkwrite_return (no change in behavior).
> * Clean up the f2fs_vm_page_mkwrite changes as suggested by
> Jaegeuk Kim.
>
> Thanks,
> Andreas
>
> --
>
> The check in block_page_mkwrite that is meant to determine whether an
> offset is within the inode size is off by one. This bug has been copied
> into iomap_page_mkwrite and several filesystems (ubifs, ext4, f2fs,
> ceph).
>
> Fix that by introducing a new page_mkwrite_check_truncate helper that
> checks for truncate and computes the bytes in the page up to EOF. Use
> the helper in the above mentioned filesystems.
>
> In addition, use the new helper in btrfs as well.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
> Acked-by: David Sterba <dsterba@suse.com> (btrfs)
> Acked-by: Richard Weinberger <richard@nod.at> (ubifs)
> Acked-by: Theodore Ts'o <tytso@mit.edu> (ext4)
> Acked-by: Chao Yu <yuchao0@huawei.com> (f2fs)
> ---
> fs/btrfs/inode.c | 16 +++++-----------
> fs/buffer.c | 16 +++-------------
> fs/ceph/addr.c | 2 +-
> fs/ext4/inode.c | 15 ++++-----------
> fs/f2fs/file.c | 19 +++++++------------
> fs/iomap/buffered-io.c | 18 +++++-------------
> fs/ubifs/file.c | 3 +--
> include/linux/pagemap.h | 2 ++
> mm/filemap.c | 28 ++++++++++++++++++++++++++++
> 9 files changed, 56 insertions(+), 63 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index e3c76645cad7..23e6f614e000 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -9011,16 +9011,15 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto out_noreserve;
> }
>
> - ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
> again:
> lock_page(page);
> - size = i_size_read(inode);
>
> - if ((page->mapping != inode->i_mapping) ||
> - (page_start >= size)) {
> - /* page got truncated out from underneath us */
> + ret2 = page_mkwrite_check_truncate(page, inode);
> + if (ret2 < 0) {
> + ret = block_page_mkwrite_return(ret2);
> goto out_unlock;
> }
> + zero_start = ret2;
> wait_on_page_writeback(page);
>
> lock_extent_bits(io_tree, page_start, page_end, &cached_state);
> @@ -9041,6 +9040,7 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto again;
> }
>
> + size = i_size_read(inode);
> if (page->index == ((size - 1) >> PAGE_SHIFT)) {
> reserved_space = round_up(size - page_start,
> fs_info->sectorsize);
> @@ -9073,12 +9073,6 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> }
> ret2 = 0;
>
> - /* page is wholly or partially inside EOF */
> - if (page_start + PAGE_SIZE > size)
> - zero_start = offset_in_page(size);
> - else
> - zero_start = PAGE_SIZE;
> -
> if (zero_start != PAGE_SIZE) {
> kaddr = kmap(page);
> memset(kaddr + zero_start, 0, PAGE_SIZE - zero_start);
> diff --git a/fs/buffer.c b/fs/buffer.c
> index d8c7242426bb..53aabde57ca7 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -2499,23 +2499,13 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
> struct page *page = vmf->page;
> struct inode *inode = file_inode(vma->vm_file);
> unsigned long end;
> - loff_t size;
> int ret;
>
> lock_page(page);
> - size = i_size_read(inode);
> - if ((page->mapping != inode->i_mapping) ||
> - (page_offset(page) > size)) {
> - /* We overload EFAULT to mean page got truncated */
> - ret = -EFAULT;
> + ret = page_mkwrite_check_truncate(page, inode);
> + if (ret < 0)
> goto out_unlock;
> - }
> -
> - /* page is wholly or partially inside EOF */
> - if (((page->index + 1) << PAGE_SHIFT) > size)
> - end = size & ~PAGE_MASK;
> - else
> - end = PAGE_SIZE;
> + end = ret;
>
> ret = __block_write_begin(page, 0, end, get_block);
> if (!ret)
> diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
> index 7ab616601141..ef958aa4adb4 100644
> --- a/fs/ceph/addr.c
> +++ b/fs/ceph/addr.c
> @@ -1575,7 +1575,7 @@ static vm_fault_t ceph_page_mkwrite(struct vm_fault *vmf)
> do {
> lock_page(page);
>
> - if ((off > size) || (page->mapping != inode->i_mapping)) {
> + if (page_mkwrite_check_truncate(page, inode) < 0) {
> unlock_page(page);
> ret = VM_FAULT_NOPAGE;
> break;
You can add my Acked-by on the ceph part.
--
Jeff Layton <jlayton@kernel.org>
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Layton <jlayton@kernel.org>
To: Andreas Gruenbacher <agruenba@redhat.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Jan Kara <jack@suse.cz>, Adrian Hunter <adrian.hunter@intel.com>,
Chris Mason <clm@fb.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Sage Weil <sage@redhat.com>, Richard Weinberger <richard@nod.at>,
YueHaibing <yuehaibing@huawei.com>,
Christoph Hellwig <hch@infradead.org>,
Ilya Dryomov <idryomov@gmail.com>,
linux-ext4@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Josef Bacik <josef@toxicpanda.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
David Sterba <dsterba@suse.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
ceph-devel@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
Artem Bityutskiy <dedekind1@gmail.com>,
linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mtd@lists.infradead.org,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-btrfs@vger.kernel.org
Subject: Re: [f2fs-dev] [PATCH v4] fs: Fix page_mkwrite off-by-one errors
Date: Thu, 09 Jan 2020 08:34:56 -0500 [thread overview]
Message-ID: <03e0e79fefcd9e7985a5defce5d5833d3175847a.camel@kernel.org> (raw)
In-Reply-To: <20200108131528.4279-1-agruenba@redhat.com>
On Wed, 2020-01-08 at 14:15 +0100, Andreas Gruenbacher wrote:
> Hi Darrick,
>
> here's an updated version with the latest feedback incorporated. Hope
> you find that useful.
>
> As far as the f2fs merge conflict goes, I've been told by Linus not to
> resolve those kinds of conflicts but to point them out when sending the
> merge request. So this shouldn't be a big deal.
>
> Changes:
>
> * Turn page_mkwrite_check_truncate into a non-inline function.
> * Get rid of now-unused mapping variable in ext4_page_mkwrite.
> * In btrfs_page_mkwrite, don't ignore the return value of
> block_page_mkwrite_return (no change in behavior).
> * Clean up the f2fs_vm_page_mkwrite changes as suggested by
> Jaegeuk Kim.
>
> Thanks,
> Andreas
>
> --
>
> The check in block_page_mkwrite that is meant to determine whether an
> offset is within the inode size is off by one. This bug has been copied
> into iomap_page_mkwrite and several filesystems (ubifs, ext4, f2fs,
> ceph).
>
> Fix that by introducing a new page_mkwrite_check_truncate helper that
> checks for truncate and computes the bytes in the page up to EOF. Use
> the helper in the above mentioned filesystems.
>
> In addition, use the new helper in btrfs as well.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
> Acked-by: David Sterba <dsterba@suse.com> (btrfs)
> Acked-by: Richard Weinberger <richard@nod.at> (ubifs)
> Acked-by: Theodore Ts'o <tytso@mit.edu> (ext4)
> Acked-by: Chao Yu <yuchao0@huawei.com> (f2fs)
> ---
> fs/btrfs/inode.c | 16 +++++-----------
> fs/buffer.c | 16 +++-------------
> fs/ceph/addr.c | 2 +-
> fs/ext4/inode.c | 15 ++++-----------
> fs/f2fs/file.c | 19 +++++++------------
> fs/iomap/buffered-io.c | 18 +++++-------------
> fs/ubifs/file.c | 3 +--
> include/linux/pagemap.h | 2 ++
> mm/filemap.c | 28 ++++++++++++++++++++++++++++
> 9 files changed, 56 insertions(+), 63 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index e3c76645cad7..23e6f614e000 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -9011,16 +9011,15 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto out_noreserve;
> }
>
> - ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
> again:
> lock_page(page);
> - size = i_size_read(inode);
>
> - if ((page->mapping != inode->i_mapping) ||
> - (page_start >= size)) {
> - /* page got truncated out from underneath us */
> + ret2 = page_mkwrite_check_truncate(page, inode);
> + if (ret2 < 0) {
> + ret = block_page_mkwrite_return(ret2);
> goto out_unlock;
> }
> + zero_start = ret2;
> wait_on_page_writeback(page);
>
> lock_extent_bits(io_tree, page_start, page_end, &cached_state);
> @@ -9041,6 +9040,7 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto again;
> }
>
> + size = i_size_read(inode);
> if (page->index == ((size - 1) >> PAGE_SHIFT)) {
> reserved_space = round_up(size - page_start,
> fs_info->sectorsize);
> @@ -9073,12 +9073,6 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> }
> ret2 = 0;
>
> - /* page is wholly or partially inside EOF */
> - if (page_start + PAGE_SIZE > size)
> - zero_start = offset_in_page(size);
> - else
> - zero_start = PAGE_SIZE;
> -
> if (zero_start != PAGE_SIZE) {
> kaddr = kmap(page);
> memset(kaddr + zero_start, 0, PAGE_SIZE - zero_start);
> diff --git a/fs/buffer.c b/fs/buffer.c
> index d8c7242426bb..53aabde57ca7 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -2499,23 +2499,13 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
> struct page *page = vmf->page;
> struct inode *inode = file_inode(vma->vm_file);
> unsigned long end;
> - loff_t size;
> int ret;
>
> lock_page(page);
> - size = i_size_read(inode);
> - if ((page->mapping != inode->i_mapping) ||
> - (page_offset(page) > size)) {
> - /* We overload EFAULT to mean page got truncated */
> - ret = -EFAULT;
> + ret = page_mkwrite_check_truncate(page, inode);
> + if (ret < 0)
> goto out_unlock;
> - }
> -
> - /* page is wholly or partially inside EOF */
> - if (((page->index + 1) << PAGE_SHIFT) > size)
> - end = size & ~PAGE_MASK;
> - else
> - end = PAGE_SIZE;
> + end = ret;
>
> ret = __block_write_begin(page, 0, end, get_block);
> if (!ret)
> diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
> index 7ab616601141..ef958aa4adb4 100644
> --- a/fs/ceph/addr.c
> +++ b/fs/ceph/addr.c
> @@ -1575,7 +1575,7 @@ static vm_fault_t ceph_page_mkwrite(struct vm_fault *vmf)
> do {
> lock_page(page);
>
> - if ((off > size) || (page->mapping != inode->i_mapping)) {
> + if (page_mkwrite_check_truncate(page, inode) < 0) {
> unlock_page(page);
> ret = VM_FAULT_NOPAGE;
> break;
You can add my Acked-by on the ceph part.
--
Jeff Layton <jlayton@kernel.org>
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
WARNING: multiple messages have this Message-ID (diff)
From: Jeff Layton <jlayton@kernel.org>
To: Andreas Gruenbacher <agruenba@redhat.com>,
"Darrick J. Wong" <darrick.wong@oracle.com>
Cc: Jan Kara <jack@suse.cz>, Chao Yu <yuchao0@huawei.com>,
Adrian Hunter <adrian.hunter@intel.com>, Chris Mason <clm@fb.com>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Sage Weil <sage@redhat.com>, Richard Weinberger <richard@nod.at>,
YueHaibing <yuehaibing@huawei.com>,
Christoph Hellwig <hch@infradead.org>,
Ilya Dryomov <idryomov@gmail.com>,
linux-ext4@vger.kernel.org, Arnd Bergmann <arnd@arndb.de>,
Chao Yu <chao@kernel.org>, Josef Bacik <josef@toxicpanda.com>,
Alexander Viro <viro@zeniv.linux.org.uk>,
David Sterba <dsterba@suse.com>, Jaegeuk Kim <jaegeuk@kernel.org>,
ceph-devel@vger.kernel.org, Theodore Ts'o <tytso@mit.edu>,
Artem Bityutskiy <dedekind1@gmail.com>,
linux-kernel@vger.kernel.org,
linux-f2fs-devel@lists.sourceforge.net,
linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
linux-mtd@lists.infradead.org,
Linus Torvalds <torvalds@linux-foundation.org>,
linux-btrfs@vger.kernel.org
Subject: Re: [PATCH v4] fs: Fix page_mkwrite off-by-one errors
Date: Thu, 09 Jan 2020 08:34:56 -0500 [thread overview]
Message-ID: <03e0e79fefcd9e7985a5defce5d5833d3175847a.camel@kernel.org> (raw)
In-Reply-To: <20200108131528.4279-1-agruenba@redhat.com>
On Wed, 2020-01-08 at 14:15 +0100, Andreas Gruenbacher wrote:
> Hi Darrick,
>
> here's an updated version with the latest feedback incorporated. Hope
> you find that useful.
>
> As far as the f2fs merge conflict goes, I've been told by Linus not to
> resolve those kinds of conflicts but to point them out when sending the
> merge request. So this shouldn't be a big deal.
>
> Changes:
>
> * Turn page_mkwrite_check_truncate into a non-inline function.
> * Get rid of now-unused mapping variable in ext4_page_mkwrite.
> * In btrfs_page_mkwrite, don't ignore the return value of
> block_page_mkwrite_return (no change in behavior).
> * Clean up the f2fs_vm_page_mkwrite changes as suggested by
> Jaegeuk Kim.
>
> Thanks,
> Andreas
>
> --
>
> The check in block_page_mkwrite that is meant to determine whether an
> offset is within the inode size is off by one. This bug has been copied
> into iomap_page_mkwrite and several filesystems (ubifs, ext4, f2fs,
> ceph).
>
> Fix that by introducing a new page_mkwrite_check_truncate helper that
> checks for truncate and computes the bytes in the page up to EOF. Use
> the helper in the above mentioned filesystems.
>
> In addition, use the new helper in btrfs as well.
>
> Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
> Acked-by: David Sterba <dsterba@suse.com> (btrfs)
> Acked-by: Richard Weinberger <richard@nod.at> (ubifs)
> Acked-by: Theodore Ts'o <tytso@mit.edu> (ext4)
> Acked-by: Chao Yu <yuchao0@huawei.com> (f2fs)
> ---
> fs/btrfs/inode.c | 16 +++++-----------
> fs/buffer.c | 16 +++-------------
> fs/ceph/addr.c | 2 +-
> fs/ext4/inode.c | 15 ++++-----------
> fs/f2fs/file.c | 19 +++++++------------
> fs/iomap/buffered-io.c | 18 +++++-------------
> fs/ubifs/file.c | 3 +--
> include/linux/pagemap.h | 2 ++
> mm/filemap.c | 28 ++++++++++++++++++++++++++++
> 9 files changed, 56 insertions(+), 63 deletions(-)
>
> diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
> index e3c76645cad7..23e6f614e000 100644
> --- a/fs/btrfs/inode.c
> +++ b/fs/btrfs/inode.c
> @@ -9011,16 +9011,15 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto out_noreserve;
> }
>
> - ret = VM_FAULT_NOPAGE; /* make the VM retry the fault */
> again:
> lock_page(page);
> - size = i_size_read(inode);
>
> - if ((page->mapping != inode->i_mapping) ||
> - (page_start >= size)) {
> - /* page got truncated out from underneath us */
> + ret2 = page_mkwrite_check_truncate(page, inode);
> + if (ret2 < 0) {
> + ret = block_page_mkwrite_return(ret2);
> goto out_unlock;
> }
> + zero_start = ret2;
> wait_on_page_writeback(page);
>
> lock_extent_bits(io_tree, page_start, page_end, &cached_state);
> @@ -9041,6 +9040,7 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> goto again;
> }
>
> + size = i_size_read(inode);
> if (page->index == ((size - 1) >> PAGE_SHIFT)) {
> reserved_space = round_up(size - page_start,
> fs_info->sectorsize);
> @@ -9073,12 +9073,6 @@ vm_fault_t btrfs_page_mkwrite(struct vm_fault *vmf)
> }
> ret2 = 0;
>
> - /* page is wholly or partially inside EOF */
> - if (page_start + PAGE_SIZE > size)
> - zero_start = offset_in_page(size);
> - else
> - zero_start = PAGE_SIZE;
> -
> if (zero_start != PAGE_SIZE) {
> kaddr = kmap(page);
> memset(kaddr + zero_start, 0, PAGE_SIZE - zero_start);
> diff --git a/fs/buffer.c b/fs/buffer.c
> index d8c7242426bb..53aabde57ca7 100644
> --- a/fs/buffer.c
> +++ b/fs/buffer.c
> @@ -2499,23 +2499,13 @@ int block_page_mkwrite(struct vm_area_struct *vma, struct vm_fault *vmf,
> struct page *page = vmf->page;
> struct inode *inode = file_inode(vma->vm_file);
> unsigned long end;
> - loff_t size;
> int ret;
>
> lock_page(page);
> - size = i_size_read(inode);
> - if ((page->mapping != inode->i_mapping) ||
> - (page_offset(page) > size)) {
> - /* We overload EFAULT to mean page got truncated */
> - ret = -EFAULT;
> + ret = page_mkwrite_check_truncate(page, inode);
> + if (ret < 0)
> goto out_unlock;
> - }
> -
> - /* page is wholly or partially inside EOF */
> - if (((page->index + 1) << PAGE_SHIFT) > size)
> - end = size & ~PAGE_MASK;
> - else
> - end = PAGE_SIZE;
> + end = ret;
>
> ret = __block_write_begin(page, 0, end, get_block);
> if (!ret)
> diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
> index 7ab616601141..ef958aa4adb4 100644
> --- a/fs/ceph/addr.c
> +++ b/fs/ceph/addr.c
> @@ -1575,7 +1575,7 @@ static vm_fault_t ceph_page_mkwrite(struct vm_fault *vmf)
> do {
> lock_page(page);
>
> - if ((off > size) || (page->mapping != inode->i_mapping)) {
> + if (page_mkwrite_check_truncate(page, inode) < 0) {
> unlock_page(page);
> ret = VM_FAULT_NOPAGE;
> break;
You can add my Acked-by on the ceph part.
--
Jeff Layton <jlayton@kernel.org>
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2020-01-09 13:35 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-01-08 13:15 [PATCH v4] fs: Fix page_mkwrite off-by-one errors Andreas Gruenbacher
2020-01-08 13:15 ` Andreas Gruenbacher
2020-01-08 13:15 ` [f2fs-dev] " Andreas Gruenbacher
2020-01-08 13:15 ` Andreas Gruenbacher
2020-01-08 16:57 ` Christoph Hellwig
2020-01-08 16:57 ` Christoph Hellwig
2020-01-08 16:57 ` [f2fs-dev] " Christoph Hellwig
2020-01-08 16:57 ` Christoph Hellwig
2020-01-15 17:10 ` Darrick J. Wong
2020-01-15 17:10 ` Darrick J. Wong
2020-01-15 17:10 ` [f2fs-dev] " Darrick J. Wong
2020-01-15 17:10 ` Darrick J. Wong
2020-01-08 22:42 ` Jaegeuk Kim
2020-01-08 22:42 ` Jaegeuk Kim
2020-01-08 22:42 ` [f2fs-dev] " Jaegeuk Kim
2020-01-08 22:42 ` Jaegeuk Kim
2020-01-09 13:34 ` Jeff Layton [this message]
2020-01-09 13:34 ` Jeff Layton
2020-01-09 13:34 ` [f2fs-dev] " Jeff Layton
2020-01-09 13:34 ` Jeff Layton
2020-01-10 13:07 ` kbuild test robot
2020-01-10 13:54 ` kbuild test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=03e0e79fefcd9e7985a5defce5d5833d3175847a.camel@kernel.org \
--to=jlayton@kernel.org \
--cc=adilger.kernel@dilger.ca \
--cc=adrian.hunter@intel.com \
--cc=agruenba@redhat.com \
--cc=arnd@arndb.de \
--cc=ceph-devel@vger.kernel.org \
--cc=chao@kernel.org \
--cc=clm@fb.com \
--cc=darrick.wong@oracle.com \
--cc=dedekind1@gmail.com \
--cc=dsterba@suse.com \
--cc=hch@infradead.org \
--cc=idryomov@gmail.com \
--cc=jack@suse.cz \
--cc=jaegeuk@kernel.org \
--cc=josef@toxicpanda.com \
--cc=linux-btrfs@vger.kernel.org \
--cc=linux-ext4@vger.kernel.org \
--cc=linux-f2fs-devel@lists.sourceforge.net \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=linux-xfs@vger.kernel.org \
--cc=richard@nod.at \
--cc=sage@redhat.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=viro@zeniv.linux.org.uk \
--cc=yuchao0@huawei.com \
--cc=yuehaibing@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.