From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Amir Goldstein <amir73il@gmail.com>
Cc: Dave Chinner <david@fromorbit.com>, linux-xfs <linux-xfs@vger.kernel.org>, linux-fsdevel <linux-fsdevel@vger.kernel.org>, Linux Btrfs <linux-btrfs@vger.kernel.org>, ocfs2-devel@oss.oracle.com, Eric Sandeen <sandeen@redhat.com>
Subject: Re: [PATCH 06/15] vfs: strengthen checking of file range inputs to clone/dedupe range
Date: Fri, 5 Oct 2018 10:36:07 -0700
Message-ID: <20181005173607.GW19324@magnolia>
In-Reply-To: <CAOQ4uxiVPvNPxTNZ-njeyte6yk3jo3tjNKv78kS9NqA_Xzxc6g@mail.gmail.com>

On Fri, Oct 05, 2018 at 09:10:12AM +0300, Amir Goldstein wrote:
> On Fri, Oct 5, 2018 at 3:46 AM Darrick J. Wong <darrick.wong@oracle.com> wrote:
> >
> > From: Darrick J. Wong <darrick.wong@oracle.com>
> >
> > Clone range is an optimization on a regular file write. File writes
> > that extend the file length are subject to various constraints which are
> > not checked by clonerange. This is a correctness problem, because we're
> > never allowed to touch ranges that the page cache can't support
> > (s_maxbytes); we're not supposed to deal with large offsets
> > (MAX_NON_LFS) if O_LARGEFILE isn't set; and we must obey resource limits
> > (RLIMIT_FSIZE).
> >
> > Therefore, add these checks to the new generic_clone_checks function so
> > that we curtail unexpected behavior.
> >
> > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
> > ---
> > mm/filemap.c | 31 +++++++++++++++++++++++++++++++
> > 1 file changed, 31 insertions(+)
> >
> >
> > diff --git a/mm/filemap.c b/mm/filemap.c > > index 68ec91d05c7b..f74391721234 100644 > > --- a/mm/filemap.c > > +++ b/mm/filemap.c
> > @@ -3015,6 +3015,37 @@ int generic_clone_checks(struct file *file_in, loff_t pos_in, > > return -EINVAL; > > count = min(count, size_in - (uint64_t)pos_in); > > > > + /* Don't exceed RLMIT_FSIZE in the file we're writing into. */ > > + if (limit != RLIM_INFINITY) { > > + if (pos_out >= limit) { > > + send_sig(SIGXFSZ, current, 0); > > + return -EFBIG; > > + } > > + count = min(count, limit - (uint64_t)pos_out); > > + } > > + > > + /* Don't exceed the LFS limits. */ > > + if (unlikely(pos_out + count > MAX_NON_LFS && > > + !(file_out->f_flags & O_LARGEFILE))) { > > + if (pos_out >= MAX_NON_LFS) > > + return -EFBIG; > > + count = min(count, MAX_NON_LFS - (uint64_t)pos_out); > > + } > > + if (unlikely(pos_in + count > MAX_NON_LFS && > > + !(file_in->f_flags & O_LARGEFILE))) { > > + if (pos_in >= MAX_NON_LFS) > > + return -EFBIG; > > + count = min(count, MAX_NON_LFS - (uint64_t)pos_in); > > + } > > + > > + /* Don't operate on ranges the page cache doesn't support. */ > > + if (unlikely(pos_out >= inode_out->i_sb->s_maxbytes || > > + pos_in >= inode_in->i_sb->s_maxbytes)) > > + return -EFBIG; > > +
>
> Forget my standards, this doesn't abide by your own standards ;-)
> Please factor out generic_write_checks() and use it instead of
> duplicating the code. The in/out variant doesn't justify not calling
> the helper twice IMO.

Factor generic_write_checks and generic_clone_checks how? They operate
on very different parameter types.

Or were you suggesting refactoring just the "Don't exceed LFS limits"
and "Don't operate on ranges the page cache..." sections of
generic_clone_checks to reduce copy paste? That I'll do.

--D

>
> Thanks,
> Amir.
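
Review bot: the last check in the hunk, against s_maxbytes, only rejects a starting offset at or beyond the limit and never trims count, so pos_out + count (or pos_in + count) can still extend past s_maxbytes, while the RLIMIT_FSIZE and LFS blocks above it each clamp count with min(). Consider clamping here as well, for example count = min(count, inode_out->i_sb->s_maxbytes - (uint64_t)pos_out), with the matching line for pos_in and inode_in. Because the three blocks run in sequence and each may shrink count, the ordering deserves a short comment noting that later checks see the already-trimmed value. Separately, the first added comment spells the limit "RLMIT_FSIZE"; it should read RLIMIT_FSIZE.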