* [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
@ 2023-03-22 11:11 Shiyang Ruan
2023-03-22 23:03 ` Andrew Morton
0 siblings, 1 reply; 11+ messages in thread
From: Shiyang Ruan @ 2023-03-22 11:11 UTC (permalink / raw)
To: linux-fsdevel, nvdimm; +Cc: dan.j.williams, willy, jack, akpm, djwong
unshare copies data from source to destination. But if the source is
HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
result will be unexpectable.
Fixes: d984648e428b ("fsdax,xfs: port unshare to fsdax")
Signed-off-by: Shiyang Ruan <ruansy.fnst@fujitsu.com>
---
fs/dax.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/dax.c b/fs/dax.c
index 9800b93ee14d..5d2e9b10030e 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -1258,15 +1258,20 @@ static s64 dax_unshare_iter(struct iomap_iter *iter)
/* don't bother with blocks that are not shared to start with */
if (!(iomap->flags & IOMAP_F_SHARED))
return length;
- /* don't bother with holes or unwritten extents */
- if (srcmap->type == IOMAP_HOLE || srcmap->type == IOMAP_UNWRITTEN)
- return length;
id = dax_read_lock();
ret = dax_iomap_direct_access(iomap, pos, length, &daddr, NULL);
if (ret < 0)
goto out_unlock;
+ /* zero the distance if srcmap is HOLE or UNWRITTEN */
+ if (srcmap->flags & IOMAP_F_SHARED || srcmap->type == IOMAP_UNWRITTEN) {
+ memset(daddr, 0, length);
+ dax_flush(iomap->dax_dev, daddr, length);
+ ret = length;
+ goto out_unlock;
+ }
+
ret = dax_iomap_direct_access(srcmap, pos, length, &saddr, NULL);
if (ret < 0)
goto out_unlock;
--
2.39.2
^ permalink raw reply related [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-22 11:11 [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN Shiyang Ruan
@ 2023-03-22 23:03 ` Andrew Morton
2023-03-23 6:50 ` Shiyang Ruan
0 siblings, 1 reply; 11+ messages in thread
From: Andrew Morton @ 2023-03-22 23:03 UTC (permalink / raw)
To: Shiyang Ruan; +Cc: linux-fsdevel, nvdimm, dan.j.williams, willy, jack, djwong
On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> unshare copies data from source to destination. But if the source is
> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
> result will be unexpectable.
Please provide much more detail on the user-visible effects of the bug.
For example, are we leaking kernel memory contents to userspace?
Thanks.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-22 23:03 ` Andrew Morton
@ 2023-03-23 6:50 ` Shiyang Ruan
2023-03-23 14:59 ` Darrick J. Wong
2023-03-23 22:11 ` Andrew Morton
0 siblings, 2 replies; 11+ messages in thread
From: Shiyang Ruan @ 2023-03-23 6:50 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-fsdevel, nvdimm, dan.j.williams, willy, jack, djwong
在 2023/3/23 7:03, Andrew Morton 写道:
> On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>
>> unshare copies data from source to destination. But if the source is
>> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
>> result will be unexpectable.
>
> Please provide much more detail on the user-visible effects of the bug.
> For example, are we leaking kernel memory contents to userspace?
This fixes fail of generic/649.
--
Thanks,
Ruan.
>
> Thanks.
>
>
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-23 6:50 ` Shiyang Ruan
@ 2023-03-23 14:59 ` Darrick J. Wong
2023-03-23 22:11 ` Andrew Morton
1 sibling, 0 replies; 11+ messages in thread
From: Darrick J. Wong @ 2023-03-23 14:59 UTC (permalink / raw)
To: Shiyang Ruan
Cc: Andrew Morton, linux-fsdevel, nvdimm, dan.j.williams, willy, jack
On Thu, Mar 23, 2023 at 02:50:38PM +0800, Shiyang Ruan wrote:
>
>
> 在 2023/3/23 7:03, Andrew Morton 写道:
> > On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> >
> > > unshare copies data from source to destination. But if the source is
> > > HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
> > > result will be unexpectable.
> >
> > Please provide much more detail on the user-visible effects of the bug.
> > For example, are we leaking kernel memory contents to userspace?
>
> This fixes fail of generic/649.
Please make a note of easy(ish) reproducers when you know about them,
e.g.
"Found by running generic/649 while mounting with -o dax=always on
pmem."
So that anyone scanning around for fix backports has an easier time
doing an A/B comparison to assess whether or not they need the fix.
Especially if there's any chance that person is you circa 2024. ;)
--D
>
> --
> Thanks,
> Ruan.
>
> >
> > Thanks.
> >
> >
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-23 6:50 ` Shiyang Ruan
2023-03-23 14:59 ` Darrick J. Wong
@ 2023-03-23 22:11 ` Andrew Morton
2023-03-24 1:50 ` Shiyang Ruan
1 sibling, 1 reply; 11+ messages in thread
From: Andrew Morton @ 2023-03-23 22:11 UTC (permalink / raw)
To: Shiyang Ruan; +Cc: linux-fsdevel, nvdimm, dan.j.williams, willy, jack, djwong
On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>
>
> 在 2023/3/23 7:03, Andrew Morton 写道:
> > On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> >
> >> unshare copies data from source to destination. But if the source is
> >> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
> >> result will be unexpectable.
> >
> > Please provide much more detail on the user-visible effects of the bug.
> > For example, are we leaking kernel memory contents to userspace?
>
> This fixes fail of generic/649.
OK, but this doesn't really help. I'm trying to determine whether this
fix should be backported into -stable kernels and whether it should be
fast-tracked into Linus's current -rc tree.
But to determine this I (and others) need to know what effect the bug
has upon our users.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-23 22:11 ` Andrew Morton
@ 2023-03-24 1:50 ` Shiyang Ruan
2023-03-24 3:33 ` Matthew Wilcox
0 siblings, 1 reply; 11+ messages in thread
From: Shiyang Ruan @ 2023-03-24 1:50 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-fsdevel, nvdimm, dan.j.williams, willy, jack, djwong
在 2023/3/24 6:11, Andrew Morton 写道:
> On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>
>>
>>
>> 在 2023/3/23 7:03, Andrew Morton 写道:
>>> On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>>>
>>>> unshare copies data from source to destination. But if the source is
>>>> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
>>>> result will be unexpectable.
>>>
>>> Please provide much more detail on the user-visible effects of the bug.
>>> For example, are we leaking kernel memory contents to userspace?
>>
>> This fixes fail of generic/649.
>
> OK, but this doesn't really help. I'm trying to determine whether this
> fix should be backported into -stable kernels and whether it should be
> fast-tracked into Linus's current -rc tree.
>
> But to determine this I (and others) need to know what effect the bug
> has upon our users.
I didn't get any bug report form users. I just found this by running
xfstests. The phenomenon of this problem is: if we funshare a reflinked
file which contains HOLE extents, the result of the HOLE extents should
be zero but actually not (unexpectable data).
The other patch also has no reports from users.
--
Thanks,
Ruan.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-24 1:50 ` Shiyang Ruan
@ 2023-03-24 3:33 ` Matthew Wilcox
2023-03-24 3:42 ` Shiyang Ruan
0 siblings, 1 reply; 11+ messages in thread
From: Matthew Wilcox @ 2023-03-24 3:33 UTC (permalink / raw)
To: Shiyang Ruan
Cc: Andrew Morton, linux-fsdevel, nvdimm, dan.j.williams, jack, djwong
On Fri, Mar 24, 2023 at 09:50:54AM +0800, Shiyang Ruan wrote:
>
>
> 在 2023/3/24 6:11, Andrew Morton 写道:
> > On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> >
> > >
> > >
> > > 在 2023/3/23 7:03, Andrew Morton 写道:
> > > > On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> > > >
> > > > > unshare copies data from source to destination. But if the source is
> > > > > HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
> > > > > result will be unexpectable.
> > > >
> > > > Please provide much more detail on the user-visible effects of the bug.
> > > > For example, are we leaking kernel memory contents to userspace?
> > >
> > > This fixes fail of generic/649.
> >
> > OK, but this doesn't really help. I'm trying to determine whether this
> > fix should be backported into -stable kernels and whether it should be
> > fast-tracked into Linus's current -rc tree.
> >
> > But to determine this I (and others) need to know what effect the bug
> > has upon our users.
>
> I didn't get any bug report form users. I just found this by running
> xfstests. The phenomenon of this problem is: if we funshare a reflinked
> file which contains HOLE extents, the result of the HOLE extents should be
> zero but actually not (unexpectable data).
You still aren't answering the question. If this did happen to a user,
what would they see in the file? Random data? Something somebody else
wrote some time ago? A copy of /etc/passwd, perhaps? A copy of your
credit card number?
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-24 3:33 ` Matthew Wilcox
@ 2023-03-24 3:42 ` Shiyang Ruan
2023-03-24 4:17 ` Matthew Wilcox
0 siblings, 1 reply; 11+ messages in thread
From: Shiyang Ruan @ 2023-03-24 3:42 UTC (permalink / raw)
To: Matthew Wilcox, Andrew Morton
Cc: linux-fsdevel, nvdimm, dan.j.williams, jack, djwong
在 2023/3/24 11:33, Matthew Wilcox 写道:
> On Fri, Mar 24, 2023 at 09:50:54AM +0800, Shiyang Ruan wrote:
>>
>>
>> 在 2023/3/24 6:11, Andrew Morton 写道:
>>> On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>>>
>>>>
>>>>
>>>> 在 2023/3/23 7:03, Andrew Morton 写道:
>>>>> On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>>>>>
>>>>>> unshare copies data from source to destination. But if the source is
>>>>>> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
>>>>>> result will be unexpectable.
>>>>>
>>>>> Please provide much more detail on the user-visible effects of the bug.
>>>>> For example, are we leaking kernel memory contents to userspace?
>>>>
>>>> This fixes fail of generic/649.
>>>
>>> OK, but this doesn't really help. I'm trying to determine whether this
>>> fix should be backported into -stable kernels and whether it should be
>>> fast-tracked into Linus's current -rc tree.
>>>
>>> But to determine this I (and others) need to know what effect the bug
>>> has upon our users.
>>
>> I didn't get any bug report form users. I just found this by running
>> xfstests. The phenomenon of this problem is: if we funshare a reflinked
>> file which contains HOLE extents, the result of the HOLE extents should be
>> zero but actually not (unexpectable data).
>
> You still aren't answering the question. If this did happen to a user,
> what would they see in the file? Random data? Something somebody else
> wrote some time ago? A copy of /etc/passwd, perhaps? A copy of your
> credit card number?
Ok. If this happenned to a user, the HOLE or UNWRITTEN part will be old
data of the new allocated extent because it didn't be cleared.
--
Thanks,
Ruan.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-24 3:42 ` Shiyang Ruan
@ 2023-03-24 4:17 ` Matthew Wilcox
2023-03-24 4:28 ` Shiyang Ruan
0 siblings, 1 reply; 11+ messages in thread
From: Matthew Wilcox @ 2023-03-24 4:17 UTC (permalink / raw)
To: Shiyang Ruan
Cc: Andrew Morton, linux-fsdevel, nvdimm, dan.j.williams, jack, djwong
On Fri, Mar 24, 2023 at 11:42:53AM +0800, Shiyang Ruan wrote:
>
>
> 在 2023/3/24 11:33, Matthew Wilcox 写道:
> > On Fri, Mar 24, 2023 at 09:50:54AM +0800, Shiyang Ruan wrote:
> > >
> > >
> > > 在 2023/3/24 6:11, Andrew Morton 写道:
> > > > On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> > > >
> > > > >
> > > > >
> > > > > 在 2023/3/23 7:03, Andrew Morton 写道:
> > > > > > On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> > > > > >
> > > > > > > unshare copies data from source to destination. But if the source is
> > > > > > > HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
> > > > > > > result will be unexpectable.
> > > > > >
> > > > > > Please provide much more detail on the user-visible effects of the bug.
> > > > > > For example, are we leaking kernel memory contents to userspace?
> > > > >
> > > > > This fixes fail of generic/649.
> > > >
> > > > OK, but this doesn't really help. I'm trying to determine whether this
> > > > fix should be backported into -stable kernels and whether it should be
> > > > fast-tracked into Linus's current -rc tree.
> > > >
> > > > But to determine this I (and others) need to know what effect the bug
> > > > has upon our users.
> > >
> > > I didn't get any bug report form users. I just found this by running
> > > xfstests. The phenomenon of this problem is: if we funshare a reflinked
> > > file which contains HOLE extents, the result of the HOLE extents should be
> > > zero but actually not (unexpectable data).
> >
> > You still aren't answering the question. If this did happen to a user,
> > what would they see in the file? Random data? Something somebody else
> > wrote some time ago? A copy of /etc/passwd, perhaps? A copy of your
> > credit card number?
>
> Ok. If this happenned to a user, the HOLE or UNWRITTEN part will be old
> data of the new allocated extent because it didn't be cleared.
ie it's the data that was in whatever file happened to use that space
last, so this is a security bug because it's a data leak, and a backport
is needed, and you should have indicated that by putting a cc: stable
tag on the patch?
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-24 4:17 ` Matthew Wilcox
@ 2023-03-24 4:28 ` Shiyang Ruan
2023-03-24 20:44 ` Andrew Morton
0 siblings, 1 reply; 11+ messages in thread
From: Shiyang Ruan @ 2023-03-24 4:28 UTC (permalink / raw)
To: Matthew Wilcox, Andrew Morton
Cc: linux-fsdevel, nvdimm, dan.j.williams, jack, djwong
在 2023/3/24 12:17, Matthew Wilcox 写道:
> On Fri, Mar 24, 2023 at 11:42:53AM +0800, Shiyang Ruan wrote:
>>
>>
>> 在 2023/3/24 11:33, Matthew Wilcox 写道:
>>> On Fri, Mar 24, 2023 at 09:50:54AM +0800, Shiyang Ruan wrote:
>>>>
>>>>
>>>> 在 2023/3/24 6:11, Andrew Morton 写道:
>>>>> On Thu, 23 Mar 2023 14:50:38 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>>>>>
>>>>>>
>>>>>>
>>>>>> 在 2023/3/23 7:03, Andrew Morton 写道:
>>>>>>> On Wed, 22 Mar 2023 11:11:09 +0000 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
>>>>>>>
>>>>>>>> unshare copies data from source to destination. But if the source is
>>>>>>>> HOLE or UNWRITTEN extents, we should zero the destination, otherwise the
>>>>>>>> result will be unexpectable.
>>>>>>>
>>>>>>> Please provide much more detail on the user-visible effects of the bug.
>>>>>>> For example, are we leaking kernel memory contents to userspace?
>>>>>>
>>>>>> This fixes fail of generic/649.
>>>>>
>>>>> OK, but this doesn't really help. I'm trying to determine whether this
>>>>> fix should be backported into -stable kernels and whether it should be
>>>>> fast-tracked into Linus's current -rc tree.
>>>>>
>>>>> But to determine this I (and others) need to know what effect the bug
>>>>> has upon our users.
>>>>
>>>> I didn't get any bug report form users. I just found this by running
>>>> xfstests. The phenomenon of this problem is: if we funshare a reflinked
>>>> file which contains HOLE extents, the result of the HOLE extents should be
>>>> zero but actually not (unexpectable data).
>>>
>>> You still aren't answering the question. If this did happen to a user,
>>> what would they see in the file? Random data? Something somebody else
>>> wrote some time ago? A copy of /etc/passwd, perhaps? A copy of your
>>> credit card number?
>>
>> Ok. If this happenned to a user, the HOLE or UNWRITTEN part will be old
>> data of the new allocated extent because it didn't be cleared.
>
> ie it's the data that was in whatever file happened to use that space
> last, so this is a security bug because it's a data leak, and a backport
> is needed, and you should have indicated that by putting a cc: stable
> tag on the patch?
Yes, cc stable is needed. Then should I send a new patch with the tag
added?
--
Thanks,
Ruan.
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN
2023-03-24 4:28 ` Shiyang Ruan
@ 2023-03-24 20:44 ` Andrew Morton
0 siblings, 0 replies; 11+ messages in thread
From: Andrew Morton @ 2023-03-24 20:44 UTC (permalink / raw)
To: Shiyang Ruan
Cc: Matthew Wilcox, linux-fsdevel, nvdimm, dan.j.williams, jack, djwong
On Fri, 24 Mar 2023 12:28:07 +0800 Shiyang Ruan <ruansy.fnst@fujitsu.com> wrote:
> > ie it's the data that was in whatever file happened to use that space
> > last, so this is a security bug because it's a data leak, and a backport
> > is needed, and you should have indicated that by putting a cc: stable
> > tag on the patch?
>
> Yes, cc stable is needed. Then should I send a new patch with the tag
> added?
Thanks. I updated the changelog and added cc:stable.
: unshare copies data from source to destination. But if the source is
: HOLE or UNWRITTEN extents, we should zero the destination, otherwise
: the HOLE or UNWRITTEN part will be user-visible old data of the new
: allocated extent because it wasn't cleared.
:
: Found by running generic/649 while mounting with -o dax=always on pmem.
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2023-03-24 20:44 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-03-22 11:11 [PATCH] fsdax: unshare: zero destination if srcmap is HOLE or UNWRITTEN Shiyang Ruan
2023-03-22 23:03 ` Andrew Morton
2023-03-23 6:50 ` Shiyang Ruan
2023-03-23 14:59 ` Darrick J. Wong
2023-03-23 22:11 ` Andrew Morton
2023-03-24 1:50 ` Shiyang Ruan
2023-03-24 3:33 ` Matthew Wilcox
2023-03-24 3:42 ` Shiyang Ruan
2023-03-24 4:17 ` Matthew Wilcox
2023-03-24 4:28 ` Shiyang Ruan
2023-03-24 20:44 ` Andrew Morton
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.