mmap and FUSE on 32bit systems

mmap and FUSE on 32bit systems

[Antonio SJ Musumeci]

I had a user of my FUSE based filesystem report corruption while using
an app which used mmap for file IO on a Raspberry Pi 3B. Files would
be corrupted only if greater than 4GB. I replicated the behavior with
a simple test app[0] on a RPi2 using the latest Raspbian (Linux
raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l
GNU/Linux) and i686 Debian 9 in a VM (Linux debian 4.9.0-8-686 #1 SMP
Debian 4.9.144-3.1 (2019-02-19) i686 GNU/Linux).

What appears to happen is that after the offset reaches (st_size &
0xFFFFFFFF) bytes the FUSE server no longer receives write requests
for modified pages. If the file size is exactly 4GB it won't ever
receive a write. Reads still come in for all addresses and there are
no errors on the client's side.

Easiest way to reproduce is probably the following:

$ sudo apt install mergerfs
$ mkdir /tmp/mergerfs
$ sudo mergerfs -d -o allow_other,default_permissions ~/ /tmp/mergerfs
$ # in another shell
$ cd /tmp
$ wget https://gist.githubusercontent.com/trapexit/82187c6a74a3df66753caa74df8c8232/raw/47bb6f1085ca847c15c7c31a57f822c3b72ed982/mmap-test.c
$ gcc -D_FILE_OFFSET_BITS=64 -o mmap-test mmap-test.c
$ cd mergerfs
$ ../mmap-test 8
offset: 0x0
offset: 0x20000
offset: 0x40000
offset: 0x60000
offset: 0x80000
offset: 0xa0000
offset: 0xc0000
offset: 0xe0000
$ hexdump test.img
0000000 ffff ffff ffff ffff ffff ffff ffff ffff
*
0020000 0000 0000 0000 0000 0000 0000 0000 0000
*
100020000

In the mergerfs terminal you'll see libfuse debug info which should
include reads (and initially some writes).

[0] https://gist.githubusercontent.com/trapexit/82187c6a74a3df66753caa74df8c8232/raw/47bb6f1085ca847c15c7c31a57f822c3b72ed982/mmap-test.c

Re: mmap and FUSE on 32bit systems

[Miklos Szeredi]

[-- Attachment #1: Type: text/plain, Size: 1201 bytes --]

On Tue, Apr 9, 2019 at 12:01 AM Antonio SJ Musumeci <trapexit@spawn.link> wrote:
>
> I had a user of my FUSE based filesystem report corruption while using
> an app which used mmap for file IO on a Raspberry Pi 3B. Files would
> be corrupted only if greater than 4GB. I replicated the behavior with
> a simple test app[0] on a RPi2 using the latest Raspbian (Linux
> raspberrypi 4.14.98-v7+ #1200 SMP Tue Feb 12 20:27:48 GMT 2019 armv7l
> GNU/Linux) and i686 Debian 9 in a VM (Linux debian 4.9.0-8-686 #1 SMP
> Debian 4.9.144-3.1 (2019-02-19) i686 GNU/Linux).
>
> What appears to happen is that after the offset reaches (st_size &
> 0xFFFFFFFF) bytes the FUSE server no longer receives write requests
> for modified pages. If the file size is exactly 4GB it won't ever
> receive a write. Reads still come in for all addresses and there are
> no errors on the client's side.

Hi,

Thanks for the report.

The attached patch almost certainly should fix this, but I've not
tested due to the extra effort needed for 32bit kernel testing.

If you can easily test it, than that would be good, otherwise I'll
just queue the patch as being obviously correct and likely fixing the
bug as well.

Thanks,
Miklos

[-- Attachment #2: fuse-fix-writepages-on-32bit.patch --]
[-- Type: text/x-patch, Size: 949 bytes --]

From: Miklos Szeredi <mszeredi@redhat.com>
Subject: fuse: fix writepages on 32bit

Writepage requests were cropped to i_size & 0xffffffff, which meant that
mmaped writes to any file larger than 4G might be silently discarded.

Fix by storing the file size in a properly sized variable (loff_t instead
of size_t).

Reported-by: Antonio SJ Musumeci <trapexit@spawn.link>
Fixes: 6eaf4782eb09 ("fuse: writepages: crop secondary requests")
Cc: <stable@vger.kernel.org> # v3.13
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
---
 fs/fuse/file.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1586,7 +1586,7 @@ __acquires(fi->lock)
 {
 	struct fuse_conn *fc = get_fuse_conn(inode);
 	struct fuse_inode *fi = get_fuse_inode(inode);
-	size_t crop = i_size_read(inode);
+	loff_t crop = i_size_read(inode);
 	struct fuse_req *req;
 
 	while (fi->writectr >= 0 && !list_empty(&fi->queued_writes)) {

Re: mmap and FUSE on 32bit systems

[Antonio SJ Musumeci]

On Wed, Apr 17, 2019 at 9:30 AM Miklos Szeredi <miklos@szeredi.hu> wrote:
> If you can easily test it, than that would be good, otherwise I'll
> just queue the patch as being obviously correct and likely fixing the
> bug as well.

Thanks. I'll try to test it this evening.

Re: mmap and FUSE on 32bit systems

[Antonio SJ Musumeci]

On Wed, Apr 17, 2019 at 1:53 PM Antonio SJ Musumeci <trapexit@spawn.link> wrote:
>
> On Wed, Apr 17, 2019 at 9:30 AM Miklos Szeredi <miklos@szeredi.hu> wrote:
> > If you can easily test it, than that would be good, otherwise I'll
> > just queue the patch as being obviously correct and likely fixing the
> > bug as well.
>
> Thanks. I'll try to test it this evening.

That was it. Seems to be working fine now. Thanks.