| Message ID | 20230529152645.32680-1-lhenriques@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:994d:0:b0:3d9:f83d:47d9 with SMTP id k13csp1600819vqr;
Mon, 29 May 2023 08:35:46 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ5pG19YdbTq988XEgjgkRgsz3ST6R6rSHvitNtcP4ttwHd12T9LeNZX1HgZuWnHuD3u/TY+
X-Received: by 2002:a17:902:b204:b0:1af:b97c:2353 with SMTP id
t4-20020a170902b20400b001afb97c2353mr10520096plr.15.1685374546215;
Mon, 29 May 2023 08:35:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1685374546; cv=none;
d=google.com; s=arc-20160816;
b=Sd9mh9sErdfrCiPbez2rWR0CwUtniBrNWi6L4XoT4oCqRuzJgMd6Py9TTysUdvEg69
0ydKX0EwdE3BBR3cUngoaF42iNKGnpueGFj2rkJVR04xbqlOFQzdVpOLc8mBzjfM4U0d
wu17ZORnvrJneAda8ganXAVSCXIfoPQTT007Sa58OtNkeL0w4bNyXeidD0M4cevj38Tf
B5di7N6CJZ+Y97zBN4BOs2YU074pVCucagJOu8+Nkmw0Um11hFzGEMk/rEEOQq/vpJ7I
+9Fs8WIaVvMzVm2v1RB2foztxs2+yt9Ratm9pvIaSuF8az9FhB6BI2VjaZ915j9Lzd0M
bnfg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature:dkim-signature;
bh=9LThTdNc3l0TTfcqKHMZIFh55bGZbjKiI/0a+5Ltvg0=;
b=Tjs56m+PoucTkNKkC4lYtuIgY9TCV8BvEc9nD9wVepa/hJQVWohrhnezJCHd0JC1xe
/dk7qEsReHlsXaFwi56lQxVfsDwy0jtP0yyA4lvMZYbvmzN9qXyVZQp5qmOo+BczhvVi
LfuUK1453aiOxc01dQ0yIQmOEgypfEknZ9vq0v1iywmYgzf+Qhj/SBXtWUhOpqxKOGPu
4JEyC954AUFKdAEUC6pn47PN26l5iikzrnxfPMowBEZ/k6IKarbD46Y3Qzdh90IAFB9S
uT4LQThRNY7gpW4x8VmZQ98U7g9Io/SObypc4uYfcwdY8YNdy/yRt88t3Wbmh+IF6Avg
yW0w==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Kw3Hx4Cw;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
j9-20020a170903024900b001ac528e3f1bsi10127358plh.154.2023.05.29.08.35.31;
Mon, 29 May 2023 08:35:46 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=Kw3Hx4Cw;
dkim=neutral (no key) header.i=@suse.de;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S229875AbjE2P0x (ORCPT <rfc822;zhuangel570@gmail.com>
+ 99 others); Mon, 29 May 2023 11:26:53 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59116 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S229790AbjE2P0w (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 29 May 2023 11:26:52 -0400
Received: from smtp-out1.suse.de (smtp-out1.suse.de
[IPv6:2001:67c:2178:6::1c])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DACAC9
for <linux-kernel@vger.kernel.org>;
Mon, 29 May 2023 08:26:48 -0700 (PDT)
Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de
[192.168.254.73])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out1.suse.de (Postfix) with ESMTPS id C3E0321A87;
Mon, 29 May 2023 15:26:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1685374006;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=9LThTdNc3l0TTfcqKHMZIFh55bGZbjKiI/0a+5Ltvg0=;
b=Kw3Hx4Cw+ZLE4wLRr0B8J/5bebN+MgZiyXz0l64lvJWZKfXbfET9SGYyeKxwuTRMW3jHMg
w5aVMp3s85avm5mAvvfRkNJY7M3mIn8uOg8AQ6Fex031QYbhbl7eQh3HDlbxcWNX21XhcO
VjpivPLoYAgB6qYPfMHP5iIjqrfF4Gc=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1685374006;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:content-type:content-type:
content-transfer-encoding:content-transfer-encoding;
bh=9LThTdNc3l0TTfcqKHMZIFh55bGZbjKiI/0a+5Ltvg0=;
b=B6ic1MO724bMQ4Ipm8jiEo4Uw9SO23DnqV1lKHbwVuf3A3nsbgK8pM/MfqY/xC1gZz2T2P
6KvrMhcXHeOSGgCQ==
Received: from imap1.suse-dmz.suse.de (imap1.suse-dmz.suse.de
[192.168.254.73])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap1.suse-dmz.suse.de (Postfix) with ESMTPS id 3CB31134BC;
Mon, 29 May 2023 15:26:46 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap1.suse-dmz.suse.de with ESMTPSA
id Abn3CjbEdGToAQAAGKfGzw
(envelope-from <lhenriques@suse.de>); Mon, 29 May 2023 15:26:46 +0000
Received: from localhost (brahms.olymp [local])
by brahms.olymp (OpenSMTPD) with ESMTPA id 757b2d04;
Mon, 29 May 2023 15:26:45 +0000 (UTC)
From: =?utf-8?q?Lu=C3=ADs_Henriques?= <lhenriques@suse.de>
To: Mark Fasheh <mark@fasheh.com>, Joel Becker <jlbec@evilplan.org>,
Joseph Qi <joseph.qi@linux.alibaba.com>,
Heming Zhao <heming.zhao@suse.com>
Cc: ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org, =?utf-8?q?Lu?=
=?utf-8?q?=C3=ADs_Henriques?= <lhenriques@suse.de>
Subject: [PATCH] ocfs2: check new file size on fallocate call
Date: Mon, 29 May 2023 16:26:45 +0100
Message-Id: <20230529152645.32680-1-lhenriques@suse.de>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1767243300335453301?=
X-GMAIL-MSGID: =?utf-8?q?1767243300335453301?=
|
| Series |
ocfs2: check new file size on fallocate call
|
|
Commit Message
Luis Henriques
May 29, 2023, 3:26 p.m. UTC
When changing a file size with fallocate() the new size isn't being
checked. In particular, the FSIZE ulimit isn't being checked, which makes
fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes
this issue.
Signed-off-by: Luís Henriques <lhenriques@suse.de>
---
fs/ocfs2/file.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
Comments
On Mon, May 29, 2023 at 8:26 AM Luís Henriques <lhenriques@suse.de> wrote: > > When changing a file size with fallocate() the new size isn't being > checked. In particular, the FSIZE ulimit isn't being checked, which makes > fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes > this issue. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> Looks good, thanks Luis. Reviewed-by: Mark Fasheh <mark@fasheh.com>
On 5/29/23 11:26 PM, Luís Henriques wrote: > When changing a file size with fallocate() the new size isn't being > checked. In particular, the FSIZE ulimit isn't being checked, which makes > fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes > this issue. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> > --- > fs/ocfs2/file.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c > index efb09de4343d..b173c36bcab3 100644 > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, > struct ocfs2_space_resv sr; > int change_size = 1; > int cmd = OCFS2_IOC_RESVSP64; > + int ret = 0; > > if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) > return -EOPNOTSUPP; This means we only support keep-size and pouch_hole. And it seems pouch_hole will also imply keep-size. > if (!ocfs2_writes_unwritten_extents(osb)) > return -EOPNOTSUPP; > > - if (mode & FALLOC_FL_KEEP_SIZE) > + if (mode & FALLOC_FL_KEEP_SIZE) { > change_size = 0; > + } else { Seems this will be a dead branch? Thanks, Joseph > + ret = inode_newsize_ok(inode, offset + len); > + if (ret) > + return ret; > + } > > if (mode & FALLOC_FL_PUNCH_HOLE) > cmd = OCFS2_IOC_UNRESVSP64;
Joseph Qi <joseph.qi@linux.alibaba.com> writes: > On 5/29/23 11:26 PM, Luís Henriques wrote: >> When changing a file size with fallocate() the new size isn't being >> checked. In particular, the FSIZE ulimit isn't being checked, which makes >> fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes >> this issue. >> >> Signed-off-by: Luís Henriques <lhenriques@suse.de> >> --- >> fs/ocfs2/file.c | 8 +++++++- >> 1 file changed, 7 insertions(+), 1 deletion(-) >> >> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c >> index efb09de4343d..b173c36bcab3 100644 >> --- a/fs/ocfs2/file.c >> +++ b/fs/ocfs2/file.c >> @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, >> struct ocfs2_space_resv sr; >> int change_size = 1; >> int cmd = OCFS2_IOC_RESVSP64; >> + int ret = 0; >> >> if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) >> return -EOPNOTSUPP; > > This means we only support keep-size and pouch_hole. > And it seems pouch_hole will also imply keep-size. I think you're forgetting about mode = 0, which is also valid. And the default '0' will allow size to be changed. >> if (!ocfs2_writes_unwritten_extents(osb)) >> return -EOPNOTSUPP; >> >> - if (mode & FALLOC_FL_KEEP_SIZE) >> + if (mode & FALLOC_FL_KEEP_SIZE) { >> change_size = 0; >> + } else { > > Seems this will be a dead branch? Again, you need to consider '0' as a valid mode value. If you run generic/228 without this patch you'll see that test failing because it *does* hit this branch. Cheers,
On 5/31/23 4:29 PM, Luís Henriques wrote: > Joseph Qi <joseph.qi@linux.alibaba.com> writes: > >> On 5/29/23 11:26 PM, Luís Henriques wrote: >>> When changing a file size with fallocate() the new size isn't being >>> checked. In particular, the FSIZE ulimit isn't being checked, which makes >>> fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes >>> this issue. >>> >>> Signed-off-by: Luís Henriques <lhenriques@suse.de> >>> --- >>> fs/ocfs2/file.c | 8 +++++++- >>> 1 file changed, 7 insertions(+), 1 deletion(-) >>> >>> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c >>> index efb09de4343d..b173c36bcab3 100644 >>> --- a/fs/ocfs2/file.c >>> +++ b/fs/ocfs2/file.c >>> @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, >>> struct ocfs2_space_resv sr; >>> int change_size = 1; >>> int cmd = OCFS2_IOC_RESVSP64; >>> + int ret = 0; >>> >>> if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) >>> return -EOPNOTSUPP; >> >> This means we only support keep-size and pouch_hole. >> And it seems pouch_hole will also imply keep-size. > > I think you're forgetting about mode = 0, which is also valid. And the > default '0' will allow size to be changed. > Oops... You are right. >>> if (!ocfs2_writes_unwritten_extents(osb)) >>> return -EOPNOTSUPP; >>> >>> - if (mode & FALLOC_FL_KEEP_SIZE) >>> + if (mode & FALLOC_FL_KEEP_SIZE) { >>> change_size = 0; >>> + } else { >> >> Seems this will be a dead branch? > > Again, you need to consider '0' as a valid mode value. If you run > generic/228 without this patch you'll see that test failing because it > *does* hit this branch. > > Cheers,
On 5/29/23 11:26 PM, Luís Henriques wrote: > When changing a file size with fallocate() the new size isn't being > checked. In particular, the FSIZE ulimit isn't being checked, which makes > fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes > this issue. > > Signed-off-by: Luís Henriques <lhenriques@suse.de> Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com> > --- > fs/ocfs2/file.c | 8 +++++++- > 1 file changed, 7 insertions(+), 1 deletion(-) > > diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c > index efb09de4343d..b173c36bcab3 100644 > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, > struct ocfs2_space_resv sr; > int change_size = 1; > int cmd = OCFS2_IOC_RESVSP64; > + int ret = 0; > > if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) > return -EOPNOTSUPP; > if (!ocfs2_writes_unwritten_extents(osb)) > return -EOPNOTSUPP; > > - if (mode & FALLOC_FL_KEEP_SIZE) > + if (mode & FALLOC_FL_KEEP_SIZE) { > change_size = 0; > + } else { > + ret = inode_newsize_ok(inode, offset + len); > + if (ret) > + return ret; > + } > > if (mode & FALLOC_FL_PUNCH_HOLE) > cmd = OCFS2_IOC_UNRESVSP64;
On Mon, 29 May 2023 16:26:45 +0100 Luís Henriques via Ocfs2-devel <ocfs2-devel@oss.oracle.com> wrote: > When changing a file size with fallocate() the new size isn't being > checked. In particular, the FSIZE ulimit isn't being checked, which makes > fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes > this issue. > > ... > > --- a/fs/ocfs2/file.c > +++ b/fs/ocfs2/file.c > @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, > struct ocfs2_space_resv sr; > int change_size = 1; > int cmd = OCFS2_IOC_RESVSP64; > + int ret = 0; > > if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) > return -EOPNOTSUPP; > if (!ocfs2_writes_unwritten_extents(osb)) > return -EOPNOTSUPP; > > - if (mode & FALLOC_FL_KEEP_SIZE) > + if (mode & FALLOC_FL_KEEP_SIZE) { > change_size = 0; > + } else { > + ret = inode_newsize_ok(inode, offset + len); > + if (ret) > + return ret; > + } > So userspace can exceed rlimit(RLIMIT_FSIZE). Do we think this flaw is serious enough to justify backporting the fix into earlier -stable kernels?
On 6/1/23 6:11 AM, Andrew Morton wrote: > On Mon, 29 May 2023 16:26:45 +0100 Luís Henriques via Ocfs2-devel <ocfs2-devel@oss.oracle.com> wrote: > >> When changing a file size with fallocate() the new size isn't being >> checked. In particular, the FSIZE ulimit isn't being checked, which makes >> fstest generic/228 fail. Simply adding a call to inode_newsize_ok() fixes >> this issue. >> >> ... >> >> --- a/fs/ocfs2/file.c >> +++ b/fs/ocfs2/file.c >> @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, >> struct ocfs2_space_resv sr; >> int change_size = 1; >> int cmd = OCFS2_IOC_RESVSP64; >> + int ret = 0; >> >> if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) >> return -EOPNOTSUPP; >> if (!ocfs2_writes_unwritten_extents(osb)) >> return -EOPNOTSUPP; >> >> - if (mode & FALLOC_FL_KEEP_SIZE) >> + if (mode & FALLOC_FL_KEEP_SIZE) { >> change_size = 0; >> + } else { >> + ret = inode_newsize_ok(inode, offset + len); >> + if (ret) >> + return ret; >> + } >> > > So userspace can exceed rlimit(RLIMIT_FSIZE). > > Do we think this flaw is serious enough to justify backporting the fix > into earlier -stable kernels? I think it's worth ccing stable kernel as well. Thanks, Joseph
diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c index efb09de4343d..b173c36bcab3 100644 --- a/fs/ocfs2/file.c +++ b/fs/ocfs2/file.c @@ -2100,14 +2100,20 @@ static long ocfs2_fallocate(struct file *file, int mode, loff_t offset, struct ocfs2_space_resv sr; int change_size = 1; int cmd = OCFS2_IOC_RESVSP64; + int ret = 0; if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE)) return -EOPNOTSUPP; if (!ocfs2_writes_unwritten_extents(osb)) return -EOPNOTSUPP; - if (mode & FALLOC_FL_KEEP_SIZE) + if (mode & FALLOC_FL_KEEP_SIZE) { change_size = 0; + } else { + ret = inode_newsize_ok(inode, offset + len); + if (ret) + return ret; + } if (mode & FALLOC_FL_PUNCH_HOLE) cmd = OCFS2_IOC_UNRESVSP64;