Message ID | 20230321013721.89818-1-chengzhihao1@huawei.com |
---|---|
State | New |
Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org> Delivered-To: ouuuleilei@gmail.com Received: by 2002:a5d:604a:0:0:0:0:0 with SMTP id j10csp1538007wrt; Mon, 20 Mar 2023 18:52:15 -0700 (PDT) X-Google-Smtp-Source: AK7set86rAAlP1bfwnNvXmlw5q57oAP0LNM/o4nGLkmhF+uM8S+7097SRMRjtCQDc+S3jmxJUhD4 X-Received: by 2002:a05:6a20:c754:b0:da:6dd4:84a2 with SMTP id hj20-20020a056a20c75400b000da6dd484a2mr557149pzb.13.1679363534732; Mon, 20 Mar 2023 18:52:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1679363534; cv=none; d=google.com; s=arc-20160816; b=zARpMg7mIIK8GV6Sf7aukG8AdpP/CB0CnRTNC/R0R9BW5wTzssOvYAIJs66POrcXcv 2KGhPTgD196YS2HI0RGRjnS5opqVqr+bYEofpr7wnfnyxOb4zl0C54L4Xb2B3F91eGRA QlIlXzFFIPAQkIFp6cJqvQs1u/ElWulhQCuLBTq+rU3R7xJsmCPBl/RaDv+ZqPVUpUGX ZGcKM5qe9GtAJFfGHi/Bc1jpE+oHuLguHOXXZCc+BxEYZnJQGe3Ay1t5fLOTK9k3SAWz XMoOsDsaUZuQHmwfIqgPNGehzp6TilenGt7+ephmusbJKi/J4PO7RywZwNfA5thzo22J XM6A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=X0FdOxeMUZy+tGqGRHykeV74Zc0tSFrD6ZamNbFyqlg=; b=BfNXQDOVmtAzPzDhHSAUkvdhpkrfJilijh+epFkcc9d7V0slmiBmY1ZZiYJFZp+YCm O8ppVpUnBRipZLJuazaWcI8Ll8JbYdJIzKOPtzr5eAZ4kSNYuvkisufUX8oe3UR4pv3q g1NG226xe3FNzRWHTZbSkhxToXNqnbRnX8s6mJGXbj2vzhcsyFra6uqXN7PLjG7eAI1N q7JKdFkBBIftyemzLRFBggxNPJQ1rNFuYSFPfPcPX3z2Hm4MNAMxSefLLvIc7axODMQF kQ8nASGCpG0avfyTgKDivM1uA/D8oXHiUeIopofmaoLossBfcoklny6V/Etx0vD+l0aJ DInw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id x24-20020a63db58000000b0050c0549c4c8si11569863pgi.441.2023.03.20.18.51.59; Mon, 20 Mar 2023 18:52:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229889AbjCUBiX (ORCPT <rfc822;pusanteemu@gmail.com> + 99 others); Mon, 20 Mar 2023 21:38:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48040 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229755AbjCUBiV (ORCPT <rfc822;linux-kernel@vger.kernel.org>); Mon, 20 Mar 2023 21:38:21 -0400 Received: from szxga03-in.huawei.com (szxga03-in.huawei.com [45.249.212.189]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1E0A1BB94; Mon, 20 Mar 2023 18:38:18 -0700 (PDT) Received: from kwepemm600013.china.huawei.com (unknown [172.30.72.54]) by szxga03-in.huawei.com (SkyGuard) with ESMTP id 4PgZ443Zc8z9thY; Tue, 21 Mar 2023 09:37:56 +0800 (CST) Received: from huawei.com (10.175.127.227) by kwepemm600013.china.huawei.com (7.193.23.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.21; Tue, 21 Mar 2023 09:38:16 +0800 From: Zhihao Cheng <chengzhihao1@huawei.com> To: <tytso@mit.edu>, <adilger.kernel@dilger.ca>, <jack@suse.com>, <tudor.ambarus@linaro.org> CC: <linux-ext4@vger.kernel.org>, <linux-kernel@vger.kernel.org>, <chengzhihao1@huawei.com>, <yi.zhang@huawei.com> Subject: [PATCH v2] ext4: Fix i_disksize exceeding i_size problem in paritally written case Date: Tue, 21 Mar 2023 09:37:21 +0800 Message-ID: <20230321013721.89818-1-chengzhihao1@huawei.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-ClientProxiedBy: dggems703-chm.china.huawei.com (10.3.19.180) To kwepemm600013.china.huawei.com (7.193.23.68) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: <linux-kernel.vger.kernel.org> X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1760940297666488200?= X-GMAIL-MSGID: =?utf-8?q?1760940297666488200?= |
Series |
[v2] ext4: Fix i_disksize exceeding i_size problem in paritally written case
|
|
Commit Message
Zhihao Cheng
March 21, 2023, 1:37 a.m. UTC
Following process makes i_disksize exceed i_size:
generic_perform_write
copied = iov_iter_copy_from_user_atomic(len) // copied < len
ext4_da_write_end
| ext4_update_i_disksize
| new_i_size = pos + copied;
| WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
| generic_write_end
| copied = block_write_end(copied, len) // copied = 0
| if (unlikely(copied < len))
| if (!PageUptodate(page))
| copied = 0;
| if (pos + copied > inode->i_size) // return false
if (unlikely(copied == 0))
goto again;
if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
status = -EFAULT;
break;
}
We get i_disksize greater than i_size here, which could trigger WARNING
check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:
ext4_dio_write_iter
iomap_dio_rw
__iomap_dio_rw // return err, length is not aligned to 512
ext4_handle_inode_extension
WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops
WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319
CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2
RIP: 0010:ext4_file_write_iter+0xbc7
Call Trace:
vfs_write+0x3b1
ksys_write+0x77
do_syscall_64+0x39
Fix it by updating 'copied' value before updating i_disksize just like
ext4_write_inline_data_end() does.
Fetch a reproducer in [Link].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209
Fixes: 64769240bd07 ("ext4: Add delayed allocation support in data=writeback mode")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
---
v1->v2: Check and update 'copied' value before updating i_disksize rather
than opencoding generic_write_end().
fs/ext4/inode.c | 3 +++
1 file changed, 3 insertions(+)
Comments
On Tue 21-03-23 09:37:21, Zhihao Cheng wrote: > Following process makes i_disksize exceed i_size: > > generic_perform_write > copied = iov_iter_copy_from_user_atomic(len) // copied < len > ext4_da_write_end > | ext4_update_i_disksize > | new_i_size = pos + copied; > | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize > | generic_write_end > | copied = block_write_end(copied, len) // copied = 0 > | if (unlikely(copied < len)) > | if (!PageUptodate(page)) > | copied = 0; > | if (pos + copied > inode->i_size) // return false > if (unlikely(copied == 0)) > goto again; > if (unlikely(iov_iter_fault_in_readable(i, bytes))) { > status = -EFAULT; > break; > } > > We get i_disksize greater than i_size here, which could trigger WARNING > check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio: > > ext4_dio_write_iter > iomap_dio_rw > __iomap_dio_rw // return err, length is not aligned to 512 > ext4_handle_inode_extension > WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops > > WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319 > CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2 > RIP: 0010:ext4_file_write_iter+0xbc7 > Call Trace: > vfs_write+0x3b1 > ksys_write+0x77 > do_syscall_64+0x39 > > Fix it by updating 'copied' value before updating i_disksize just like > ext4_write_inline_data_end() does. > > Fetch a reproducer in [Link]. > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209 > Fixes: 64769240bd07 ("ext4: Add delayed allocation support in data=writeback mode") > Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com> Looks good to me. Feel free to add: Reviewed-by: Jan Kara <jack@suse.cz> Honza > --- > v1->v2: Check and update 'copied' value before updating i_disksize rather > than opencoding generic_write_end(). > fs/ext4/inode.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c > index bf0b7dea4900..41ba1c432844 100644 > --- a/fs/ext4/inode.c > +++ b/fs/ext4/inode.c > @@ -3148,6 +3148,9 @@ static int ext4_da_write_end(struct file *file, > ext4_has_inline_data(inode)) > return ext4_write_inline_data_end(inode, pos, len, copied, page); > > + if (unlikely(copied < len) && !PageUptodate(page)) > + copied = 0; > + > start = pos & (PAGE_SIZE - 1); > end = start + copied - 1; > > -- > 2.31.1 >
On Tue, 21 Mar 2023 09:37:21 +0800, Zhihao Cheng wrote: > Following process makes i_disksize exceed i_size: > > generic_perform_write > copied = iov_iter_copy_from_user_atomic(len) // copied < len > ext4_da_write_end > | ext4_update_i_disksize > | new_i_size = pos + copied; > | WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize > | generic_write_end > | copied = block_write_end(copied, len) // copied = 0 > | if (unlikely(copied < len)) > | if (!PageUptodate(page)) > | copied = 0; > | if (pos + copied > inode->i_size) // return false > if (unlikely(copied == 0)) > goto again; > if (unlikely(iov_iter_fault_in_readable(i, bytes))) { > status = -EFAULT; > break; > } > > [...] Applied, thanks! [1/1] ext4: Fix i_disksize exceeding i_size problem in paritally written case commit: 1dedde690303c05ef732b7c5c8356fdf60a4ade3 Best regards,
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index bf0b7dea4900..41ba1c432844 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -3148,6 +3148,9 @@ static int ext4_da_write_end(struct file *file, ext4_has_inline_data(inode)) return ext4_write_inline_data_end(inode, pos, len, copied, page); + if (unlikely(copied < len) && !PageUptodate(page)) + copied = 0; + start = pos & (PAGE_SIZE - 1); end = start + copied - 1;