lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <71990726-c677-34df-d29b-a0fec1a6f68c@huawei.com>
Date:   Sat, 18 Mar 2023 16:51:00 +0800
From:   Zhihao Cheng <chengzhihao1@...wei.com>
To:     Jan Kara <jack@...e.cz>
CC:     <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.com>,
        <tudor.ambarus@...aro.org>, <linux-ext4@...r.kernel.org>,
        <linux-kernel@...r.kernel.org>, <yi.zhang@...wei.com>
Subject: Re: [PATCH] ext4: Fix i_disksize exceeding i_size problem in
 paritally written case

> Hi, Jan
>> On Fri 17-03-23 09:35:53, Zhihao Cheng wrote:
>>> Following process makes i_disksize exceed i_size:
>>>
>>> generic_perform_write
>>>   copied = iov_iter_copy_from_user_atomic(len) // copied < len
>>>   ext4_da_write_end
>>>   | ext4_update_i_disksize
>>>   |  new_i_size = pos + copied;
>>>   |  WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
>>>   | generic_write_end
>>>   |  copied = block_write_end(copied, len) // copied = 0
>>>   |   if (unlikely(copied < len))
>>>   |    if (!PageUptodate(page))
>>>   |     copied = 0;
>>>   |  if (pos + copied > inode->i_size) // return false
>>>   if (unlikely(copied == 0))
>>>    goto again;
>>>   if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
>>>    status = -EFAULT;
>>>    break;
>>>   }
>>>
>>> We get i_disksize greater than i_size here, which could trigger WARNING
>>> check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:
>>>
>>> ext4_dio_write_iter
>>>   iomap_dio_rw
>>>    __iomap_dio_rw // return err, length is not aligned to 512
>>>   ext4_handle_inode_extension
>>>    WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops
>>>
>>>   WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319
>>>   CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2
>>>   RIP: 0010:ext4_file_write_iter+0xbc7
>>>   Call Trace:
>>>    vfs_write+0x3b1
>>>    ksys_write+0x77
>>>    do_syscall_64+0x39
>>>
>>> Fix it by putting block_write_end() before i_disksize updating just
>>> like ext4_write_end() does.
>>>
>>> Fetch a reproducer in [Link].
>>>
>>> Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209
>>> Fixes: 64769240bd07f ("ext4: Add delayed allocation support in 
>>> data=writeback mode")
>>> Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
>>
>> Good catch (although practically this will hardly have any negative
>> effect). But rather than opencoding generic_write_end() I'd do:
>>
>>          if (unlikely(copied < len) && !PageUptodate(page))
>>                  copied = 0;
>>
>> at the beginning of ext4_da_write_end() and that should solve these
>> problems as well?
>>
> 
> Yes, your suggestion looks good, and I think we can put the checking 
> just after ext4_write_inline_data_end(Line 3150)? On the one hand, we 
> can pass original 'copied' value in trace_ext4_da_write_end(), one the 
> other hand, ext4_write_inline_data_end() already has this checking.
> .

BTW, I want send another patch as follows:
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index bf0b7dea4900..570a687ae847 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -3149,7 +3149,7 @@ static int ext4_da_write_end(struct file *file,
                 return ext4_write_inline_data_end(inode, pos, len, 
copied, page);

         start = pos & (PAGE_SIZE - 1);
-       end = start + copied - 1;
+       end = start + (copied ? copied - 1 : copied);

         /*
          * Since we are holding inode lock, we are sure i_disksize <=
@@ -3167,7 +3167,7 @@ static int ext4_da_write_end(struct file *file,
          * ext4_da_write_inline_data_end().
          */
         new_i_size = pos + copied;
-       if (copied && new_i_size > inode->i_size &&
+       if (new_i_size > inode->i_size &&
             ext4_da_should_update_i_disksize(page, end))
                 ext4_update_i_disksize(inode, new_i_size);

This modification handle unconsistent i_size and i_disksize imported by 
ea51d132dbf9 ("ext4: avoid hangs in ext4_da_should_update_i_disksize()").

Paritially written may display a fake inode size for user, for example: 

 

i_disksize=1 

generic_perform_write 

  copied = iov_iter_copy_from_user_atomic(len) // copied = 0 

  ext4_da_write_end // skip updating i_disksize 

  generic_write_end 

   if (pos + copied > inode->i_size) {  // 10 + 0 > 1, true 

    i_size_write(inode, pos + copied);  // i_size = 10 

   } 

 

    0 1      10                4096 

    |_|_______|_________..._____| 

      |       | 

     i_size  pos 

 

Now, user see the i_size is 10 (i_disksize is still 1). After inode 

destroyed, user will get the i_size is 1 read from disk.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ