lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20200114190057.GB7871@iweiny-DESK2.sc.intel.com>
Date:   Tue, 14 Jan 2020 11:00:57 -0800
From:   Ira Weiny <ira.weiny@...el.com>
To:     "Darrick J. Wong" <darrick.wong@...cle.com>
Cc:     linux-kernel@...r.kernel.org,
        Alexander Viro <viro@...iv.linux.org.uk>,
        Dan Williams <dan.j.williams@...el.com>,
        Dave Chinner <david@...morbit.com>,
        Christoph Hellwig <hch@....de>,
        "Theodore Y. Ts'o" <tytso@....edu>, Jan Kara <jack@...e.cz>,
        linux-ext4@...r.kernel.org, linux-xfs@...r.kernel.org,
        linux-fsdevel@...r.kernel.org
Subject: Re: [RFC PATCH V2 10/12] fs/xfs: Fix truncate up

On Mon, Jan 13, 2020 at 05:14:07PM -0800, Darrick J. Wong wrote:
> On Mon, Jan 13, 2020 at 04:40:47PM -0800, Ira Weiny wrote:
> > On Mon, Jan 13, 2020 at 02:27:55PM -0800, Darrick J. Wong wrote:
> > > On Fri, Jan 10, 2020 at 11:29:40AM -0800, ira.weiny@...el.com wrote:
> > > > From: Ira Weiny <ira.weiny@...el.com>
> > > > 
> > > > When zeroing the end of a file we must account for bytes contained in
> > > > the final page which are past EOF.
> > > > 
> > > > Extend the range passed to iomap_zero_range() to reach LLONG_MAX which
> > > > will include all bytes of the final page.
> > > > 
> > > > Signed-off-by: Ira Weiny <ira.weiny@...el.com>
> > > > ---
> > > >  fs/xfs/xfs_iops.c | 2 +-
> > > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > > 
> > > > diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
> > > > index a2f2604c3187..a34b04e8ac9c 100644
> > > > --- a/fs/xfs/xfs_iops.c
> > > > +++ b/fs/xfs/xfs_iops.c
> > > > @@ -910,7 +910,7 @@ xfs_setattr_size(
> > > >  	 */
> > > >  	if (newsize > oldsize) {
> > > >  		trace_xfs_zero_eof(ip, oldsize, newsize - oldsize);
> > > > -		error = iomap_zero_range(inode, oldsize, newsize - oldsize,
> > > > +		error = iomap_zero_range(inode, oldsize, LLONG_MAX - oldsize,
> > > 
> > > Huh?  Won't this cause the file size to be set to LLONG_MAX?
> > 
> > Not as I understand the code.
> 
> iomap_zero_range uses the standard iomap_write_{begin,end} functions,
> which means that if you pass it an (offset, length) that extend beyond
> EOF it will change isize to offset+length.

I don't see that but I'll take your word for it...  That is unfortunate because
I would have thought that the full page would have been zero'ed by something
already.

I found code in xfs_free_file_space() with this comment:

        /*
         * If we zeroed right up to EOF and EOF straddles a page boundary we
         * must make sure that the post-EOF area is also zeroed because the
         * page could be mmap'd and iomap_zero_range doesn't do that for us.
         * Writeback of the eof page will do this, albeit clumsily.
         */

But that just calls filemap_write_and_wait_range()...  :-/

> 
> > But as I said in the cover I am not 100% sure of
> > this fix.
> 
> > From what I can tell xfs_ioctl_setattr_dax_invalidate() should invalidate the
> > mappings and the page cache and the traces I have indicate that the DAX mode
> > is not changing or was properly held off.
> 
> Hmm, that implies the invalidation didn't work.  Can you find a way to
> report the contents of the page cache after the dax mode change
> invalidation fails?  I wonder if this is something dorky like rounding
> down such that the EOF page doesn't actually get invalidated?
> 
> Hmm, no, xfs_ioctl_setattr_dax_invalidate should be nuking all the
> pages... do you have a quick reproducer?

I thought I did...

What I have done is take this patch:

https://www.spinics.net/lists/fstests/msg13313.html

and put [run_fsx ""] in a loop... (diff below) And without this truncate fix
patch it was failing in about 5 - 10 iterations.  But I'm running it right now
and it has gone for 30+...  :-(

I am 90% confident that this series works for 100% of the use cases we have.  I
think this is an existing bug which I've just managed to find.  And again I'm
not comfortable with this patch either.  So I'm not trying to argue for it but
I just don't know what could be wrong...

Ira

diff --git a/tests/generic/999 b/tests/generic/999
index 6dd5529dbc65..929c20c6db04 100755
--- a/tests/generic/999
+++ b/tests/generic/999
@@ -274,7 +274,9 @@ function run_fsx {
        pid=""
 }
 
-run_fsx ""
+while [ 1 ]; do
+       run_fsx ""
+done
 run_fsx "-A"
 run_fsx "-Z -r 4096 -w 4096"

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ