lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230320112038.3q2eqpv6xsmj22br@quack3>
Date:   Mon, 20 Mar 2023 12:20:38 +0100
From:   Jan Kara <jack@...e.cz>
To:     Zhihao Cheng <chengzhihao1@...wei.com>
Cc:     Jan Kara <jack@...e.cz>, tytso@....edu, adilger.kernel@...ger.ca,
        jack@...e.com, tudor.ambarus@...aro.org,
        linux-ext4@...r.kernel.org, linux-kernel@...r.kernel.org,
        yi.zhang@...wei.com
Subject: Re: [PATCH] ext4: Fix i_disksize exceeding i_size problem in
 paritally written case

On Sat 18-03-23 16:51:00, Zhihao Cheng wrote:
> > Hi, Jan
> > > On Fri 17-03-23 09:35:53, Zhihao Cheng wrote:
> > > > Following process makes i_disksize exceed i_size:
> > > > 
> > > > generic_perform_write
> > > >   copied = iov_iter_copy_from_user_atomic(len) // copied < len
> > > >   ext4_da_write_end
> > > >   | ext4_update_i_disksize
> > > >   |  new_i_size = pos + copied;
> > > >   |  WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize) // update i_disksize
> > > >   | generic_write_end
> > > >   |  copied = block_write_end(copied, len) // copied = 0
> > > >   |   if (unlikely(copied < len))
> > > >   |    if (!PageUptodate(page))
> > > >   |     copied = 0;
> > > >   |  if (pos + copied > inode->i_size) // return false
> > > >   if (unlikely(copied == 0))
> > > >    goto again;
> > > >   if (unlikely(iov_iter_fault_in_readable(i, bytes))) {
> > > >    status = -EFAULT;
> > > >    break;
> > > >   }
> > > > 
> > > > We get i_disksize greater than i_size here, which could trigger WARNING
> > > > check 'i_size_read(inode) < EXT4_I(inode)->i_disksize' while doing dio:
> > > > 
> > > > ext4_dio_write_iter
> > > >   iomap_dio_rw
> > > >    __iomap_dio_rw // return err, length is not aligned to 512
> > > >   ext4_handle_inode_extension
> > > >    WARN_ON_ONCE(i_size_read(inode) < EXT4_I(inode)->i_disksize) // Oops
> > > > 
> > > >   WARNING: CPU: 2 PID: 2609 at fs/ext4/file.c:319
> > > >   CPU: 2 PID: 2609 Comm: aa Not tainted 6.3.0-rc2
> > > >   RIP: 0010:ext4_file_write_iter+0xbc7
> > > >   Call Trace:
> > > >    vfs_write+0x3b1
> > > >    ksys_write+0x77
> > > >    do_syscall_64+0x39
> > > > 
> > > > Fix it by putting block_write_end() before i_disksize updating just
> > > > like ext4_write_end() does.
> > > > 
> > > > Fetch a reproducer in [Link].
> > > > 
> > > > Link: https://bugzilla.kernel.org/show_bug.cgi?id=217209
> > > > Fixes: 64769240bd07f ("ext4: Add delayed allocation support in
> > > > data=writeback mode")
> > > > Signed-off-by: Zhihao Cheng <chengzhihao1@...wei.com>
> > > 
> > > Good catch (although practically this will hardly have any negative
> > > effect). But rather than opencoding generic_write_end() I'd do:
> > > 
> > >          if (unlikely(copied < len) && !PageUptodate(page))
> > >                  copied = 0;
> > > 
> > > at the beginning of ext4_da_write_end() and that should solve these
> > > problems as well?
> > > 
> > 
> > Yes, your suggestion looks good, and I think we can put the checking
> > just after ext4_write_inline_data_end(Line 3150)? On the one hand, we
> > can pass original 'copied' value in trace_ext4_da_write_end(), one the
> > other hand, ext4_write_inline_data_end() already has this checking.
> > .
> 
> BTW, I want send another patch as follows:
> diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
> index bf0b7dea4900..570a687ae847 100644
> --- a/fs/ext4/inode.c
> +++ b/fs/ext4/inode.c
> @@ -3149,7 +3149,7 @@ static int ext4_da_write_end(struct file *file,
>                 return ext4_write_inline_data_end(inode, pos, len, copied,
> page);
> 
>         start = pos & (PAGE_SIZE - 1);
> -       end = start + copied - 1;
> +       end = start + (copied ? copied - 1 : copied);
> 
>         /*
>          * Since we are holding inode lock, we are sure i_disksize <=
> @@ -3167,7 +3167,7 @@ static int ext4_da_write_end(struct file *file,
>          * ext4_da_write_inline_data_end().
>          */
>         new_i_size = pos + copied;
> -       if (copied && new_i_size > inode->i_size &&
> +       if (new_i_size > inode->i_size &&
>             ext4_da_should_update_i_disksize(page, end))
>                 ext4_update_i_disksize(inode, new_i_size);
> 
> This modification handle unconsistent i_size and i_disksize imported by
> ea51d132dbf9 ("ext4: avoid hangs in ext4_da_should_update_i_disksize()").
> 
> Paritially written may display a fake inode size for user, for example:
> 
> 
> 
> i_disksize=1
> 
> generic_perform_write
> 
>  copied = iov_iter_copy_from_user_atomic(len) // copied = 0
> 
>  ext4_da_write_end // skip updating i_disksize
> 
>  generic_write_end
> 
>   if (pos + copied > inode->i_size) {  // 10 + 0 > 1, true
> 
>    i_size_write(inode, pos + copied);  // i_size = 10
> 
>   }
> 
> 
> 
>    0 1      10                4096
> 
>    |_|_______|_________..._____|
> 
>      |       |
> 
>     i_size  pos
> 
> 
> 
> Now, user see the i_size is 10 (i_disksize is still 1). After inode
> 
> destroyed, user will get the i_size is 1 read from disk.

OK, but shouldn't we rather change generic_write_end() to not increase
i_size if no write happened? Because that is what seems somewhat
problematic...

								Honza
-- 
Jan Kara <jack@...e.com>
SUSE Labs, CR

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ