Received: by 2002:a25:7ec1:0:0:0:0:0 with SMTP id z184csp5984288ybc;
        Wed, 27 Nov 2019 12:54:29 -0800 (PST)
X-Google-Smtp-Source: APXvYqyAMaU8ERPVVcj/fbNw2CX3j8f74Y+r9oOolI24dnP3EF3BcYKZWov7V6hwZIDVehGQ3Kk9
X-Received: by 2002:a17:906:601:: with SMTP id s1mr51807954ejb.287.1574888069271;
        Wed, 27 Nov 2019 12:54:29 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1574888069; cv=none;
        d=google.com; s=arc-20160816;
        b=fbaUdoyTTtrMVwBLxctYoTDrNH5+BMpzhUCQHReEgsX6PqjpQWXjgLMX3DZY+yq1AL
         eYo3THPJjcuCxSVw1jdoH1nrSuF9xofFcVQwqwskkTsUFHsP/E85YZ/eM5iOM3aV7z+/
         +wPMl+pQ2+zO3IJoiYYXuGTaE/VIRqTgRTnXRQ+oKeHd8I9evqM3lg4yxDe0ZzXkgcWC
         2EGAALHU8jLct6FrUtaCzW4q2vUgElduK3MsU8T7FXPf9NWwc0wb/MNVXF8ibdbA7BNp
         oizln0TivSw4xJ7vtSKKBp+S9q2xOdA4rS15lSjPxeD7Q+PiXw7889E3fK3g4QPv2TNh
         YaqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=dykMt0uJnJW0F0UxLTkOqd4jy8YcKvgpGmg1DZtnKQc=;
        b=f6k6NQhQvmqo9U/6YsX/swJ+s+fT3GWHw1HIogR472R/NWwTWZUBuOcAbF0KuJqxe6
         Y7a4PnDQzCVbjacGYKufOBbPc+Py5zPrynv1Nni3fGj9CWDV9AdVCYOg7um2cDDdaTiO
         5k4U+uWNryaRt0KNaOJj4c3JNlOuuhA7ethAMMg3cVzuw55yxX+oqFHFwruS+ywBnJD6
         ZrMEXLTt5u+omLBLXLZ14OYiOjw+GqyTUYKm7HyxPacPR4ebVJFApDI6hO8ZUEBRhwAR
         3u5UlNa8YcIRi5Xl4DEqhlzTkV0OW25cC38FCncMc+QFrPo1K6SnTldXht5Klw4odH0z
         a7uw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=UaKCYUwo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 4si13483915edc.4.2019.11.27.12.54.05;
        Wed, 27 Nov 2019 12:54:29 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=UaKCYUwo;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729914AbfK0UuL (ORCPT <rfc822;lunatang2017@gmail.com>
        + 99 others); Wed, 27 Nov 2019 15:50:11 -0500
Received: from mail.kernel.org ([198.145.29.99]:35848 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1729592AbfK0UuF (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 27 Nov 2019 15:50:05 -0500
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 651C021844;
        Wed, 27 Nov 2019 20:50:04 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1574887804;
        bh=QnaxnzstfPmSHF7Mv7k/QGomLz291pM/Xc9KcCmOD6Q=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=UaKCYUwoyTpg2YjNSjy4FoS1fnOsJIs0SxOsAaJBYEtkCoi8HLej1rqlxZBUYRJxF
         AQgRkH625jWpGsW9jz7AQRAg1WKCZf6DJTJFc+KdWhZm8OCJRtbeVq5PYla+OiQBdM
         le7P/IOxcpEnY6bLrfYesTWeeCH8PKEy5ZiwAj/g=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        "Darrick J. Wong" <darrick.wong@oracle.com>,
        Christoph Hellwig <hch@lst.de>,
        Dave Chinner <david@fromorbit.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 102/211] vfs: avoid problematic remapping requests into partial EOF block
Date:   Wed, 27 Nov 2019 21:30:35 +0100
Message-Id: <20191127203103.352347432@linuxfoundation.org>
X-Mailer: git-send-email 2.24.0
In-Reply-To: <20191127203049.431810767@linuxfoundation.org>
References: <20191127203049.431810767@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Darrick J. Wong <darrick.wong@oracle.com>

[ Upstream commit 07d19dc9fbe9128378b9e226abe886fd8fd473df ]

A deduplication data corruption is exposed in XFS and btrfs. It is
caused by extending the block match range to include the partial EOF
block, but then allowing unknown data beyond EOF to be considered a
"match" to data in the destination file because the comparison is only
made to the end of the source file. This corrupts the destination file
when the source extent is shared with it.

The VFS remapping prep functions  only support whole block dedupe, but
we still need to appear to support whole file dedupe correctly.  Hence
if the dedupe request includes the last block of the souce file, don't
include it in the actual dedupe operation. If the rest of the range
dedupes successfully, then reject the entire request.  A subsequent
patch will enable us to shorten dedupe requests correctly.

When reflinking sub-file ranges, a data corruption can occur when the
source file range includes a partial EOF block. This shares the unknown
data beyond EOF into the second file at a position inside EOF, exposing
stale data in the second file.

If the reflink request includes the last block of the souce file, only
proceed with the reflink operation if it lands at or past the
destination file's current EOF. If it lands within the destination file
EOF, reject the entire request with -EINVAL and make the caller go the
hard way.  A subsequent patch will enable us to shorten reflink requests
correctly.

Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Dave Chinner <david@fromorbit.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/read_write.c | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/fs/read_write.c b/fs/read_write.c
index 38a8bcccf0dd0..e8136a72c13f3 100644
--- a/fs/read_write.c
+++ b/fs/read_write.c
@@ -1709,6 +1709,34 @@ static int clone_verify_area(struct file *file, loff_t pos, u64 len, bool write)
 
 	return security_file_permission(file, write ? MAY_WRITE : MAY_READ);
 }
+/*
+ * Ensure that we don't remap a partial EOF block in the middle of something
+ * else.  Assume that the offsets have already been checked for block
+ * alignment.
+ *
+ * For deduplication we always scale down to the previous block because we
+ * can't meaningfully compare post-EOF contents.
+ *
+ * For clone we only link a partial EOF block above the destination file's EOF.
+ */
+static int generic_remap_check_len(struct inode *inode_in,
+				   struct inode *inode_out,
+				   loff_t pos_out,
+				   u64 *len,
+				   bool is_dedupe)
+{
+	u64 blkmask = i_blocksize(inode_in) - 1;
+
+	if ((*len & blkmask) == 0)
+		return 0;
+
+	if (is_dedupe)
+		*len &= ~blkmask;
+	else if (pos_out + *len < i_size_read(inode_out))
+		return -EINVAL;
+
+	return 0;
+}
 
 /*
  * Check that the two inodes are eligible for cloning, the ranges make
@@ -1815,6 +1843,11 @@ int vfs_clone_file_prep_inodes(struct inode *inode_in, loff_t pos_in,
 			return -EBADE;
 	}
 
+	ret = generic_remap_check_len(inode_in, inode_out, pos_out, len,
+			is_dedupe);
+	if (ret)
+		return ret;
+
 	return 1;
 }
 EXPORT_SYMBOL(vfs_clone_file_prep_inodes);
-- 
2.20.1