Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp5233096ybi; Tue, 28 May 2019 09:32:54 -0700 (PDT) X-Google-Smtp-Source: APXvYqy6YdfuvNVxuCgRRCLMWwLAb2LabLOqtvFFdRkvV8JKyclVDjAUaKnlwZZOHtPdTj3XL9dI X-Received: by 2002:a17:90a:fa15:: with SMTP id cm21mr6986682pjb.122.1559061174236; Tue, 28 May 2019 09:32:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559061174; cv=none; d=google.com; s=arc-20160816; b=vpa4hmARlX70PN510MGK7nEi79wf72/Na3lJHItjlIi7mdebC8og85L/DKDCfwSQNa RJGjr/SxyiZhXlyY6o9ZqAkSLu0FdtmMZg+M+jEHGSItzM/2avi+VCpNhSoLCO0p1tql 51l4a00/O981QGwz2xJaVaHJXpJ3RWUOtS3MqEQgq1FXxDxdways2QUvR9a/DPWcWSx2 0uB9X946BzGBddtJ48p8nmse//MyMc5mI4GJkaNTNj1F+afum1iaKBP5P+1Clk6D0dYS JzAqKOYW0bXVesy/89L5bzk7U4o6guED6SU2mmjFSO+bU/iYoInj+FQN0ZqxOH3MByqA RTAA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=hojCBGvGd49QPWjjv991gv8ncr/i5kwhr+SPu6Dmw54=; b=k6LoM/ZdT2lKW7WB5tEUfYKmVvLUADP/CSQfywhLTOtN9Vfsosb7o9C/NTVTtGRp7g 8utRpwRz6Ajl3SpKDtgRJ8hMFnpmZ/RDcVoSR5v68x7opmLudIxKgo1YCSgjnKSQG8qY fJuRPH7/WHHtNg+Rcfe3LbWQs8/tp4OO79g+UuZdI/qamtFwLUEQeiRiaXL3f60j/fng mqulAJprDE82Pa9ojXJdtNSnJTfewXXpe1HBWdDSW7lldX5YOJPkJ92UM0UmQE6Qal6o jYjLN64nOfvfjbQU6T96xVKXDZfssoijQaqxKj1yDIDH9LccuuxchruUtSZ6NcZguII2 RiqQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=imeuKgXP; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l59si4126855pjb.38.2019.05.28.09.32.39; Tue, 28 May 2019 09:32:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2018-07-02 header.b=imeuKgXP; spf=pass (google.com: best guess record for domain of linux-nfs-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-nfs-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726802AbfE1Qbz (ORCPT + 99 others); Tue, 28 May 2019 12:31:55 -0400 Received: from aserp2130.oracle.com ([141.146.126.79]:55486 "EHLO aserp2130.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726313AbfE1Qbz (ORCPT ); Tue, 28 May 2019 12:31:55 -0400 Received: from pps.filterd (aserp2130.oracle.com [127.0.0.1]) by aserp2130.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4SGSqjm182812; Tue, 28 May 2019 16:31:14 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=date : from : to : cc : subject : message-id : references : mime-version : content-type : in-reply-to; s=corp-2018-07-02; bh=hojCBGvGd49QPWjjv991gv8ncr/i5kwhr+SPu6Dmw54=; b=imeuKgXPtOHNJ6xNDaZ0plOjIReb3+ESVPRA4Mq/QbJtPW880Y57BLsPrDc5GNEhJcfA 2OkKEh/SMdqvSSHSsNKXoBtzE8k8jQR5Js+J8wuomx14a9SYFbEGNMRJ1T2gJ5d9qTps FT2MwMzzu7z8fcZHSV5QRvld95YHIohVxC7rNCGamyLjATDVi+B/uVq2xyCBtnsPK0hn 5VeWTvadX/5P+yN0UsRLQP/2bGjR91HLuTOqw2ZIhnuK6vAYdm9FTqotsAy1i9EgxJ6V LVlnarZEpIUVqWZLk22OcGGZ29gYEWhXCz7Z0ID1h5eroHD/r6x2v3y6Z+3cPGMuYqVe pQ== Received: from aserp3030.oracle.com (aserp3030.oracle.com [141.146.126.71]) by aserp2130.oracle.com with ESMTP id 2spu7dcn9g-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 May 2019 16:31:14 +0000 Received: from pps.filterd (aserp3030.oracle.com [127.0.0.1]) by aserp3030.oracle.com (8.16.0.27/8.16.0.27) with SMTP id x4SGTn2w135690; Tue, 28 May 2019 16:31:14 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by aserp3030.oracle.com with ESMTP id 2srbdww45j-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 28 May 2019 16:31:14 +0000 Received: from abhmp0001.oracle.com (abhmp0001.oracle.com [141.146.116.7]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id x4SGVCO5014795; Tue, 28 May 2019 16:31:12 GMT Received: from localhost (/67.169.218.210) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Tue, 28 May 2019 09:31:11 -0700 Date: Tue, 28 May 2019 09:31:10 -0700 From: "Darrick J. Wong" To: Amir Goldstein Cc: Dave Chinner , Christoph Hellwig , Olga Kornievskaia , Luis Henriques , Al Viro , linux-fsdevel , linux-xfs , Linux NFS Mailing List , CIFS , ceph-devel@vger.kernel.org, linux-api@vger.kernel.org, Dave Chinner Subject: Re: [PATCH v2 4/8] vfs: add missing checks to copy_file_range Message-ID: <20190528163110.GG5221@magnolia> References: <20190526061100.21761-1-amir73il@gmail.com> <20190526061100.21761-5-amir73il@gmail.com> <20190528161829.GD5221@magnolia> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.9.4 (2018-02-28) X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9270 signatures=668687 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905280105 X-Proofpoint-Virus-Version: vendor=nai engine=6000 definitions=9270 signatures=668687 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1905280105 Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org On Tue, May 28, 2019 at 07:26:29PM +0300, Amir Goldstein wrote: > On Tue, May 28, 2019 at 7:18 PM Darrick J. Wong wrote: > > > > On Sun, May 26, 2019 at 09:10:55AM +0300, Amir Goldstein wrote: > > > Like the clone and dedupe interfaces we've recently fixed, the > > > copy_file_range() implementation is missing basic sanity, limits and > > > boundary condition tests on the parameters that are passed to it > > > from userspace. Create a new "generic_copy_file_checks()" function > > > modelled on the generic_remap_checks() function to provide this > > > missing functionality. > > > > > > [Amir] Shorten copy length instead of checking pos_in limits > > > because input file size already abides by the limits. > > > > > > Signed-off-by: Dave Chinner > > > Signed-off-by: Amir Goldstein > > > --- > > > fs/read_write.c | 3 ++- > > > include/linux/fs.h | 3 +++ > > > mm/filemap.c | 53 ++++++++++++++++++++++++++++++++++++++++++++++ > > > 3 files changed, 58 insertions(+), 1 deletion(-) > > > > > > diff --git a/fs/read_write.c b/fs/read_write.c > > > index f1900bdb3127..b0fb1176b628 100644 > > > --- a/fs/read_write.c > > > +++ b/fs/read_write.c > > > @@ -1626,7 +1626,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in, > > > if (file_inode(file_in)->i_sb != file_inode(file_out)->i_sb) > > > return -EXDEV; > > > > > > - ret = generic_file_rw_checks(file_in, file_out); > > > + ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len, > > > + flags); > > > if (unlikely(ret)) > > > return ret; > > > > > > diff --git a/include/linux/fs.h b/include/linux/fs.h > > > index 89b9b73eb581..e4d382c4342a 100644 > > > --- a/include/linux/fs.h > > > +++ b/include/linux/fs.h > > > @@ -3050,6 +3050,9 @@ extern int generic_remap_checks(struct file *file_in, loff_t pos_in, > > > struct file *file_out, loff_t pos_out, > > > loff_t *count, unsigned int remap_flags); > > > extern int generic_file_rw_checks(struct file *file_in, struct file *file_out); > > > +extern int generic_copy_file_checks(struct file *file_in, loff_t pos_in, > > > + struct file *file_out, loff_t pos_out, > > > + size_t *count, unsigned int flags); > > > extern ssize_t generic_file_read_iter(struct kiocb *, struct iov_iter *); > > > extern ssize_t __generic_file_write_iter(struct kiocb *, struct iov_iter *); > > > extern ssize_t generic_file_write_iter(struct kiocb *, struct iov_iter *); > > > diff --git a/mm/filemap.c b/mm/filemap.c > > > index 798aac92cd76..1852fbf08eeb 100644 > > > --- a/mm/filemap.c > > > +++ b/mm/filemap.c > > > @@ -3064,6 +3064,59 @@ int generic_file_rw_checks(struct file *file_in, struct file *file_out) > > > return 0; > > > } > > > > > > +/* > > > + * Performs necessary checks before doing a file copy > > > + * > > > + * Can adjust amount of bytes to copy > > > > That's the @req_count parameter, correct? > > Correct. Same as generic_remap_checks() Ok. Would you mind updating the comment? > > > > > + * Returns appropriate error code that caller should return or > > > + * zero in case the copy should be allowed. > > > + */ > > > +int generic_copy_file_checks(struct file *file_in, loff_t pos_in, > > > + struct file *file_out, loff_t pos_out, > > > + size_t *req_count, unsigned int flags) > > > +{ > > > + struct inode *inode_in = file_inode(file_in); > > > + struct inode *inode_out = file_inode(file_out); > > > + uint64_t count = *req_count; > > > + loff_t size_in; > > > + int ret; > > > + > > > + ret = generic_file_rw_checks(file_in, file_out); > > > + if (ret) > > > + return ret; > > > + > > > + /* Don't touch certain kinds of inodes */ > > > + if (IS_IMMUTABLE(inode_out)) > > > + return -EPERM; > > > + > > > + if (IS_SWAPFILE(inode_in) || IS_SWAPFILE(inode_out)) > > > + return -ETXTBSY; > > > + > > > + /* Ensure offsets don't wrap. */ > > > + if (pos_in + count < pos_in || pos_out + count < pos_out) > > > + return -EOVERFLOW; > > > + > > > + /* Shorten the copy to EOF */ > > > + size_in = i_size_read(inode_in); > > > + if (pos_in >= size_in) > > > + count = 0; > > > + else > > > + count = min(count, size_in - (uint64_t)pos_in); > > > > Do we need a call to generic_access_check_limits(file_in...) here to > > prevent copies from ranges that the page cache doesn't support? > > No. Because i_size cannot be of an illegal size and we cap > the read to i_size. > I also removed generic_access_check_limits() from generic_remap_checks() > for a similar reason in patch #8. --D > Thanks, > Amir.