On Tue, Oct 09, 2018 at 05:10:38PM -0700, Darrick J. Wong wrote: > Hi all, > > Dave, Eric, and I have been chasing a stale data exposure bug in the XFS > reflink implementation, and tracked it down to reflink forgetting to do > some of the file-extending activities that must happen for regular > writes. > > We then started auditing the clone, dedupe, and copyfile code and > realized that from a file contents perspective, clonerange isn't any > different from a regular file write. Unfortunately, we also noticed > that *unlike* a regular write, clonerange skips a ton of overflow > checks, such as validating the ranges against s_maxbytes, MAX_NON_LFS, > and RLIMIT_FSIZE. We also observed that cloning into a file did not > strip security privileges (suid, capabilities) like a regular write > would. I also noticed that xfs and ocfs2 need to dump the page cache > before remapping blocks, not after. > > In fixing the range checking problems I also realized that both dedupe > and copyfile tell userspace how much of the requested operation was > acted upon. Since the range validation can shorten a clone request (or > we can ENOSPC midway through), we might as well plumb the short > operation reporting back through the VFS indirection code to userspace. > > So, here's the whole giant pile of patches[1] that fix all the problems. > The patch "generic: test reflink side effects" recently sent to fstests > exercises the fixes in this series. Tests are in [2]. Can you rebase this on the for-next branch on the xfs tree which already contains some of the initial fixes in the series and a couple of other reflink/dedupe data corruption fixes? I'm planning on pushing them to Greg tomorrow, so you'll have to do this soon anyway.... Cheers, Dave. -- Dave Chinner david@xxxxxxxxxxxxx
