On Fri, Jan 25, 2019 at 03:10:37PM -0500, J. Bruce Fields wrote:
> Yeah. I was assuming it could happen in the case you ask to clone
> beyond the end of the source file. But looking at the code, there's a
> check for that case in generic_remap_checks() before doing the clone,
> and while holding a write lock on i_rwsem (I assume that's enough to
> hold the file size constant). At least that's true in the cases (btrfs
> & xfs) that I checked.
>
> So, I don't know, maybe that check is just dead code.

In the xfs case it looks like the main work of the clone is done in
xfs_reflink_remap_blocks(), where there's a loop like:

	while (len) {
		... mysterious code that clones range_len worth of extents?
		if (fatal_signal_pending(current)) {
			error = -EINTR;
			break;
		}
		...
		len -= range_len;
		remapped_len += range_len;
	}

And then it ends up returning remapped_len if it's positive.

So it looks to me like if you do a big clone on xfs and kill the process,
it can clone part of the range, return the amount cloned, and then the
ioctl code will throw away that amount and just return EINVAL, with the
result that the application thinks the operation failed completely when
actually it cloned a bunch of data.

--b.