Skip to content

Commit 06a7c3c

Browse files
Maxim PatlasovMiklos Szeredi
authored andcommitted
fuse: hotfix truncate_pagecache() issue
The way how fuse calls truncate_pagecache() from fuse_change_attributes() is completely wrong. Because, w/o i_mutex held, we never sure whether 'oldsize' and 'attr->size' are valid by the time of execution of truncate_pagecache(inode, oldsize, attr->size). In fact, as soon as we released fc->lock in the middle of fuse_change_attributes(), we completely loose control of actions which may happen with given inode until we reach truncate_pagecache. The list of potentially dangerous actions includes mmap-ed reads and writes, ftruncate(2) and write(2) extending file size. The typical outcome of doing truncate_pagecache() with outdated arguments is data corruption from user point of view. This is (in some sense) acceptable in cases when the issue is triggered by a change of the file on the server (i.e. externally wrt fuse operation), but it is absolutely intolerable in scenarios when a single fuse client modifies a file without any external intervention. A real life case I discovered by fsx-linux looked like this: 1. Shrinking ftruncate(2) comes to fuse_do_setattr(). The latter sends FUSE_SETATTR to the server synchronously, but before getting fc->lock ... 2. fuse_dentry_revalidate() is asynchronously called. It sends FUSE_LOOKUP to the server synchronously, then calls fuse_change_attributes(). The latter updates i_size, releases fc->lock, but before comparing oldsize vs attr->size.. 3. fuse_do_setattr() from the first step proceeds by acquiring fc->lock and updating attributes and i_size, but now oldsize is equal to outarg.attr.size because i_size has just been updated (step 2). Hence, fuse_do_setattr() returns w/o calling truncate_pagecache(). 4. As soon as ftruncate(2) completes, the user extends file size by write(2) making a hole in the middle of file, then reads data from the hole either by read(2) or mmap-ed read. The user expects to get zero data from the hole, but gets stale data because truncate_pagecache() is not executed yet. The scenario above illustrates one side of the problem: not truncating the page cache even though we should. Another side corresponds to truncating page cache too late, when the state of inode changed significantly. Theoretically, the following is possible: 1. As in the previous scenario fuse_dentry_revalidate() discovered that i_size changed (due to our own fuse_do_setattr()) and is going to call truncate_pagecache() for some 'new_size' it believes valid right now. But by the time that particular truncate_pagecache() is called ... 2. fuse_do_setattr() returns (either having called truncate_pagecache() or not -- it doesn't matter). 3. The file is extended either by write(2) or ftruncate(2) or fallocate(2). 4. mmap-ed write makes a page in the extended region dirty. The result will be the lost of data user wrote on the fourth step. The patch is a hotfix resolving the issue in a simplistic way: let's skip dangerous i_size update and truncate_pagecache if an operation changing file size is in progress. This simplistic approach looks correct for the cases w/o external changes. And to handle them properly, more sophisticated and intrusive techniques (e.g. NFS-like one) would be required. I'd like to postpone it until the issue is well discussed on the mailing list(s). Changed in v2: - improved patch description to cover both sides of the issue. Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com> Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Cc: stable@vger.kernel.org
1 parent d331a41 commit 06a7c3c

File tree

4 files changed

+17
-3
lines changed

4 files changed

+17
-3
lines changed

fs/fuse/dir.c

Lines changed: 6 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1590,6 +1590,7 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
15901590
struct file *file)
15911591
{
15921592
struct fuse_conn *fc = get_fuse_conn(inode);
1593+
struct fuse_inode *fi = get_fuse_inode(inode);
15931594
struct fuse_req *req;
15941595
struct fuse_setattr_in inarg;
15951596
struct fuse_attr_out outarg;
@@ -1617,8 +1618,10 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
16171618
if (IS_ERR(req))
16181619
return PTR_ERR(req);
16191620

1620-
if (is_truncate)
1621+
if (is_truncate) {
16211622
fuse_set_nowrite(inode);
1623+
set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
1624+
}
16221625

16231626
memset(&inarg, 0, sizeof(inarg));
16241627
memset(&outarg, 0, sizeof(outarg));
@@ -1680,12 +1683,14 @@ int fuse_do_setattr(struct inode *inode, struct iattr *attr,
16801683
invalidate_inode_pages2(inode->i_mapping);
16811684
}
16821685

1686+
clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
16831687
return 0;
16841688

16851689
error:
16861690
if (is_truncate)
16871691
fuse_release_nowrite(inode);
16881692

1693+
clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
16891694
return err;
16901695
}
16911696

fs/fuse/file.c

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -629,7 +629,8 @@ static void fuse_read_update_size(struct inode *inode, loff_t size,
629629
struct fuse_inode *fi = get_fuse_inode(inode);
630630

631631
spin_lock(&fc->lock);
632-
if (attr_ver == fi->attr_version && size < inode->i_size) {
632+
if (attr_ver == fi->attr_version && size < inode->i_size &&
633+
!test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
633634
fi->attr_version = ++fc->attr_version;
634635
i_size_write(inode, size);
635636
}
@@ -1032,12 +1033,16 @@ static ssize_t fuse_perform_write(struct file *file,
10321033
{
10331034
struct inode *inode = mapping->host;
10341035
struct fuse_conn *fc = get_fuse_conn(inode);
1036+
struct fuse_inode *fi = get_fuse_inode(inode);
10351037
int err = 0;
10361038
ssize_t res = 0;
10371039

10381040
if (is_bad_inode(inode))
10391041
return -EIO;
10401042

1043+
if (inode->i_size < pos + iov_iter_count(ii))
1044+
set_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
1045+
10411046
do {
10421047
struct fuse_req *req;
10431048
ssize_t count;
@@ -1073,6 +1078,7 @@ static ssize_t fuse_perform_write(struct file *file,
10731078
if (res > 0)
10741079
fuse_write_update_size(inode, pos);
10751080

1081+
clear_bit(FUSE_I_SIZE_UNSTABLE, &fi->state);
10761082
fuse_invalidate_attr(inode);
10771083

10781084
return res > 0 ? res : err;

fs/fuse/fuse_i.h

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -115,6 +115,8 @@ struct fuse_inode {
115115
enum {
116116
/** Advise readdirplus */
117117
FUSE_I_ADVISE_RDPLUS,
118+
/** An operation changing file size is in progress */
119+
FUSE_I_SIZE_UNSTABLE,
118120
};
119121

120122
struct fuse_conn;

fs/fuse/inode.c

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -201,7 +201,8 @@ void fuse_change_attributes(struct inode *inode, struct fuse_attr *attr,
201201
struct timespec old_mtime;
202202

203203
spin_lock(&fc->lock);
204-
if (attr_version != 0 && fi->attr_version > attr_version) {
204+
if ((attr_version != 0 && fi->attr_version > attr_version) ||
205+
test_bit(FUSE_I_SIZE_UNSTABLE, &fi->state)) {
205206
spin_unlock(&fc->lock);
206207
return;
207208
}

0 commit comments

Comments
 (0)