Commit 9ecd10b7 authored by Eryu Guan's avatar Eryu Guan Committed by Linus Torvalds

direct-io: fix direct write stale data exposure from concurrent buffered read

Currently direct writes inside i_size on a DIO_SKIP_HOLES filesystem are
not allowed to allocate blocks(get_more_blocks() sets 'create' to 0
before calling get_block() callback), if it's a sparse file, direct
writes fall back to buffered writes to avoid stale data exposure from
concurrent buffered read.  But there're two cases that can result in
stale data exposure are not correctly detected.

1. The detection for "writing inside i_size" is not sufficient,
   writes can be treated as "extending writes" wrongly.  For example,
   direct write 1FSB (file system block) to a 1FSB sparse file on
   ext2/3/4, starting from offset 0, in this case it's writing inside
   i_size, but 'create' is non-zero, because 'block_in_file' and
   '(i_size_read(inode) >> blkbits' are both zero.

2. Direct writes starting from or beyong i_size (not inside i_size)
   also could trigger block allocation and expose stale data.  For
   example, consider a sparse file with i_size of 2k, and a write to
   offset 2k or 3k into the file, with a filesystem block size of 4k.
   (Thanks to Jeff Moyer for pointing this case out in his review.)

The first problem can be demostrated by running ltp-aiodio test ADSP045
many times.  When testing on extN filesystems, I see test failures
occasionally, buffered read could read non-zero (stale) data.

ADSP045: dio_sparse -a 4k -w 4k -s 2k -n 1

dio_sparse    0  TINFO  :  Dirtying free blocks
dio_sparse    0  TINFO  :  Starting I/O tests
non zero buffer at buf[0] => 0xffffffaa,ffffffaa,ffffffaa,ffffffaa
non-zero read at offset 0
dio_sparse    0  TINFO  :  Killing childrens(s)
dio_sparse    1  TFAIL  :  dio_sparse.c:191: 1 children(s) exited abnormally

The second problem can also be reproduced easily by a hacked dio_sparse
program, which accepts an option to specify the write offset.

What we should really do is to disable block allocation for writes that
could result in filling holes inside i_size.

Link: http://lkml.kernel.org/r/1463156728-13357-1-git-send-email-guaneryu@gmail.comReviewed-by: default avatarJan Kara <jack@suse.cz>
Signed-off-by: default avatarEryu Guan <guaneryu@gmail.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
parent 38b52efd
...@@ -628,11 +628,11 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, ...@@ -628,11 +628,11 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio,
map_bh->b_size = fs_count << i_blkbits; map_bh->b_size = fs_count << i_blkbits;
/* /*
* For writes inside i_size on a DIO_SKIP_HOLES filesystem we * For writes that could fill holes inside i_size on a
* forbid block creations: only overwrites are permitted. * DIO_SKIP_HOLES filesystem we forbid block creations: only
* We will return early to the caller once we see an * overwrites are permitted. We will return early to the caller
* unmapped buffer head returned, and the caller will fall * once we see an unmapped buffer head returned, and the caller
* back to buffered I/O. * will fall back to buffered I/O.
* *
* Otherwise the decision is left to the get_blocks method, * Otherwise the decision is left to the get_blocks method,
* which may decide to handle it or also return an unmapped * which may decide to handle it or also return an unmapped
...@@ -640,8 +640,8 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio, ...@@ -640,8 +640,8 @@ static int get_more_blocks(struct dio *dio, struct dio_submit *sdio,
*/ */
create = dio->rw & WRITE; create = dio->rw & WRITE;
if (dio->flags & DIO_SKIP_HOLES) { if (dio->flags & DIO_SKIP_HOLES) {
if (sdio->block_in_file < (i_size_read(dio->inode) >> if (fs_startblk <= ((i_size_read(dio->inode) - 1) >>
sdio->blkbits)) i_blkbits))
create = 0; create = 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment