diff options
| author | Dave Chinner <dchinner@redhat.com> | 2018-11-19 16:31:11 -0500 |
|---|---|---|
| committer | Darrick J. Wong <darrick.wong@oracle.com> | 2018-11-21 13:10:53 -0500 |
| commit | 4721a6010990971440b4ffefbdf014976b8eda2f (patch) | |
| tree | a46df06954e1d079a2a592e5dccc7429fa2a9f8b /fs/iomap.c | |
| parent | b450672fb66b4a991a5b55ee24209ac7ae7690ce (diff) | |
iomap: dio data corruption and spurious errors when pipes fill
When doing direct IO to a pipe for do_splice_direct(), then pipe is
trivial to fill up and overflow as it can only hold 16 pages. At
this point bio_iov_iter_get_pages() then returns -EFAULT, and we
abort the IO submission process. Unfortunately, iomap_dio_rw()
propagates the error back up the stack.
The error is converted from the EFAULT to EAGAIN in
generic_file_splice_read() to tell the splice layers that the pipe
is full. do_splice_direct() completely fails to handle EAGAIN errors
(it aborts on error) and returns EAGAIN to the caller.
copy_file_write() then completely fails to handle EAGAIN as well,
and so returns EAGAIN to userspace, having failed to copy the data
it was asked to.
Avoid this whole steaming pile of fail by having iomap_dio_rw()
silently swallow EFAULT errors and so do short reads.
To make matters worse, iomap_dio_actor() has a stale data exposure
bug bio_iov_iter_get_pages() fails - it does not zero the tail block
that it may have been left uncovered by partial IO. Fix the error
handling case to drop to the sub-block zeroing rather than
immmediately returning the -EFAULT error.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Diffstat (limited to 'fs/iomap.c')
| -rw-r--r-- | fs/iomap.c | 22 |
1 files changed, 19 insertions, 3 deletions
diff --git a/fs/iomap.c b/fs/iomap.c index 77c214194edf..d51e7a2ae641 100644 --- a/fs/iomap.c +++ b/fs/iomap.c | |||
| @@ -1580,7 +1580,7 @@ iomap_dio_bio_actor(struct inode *inode, loff_t pos, loff_t length, | |||
| 1580 | struct bio *bio; | 1580 | struct bio *bio; |
| 1581 | bool need_zeroout = false; | 1581 | bool need_zeroout = false; |
| 1582 | bool use_fua = false; | 1582 | bool use_fua = false; |
| 1583 | int nr_pages, ret; | 1583 | int nr_pages, ret = 0; |
| 1584 | size_t copied = 0; | 1584 | size_t copied = 0; |
| 1585 | 1585 | ||
| 1586 | if ((pos | length | align) & ((1 << blkbits) - 1)) | 1586 | if ((pos | length | align) & ((1 << blkbits) - 1)) |
| @@ -1645,8 +1645,14 @@ iomap_dio_bio_actor(struct inode *inode, loff_t pos, loff_t length, | |||
| 1645 | 1645 | ||
| 1646 | ret = bio_iov_iter_get_pages(bio, &iter); | 1646 | ret = bio_iov_iter_get_pages(bio, &iter); |
| 1647 | if (unlikely(ret)) { | 1647 | if (unlikely(ret)) { |
| 1648 | /* | ||
| 1649 | * We have to stop part way through an IO. We must fall | ||
| 1650 | * through to the sub-block tail zeroing here, otherwise | ||
| 1651 | * this short IO may expose stale data in the tail of | ||
| 1652 | * the block we haven't written data to. | ||
| 1653 | */ | ||
| 1648 | bio_put(bio); | 1654 | bio_put(bio); |
| 1649 | return copied ? copied : ret; | 1655 | goto zero_tail; |
| 1650 | } | 1656 | } |
| 1651 | 1657 | ||
| 1652 | n = bio->bi_iter.bi_size; | 1658 | n = bio->bi_iter.bi_size; |
| @@ -1683,6 +1689,7 @@ iomap_dio_bio_actor(struct inode *inode, loff_t pos, loff_t length, | |||
| 1683 | * the block tail in the latter case, we can expose stale data via mmap | 1689 | * the block tail in the latter case, we can expose stale data via mmap |
| 1684 | * reads of the EOF block. | 1690 | * reads of the EOF block. |
| 1685 | */ | 1691 | */ |
| 1692 | zero_tail: | ||
| 1686 | if (need_zeroout || | 1693 | if (need_zeroout || |
| 1687 | ((dio->flags & IOMAP_DIO_WRITE) && pos >= i_size_read(inode))) { | 1694 | ((dio->flags & IOMAP_DIO_WRITE) && pos >= i_size_read(inode))) { |
| 1688 | /* zero out from the end of the write to the end of the block */ | 1695 | /* zero out from the end of the write to the end of the block */ |
| @@ -1690,7 +1697,7 @@ iomap_dio_bio_actor(struct inode *inode, loff_t pos, loff_t length, | |||
| 1690 | if (pad) | 1697 | if (pad) |
| 1691 | iomap_dio_zero(dio, iomap, pos, fs_block_size - pad); | 1698 | iomap_dio_zero(dio, iomap, pos, fs_block_size - pad); |
| 1692 | } | 1699 | } |
| 1693 | return copied; | 1700 | return copied ? copied : ret; |
| 1694 | } | 1701 | } |
| 1695 | 1702 | ||
| 1696 | static loff_t | 1703 | static loff_t |
| @@ -1865,6 +1872,15 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter, | |||
| 1865 | dio->wait_for_completion = true; | 1872 | dio->wait_for_completion = true; |
| 1866 | ret = 0; | 1873 | ret = 0; |
| 1867 | } | 1874 | } |
| 1875 | |||
| 1876 | /* | ||
| 1877 | * Splicing to pipes can fail on a full pipe. We have to | ||
| 1878 | * swallow this to make it look like a short IO | ||
| 1879 | * otherwise the higher splice layers will completely | ||
| 1880 | * mishandle the error and stop moving data. | ||
| 1881 | */ | ||
| 1882 | if (ret == -EFAULT) | ||
| 1883 | ret = 0; | ||
| 1868 | break; | 1884 | break; |
| 1869 | } | 1885 | } |
| 1870 | pos += ret; | 1886 | pos += ret; |