Re: [PATCH 3/3] xfs: Fix stale data exposure when readahead races with hole punch

["Darrick J. Wong" <darrick.wong@oracle.com>]

On Fri, Aug 30, 2019 at 05:24:49PM +0200, Jan Kara wrote:
> On Thu 29-08-19 08:52:04, Darrick J. Wong wrote:
> > On Thu, Aug 29, 2019 at 03:10:34PM +0200, Jan Kara wrote:
> > > Hole puching currently evicts pages from page cache and then goes on to
> > > remove blocks from the inode. This happens under both XFS_IOLOCK_EXCL
> > > and XFS_MMAPLOCK_EXCL which provides appropriate serialization with
> > > racing reads or page faults. However there is currently nothing that
> > > prevents readahead triggered by fadvise() or madvise() from racing with
> > > the hole punch and instantiating page cache page after hole punching has
> > > evicted page cache in xfs_flush_unmap_range() but before it has removed
> > > blocks from the inode. This page cache page will be mapping soon to be
> > > freed block and that can lead to returning stale data to userspace or
> > > even filesystem corruption.
> > > 
> > > Fix the problem by protecting handling of readahead requests by
> > > XFS_IOLOCK_SHARED similarly as we protect reads.
> > > 
> > > CC: stable@vger.kernel.org
> > > Link: https://lore.kernel.org/linux-fsdevel/CAOQ4uxjQNmxqmtA_VbYW0Su9rKRk2zobJmahcyeaEVOFKVQ5dw@mail.gmail.com/
> > > Reported-by: Amir Goldstein <amir73il@gmail.com>
> > > Signed-off-by: Jan Kara <jack@suse.cz>
> > 
> > Is there a test on xfstests to demonstrate this race?
> 
> No, but I can try to create one.

<nod> I imgaine this race was hard to spot in the first place...

> > Will test it out though...
> > 
> > Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
> 
> Thanks. BTW, will you pick up these patches please?

Yeah, they looked fine.

--D

> 								Honza
> 
> > 
> > --D
> > 
> > > ---
> > >  fs/xfs/xfs_file.c | 26 ++++++++++++++++++++++++++
> > >  1 file changed, 26 insertions(+)
> > > 
> > > diff --git a/fs/xfs/xfs_file.c b/fs/xfs/xfs_file.c
> > > index 28101bbc0b78..d952d5962e93 100644
> > > --- a/fs/xfs/xfs_file.c
> > > +++ b/fs/xfs/xfs_file.c
> > > @@ -28,6 +28,7 @@
> > >  #include <linux/falloc.h>
> > >  #include <linux/backing-dev.h>
> > >  #include <linux/mman.h>
> > > +#include <linux/fadvise.h>
> > >  
> > >  static const struct vm_operations_struct xfs_file_vm_ops;
> > >  
> > > @@ -933,6 +934,30 @@ xfs_file_fallocate(
> > >  	return error;
> > >  }
> > >  
> > > +STATIC int
> > > +xfs_file_fadvise(
> > > +	struct file	*file,
> > > +	loff_t		start,
> > > +	loff_t		end,
> > > +	int		advice)
> > > +{
> > > +	struct xfs_inode *ip = XFS_I(file_inode(file));
> > > +	int ret;

> > > +	int lockflags = 0;
> > > +
> > > +	/*
> > > +	 * Operations creating pages in page cache need protection from hole
> > > +	 * punching and similar ops
> > > +	 */
> > > +	if (advice == POSIX_FADV_WILLNEED) {
> > > +		lockflags = XFS_IOLOCK_SHARED;
> > > +		xfs_ilock(ip, lockflags);
> > > +	}
> > > +	ret = generic_fadvise(file, start, end, advice);
> > > +	if (lockflags)
> > > +		xfs_iunlock(ip, lockflags);
> > > +	return ret;
> > > +}
> > >  
> > >  STATIC loff_t
> > >  xfs_file_remap_range(
> > > @@ -1232,6 +1257,7 @@ const struct file_operations xfs_file_operations = {
> > >  	.fsync		= xfs_file_fsync,
> > >  	.get_unmapped_area = thp_get_unmapped_area,
> > >  	.fallocate	= xfs_file_fallocate,
> > > +	.fadvise	= xfs_file_fadvise,
> > >  	.remap_file_range = xfs_file_remap_range,
> > >  };
> > >  
> > > -- 
> > > 2.16.4
> > > 
> -- 
> Jan Kara <jack@suse.com>
> SUSE Labs, CR