fix-reservation-overflow-in-ext4_da_write_begin

   1 ext4: fix reservation overflow in ext4_da_write_begin
   2
   3 From: Eric Sandeen <sandeen@redhat.com>
   4
   5 Delalloc write journal reservations only reserve 1 credit,
   6 to update the inode if necessary.  However, it may happen
   7 once in a filesystem's lifetime that a file will cross
   8 the 2G threshold, and require the LARGE_FILE feature to
   9 be set in the superblock as well, if it was not set already.
  10
  11 This overruns the transaction reservation, and can be
  12 demonstrated simply on any ext4 filesystem without the LARGE_FILE
  13 feature already set:
  14
  15 dd if=/dev/zero of=testfile bs=1 seek=2147483646 count=1 \
  16         conv=notrunc of=testfile
  17 sync
  18 dd if=/dev/zero of=testfile bs=1 seek=2147483647 count=1 \
  19         conv=notrunc of=testfile
  20
  21 leads to:
  22
  23 EXT4-fs: ext4_do_update_inode:4296: aborting transaction: error 28 in __ext4_handle_dirty_super
  24 EXT4-fs error (device loop0) in ext4_do_update_inode:4301: error 28
  25 EXT4-fs error (device loop0) in ext4_reserve_inode_write:4757: Readonly filesystem
  26 EXT4-fs error (device loop0) in ext4_dirty_inode:4876: error 28
  27 EXT4-fs error (device loop0) in ext4_da_write_end:2685: error 28
  28
  29 Adjust the number of credits based on whether the flag is
  30 already set, and whether the current write may extend past the
  31 LARGE_FILE limit.
  32
  33 Signed-off-by: Eric Sandeen <sandeen@redhat.com>
  34 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  35 Reviewed-by: Andreas Dilger <adilger@dilger.ca>
  36 Cc: stable@vger.kernel.org
  37 ---
  38  fs/ext4/inode.c | 17 ++++++++++++++++-
  39  1 file changed, 16 insertions(+), 1 deletion(-)
  40
  41 diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
  42 index e204d8a..0dd9150 100644
  43 --- a/fs/ext4/inode.c
  44 +++ b/fs/ext4/inode.c
  45 @@ -2495,6 +2495,20 @@ static int ext4_nonda_switch(struct super_block *sb)
  46         return 0;
  47  }
  48
  49 +/* We always reserve for an inode update; the superblock could be there too */
  50 +static int ext4_da_write_credits(struct inode *inode, loff_t pos, unsigned len)
  51 +{
  52 +       if (likely(EXT4_HAS_RO_COMPAT_FEATURE(inode->i_sb,
  53 +                               EXT4_FEATURE_RO_COMPAT_LARGE_FILE)))
  54 +               return 1;
  55 +
  56 +       if (pos + len <= 0x7fffffffULL)
  57 +               return 1;
  58 +
  59 +       /* We might need to update the superblock to set LARGE_FILE */
  60 +       return 2;
  61 +}
  62 +
  63  static int ext4_da_write_begin(struct file *file, struct address_space *mapping,
  64                                loff_t pos, unsigned len, unsigned flags,
  65                                struct page **pagep, void **fsdata)
  66 @@ -2545,7 +2559,8 @@ retry_grab:
  67          * of file which has an already mapped buffer.
  68          */
  69  retry_journal:
  70 -       handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE, 1);
  71 +       handle = ext4_journal_start(inode, EXT4_HT_WRITE_PAGE,
  72 +                               ext4_da_write_credits(inode, pos, len));
  73         if (IS_ERR(handle)) {
  74                 page_cache_release(page);
  75                 return PTR_ERR(handle);