fs: Fix page_mkwrite off-by-one errors

The check in block_page_mkwrite that is meant to determine whether an
offset is within the inode size is off by one.  This bug has been copied
into iomap_page_mkwrite and several filesystems (ubifs, ext4, f2fs,
ceph).

Fix that by introducing a new page_mkwrite_check_truncate helper that
checks for truncate and computes the bytes in the page up to EOF.  Use
the helper in iomap.

NOTE from Darrick: The original patch fixed a number of filesystems, but
then there were merge conflicts with the f2fs for-next tree; a
subsequent re-submission of the patch had different btrfs changes with
no explanation; and Christoph complained that each per-fs fix should be
a separate patch.  In my view that's too much risk to take on, so I
decided to drop all the hunks except for iomap, since I've actually QA'd
XFS.

Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
[darrick: drop everything but the iomap parts]
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>

diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 828444e..7c84c4c 100644 (file)
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1077,24 +1077,16 @@ vm_fault_t iomap_page_mkwrite(struct vm_fault *vmf, const struct iomap_ops *ops)
        struct page *page = vmf->page;
        struct inode *inode = file_inode(vmf->vma->vm_file);
        unsigned long length;
-       loff_t offset, size;
+       loff_t offset;
        ssize_t ret;
 
        lock_page(page);
-       size = i_size_read(inode);
-       offset = page_offset(page);
-       if (page->mapping != inode->i_mapping || offset > size) {
-               /* We overload EFAULT to mean page got truncated */
-               ret = -EFAULT;
+       ret = page_mkwrite_check_truncate(page, inode);
+       if (ret < 0)
                goto out_unlock;
-       }
-
-       /* page is wholly or partially inside EOF */
-       if (offset > size - PAGE_SIZE)
-               length = offset_in_page(size);
-       else
-               length = PAGE_SIZE;
+       length = ret;
 
+       offset = page_offset(page);
        while (length > 0) {
                ret = iomap_apply(inode, offset, length,
                                IOMAP_WRITE | IOMAP_FAULT, ops, page,

diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index 37a4d9e..ccb14b6 100644 (file)
--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -636,4 +636,32 @@ static inline unsigned long dir_pages(struct inode *inode)
                               PAGE_SHIFT;
 }
 
+/**
+ * page_mkwrite_check_truncate - check if page was truncated
+ * @page: the page to check
+ * @inode: the inode to check the page against
+ *
+ * Returns the number of bytes in the page up to EOF,
+ * or -EFAULT if the page was truncated.
+ */
+static inline int page_mkwrite_check_truncate(struct page *page,
+                                             struct inode *inode)
+{
+       loff_t size = i_size_read(inode);
+       pgoff_t index = size >> PAGE_SHIFT;
+       int offset = offset_in_page(size);
+
+       if (page->mapping != inode->i_mapping)
+               return -EFAULT;
+
+       /* page is wholly inside EOF */
+       if (page->index < index)
+               return PAGE_SIZE;
+       /* page is wholly past EOF */
+       if (page->index > index || !offset)
+               return -EFAULT;
+       /* page is partially inside EOF */
+       return offset;
+}
+
 #endif /* _LINUX_PAGEMAP_H */