1 // SPDX-License-Identifier: GPL-2.0-or-later
2 /*
3 * Copyright (c) 2020-2024 Oracle. All Rights Reserved.
4 * Author: Darrick J. Wong <djwong@kernel.org>
5 */
6 #include "xfs.h"
7 #include "xfs_shared.h"
8 #include "xfs_format.h"
9 #include "xfs_log_format.h"
10 #include "xfs_trans_resv.h"
11 #include "xfs_mount.h"
12 #include "xfs_defer.h"
13 #include "xfs_inode.h"
14 #include "xfs_trans.h"
15 #include "xfs_quota.h"
16 #include "xfs_bmap_util.h"
17 #include "xfs_reflink.h"
18 #include "xfs_trace.h"
19 #include "xfs_exchrange.h"
20 #include "xfs_exchmaps.h"
21 #include "xfs_sb.h"
22 #include "xfs_icache.h"
23 #include "xfs_log.h"
24 #include "xfs_rtbitmap.h"
25 #include <linux/fsnotify.h>
26
27 /* Lock (and optionally join) two inodes for a file range exchange. */
28 void
xfs_exchrange_ilock(struct xfs_trans * tp,struct xfs_inode * ip1,struct xfs_inode * ip2)29 xfs_exchrange_ilock(
30 struct xfs_trans *tp,
31 struct xfs_inode *ip1,
32 struct xfs_inode *ip2)
33 {
34 if (ip1 != ip2)
35 xfs_lock_two_inodes(ip1, XFS_ILOCK_EXCL,
36 ip2, XFS_ILOCK_EXCL);
37 else
38 xfs_ilock(ip1, XFS_ILOCK_EXCL);
39 if (tp) {
40 xfs_trans_ijoin(tp, ip1, 0);
41 if (ip2 != ip1)
42 xfs_trans_ijoin(tp, ip2, 0);
43 }
44
45 }
46
47 /* Unlock two inodes after a file range exchange operation. */
48 void
xfs_exchrange_iunlock(struct xfs_inode * ip1,struct xfs_inode * ip2)49 xfs_exchrange_iunlock(
50 struct xfs_inode *ip1,
51 struct xfs_inode *ip2)
52 {
53 if (ip2 != ip1)
54 xfs_iunlock(ip2, XFS_ILOCK_EXCL);
55 xfs_iunlock(ip1, XFS_ILOCK_EXCL);
56 }
57
58 /*
59 * Estimate the resource requirements to exchange file contents between the two
60 * files. The caller is required to hold the IOLOCK and the MMAPLOCK and to
61 * have flushed both inodes' pagecache and active direct-ios.
62 */
63 int
xfs_exchrange_estimate(struct xfs_exchmaps_req * req)64 xfs_exchrange_estimate(
65 struct xfs_exchmaps_req *req)
66 {
67 int error;
68
69 xfs_exchrange_ilock(NULL, req->ip1, req->ip2);
70 error = xfs_exchmaps_estimate(req);
71 xfs_exchrange_iunlock(req->ip1, req->ip2);
72 return error;
73 }
74
75 /*
76 * Check that file2's metadata agree with the snapshot that we took for the
77 * range commit request.
78 *
79 * This should be called after the filesystem has locked /all/ inode metadata
80 * against modification.
81 */
82 STATIC int
xfs_exchrange_check_freshness(const struct xfs_exchrange * fxr,struct xfs_inode * ip2)83 xfs_exchrange_check_freshness(
84 const struct xfs_exchrange *fxr,
85 struct xfs_inode *ip2)
86 {
87 struct inode *inode2 = VFS_I(ip2);
88 struct timespec64 ctime = inode_get_ctime(inode2);
89 struct timespec64 mtime = inode_get_mtime(inode2);
90
91 trace_xfs_exchrange_freshness(fxr, ip2);
92
93 /* Check that file2 hasn't otherwise been modified. */
94 if (fxr->file2_ino != ip2->i_ino ||
95 fxr->file2_gen != inode2->i_generation ||
96 !timespec64_equal(&fxr->file2_ctime, &ctime) ||
97 !timespec64_equal(&fxr->file2_mtime, &mtime))
98 return -EBUSY;
99
100 return 0;
101 }
102
103 #define QRETRY_IP1 (0x1)
104 #define QRETRY_IP2 (0x2)
105
106 /*
107 * Obtain a quota reservation to make sure we don't hit EDQUOT. We can skip
108 * this if quota enforcement is disabled or if both inodes' dquots are the
109 * same. The qretry structure must be initialized to zeroes before the first
110 * call to this function.
111 */
112 STATIC int
xfs_exchrange_reserve_quota(struct xfs_trans * tp,const struct xfs_exchmaps_req * req,unsigned int * qretry)113 xfs_exchrange_reserve_quota(
114 struct xfs_trans *tp,
115 const struct xfs_exchmaps_req *req,
116 unsigned int *qretry)
117 {
118 int64_t ddelta, rdelta;
119 int ip1_error = 0;
120 int error;
121
122 /*
123 * Don't bother with a quota reservation if we're not enforcing them
124 * or the two inodes have the same dquots.
125 */
126 if (!XFS_IS_QUOTA_ON(tp->t_mountp) || req->ip1 == req->ip2 ||
127 (req->ip1->i_udquot == req->ip2->i_udquot &&
128 req->ip1->i_gdquot == req->ip2->i_gdquot &&
129 req->ip1->i_pdquot == req->ip2->i_pdquot))
130 return 0;
131
132 *qretry = 0;
133
134 /*
135 * For each file, compute the net gain in the number of regular blocks
136 * that will be mapped into that file and reserve that much quota. The
137 * quota counts must be able to absorb at least that much space.
138 */
139 ddelta = req->ip2_bcount - req->ip1_bcount;
140 rdelta = req->ip2_rtbcount - req->ip1_rtbcount;
141 if (ddelta > 0 || rdelta > 0) {
142 error = xfs_trans_reserve_quota_nblks(tp, req->ip1,
143 ddelta > 0 ? ddelta : 0,
144 rdelta > 0 ? rdelta : 0,
145 false);
146 if (error == -EDQUOT || error == -ENOSPC) {
147 /*
148 * Save this error and see what happens if we try to
149 * reserve quota for ip2. Then report both.
150 */
151 *qretry |= QRETRY_IP1;
152 ip1_error = error;
153 error = 0;
154 }
155 if (error)
156 return error;
157 }
158 if (ddelta < 0 || rdelta < 0) {
159 error = xfs_trans_reserve_quota_nblks(tp, req->ip2,
160 ddelta < 0 ? -ddelta : 0,
161 rdelta < 0 ? -rdelta : 0,
162 false);
163 if (error == -EDQUOT || error == -ENOSPC)
164 *qretry |= QRETRY_IP2;
165 if (error)
166 return error;
167 }
168 if (ip1_error)
169 return ip1_error;
170
171 /*
172 * For each file, forcibly reserve the gross gain in mapped blocks so
173 * that we don't trip over any quota block reservation assertions.
174 * We must reserve the gross gain because the quota code subtracts from
175 * bcount the number of blocks that we unmap; it does not add that
176 * quantity back to the quota block reservation.
177 */
178 error = xfs_trans_reserve_quota_nblks(tp, req->ip1, req->ip1_bcount,
179 req->ip1_rtbcount, true);
180 if (error)
181 return error;
182
183 return xfs_trans_reserve_quota_nblks(tp, req->ip2, req->ip2_bcount,
184 req->ip2_rtbcount, true);
185 }
186
187 /* Exchange the mappings (and hence the contents) of two files' forks. */
188 STATIC int
xfs_exchrange_mappings(const struct xfs_exchrange * fxr,struct xfs_inode * ip1,struct xfs_inode * ip2)189 xfs_exchrange_mappings(
190 const struct xfs_exchrange *fxr,
191 struct xfs_inode *ip1,
192 struct xfs_inode *ip2)
193 {
194 struct xfs_mount *mp = ip1->i_mount;
195 struct xfs_exchmaps_req req = {
196 .ip1 = ip1,
197 .ip2 = ip2,
198 .startoff1 = XFS_B_TO_FSBT(mp, fxr->file1_offset),
199 .startoff2 = XFS_B_TO_FSBT(mp, fxr->file2_offset),
200 .blockcount = XFS_B_TO_FSB(mp, fxr->length),
201 };
202 struct xfs_trans *tp;
203 unsigned int qretry;
204 bool retried = false;
205 int error;
206
207 trace_xfs_exchrange_mappings(fxr, ip1, ip2);
208
209 if (fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF)
210 req.flags |= XFS_EXCHMAPS_SET_SIZES;
211 if (fxr->flags & XFS_EXCHANGE_RANGE_FILE1_WRITTEN)
212 req.flags |= XFS_EXCHMAPS_INO1_WRITTEN;
213
214 /*
215 * Round the request length up to the nearest file allocation unit.
216 * The prep function already checked that the request offsets and
217 * length in @fxr are safe to round up.
218 */
219 if (xfs_inode_has_bigrtalloc(ip2))
220 req.blockcount = xfs_rtb_roundup_rtx(mp, req.blockcount);
221
222 error = xfs_exchrange_estimate(&req);
223 if (error)
224 return error;
225
226 retry:
227 /* Allocate the transaction, lock the inodes, and join them. */
228 error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write, req.resblks, 0,
229 XFS_TRANS_RES_FDBLKS, &tp);
230 if (error)
231 return error;
232
233 xfs_exchrange_ilock(tp, ip1, ip2);
234
235 trace_xfs_exchrange_before(ip2, 2);
236 trace_xfs_exchrange_before(ip1, 1);
237
238 error = xfs_exchmaps_check_forks(mp, &req);
239 if (error)
240 goto out_trans_cancel;
241
242 /*
243 * Reserve ourselves some quota if any of them are in enforcing mode.
244 * In theory we only need enough to satisfy the change in the number
245 * of blocks between the two ranges being remapped.
246 */
247 error = xfs_exchrange_reserve_quota(tp, &req, &qretry);
248 if ((error == -EDQUOT || error == -ENOSPC) && !retried) {
249 xfs_trans_cancel(tp);
250 xfs_exchrange_iunlock(ip1, ip2);
251 if (qretry & QRETRY_IP1)
252 xfs_blockgc_free_quota(ip1, 0);
253 if (qretry & QRETRY_IP2)
254 xfs_blockgc_free_quota(ip2, 0);
255 retried = true;
256 goto retry;
257 }
258 if (error)
259 goto out_trans_cancel;
260
261 /* If we got this far on a dry run, all parameters are ok. */
262 if (fxr->flags & XFS_EXCHANGE_RANGE_DRY_RUN)
263 goto out_trans_cancel;
264
265 /* Update the mtime and ctime of both files. */
266 if (fxr->flags & __XFS_EXCHANGE_RANGE_UPD_CMTIME1)
267 xfs_trans_ichgtime(tp, ip1, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
268 if (fxr->flags & __XFS_EXCHANGE_RANGE_UPD_CMTIME2)
269 xfs_trans_ichgtime(tp, ip2, XFS_ICHGTIME_MOD | XFS_ICHGTIME_CHG);
270
271 xfs_exchange_mappings(tp, &req);
272
273 /*
274 * Force the log to persist metadata updates if the caller or the
275 * administrator requires this. The generic prep function already
276 * flushed the relevant parts of the page cache.
277 */
278 if (xfs_has_wsync(mp) || (fxr->flags & XFS_EXCHANGE_RANGE_DSYNC))
279 xfs_trans_set_sync(tp);
280
281 error = xfs_trans_commit(tp);
282
283 trace_xfs_exchrange_after(ip2, 2);
284 trace_xfs_exchrange_after(ip1, 1);
285
286 if (error)
287 goto out_unlock;
288
289 /*
290 * If the caller wanted us to exchange the contents of two complete
291 * files of unequal length, exchange the incore sizes now. This should
292 * be safe because we flushed both files' page caches, exchanged all
293 * the mappings, and updated the ondisk sizes.
294 */
295 if (fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF) {
296 loff_t temp;
297
298 temp = i_size_read(VFS_I(ip2));
299 i_size_write(VFS_I(ip2), i_size_read(VFS_I(ip1)));
300 i_size_write(VFS_I(ip1), temp);
301 }
302
303 out_unlock:
304 xfs_exchrange_iunlock(ip1, ip2);
305 return error;
306
307 out_trans_cancel:
308 xfs_trans_cancel(tp);
309 goto out_unlock;
310 }
311
312 /*
313 * Generic code for exchanging ranges of two files via XFS_IOC_EXCHANGE_RANGE.
314 * This part deals with struct file objects and byte ranges and does not deal
315 * with XFS-specific data structures such as xfs_inodes and block ranges. This
316 * separation may some day facilitate porting to another filesystem.
317 *
318 * The goal is to exchange fxr.length bytes starting at fxr.file1_offset in
319 * file1 with the same number of bytes starting at fxr.file2_offset in file2.
320 * Implementations must call xfs_exchange_range_prep to prepare the two
321 * files prior to taking locks; and they must update the inode change and mod
322 * times of both files as part of the metadata update. The timestamp update
323 * and freshness checks must be done atomically as part of the data exchange
324 * operation to ensure correctness of the freshness check.
325 * xfs_exchange_range_finish must be called after the operation completes
326 * successfully but before locks are dropped.
327 */
328
329 /* Verify that we have security clearance to perform this operation. */
330 static int
xfs_exchange_range_verify_area(struct xfs_exchrange * fxr)331 xfs_exchange_range_verify_area(
332 struct xfs_exchrange *fxr)
333 {
334 int ret;
335
336 ret = remap_verify_area(fxr->file1, fxr->file1_offset, fxr->length,
337 true);
338 if (ret)
339 return ret;
340
341 return remap_verify_area(fxr->file2, fxr->file2_offset, fxr->length,
342 true);
343 }
344
345 /*
346 * Performs necessary checks before doing a range exchange, having stabilized
347 * mutable inode attributes via i_rwsem.
348 */
349 static inline int
xfs_exchange_range_checks(struct xfs_exchrange * fxr,unsigned int alloc_unit)350 xfs_exchange_range_checks(
351 struct xfs_exchrange *fxr,
352 unsigned int alloc_unit)
353 {
354 struct inode *inode1 = file_inode(fxr->file1);
355 struct inode *inode2 = file_inode(fxr->file2);
356 uint64_t allocmask = alloc_unit - 1;
357 int64_t test_len;
358 uint64_t blen;
359 loff_t size1, size2, tmp;
360 int error;
361
362 /* Don't touch certain kinds of inodes */
363 if (IS_IMMUTABLE(inode1) || IS_IMMUTABLE(inode2))
364 return -EPERM;
365 if (IS_SWAPFILE(inode1) || IS_SWAPFILE(inode2))
366 return -ETXTBSY;
367
368 size1 = i_size_read(inode1);
369 size2 = i_size_read(inode2);
370
371 /* Ranges cannot start after EOF. */
372 if (fxr->file1_offset > size1 || fxr->file2_offset > size2)
373 return -EINVAL;
374
375 /*
376 * If the caller said to exchange to EOF, we set the length of the
377 * request large enough to cover everything to the end of both files.
378 */
379 if (fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF) {
380 fxr->length = max_t(int64_t, size1 - fxr->file1_offset,
381 size2 - fxr->file2_offset);
382
383 error = xfs_exchange_range_verify_area(fxr);
384 if (error)
385 return error;
386 }
387
388 /*
389 * The start of both ranges must be aligned to the file allocation
390 * unit.
391 */
392 if (!IS_ALIGNED(fxr->file1_offset, alloc_unit) ||
393 !IS_ALIGNED(fxr->file2_offset, alloc_unit))
394 return -EINVAL;
395
396 /* Ensure offsets don't wrap. */
397 if (check_add_overflow(fxr->file1_offset, fxr->length, &tmp) ||
398 check_add_overflow(fxr->file2_offset, fxr->length, &tmp))
399 return -EINVAL;
400
401 /*
402 * We require both ranges to end within EOF, unless we're exchanging
403 * to EOF.
404 */
405 if (!(fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF) &&
406 (fxr->file1_offset + fxr->length > size1 ||
407 fxr->file2_offset + fxr->length > size2))
408 return -EINVAL;
409
410 /*
411 * Make sure we don't hit any file size limits. If we hit any size
412 * limits such that test_length was adjusted, we abort the whole
413 * operation.
414 */
415 test_len = fxr->length;
416 error = generic_write_check_limits(fxr->file2, fxr->file2_offset,
417 &test_len);
418 if (error)
419 return error;
420 error = generic_write_check_limits(fxr->file1, fxr->file1_offset,
421 &test_len);
422 if (error)
423 return error;
424 if (test_len != fxr->length)
425 return -EINVAL;
426
427 /*
428 * If the user wanted us to exchange up to the infile's EOF, round up
429 * to the next allocation unit boundary for this check. Do the same
430 * for the outfile.
431 *
432 * Otherwise, reject the range length if it's not aligned to an
433 * allocation unit.
434 */
435 if (fxr->file1_offset + fxr->length == size1)
436 blen = ALIGN(size1, alloc_unit) - fxr->file1_offset;
437 else if (fxr->file2_offset + fxr->length == size2)
438 blen = ALIGN(size2, alloc_unit) - fxr->file2_offset;
439 else if (!IS_ALIGNED(fxr->length, alloc_unit))
440 return -EINVAL;
441 else
442 blen = fxr->length;
443
444 /* Don't allow overlapped exchanges within the same file. */
445 if (inode1 == inode2 &&
446 fxr->file2_offset + blen > fxr->file1_offset &&
447 fxr->file1_offset + blen > fxr->file2_offset)
448 return -EINVAL;
449
450 /*
451 * Ensure that we don't exchange a partial EOF block into the middle of
452 * another file.
453 */
454 if ((fxr->length & allocmask) == 0)
455 return 0;
456
457 blen = fxr->length;
458 if (fxr->file2_offset + blen < size2)
459 blen &= ~allocmask;
460
461 if (fxr->file1_offset + blen < size1)
462 blen &= ~allocmask;
463
464 return blen == fxr->length ? 0 : -EINVAL;
465 }
466
467 /*
468 * Check that the two inodes are eligible for range exchanges, the ranges make
469 * sense, and then flush all dirty data. Caller must ensure that the inodes
470 * have been locked against any other modifications.
471 */
472 static inline int
xfs_exchange_range_prep(struct xfs_exchrange * fxr,unsigned int alloc_unit)473 xfs_exchange_range_prep(
474 struct xfs_exchrange *fxr,
475 unsigned int alloc_unit)
476 {
477 struct inode *inode1 = file_inode(fxr->file1);
478 struct inode *inode2 = file_inode(fxr->file2);
479 bool same_inode = (inode1 == inode2);
480 int error;
481
482 /* Check that we don't violate system file offset limits. */
483 error = xfs_exchange_range_checks(fxr, alloc_unit);
484 if (error || fxr->length == 0)
485 return error;
486
487 /* Wait for the completion of any pending IOs on both files */
488 inode_dio_wait(inode1);
489 if (!same_inode)
490 inode_dio_wait(inode2);
491
492 error = filemap_write_and_wait_range(inode1->i_mapping,
493 fxr->file1_offset,
494 fxr->file1_offset + fxr->length - 1);
495 if (error)
496 return error;
497
498 error = filemap_write_and_wait_range(inode2->i_mapping,
499 fxr->file2_offset,
500 fxr->file2_offset + fxr->length - 1);
501 if (error)
502 return error;
503
504 /*
505 * If the files or inodes involved require synchronous writes, amend
506 * the request to force the filesystem to flush all data and metadata
507 * to disk after the operation completes.
508 */
509 if (((fxr->file1->f_flags | fxr->file2->f_flags) & O_SYNC) ||
510 IS_SYNC(inode1) || IS_SYNC(inode2))
511 fxr->flags |= XFS_EXCHANGE_RANGE_DSYNC;
512
513 return 0;
514 }
515
516 /*
517 * Finish a range exchange operation, if it was successful. Caller must ensure
518 * that the inodes are still locked against any other modifications.
519 */
520 static inline int
xfs_exchange_range_finish(struct xfs_exchrange * fxr)521 xfs_exchange_range_finish(
522 struct xfs_exchrange *fxr)
523 {
524 int error;
525
526 error = file_remove_privs(fxr->file1);
527 if (error)
528 return error;
529 if (file_inode(fxr->file1) == file_inode(fxr->file2))
530 return 0;
531
532 return file_remove_privs(fxr->file2);
533 }
534
535 /*
536 * Check the alignment of an exchange request when the allocation unit size
537 * isn't a power of two. The generic file-level helpers use (fast)
538 * bitmask-based alignment checks, but here we have to use slow long division.
539 */
540 static int
xfs_exchrange_check_rtalign(const struct xfs_exchrange * fxr,struct xfs_inode * ip1,struct xfs_inode * ip2,unsigned int alloc_unit)541 xfs_exchrange_check_rtalign(
542 const struct xfs_exchrange *fxr,
543 struct xfs_inode *ip1,
544 struct xfs_inode *ip2,
545 unsigned int alloc_unit)
546 {
547 uint64_t length = fxr->length;
548 uint64_t blen;
549 loff_t size1, size2;
550
551 size1 = i_size_read(VFS_I(ip1));
552 size2 = i_size_read(VFS_I(ip2));
553
554 /* The start of both ranges must be aligned to a rt extent. */
555 if (!isaligned_64(fxr->file1_offset, alloc_unit) ||
556 !isaligned_64(fxr->file2_offset, alloc_unit))
557 return -EINVAL;
558
559 if (fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF)
560 length = max_t(int64_t, size1 - fxr->file1_offset,
561 size2 - fxr->file2_offset);
562
563 /*
564 * If the user wanted us to exchange up to the infile's EOF, round up
565 * to the next rt extent boundary for this check. Do the same for the
566 * outfile.
567 *
568 * Otherwise, reject the range length if it's not rt extent aligned.
569 * We already confirmed the starting offsets' rt extent block
570 * alignment.
571 */
572 if (fxr->file1_offset + length == size1)
573 blen = roundup_64(size1, alloc_unit) - fxr->file1_offset;
574 else if (fxr->file2_offset + length == size2)
575 blen = roundup_64(size2, alloc_unit) - fxr->file2_offset;
576 else if (!isaligned_64(length, alloc_unit))
577 return -EINVAL;
578 else
579 blen = length;
580
581 /* Don't allow overlapped exchanges within the same file. */
582 if (ip1 == ip2 &&
583 fxr->file2_offset + blen > fxr->file1_offset &&
584 fxr->file1_offset + blen > fxr->file2_offset)
585 return -EINVAL;
586
587 /*
588 * Ensure that we don't exchange a partial EOF rt extent into the
589 * middle of another file.
590 */
591 if (isaligned_64(length, alloc_unit))
592 return 0;
593
594 blen = length;
595 if (fxr->file2_offset + length < size2)
596 blen = rounddown_64(blen, alloc_unit);
597
598 if (fxr->file1_offset + blen < size1)
599 blen = rounddown_64(blen, alloc_unit);
600
601 return blen == length ? 0 : -EINVAL;
602 }
603
604 /* Prepare two files to have their data exchanged. */
605 STATIC int
xfs_exchrange_prep(struct xfs_exchrange * fxr,struct xfs_inode * ip1,struct xfs_inode * ip2)606 xfs_exchrange_prep(
607 struct xfs_exchrange *fxr,
608 struct xfs_inode *ip1,
609 struct xfs_inode *ip2)
610 {
611 struct xfs_mount *mp = ip2->i_mount;
612 unsigned int alloc_unit = xfs_inode_alloc_unitsize(ip2);
613 int error;
614
615 trace_xfs_exchrange_prep(fxr, ip1, ip2);
616
617 /* Verify both files are either real-time or non-realtime */
618 if (XFS_IS_REALTIME_INODE(ip1) != XFS_IS_REALTIME_INODE(ip2))
619 return -EINVAL;
620
621 /* Check non-power of two alignment issues, if necessary. */
622 if (!is_power_of_2(alloc_unit)) {
623 error = xfs_exchrange_check_rtalign(fxr, ip1, ip2, alloc_unit);
624 if (error)
625 return error;
626
627 /*
628 * Do the generic file-level checks with the regular block
629 * alignment.
630 */
631 alloc_unit = mp->m_sb.sb_blocksize;
632 }
633
634 error = xfs_exchange_range_prep(fxr, alloc_unit);
635 if (error || fxr->length == 0)
636 return error;
637
638 if (fxr->flags & __XFS_EXCHANGE_RANGE_CHECK_FRESH2) {
639 error = xfs_exchrange_check_freshness(fxr, ip2);
640 if (error)
641 return error;
642 }
643
644 /* Attach dquots to both inodes before changing block maps. */
645 error = xfs_qm_dqattach(ip2);
646 if (error)
647 return error;
648 error = xfs_qm_dqattach(ip1);
649 if (error)
650 return error;
651
652 trace_xfs_exchrange_flush(fxr, ip1, ip2);
653
654 /* Flush the relevant ranges of both files. */
655 error = xfs_flush_unmap_range(ip2, fxr->file2_offset, fxr->length);
656 if (error)
657 return error;
658 error = xfs_flush_unmap_range(ip1, fxr->file1_offset, fxr->length);
659 if (error)
660 return error;
661
662 /*
663 * Cancel CoW fork preallocations for the ranges of both files. The
664 * prep function should have flushed all the dirty data, so the only
665 * CoW mappings remaining should be speculative.
666 */
667 if (xfs_inode_has_cow_data(ip1)) {
668 error = xfs_reflink_cancel_cow_range(ip1, fxr->file1_offset,
669 fxr->length, true);
670 if (error)
671 return error;
672 }
673
674 if (xfs_inode_has_cow_data(ip2)) {
675 error = xfs_reflink_cancel_cow_range(ip2, fxr->file2_offset,
676 fxr->length, true);
677 if (error)
678 return error;
679 }
680
681 return 0;
682 }
683
684 /*
685 * Exchange contents of files. This is the binding between the generic
686 * file-level concepts and the XFS inode-specific implementation.
687 */
688 STATIC int
xfs_exchrange_contents(struct xfs_exchrange * fxr)689 xfs_exchrange_contents(
690 struct xfs_exchrange *fxr)
691 {
692 struct inode *inode1 = file_inode(fxr->file1);
693 struct inode *inode2 = file_inode(fxr->file2);
694 struct xfs_inode *ip1 = XFS_I(inode1);
695 struct xfs_inode *ip2 = XFS_I(inode2);
696 struct xfs_mount *mp = ip1->i_mount;
697 int error;
698
699 if (!xfs_has_exchange_range(mp))
700 return -EOPNOTSUPP;
701
702 if (fxr->flags & ~(XFS_EXCHANGE_RANGE_ALL_FLAGS |
703 XFS_EXCHANGE_RANGE_PRIV_FLAGS))
704 return -EINVAL;
705
706 if (xfs_is_shutdown(mp))
707 return -EIO;
708
709 /* Lock both files against IO */
710 error = xfs_ilock2_io_mmap(ip1, ip2);
711 if (error)
712 goto out_err;
713
714 /* Prepare and then exchange file contents. */
715 error = xfs_exchrange_prep(fxr, ip1, ip2);
716 if (error)
717 goto out_unlock;
718
719 error = xfs_exchrange_mappings(fxr, ip1, ip2);
720 if (error)
721 goto out_unlock;
722
723 /*
724 * Finish the exchange by removing special file privileges like any
725 * other file write would do. This may involve turning on support for
726 * logged xattrs if either file has security capabilities.
727 */
728 error = xfs_exchange_range_finish(fxr);
729 if (error)
730 goto out_unlock;
731
732 out_unlock:
733 xfs_iunlock2_io_mmap(ip1, ip2);
734 out_err:
735 if (error)
736 trace_xfs_exchrange_error(ip2, error, _RET_IP_);
737 return error;
738 }
739
740 /* Exchange parts of two files. */
741 static int
xfs_exchange_range(struct xfs_exchrange * fxr)742 xfs_exchange_range(
743 struct xfs_exchrange *fxr)
744 {
745 struct inode *inode1 = file_inode(fxr->file1);
746 struct inode *inode2 = file_inode(fxr->file2);
747 int ret;
748
749 BUILD_BUG_ON(XFS_EXCHANGE_RANGE_ALL_FLAGS &
750 XFS_EXCHANGE_RANGE_PRIV_FLAGS);
751
752 /* Both files must be on the same mount/filesystem. */
753 if (fxr->file1->f_path.mnt != fxr->file2->f_path.mnt)
754 return -EXDEV;
755
756 if (fxr->flags & ~(XFS_EXCHANGE_RANGE_ALL_FLAGS |
757 __XFS_EXCHANGE_RANGE_CHECK_FRESH2))
758 return -EINVAL;
759
760 /* Userspace requests only honored for regular files. */
761 if (S_ISDIR(inode1->i_mode) || S_ISDIR(inode2->i_mode))
762 return -EISDIR;
763 if (!S_ISREG(inode1->i_mode) || !S_ISREG(inode2->i_mode))
764 return -EINVAL;
765
766 /* Both files must be opened for read and write. */
767 if (!(fxr->file1->f_mode & FMODE_READ) ||
768 !(fxr->file1->f_mode & FMODE_WRITE) ||
769 !(fxr->file2->f_mode & FMODE_READ) ||
770 !(fxr->file2->f_mode & FMODE_WRITE))
771 return -EBADF;
772
773 /* Neither file can be opened append-only. */
774 if ((fxr->file1->f_flags & O_APPEND) ||
775 (fxr->file2->f_flags & O_APPEND))
776 return -EBADF;
777
778 /*
779 * If we're not exchanging to EOF, we can check the areas before
780 * stabilizing both files' i_size.
781 */
782 if (!(fxr->flags & XFS_EXCHANGE_RANGE_TO_EOF)) {
783 ret = xfs_exchange_range_verify_area(fxr);
784 if (ret)
785 return ret;
786 }
787
788 /* Update cmtime if the fd/inode don't forbid it. */
789 if (!(fxr->file1->f_mode & FMODE_NOCMTIME) && !IS_NOCMTIME(inode1))
790 fxr->flags |= __XFS_EXCHANGE_RANGE_UPD_CMTIME1;
791 if (!(fxr->file2->f_mode & FMODE_NOCMTIME) && !IS_NOCMTIME(inode2))
792 fxr->flags |= __XFS_EXCHANGE_RANGE_UPD_CMTIME2;
793
794 file_start_write(fxr->file2);
795 ret = xfs_exchrange_contents(fxr);
796 file_end_write(fxr->file2);
797 if (ret)
798 return ret;
799
800 fsnotify_modify(fxr->file1);
801 if (fxr->file2 != fxr->file1)
802 fsnotify_modify(fxr->file2);
803 return 0;
804 }
805
806 /* Collect exchange-range arguments from userspace. */
807 long
xfs_ioc_exchange_range(struct file * file,struct xfs_exchange_range __user * argp)808 xfs_ioc_exchange_range(
809 struct file *file,
810 struct xfs_exchange_range __user *argp)
811 {
812 struct xfs_exchrange fxr = {
813 .file2 = file,
814 };
815 struct xfs_exchange_range args;
816 struct fd file1;
817 int error;
818
819 if (copy_from_user(&args, argp, sizeof(args)))
820 return -EFAULT;
821 if (memchr_inv(&args.pad, 0, sizeof(args.pad)))
822 return -EINVAL;
823 if (args.flags & ~XFS_EXCHANGE_RANGE_ALL_FLAGS)
824 return -EINVAL;
825
826 fxr.file1_offset = args.file1_offset;
827 fxr.file2_offset = args.file2_offset;
828 fxr.length = args.length;
829 fxr.flags = args.flags;
830
831 file1 = fdget(args.file1_fd);
832 if (!fd_file(file1))
833 return -EBADF;
834 fxr.file1 = fd_file(file1);
835
836 error = xfs_exchange_range(&fxr);
837 fdput(file1);
838 return error;
839 }
840
841 /* Opaque freshness blob for XFS_IOC_COMMIT_RANGE */
842 struct xfs_commit_range_fresh {
843 xfs_fsid_t fsid; /* m_fixedfsid */
844 __u64 file2_ino; /* inode number */
845 __s64 file2_mtime; /* modification time */
846 __s64 file2_ctime; /* change time */
847 __s32 file2_mtime_nsec; /* mod time, nsec */
848 __s32 file2_ctime_nsec; /* change time, nsec */
849 __u32 file2_gen; /* inode generation */
850 __u32 magic; /* zero */
851 };
852 #define XCR_FRESH_MAGIC 0x444F524B /* DORK */
853
854 /* Set up a commitrange operation by sampling file2's write-related attrs */
855 long
xfs_ioc_start_commit(struct file * file,struct xfs_commit_range __user * argp)856 xfs_ioc_start_commit(
857 struct file *file,
858 struct xfs_commit_range __user *argp)
859 {
860 struct xfs_commit_range args = { };
861 struct timespec64 ts;
862 struct xfs_commit_range_fresh *kern_f;
863 struct xfs_commit_range_fresh __user *user_f;
864 struct inode *inode2 = file_inode(file);
865 struct xfs_inode *ip2 = XFS_I(inode2);
866 const unsigned int lockflags = XFS_IOLOCK_SHARED |
867 XFS_MMAPLOCK_SHARED |
868 XFS_ILOCK_SHARED;
869
870 BUILD_BUG_ON(sizeof(struct xfs_commit_range_fresh) !=
871 sizeof(args.file2_freshness));
872
873 kern_f = (struct xfs_commit_range_fresh *)&args.file2_freshness;
874
875 memcpy(&kern_f->fsid, ip2->i_mount->m_fixedfsid, sizeof(xfs_fsid_t));
876
877 xfs_ilock(ip2, lockflags);
878 ts = inode_get_ctime(inode2);
879 kern_f->file2_ctime = ts.tv_sec;
880 kern_f->file2_ctime_nsec = ts.tv_nsec;
881 ts = inode_get_mtime(inode2);
882 kern_f->file2_mtime = ts.tv_sec;
883 kern_f->file2_mtime_nsec = ts.tv_nsec;
884 kern_f->file2_ino = ip2->i_ino;
885 kern_f->file2_gen = inode2->i_generation;
886 kern_f->magic = XCR_FRESH_MAGIC;
887 xfs_iunlock(ip2, lockflags);
888
889 user_f = (struct xfs_commit_range_fresh __user *)&argp->file2_freshness;
890 if (copy_to_user(user_f, kern_f, sizeof(*kern_f)))
891 return -EFAULT;
892
893 return 0;
894 }
895
896 /*
897 * Exchange file1 and file2 contents if file2 has not been written since the
898 * start commit operation.
899 */
900 long
xfs_ioc_commit_range(struct file * file,struct xfs_commit_range __user * argp)901 xfs_ioc_commit_range(
902 struct file *file,
903 struct xfs_commit_range __user *argp)
904 {
905 struct xfs_exchrange fxr = {
906 .file2 = file,
907 };
908 struct xfs_commit_range args;
909 struct xfs_commit_range_fresh *kern_f;
910 struct xfs_inode *ip2 = XFS_I(file_inode(file));
911 struct xfs_mount *mp = ip2->i_mount;
912 struct fd file1;
913 int error;
914
915 kern_f = (struct xfs_commit_range_fresh *)&args.file2_freshness;
916
917 if (copy_from_user(&args, argp, sizeof(args)))
918 return -EFAULT;
919 if (args.flags & ~XFS_EXCHANGE_RANGE_ALL_FLAGS)
920 return -EINVAL;
921 if (kern_f->magic != XCR_FRESH_MAGIC)
922 return -EBUSY;
923 if (memcmp(&kern_f->fsid, mp->m_fixedfsid, sizeof(xfs_fsid_t)))
924 return -EBUSY;
925
926 fxr.file1_offset = args.file1_offset;
927 fxr.file2_offset = args.file2_offset;
928 fxr.length = args.length;
929 fxr.flags = args.flags | __XFS_EXCHANGE_RANGE_CHECK_FRESH2;
930 fxr.file2_ino = kern_f->file2_ino;
931 fxr.file2_gen = kern_f->file2_gen;
932 fxr.file2_mtime.tv_sec = kern_f->file2_mtime;
933 fxr.file2_mtime.tv_nsec = kern_f->file2_mtime_nsec;
934 fxr.file2_ctime.tv_sec = kern_f->file2_ctime;
935 fxr.file2_ctime.tv_nsec = kern_f->file2_ctime_nsec;
936
937 file1 = fdget(args.file1_fd);
938 if (fd_empty(file1))
939 return -EBADF;
940 fxr.file1 = fd_file(file1);
941
942 error = xfs_exchange_range(&fxr);
943 fdput(file1);
944 return error;
945 }
946