Merge: vfs: fix copy_file_range() averts filesystem freeze protection

MR: https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9/-/merge_requests/7429

vfs: fix copy_file_range() averts filesystem freeze protection

JIRA: https://issues.redhat.com/browse/RHEL-76048
Conflicts:
 - Dropping fs/ksmbd hunk as we don't have this in RHEL
 - RHEL also does not have the work to "Tidy up file permission hooks":
        https://lore.kernel.org/all/20231122122715.2561213-1-amir73il@gmail.com/
   so this patch drops the upstream hunk for lockdep_assert() check for the
   superblock's s_writers.rw_sem, which would cause a build problem for
   RHEL debug kernels.

commit 10bc8e4
Author: Amir Goldstein <amir73il@gmail.com>
Date:   Thu Nov 17 22:52:49 2022 +0200

    vfs: fix copy_file_range() averts filesystem freeze protection

    Commit 868f9f2 ("vfs: fix copy_file_range() regression in cross-fs
    copies") removed fallback to generic_copy_file_range() for cross-fs
    cases inside vfs_copy_file_range().

    To preserve behavior of nfsd and ksmbd server-side-copy, the fallback to
    generic_copy_file_range() was added in nfsd and ksmbd code, but that
    call is missing sb_start_write(), fsnotify hooks and more.

    Ideally, nfsd and ksmbd would pass a flag to vfs_copy_file_range() that
    will take care of the fallback, but that code would be subtle and we got
    vfs_copy_file_range() logic wrong too many times already.

    Instead, add a flag to explicitly request vfs_copy_file_range() to
    perform only generic_copy_file_range() and let nfsd and ksmbd use this
    flag only in the fallback path.

    This choise keeps the logic changes to minimum in the non-nfsd/ksmbd code
    paths to reduce the risk of further regressions.

    Fixes: 868f9f2 ("vfs: fix copy_file_range() regression in cross-fs copies")
    Tested-by: Namjae Jeon <linkinjeon@kernel.org>
    Tested-by: Luis Henriques <lhenriques@suse.de>
    Signed-off-by: Amir Goldstein <amir73il@gmail.com>
    Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Signed-off-by: Benjamin Coddington <bcodding@redhat.com>

Approved-by: Jay Shin <jaeshin@redhat.com>
Approved-by: Scott Mayhew <smayhew@redhat.com>
Approved-by: Olga Kornievskaia <okorniev@redhat.com>
Approved-by: CKI KWF Bot <cki-ci-bot+kwf-gitlab-com@redhat.com>

Merged-by: CKI GitLab Kmaint Pipeline Bot <26919896-cki-kmaint-pipeline-bot@users.noreply.gitlab.com>

Author: CKI KWF Bot

fs/nfsd/vfs.c

@@ -709,8 +709,8 @@ ssize_t nfsd_copy_file_range(struct file *src, u64 src_pos, struct file *dst,
 	ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count, 0);
 
 	if (ret == -EOPNOTSUPP || ret == -EXDEV)
-		ret = generic_copy_file_range(src, src_pos, dst, dst_pos,
-					      count, 0);
+		ret = vfs_copy_file_range(src, src_pos, dst, dst_pos, count,
+					  COPY_FILE_SPLICE);
 	return ret;
 }
 

fs/read_write.c

@@ -1420,7 +1420,9 @@ static int generic_copy_file_checks(struct file *file_in, loff_t pos_in,
 	 * and several different sets of file_operations, but they all end up
 	 * using the same ->copy_file_range() function pointer.
 	 */
-	if (file_out->f_op->copy_file_range) {
+	if (flags & COPY_FILE_SPLICE) {
+		/* cross sb splice is allowed */
+	} else if (file_out->f_op->copy_file_range) {
 		if (file_in->f_op->copy_file_range !=
 		    file_out->f_op->copy_file_range)
 			return -EXDEV;
@@ -1470,8 +1472,9 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 			    size_t len, unsigned int flags)
 {
 	ssize_t ret;
+	bool splice = flags & COPY_FILE_SPLICE;
 
-	if (flags != 0)
+	if (flags & ~COPY_FILE_SPLICE)
 		return -EINVAL;
 
 	ret = generic_copy_file_checks(file_in, pos_in, file_out, pos_out, &len,
@@ -1497,14 +1500,14 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 	 * same sb using clone, but for filesystems where both clone and copy
 	 * are supported (e.g. nfs,cifs), we only call the copy method.
 	 */
-	if (file_out->f_op->copy_file_range) {
+	if (!splice && file_out->f_op->copy_file_range) {
 		ret = file_out->f_op->copy_file_range(file_in, pos_in,
 						      file_out, pos_out,
 						      len, flags);
 		goto done;
 	}
 
-	if (file_in->f_op->remap_file_range &&
+	if (!splice && file_in->f_op->remap_file_range &&
 	    file_inode(file_in)->i_sb == file_inode(file_out)->i_sb) {
 		ret = file_in->f_op->remap_file_range(file_in, pos_in,
 				file_out, pos_out,
@@ -1524,6 +1527,8 @@ ssize_t vfs_copy_file_range(struct file *file_in, loff_t pos_in,
 	 * consistent story about which filesystems support copy_file_range()
 	 * and which filesystems do not, that will allow userspace tools to
 	 * make consistent desicions w.r.t using copy_file_range().
+	 *
+	 * We also get here if caller (e.g. nfsd) requested COPY_FILE_SPLICE.
 	 */
 	ret = generic_copy_file_range(file_in, pos_in, file_out, pos_out, len,
 				      flags);
@@ -1578,6 +1583,10 @@ SYSCALL_DEFINE6(copy_file_range, int, fd_in, loff_t __user *, off_in,
 		pos_out = f_out.file->f_pos;
 	}
 
+	ret = -EINVAL;
+	if (flags != 0)
+		goto out;
+
 	ret = vfs_copy_file_range(f_in.file, pos_in, f_out.file, pos_out, len,
 				  flags);
 	if (ret > 0) {

include/linux/fs.h

@@ -1907,6 +1907,14 @@ struct dir_context {
  */
 #define REMAP_FILE_ADVISORY		(REMAP_FILE_CAN_SHORTEN)
 
+/*
+ * These flags control the behavior of vfs_copy_file_range().
+ * They are not available to the user via syscall.
+ *
+ * COPY_FILE_SPLICE: call splice direct instead of fs clone/copy ops
+ */
+#define COPY_FILE_SPLICE		(1 << 0)
+
 struct iov_iter;
 struct io_uring_cmd;