lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Pine.LNX.4.64.0610031330400.31975@localhost.localdomain>
Date:	Tue, 3 Oct 2006 13:51:49 -0400 (EDT)
From:	Chip Coldwell <coldwell@...hat.com>
To:	linux-kernel@...r.kernel.org
cc:	akpm@...l.org
Subject: direct IO regression in 2.6.18

Hi,

The following commit caused a regression in direct IO:

commit 016eb4a0ed06a3677d67a584da901f0e9a63c666
Author: Andrew Morton <akpm@...l.org>
Date:   Fri Sep 8 09:48:38 2006 -0700

     [PATCH] invalidate_complete_page() race fix

     If a CPU faults this page into pagetables after invalidate_mapping_pages()
     checked page_mapped(), invalidate_complete_page() will still proceed to remove
     the page from pagecache.  This leaves the page-faulting process with a
     detached page.  If it was MAP_SHARED then file data loss will ensue.

     Fix that up by checking the page's refcount after taking tree_lock.

     Cc: Nick Piggin <nickpiggin@...oo.com.au>
     Cc: Hugh Dickins <hugh@...itas.com>
     Cc: <stable@...nel.org>
     Signed-off-by: Andrew Morton <akpm@...l.org>
     Signed-off-by: Linus Torvalds <torvalds@...l.org>

diff --git a/mm/truncate.c b/mm/truncate.c
index cf1b015..c6ab55e 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -68,10 +68,10 @@ invalidate_complete_page(struct address_
  		return 0;

  	write_lock_irq(&mapping->tree_lock);
-	if (PageDirty(page)) {
-		write_unlock_irq(&mapping->tree_lock);
-		return 0;
-	}
+	if (PageDirty(page))
+		goto failed;
+	if (page_count(page) != 2)	/* caller's ref + pagecache ref */
+		goto failed;

  	BUG_ON(PagePrivate(page));
  	__remove_from_page_cache(page);
@@ -79,6 +79,9 @@ invalidate_complete_page(struct address_
  	ClearPageUptodate(page);
  	page_cache_release(page);	/* pagecache ref */
  	return 1;
+failed:
+	write_unlock_irq(&mapping->tree_lock);
+	return 0;
  }

  /**


The issue is that invalidate_complete_page is in two different code
paths, the normal one (prune_icache calls invalidate_inode_pages calls
invalidate_mapping_pages calls invalidate_complete_page) and also via
direct IO (generic_file_direct_write calls generic_file_direct_IO
calls invalidate_inode_pages2_range calls invalidate_complete_page).
In the latter case, the page is (usually) not even in the page cache
and the refcount can legitimately != 2.

Chip

-- 
Charles M. "Chip" Coldwell
Senior Software Engineer
Red Hat, Inc
978-392-2426

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ