lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sun, 29 Jul 2018 14:02:59 +0800
From:   Chao Yu <chao@...nel.org>
To:     Jaegeuk Kim <jaegeuk@...nel.org>, Chao Yu <yuchao0@...wei.com>
Cc:     linux-f2fs-devel@...ts.sourceforge.net,
        linux-kernel@...r.kernel.org
Subject: Re: [PATCH 3/4] f2fs: fix avoid race between truncate and background
 GC

On 2018/7/29 9:58, Jaegeuk Kim wrote:
> On 07/27, Chao Yu wrote:
>> Thread A				Background GC
>> - f2fs_setattr isize to 0
>>  - truncate_setsize
>> 					- gc_data_segment
>> 					 - f2fs_get_read_data_page page #0
>> 					  - set_page_dirty
>> 					  - set_cold_data
>>  - f2fs_truncate
>>
>> - f2fs_setattr isize to 4k
>> - read 4k <--- hit data in cached page #0
>>
>> Above race condition can cause read out invalid data in a truncated
>> page, fix it by i_gc_rwsem[WRITE] lock.
> 
> We can truncate pages again after f2fs_truncate()?

I think it can fix this issue, although it looks a little strange to truncate
page cache twice.

Thanks,

> 
>>
>> Signed-off-by: Chao Yu <yuchao0@...wei.com>
>> ---
>>  fs/f2fs/data.c |  4 ++++
>>  fs/f2fs/file.c | 33 +++++++++++++++++++--------------
>>  2 files changed, 23 insertions(+), 14 deletions(-)
>>
>> diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
>> index 071224ded5f4..a29f3162b887 100644
>> --- a/fs/f2fs/data.c
>> +++ b/fs/f2fs/data.c
>> @@ -2214,10 +2214,14 @@ static void f2fs_write_failed(struct address_space *mapping, loff_t to)
>>  	loff_t i_size = i_size_read(inode);
>>  
>>  	if (to > i_size) {
>> +		down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>>  		down_write(&F2FS_I(inode)->i_mmap_sem);
>> +
>>  		truncate_pagecache(inode, i_size);
>>  		f2fs_truncate_blocks(inode, i_size, true);
>> +
>>  		up_write(&F2FS_I(inode)->i_mmap_sem);
>> +		up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>>  	}
>>  }
>>  
>> diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
>> index 7bd2412a8c37..ed5c9b0e0d0c 100644
>> --- a/fs/f2fs/file.c
>> +++ b/fs/f2fs/file.c
>> @@ -796,22 +796,25 @@ int f2fs_setattr(struct dentry *dentry, struct iattr *attr)
>>  	}
>>  
>>  	if (attr->ia_valid & ATTR_SIZE) {
>> -		if (attr->ia_size <= i_size_read(inode)) {
>> -			down_write(&F2FS_I(inode)->i_mmap_sem);
>> -			truncate_setsize(inode, attr->ia_size);
>> +		bool to_smaller = (attr->ia_size <= i_size_read(inode));
>> +
>> +		down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>> +		down_write(&F2FS_I(inode)->i_mmap_sem);
>> +
>> +		truncate_setsize(inode, attr->ia_size);
>> +
>> +		if (to_smaller)
>>  			err = f2fs_truncate(inode);
>> -			up_write(&F2FS_I(inode)->i_mmap_sem);
>> -			if (err)
>> -				return err;
>> -		} else {
>> -			/*
>> -			 * do not trim all blocks after i_size if target size is
>> -			 * larger than i_size.
>> -			 */
>> -			down_write(&F2FS_I(inode)->i_mmap_sem);
>> -			truncate_setsize(inode, attr->ia_size);
>> -			up_write(&F2FS_I(inode)->i_mmap_sem);
>> +		/*
>> +		 * do not trim all blocks after i_size if target size is
>> +		 * larger than i_size.
>> +		 */
>> +		up_write(&F2FS_I(inode)->i_mmap_sem);
>> +		up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>> +		if (err)
>> +			return err;
>>  
>> +		if (!to_smaller) {
>>  			/* should convert inline inode here */
>>  			if (!f2fs_may_inline_data(inode)) {
>>  				err = f2fs_convert_inline_inode(inode);
>> @@ -958,6 +961,7 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
>>  
>>  			blk_start = (loff_t)pg_start << PAGE_SHIFT;
>>  			blk_end = (loff_t)pg_end << PAGE_SHIFT;
>> +			down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>>  			down_write(&F2FS_I(inode)->i_mmap_sem);
>>  			truncate_inode_pages_range(mapping, blk_start,
>>  					blk_end - 1);
>> @@ -966,6 +970,7 @@ static int punch_hole(struct inode *inode, loff_t offset, loff_t len)
>>  			ret = f2fs_truncate_hole(inode, pg_start, pg_end);
>>  			f2fs_unlock_op(sbi);
>>  			up_write(&F2FS_I(inode)->i_mmap_sem);
>> +			up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
>>  		}
>>  	}
>>  
>> -- 
>> 2.18.0.rc1

Powered by blists - more mailing lists