lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YRl33SHZYkonh+ED@casper.infradead.org>
Date:   Sun, 15 Aug 2021 21:23:57 +0100
From:   Matthew Wilcox <willy@...radead.org>
To:     Vlastimil Babka <vbabka@...e.cz>
Cc:     linux-kernel@...r.kernel.org, linux-mm@...ck.org,
        linux-fsdevel@...r.kernel.org
Subject: Re: [PATCH v14 078/138] mm/filemap: Add
 folio_mkwrite_check_truncate()

On Thu, Aug 12, 2021 at 07:08:33PM +0200, Vlastimil Babka wrote:
> > +/**
> > + * folio_mkwrite_check_truncate - check if folio was truncated
> > + * @folio: the folio to check
> > + * @inode: the inode to check the folio against
> > + *
> > + * Return: the number of bytes in the folio up to EOF,
> > + * or -EFAULT if the folio was truncated.
> > + */
> > +static inline ssize_t folio_mkwrite_check_truncate(struct folio *folio,
> > +					      struct inode *inode)
> > +{
> > +	loff_t size = i_size_read(inode);
> > +	pgoff_t index = size >> PAGE_SHIFT;
> > +	size_t offset = offset_in_folio(folio, size);
> > +
> > +	if (!folio->mapping)
> 
> The check in the page_ version is
> if (page->mapping != inode->i_mapping)
> 
> Why is the one above sufficient?

Oh, good question!

We know that at some point this page belonged to this file.  The caller
has a reference on it (and at the time they acquired a refcount on the
page, the page was part of the file).  The caller also has the page
locked, but has not checked that the page is still part of the file.
That's where we come in.

The truncate path looks up the page, locks it, removes it from i_pages,
unmaps it, sets the page->mapping to NULL, unlocks it and puts the page.

Because the folio_mkwrite_check_truncate() caller holds a reference on
the page, the truncate path will not free the page.  So there are only
two possibilities for the value of page->mapping; either it's the same
as inode->i_mapping, or it's NULL.

Now, maybe this is a bit subtle.  For robustness, perhaps we should
check that it's definitely still part of this file instead of checking
whether it is currently part of no file.  Perhaps at some point in the
future, we might get the reference to the page without checking that
it's still part of this file.  Opinions?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ