From: Peter Zijlstra <a.p.zijlstra@chello.nl>
To: Nick Piggin <npiggin@suse.de>
Cc: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
Andrew Morton <akpm@osdl.org>,
Christoph Lameter <clameter@engr.sgi.com>,
Jens Axboe <axboe@suse.de>,
Linux Memory Management List <linux-mm@kvack.org>
Subject: Re: [patch] rfc: fix splice mapping race?
Date: Sun, 18 Jun 2006 12:02:45 +0200
Message-ID: <1150624965.28517.55.camel@lappy>
In-Reply-To: <20060618094157.GD14452@wotan.suse.de>

On Sun, 2006-06-18 at 11:41 +0200, Nick Piggin wrote:
> Hi, I would be interested in confirmation/comments for this patch.
>
> I believe splice is unsafe to access the page mapping obtained
> when the page was unlocked: the page could subsequently be truncated
> and the mapping reclaimed (see set_page_dirty_lock comments).
>
> Modify the remove_mapping precondition to ensure the caller has
> locked the page and obtained the correct mapping. Modify callers to
> ensure the mapping is the correct one.
>
> In page migration, detect the missing mapping early and bail out if
> that is the case: the page is not going to get un-truncated, so
> retrying is just a waste of time.
>
> Signed-off-by: Nick Piggin <npiggin@suse.de>
Looks sane, except the change in migrate (comment there). I like the
remove_mapping() pre-conditions.
>
> Index: linux-2.6/fs/splice.c
> ===================================================================
> --- linux-2.6.orig/fs/splice.c
> +++ linux-2.6/fs/splice.c
> @@ -55,9 +55,12 @@ static int page_cache_pipe_buf_steal(str
> struct pipe_buffer *buf)
> {
> struct page *page = buf->page;
> - struct address_space *mapping = page_mapping(page);
> + struct address_space *mapping;
>
> lock_page(page);
> + mapping = page_mapping(page);
> + if (!mapping)
> + goto out_failed;
>
> WARN_ON(!PageUptodate(page));
>
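Review bot: the new mapping = page_mapping(page) after lock_page() has no comment saying why the lookup must happen under the page lock. A one-line comment there (truncation can clear the mapping while the page is unlocked) would keep a later cleanup from folding the lookup back into the declaration, which is exactly the form this hunk removes.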
> @@ -74,6 +77,7 @@ static int page_cache_pipe_buf_steal(str
> try_to_release_page(page, mapping_gfp_mask(mapping));
>
> if (!remove_mapping(mapping, page)) {
> +out_failed:
> unlock_page(page);
> return 1;
> }
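Review bot: the out_failed: label sits inside the body of if (!remove_mapping(mapping, page)), so the goto from the !mapping check jumps into the middle of a conditional block. It is legal C and returns the right value, but it reads as if remove_mapping() had been called and failed. Consider moving the unlock_page()/return 1 pair to a labelled exit after the block and having both failure cases jump to it.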
> Index: linux-2.6/mm/migrate.c
> ===================================================================
> --- linux-2.6.orig/mm/migrate.c
> +++ linux-2.6/mm/migrate.c
> @@ -136,9 +136,13 @@ static int swap_page(struct page *page)
> {
> struct address_space *mapping = page_mapping(page);
>
> - if (page_mapped(page) && mapping)
> + if (!mapping)
> + return -EINVAL; /* page truncated. signal permanent failure */
Here, I think you need to unlock the page too.
> +
> + if (page_mapped(page)) {
> if (try_to_unmap(page, 1) != SWAP_SUCCESS)
> goto unlock_retry;
> + }
>
> if (PageDirty(page)) {
> /* Page is dirty, try to write it out here */
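Review bot: the early return -EINVAL at the top of swap_page() leaves without unlocking the page, while the try_to_unmap() failure just below leaves through unlock_retry, which suggests swap_page() is entered with the page locked. Route the !mapping case through a label that unlocks before returning -EINVAL, so the permanent-failure path releases the lock the same way the retry path does.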
> Index: linux-2.6/mm/vmscan.c
> ===================================================================
> --- linux-2.6.orig/mm/vmscan.c
> +++ linux-2.6/mm/vmscan.c
> @@ -362,8 +362,8 @@ pageout_t pageout(struct page *page, str
>
> int remove_mapping(struct address_space *mapping, struct page *page)
> {
> - if (!mapping)
> - return 0; /* truncate got there first */
> + BUG_ON(!PageLocked(page));
> + BUG_ON(mapping != page->mapping);
>
> write_lock_irq(&mapping->tree_lock);
>
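Review bot: BUG_ON(mapping != page->mapping) compares against the raw field, but the callers changed in this patch obtain their mapping with page_mapping(page). page_mapping() is an accessor rather than a plain read of page->mapping, so wherever the two differ (swap-cache pages, for one) a correct caller would trip the assertion. Comparing against page_mapping(page) keeps the precondition stated in the same terms the callers use. With the NULL test removed, it is also worth a comment above the function stating that the caller must hold the page lock and pass a non-NULL mapping.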
> @@ -532,7 +532,7 @@ static unsigned long shrink_page_list(st
> goto free_it;
> }
>
> - if (!remove_mapping(mapping, page))
> + if (!mapping || !remove_mapping(mapping, page))
> goto keep_locked;
>
> free_it:
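Review bot: the !mapping || test added in front of remove_mapping() takes over the NULL case, but the explanation that used to live in remove_mapping() ("truncate got there first") is dropped rather than moved. Carry that comment over to this line. Since remove_mapping() now BUG()s on a mismatched mapping, it is also worth confirming that the local mapping, which is assigned outside this hunk, is read with the page locked and not reused across any point where the lock is dropped.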