From: Nick Piggin <npiggin@suse.de>
To: Linux Memory Management <linux-mm@kvack.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
	Linux Filesystems <linux-fsdevel@vger.kernel.org>,
	Nick Piggin <npiggin@suse.de>, Andrew Morton <akpm@osdl.org>
Subject: [patch 1/10] fs: libfs buffered write leak fix
Date: Sat, 13 Jan 2007 04:24:24 +0100 (CET)	[thread overview]
Message-ID: <20070113011208.9449.4985.sendpatchset@linux.site> (raw)
In-Reply-To: <20070113011159.9449.4327.sendpatchset@linux.site>

simple_prepare_write and nobh_prepare_write leak uninitialised kernel data.
Fix the former, make a note of the latter. Several other filesystems seem
to be iffy here, too.

Signed-off-by: Nick Piggin <npiggin@suse.de>

Index: linux-2.6/fs/libfs.c
===================================================================
--- linux-2.6.orig/fs/libfs.c
+++ linux-2.6/fs/libfs.c
@@ -327,32 +327,35 @@ int simple_readpage(struct file *file, s
 int simple_prepare_write(struct file *file, struct page *page,
 			unsigned from, unsigned to)
 {
-	if (!PageUptodate(page)) {
-		if (to - from != PAGE_CACHE_SIZE) {
-			void *kaddr = kmap_atomic(page, KM_USER0);
-			memset(kaddr, 0, from);
-			memset(kaddr + to, 0, PAGE_CACHE_SIZE - to);
-			flush_dcache_page(page);
-			kunmap_atomic(kaddr, KM_USER0);
-		}
+	if (PageUptodate(page))
+		return 0;
+
+	if (to - from != PAGE_CACHE_SIZE) {
+		clear_highpage(page);
+		flush_dcache_page(page);
 		SetPageUptodate(page);
 	}
+
 	return 0;
 }
 
 int simple_commit_write(struct file *file, struct page *page,
-			unsigned offset, unsigned to)
+			unsigned from, unsigned to)
 {
-	struct inode *inode = page->mapping->host;
-	loff_t pos = ((loff_t)page->index << PAGE_CACHE_SHIFT) + to;
-
-	/*
-	 * No need to use i_size_read() here, the i_size
-	 * cannot change under us because we hold the i_mutex.
-	 */
-	if (pos > inode->i_size)
-		i_size_write(inode, pos);
-	set_page_dirty(page);
+	if (to > from) {
+		struct inode *inode = page->mapping->host;
+		loff_t pos = ((loff_t)page->index << PAGE_CACHE_SHIFT) + to;
+
+		if (to - from == PAGE_CACHE_SIZE)
+			SetPageUptodate(page);
+		/*
+		 * No need to use i_size_read() here, the i_size
+		 * cannot change under us because we hold the i_mutex.
+		 */
+		if (pos > inode->i_size)
+			i_size_write(inode, pos);
+		set_page_dirty(page);
+	}
 	return 0;
 }
 
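Review bot: The full-page path in simple_prepare_write now leaves the page neither cleared nor Uptodate, and simple_commit_write sets Uptodate only when `to - from == PAGE_CACHE_SIZE`, so correctness depends on commit being called with exactly the range that was prepared. If a caller ever commits a shorter range (for example after a partial copy; the callers are not visible in this hunk), the page would be dirtied and i_size possibly extended while the page stays !Uptodate with an uninitialised tail, which is worth either ruling out or documenting. I would add a comment above the `to - from != PAGE_CACHE_SIZE` test such as `/* Full-page writes are left !Uptodate and uncleared; simple_commit_write() marks them Uptodate only once the whole page has been copied. */`. It would also help to note next to `clear_highpage(page)` that the whole page is zeroed because it becomes Uptodate before the user copy, which appears to be the leak the description refers to. The same hunk appears again in the duplicate message further down the page.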
Index: linux-2.6/fs/buffer.c
===================================================================
--- linux-2.6.orig/fs/buffer.c
+++ linux-2.6/fs/buffer.c
@@ -2344,6 +2344,8 @@ int nobh_prepare_write(struct page *page
 
 	if (is_mapped_to_disk)
 		SetPageMappedToDisk(page);
+
+	/* XXX: information leak vs read(2) */
 	SetPageUptodate(page);
 
 	/*
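Review bot: The added `/* XXX: information leak vs read(2) */` marker does not say what leaks or under which condition, so the next reader has to rediscover it from the commit message. Judging by the description, the concern is that `SetPageUptodate(page)` runs here before the write data has been copied into the page, so a concurrent read(2) could presumably return whatever the page held before. Most of nobh_prepare_write lies outside this hunk, so which regions are already zeroed cannot be confirmed from here. I would expand the comment to something like `/* XXX: page is marked Uptodate before the caller copies data in; a racing read(2) may see uninitialised contents */`. The same hunk appears again in the duplicate message further down the page.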

WARNING: multiple messages have this Message-ID (diff)
From: Nick Piggin <npiggin@suse.de>
To: Linux Memory Management <linux-mm@kvack.org>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>,
	Linux Filesystems <linux-fsdevel@vger.kernel.org>,
	Nick Piggin <npiggin@suse.de>, Andrew Morton <akpm@osdl.org>
Subject: [patch 1/10] fs: libfs buffered write leak fix
Date: Sat, 13 Jan 2007 04:24:24 +0100 (CET)	[thread overview]
Message-ID: <20070113011208.9449.4985.sendpatchset@linux.site> (raw)
In-Reply-To: <20070113011159.9449.4327.sendpatchset@linux.site>

simple_prepare_write and nobh_prepare_write leak uninitialised kernel data.
Fix the former, make a note of the latter. Several other filesystems seem
to be iffy here, too.

Signed-off-by: Nick Piggin <npiggin@suse.de>

Index: linux-2.6/fs/libfs.c
===================================================================
--- linux-2.6.orig/fs/libfs.c
+++ linux-2.6/fs/libfs.c
@@ -327,32 +327,35 @@ int simple_readpage(struct file *file, s
 int simple_prepare_write(struct file *file, struct page *page,
 			unsigned from, unsigned to)
 {
-	if (!PageUptodate(page)) {
-		if (to - from != PAGE_CACHE_SIZE) {
-			void *kaddr = kmap_atomic(page, KM_USER0);
-			memset(kaddr, 0, from);
-			memset(kaddr + to, 0, PAGE_CACHE_SIZE - to);
-			flush_dcache_page(page);
-			kunmap_atomic(kaddr, KM_USER0);
-		}
+	if (PageUptodate(page))
+		return 0;
+
+	if (to - from != PAGE_CACHE_SIZE) {
+		clear_highpage(page);
+		flush_dcache_page(page);
 		SetPageUptodate(page);
 	}
+
 	return 0;
 }
 
 int simple_commit_write(struct file *file, struct page *page,
-			unsigned offset, unsigned to)
+			unsigned from, unsigned to)
 {
-	struct inode *inode = page->mapping->host;
-	loff_t pos = ((loff_t)page->index << PAGE_CACHE_SHIFT) + to;
-
-	/*
-	 * No need to use i_size_read() here, the i_size
-	 * cannot change under us because we hold the i_mutex.
-	 */
-	if (pos > inode->i_size)
-		i_size_write(inode, pos);
-	set_page_dirty(page);
+	if (to > from) {
+		struct inode *inode = page->mapping->host;
+		loff_t pos = ((loff_t)page->index << PAGE_CACHE_SHIFT) + to;
+
+		if (to - from == PAGE_CACHE_SIZE)
+			SetPageUptodate(page);
+		/*
+		 * No need to use i_size_read() here, the i_size
+		 * cannot change under us because we hold the i_mutex.
+		 */
+		if (pos > inode->i_size)
+			i_size_write(inode, pos);
+		set_page_dirty(page);
+	}
 	return 0;
 }
 
Index: linux-2.6/fs/buffer.c
===================================================================
--- linux-2.6.orig/fs/buffer.c
+++ linux-2.6/fs/buffer.c
@@ -2344,6 +2344,8 @@ int nobh_prepare_write(struct page *page
 
 	if (is_mapped_to_disk)
 		SetPageMappedToDisk(page);
+
+	/* XXX: information leak vs read(2) */
 	SetPageUptodate(page);
 
 	/*

