From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Maxim Patlasov <mpatlasov@parallels.com>,
	Miklos Szeredi <mszeredi@suse.cz>
Subject: [ 27/28] fuse: postpone end_page_writeback() in fuse_writepage_locked()
Date: Tue, 24 Sep 2013 17:07:58 -0700
Message-ID: <20130925000654.871694135@linuxfoundation.org>
In-Reply-To: <20130925000648.404447782@linuxfoundation.org>

3.0-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Patlasov <MPatlasov@parallels.com>

commit 4a4ac4eba1010ef9a804569058ab29e3450c0315 upstream.

The patch fixes a race between ftruncate(2), mmap-ed write and write(2):

1) A user makes a page dirty via mmap-ed write.
2) The user performs shrinking truncate(2) intended to purge the page.
3) Before fuse_do_setattr calls truncate_pagecache, the page goes to
   writeback. fuse_writepage_locked fills FUSE_WRITE request and releases
   the original page by end_page_writeback.
4) fuse_do_setattr() completes and successfully returns. From now on, i_mutex
   is free.
5) Ordinary write(2) extends i_size back to cover the page. Note that
   fuse_send_write_pages does wait for fuse writeback, but for another
   page->index.
6) fuse_writepage_locked proceeds by queueing FUSE_WRITE request.
   fuse_send_writepage is supposed to crop inarg->size of the request,
   but it doesn't because i_size has already been extended back.

Moving end_page_writeback to the end of fuse_writepage_locked fixes the
race because now the fact that truncate_pagecache has successfully returned
infers that fuse_writepage_locked has already called end_page_writeback.
And this, in turn, infers that fuse_flush_writepages has already called
fuse_send_writepage, and the latter used valid (shrunk) i_size. write(2)
could not extend it because of i_mutex held by ftruncate(2).

Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/fuse/file.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1298,7 +1298,6 @@ static int fuse_writepage_locked(struct
 
 	inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
 	inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
-	end_page_writeback(page);
 
 	spin_lock(&fc->lock);
 	list_add(&req->writepages_entry, &fi->writepages);
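Review bot: with `end_page_writeback(page)` removed from this spot, the original page now stays under writeback across the `inc_bdi_stat`/`NR_WRITEBACK_TEMP` accounting and the `fc->lock` section that adds the request to `fi->writepages`; that ordering is the whole fix, but nothing in the code records it. Suggest a one-line comment here, e.g. `/* page stays PG_writeback until fuse_send_writepage() has cropped the request against i_size */`, so a later cleanup does not move the call back up beside the tmp_page accounting and reintroduce the race.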
@@ -1306,6 +1305,8 @@ static int fuse_writepage_locked(struct
 	fuse_flush_writepages(inode);
 	spin_unlock(&fc->lock);
 
+	end_page_writeback(page);
+
 	return 0;
 
 err_free:
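Review bot: the new `end_page_writeback(page)` sits after `spin_unlock(&fc->lock)` and before `return 0`, so on the success path the writeback bit is cleared only once `fuse_flush_writepages(inode)` has run, which is what the description requires. The `err_free:` path that follows is outside the hunk; please confirm that no `goto err_free` can be reached after the page has been marked for writeback, since an error exit from between the two hunks would now leave PG_writeback set where the old placement had already cleared it. A short comment tying this call to truncate_pagecache()'s wait on writeback would also help readers who do not have the commit message at hand.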
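The six-step interleaving from the commit message, replayed as a deterministic userspace model (added here; it is not kernel code and not part of this patch). The inode/page/request structs, the 4096-byte page, the two-page file and the truncate target are constructed assumptions; run_race(false) plays the pre-patch ordering and run_race(true) the patched one, returning how many bytes the stand-in for fuse_send_writepage() would send for the page.

```c
/* Constructed model of the race, not kernel code: structs, sizes and the
 * scheduling points below are assumptions chosen to replay steps 1-6. */
#include <stdbool.h>

#define PAGE_SZ 4096ULL

struct inode    { unsigned long long i_size; };
struct page     { unsigned long long index; bool writeback; };
struct fuse_req { unsigned long long offset, size; };

/* Stand-in for fuse_send_writepage(): crop the request to the current i_size. */
static void send_writepage(const struct inode *in, struct fuse_req *req)
{
    unsigned long long end = req->offset + req->size;
    if (in->i_size <= req->offset)
        req->size = 0;              /* page lies entirely past EOF: nothing to send */
    else if (in->i_size < end)
        req->size = in->i_size - req->offset;
}

/* 'fixed' selects where end_page_writeback() runs: before the request is
 * queued (old code) or after the flush (patched code). Returns the byte
 * count the cropped request carries for the page. */
unsigned long long run_race(bool fixed)
{
    struct inode in = { .i_size = 2 * PAGE_SZ };            /* file spans two pages */
    struct page pg = { .index = 1, .writeback = false };    /* dirtied via mmap-ed write */
    struct fuse_req req = { .offset = pg.index * PAGE_SZ, .size = PAGE_SZ };
    const unsigned long long new_size = PAGE_SZ + 100;      /* shrinking truncate target */
    bool truncate_waiting;

    in.i_size = new_size;          /* fuse_do_setattr shrinks i_size under i_mutex */
    pg.writeback = true;           /* fuse_writepage_locked: page enters writeback, req filled */
    if (!fixed)
        pg.writeback = false;      /* old code: end_page_writeback() before queueing */

    /* truncate_pagecache() waits for PG_writeback; if it can return now, i_mutex
     * is dropped and a write(2) extends i_size back over the page before the flush. */
    truncate_waiting = pg.writeback;
    if (!truncate_waiting)
        in.i_size = 2 * PAGE_SZ;

    send_writepage(&in, &req);     /* fuse_flush_writepages -> fuse_send_writepage crops here */
    if (fixed)
        pg.writeback = false;      /* patched code: end_page_writeback() after the flush */
    if (truncate_waiting)
        in.i_size = 2 * PAGE_SZ;   /* truncate returns only now; the later write(2) is harmless */
    return req.size;
}
```

With the old ordering the request keeps its full 4096 bytes of stale page data past the truncation point; with the patched ordering it is cropped to the 100 bytes that still lie inside the shrunk file.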


