From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Baokun Li <libaokun1@huawei.com>,
Jan Kara <jack@suse.cz>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Christoph Hellwig <hch@infradead.org>,
Dave Chinner <david@fromorbit.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com>,
Theodore Tso <tytso@mit.edu>, yangerkun <yangerkun@huawei.com>,
Yu Kuai <yukuai3@huawei.com>, Zhang Yi <yi.zhang@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.6 39/49] mm/filemap: avoid buffered read/write race to read inconsistent data
Date: Wed, 3 Jan 2024 17:55:59 +0100 [thread overview]
Message-ID: <20240103164841.053830651@linuxfoundation.org> (raw)
In-Reply-To: <20240103164834.970234661@linuxfoundation.org>
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit e2c27b803bb664748e090d99042ac128b3f88d92 upstream.
The following concurrency may cause the data read to be inconsistent with
the data on disk:
cpu1 cpu2
------------------------------|------------------------------
// Buffered write 2048 from 0
ext4_buffered_write_iter
generic_perform_write
copy_page_from_iter_atomic
ext4_da_write_end
ext4_da_do_write_end
block_write_end
__block_commit_write
folio_mark_uptodate
// Buffered read 4096 from 0 smp_wmb()
ext4_file_read_iter set_bit(PG_uptodate, folio_flags)
generic_file_read_iter i_size_write // 2048
filemap_read unlock_page(page)
filemap_get_pages
filemap_get_read_batch
folio_test_uptodate(folio)
ret = test_bit(PG_uptodate, folio_flags)
if (ret)
smp_rmb();
// Ensure that the data in page 0-2048 is up-to-date.
// New buffered write 2048 from 2048
ext4_buffered_write_iter
generic_perform_write
copy_page_from_iter_atomic
ext4_da_write_end
ext4_da_do_write_end
block_write_end
__block_commit_write
folio_mark_uptodate
smp_wmb()
set_bit(PG_uptodate, folio_flags)
i_size_write // 4096
unlock_page(page)
isize = i_size_read(inode) // 4096
// Read the latest isize 4096, but without smp_rmb(), there may be
// Load-Load disorder resulting in the data in the 2048-4096 range
// in the page is not up-to-date.
copy_page_to_iter
// copyout 4096
In the concurrency above, we read the updated i_size, but there is no read
barrier to ensure that the data in the page is the same as the i_size at
this point, so we may copy the unsynchronized page out. Hence adding the
missing read memory barrier to fix this.
This is a Load-Load reordering issue, which only occurs on some weak
mem-ordering architectures (e.g. ARM64, ALPHA), but not on strong
mem-ordering architectures (e.g. X86). And theoretically the problem
doesn't only happen on ext4, filesystems that call filemap_read() but
don't hold inode lock (e.g. btrfs, f2fs, ubifs ...) will have this
problem, while filesystems with inode lock (e.g. xfs, nfs) won't have
this problem.
Link: https://lkml.kernel.org/r/20231213062324.739009-1-libaokun1@huawei.com
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: yangerkun <yangerkun@huawei.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Cc: Zhang Yi <yi.zhang@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/filemap.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2667,6 +2667,15 @@ ssize_t filemap_read(struct kiocb *iocb,
end_offset = min_t(loff_t, isize, iocb->ki_pos + iter->count);
/*
+ * Pairs with a barrier in
+ * block_write_end()->mark_buffer_dirty() or other page
+ * dirtying routines like iomap_write_end() to ensure
+ * changes to page contents are visible before we see
+ * increased inode size.
+ */
+ smp_rmb();
+
+ /*
* Once we start copying data, we don't want to be touching any
* cachelines that might be contended:
*/
next prev parent reply other threads:[~2024-01-03 17:14 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-03 16:55 [PATCH 6.6 00/49] 6.6.10-rc1 review Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 01/49] ksmbd: Remove unused field in ksmbd_user struct Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 02/49] ksmbd: reorganize ksmbd_iov_pin_rsp() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 03/49] ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 04/49] ksmbd: fix missing RDMA-capable flag for IPoIB device in ksmbd_rdma_capable_netdev() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 05/49] ksmbd: add support for surrogate pair conversion Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 06/49] ksmbd: no need to wait for binded connection termination at logoff Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 07/49] ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 08/49] ksmbd: prevent memory leak on error return Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 09/49] ksmbd: separately allocate ci per dentry Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 10/49] ksmbd: move oplock handling after unlock parent dir Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 11/49] ksmbd: release interim response after sending status pending response Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 12/49] ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 13/49] ksmbd: dont update ->op_state as OPLOCK_STATE_NONE on error Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 14/49] ksmbd: set epoch in create context v2 lease Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 15/49] ksmbd: set v2 lease capability Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 16/49] ksmbd: downgrade RWH lease caching state to RH for directory Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 17/49] ksmbd: send v2 lease break notification " Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 18/49] ksmbd: lazy v2 lease break on smb2_write() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 19/49] ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 20/49] fs: new accessor methods for atime and mtime Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 21/49] client: convert to new timestamp accessors Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 22/49] fs: cifs: Fix atime update check Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 23/49] virtio_ring: fix syncs DMA memory with different direction Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 24/49] kexec: fix KEXEC_FILE dependencies Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 25/49] kexec: select CRYPTO from KEXEC_FILE instead of depending on it Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 26/49] linux/export: Fix alignment for 64-bit ksymtab entries Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 27/49] linux/export: Ensure natural alignment of kcrctab array Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 28/49] mptcp: refactor sndbuf auto-tuning Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 29/49] mptcp: fix possible NULL pointer dereference on close Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 30/49] mptcp: fix inconsistent state on fastopen race Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 31/49] block: renumber QUEUE_FLAG_HW_WC Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 32/49] platform/x86/intel/pmc: Add suspend callback Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 33/49] platform/x86/intel/pmc: Allow reenabling LTRs Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 34/49] platform/x86/intel/pmc: Move GBE LTR ignore to suspend callback Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 35/49] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 36/49] platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe Greg Kroah-Hartman
2024-01-04 9:01 ` Shinichiro Kawasaki
2024-01-03 16:55 ` [PATCH 6.6 37/49] maple_tree: do not preallocate nodes for slot stores Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.6 38/49] selftests: secretmem: floor the memory size to the multiple of page_size Greg Kroah-Hartman
2024-01-03 16:55 ` Greg Kroah-Hartman [this message]
2024-01-03 16:56 ` [PATCH 6.6 40/49] mm: migrate high-order folios in swap cache correctly Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 41/49] mm/memory-failure: cast index to loff_t before shifting it Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 42/49] mm/memory-failure: check the mapcount of the precise page Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 43/49] Revert "nvme-fc: fix race between error recovery and creating association" Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 44/49] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 45/49] ftrace: Fix modification of direct_function hash while in use Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 46/49] tracing: Fix blocked reader of snapshot buffer Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 47/49] wifi: cfg80211: fix CQM for non-range use Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 48/49] wifi: nl80211: fix deadlock in nl80211_set_cqm_rssi (6.6.x) Greg Kroah-Hartman
2024-01-03 16:56 ` [PATCH 6.6 49/49] netfilter: nf_tables: skip set commit for deleted/destroyed sets Greg Kroah-Hartman
2024-01-03 17:44 ` [PATCH 6.6 00/49] 6.6.10-rc1 review Nam Cao
2024-01-03 18:57 ` SeongJae Park
2024-01-03 22:04 ` Florian Fainelli
2024-01-03 23:35 ` Kelsey Steele
2024-01-04 0:18 ` Shuah Khan
2024-01-04 2:24 ` Takeshi Ogasawara
2024-01-04 4:10 ` Daniel Díaz
2024-01-04 7:15 ` Daniel Díaz
2024-01-04 7:58 ` Greg Kroah-Hartman
2024-01-04 8:21 ` Johannes Berg
2024-01-04 12:39 ` Naresh Kamboju
2024-01-04 12:58 ` Greg Kroah-Hartman
2024-01-04 5:20 ` Bagas Sanjaya
2024-01-04 7:55 ` Luna Jernberg
2024-01-04 7:57 ` Greg Kroah-Hartman
2024-01-04 10:26 ` Ron Economos
2024-01-04 11:53 ` Harshit Mogalapalli
2024-01-04 16:52 ` Jon Hunter
2024-01-04 17:12 ` Allen
2024-01-05 1:04 ` Guenter Roeck
2024-01-05 2:43 ` Namjae Jeon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240103164841.053830651@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=libaokun1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=ritesh.list@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=willy@infradead.org \
--cc=yangerkun@huawei.com \
--cc=yi.zhang@huawei.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox