From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Baokun Li <libaokun1@huawei.com>,
Jan Kara <jack@suse.cz>,
Andreas Dilger <adilger.kernel@dilger.ca>,
Christoph Hellwig <hch@infradead.org>,
Dave Chinner <david@fromorbit.com>,
"Matthew Wilcox (Oracle)" <willy@infradead.org>,
"Ritesh Harjani (IBM)" <ritesh.list@gmail.com>,
Theodore Tso <tytso@mit.edu>, yangerkun <yangerkun@huawei.com>,
Yu Kuai <yukuai3@huawei.com>, Zhang Yi <yi.zhang@huawei.com>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.1 087/100] mm/filemap: avoid buffered read/write race to read inconsistent data
Date: Wed, 3 Jan 2024 17:55:16 +0100 [thread overview]
Message-ID: <20240103164909.170384396@linuxfoundation.org> (raw)
In-Reply-To: <20240103164856.169912722@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit e2c27b803bb664748e090d99042ac128b3f88d92 upstream.
The following concurrency may cause the data read to be inconsistent with
the data on disk:
cpu1 cpu2
------------------------------|------------------------------
// Buffered write 2048 from 0
ext4_buffered_write_iter
generic_perform_write
copy_page_from_iter_atomic
ext4_da_write_end
ext4_da_do_write_end
block_write_end
__block_commit_write
folio_mark_uptodate
// Buffered read 4096 from 0 smp_wmb()
ext4_file_read_iter set_bit(PG_uptodate, folio_flags)
generic_file_read_iter i_size_write // 2048
filemap_read unlock_page(page)
filemap_get_pages
filemap_get_read_batch
folio_test_uptodate(folio)
ret = test_bit(PG_uptodate, folio_flags)
if (ret)
smp_rmb();
// Ensure that the data in page 0-2048 is up-to-date.
// New buffered write 2048 from 2048
ext4_buffered_write_iter
generic_perform_write
copy_page_from_iter_atomic
ext4_da_write_end
ext4_da_do_write_end
block_write_end
__block_commit_write
folio_mark_uptodate
smp_wmb()
set_bit(PG_uptodate, folio_flags)
i_size_write // 4096
unlock_page(page)
isize = i_size_read(inode) // 4096
// Read the latest isize 4096, but without smp_rmb(), there may be
// Load-Load disorder resulting in the data in the 2048-4096 range
// in the page is not up-to-date.
copy_page_to_iter
// copyout 4096
In the concurrency above, we read the updated i_size, but there is no read
barrier to ensure that the data in the page is the same as the i_size at
this point, so we may copy the unsynchronized page out. Hence adding the
missing read memory barrier to fix this.
This is a Load-Load reordering issue, which only occurs on some weak
mem-ordering architectures (e.g. ARM64, ALPHA), but not on strong
mem-ordering architectures (e.g. X86). And theoretically the problem
doesn't only happen on ext4, filesystems that call filemap_read() but
don't hold inode lock (e.g. btrfs, f2fs, ubifs ...) will have this
problem, while filesystems with inode lock (e.g. xfs, nfs) won't have
this problem.
Link: https://lkml.kernel.org/r/20231213062324.739009-1-libaokun1@huawei.com
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Dave Chinner <david@fromorbit.com>
Cc: Matthew Wilcox (Oracle) <willy@infradead.org>
Cc: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Cc: Theodore Ts'o <tytso@mit.edu>
Cc: yangerkun <yangerkun@huawei.com>
Cc: Yu Kuai <yukuai3@huawei.com>
Cc: Zhang Yi <yi.zhang@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/filemap.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -2745,6 +2745,15 @@ ssize_t filemap_read(struct kiocb *iocb,
end_offset = min_t(loff_t, isize, iocb->ki_pos + iter->count);
/*
+ * Pairs with a barrier in
+ * block_write_end()->mark_buffer_dirty() or other page
+ * dirtying routines like iomap_write_end() to ensure
+ * changes to page contents are visible before we see
+ * increased inode size.
+ */
+ smp_rmb();
+
+ /*
* Once we start copying data, we don't want to be touching any
* cachelines that might be contended:
*/
next prev parent reply other threads:[~2024-01-03 17:01 UTC|newest]
Thread overview: 121+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-01-03 16:53 [PATCH 6.1 000/100] 6.1.71-rc1 review Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 001/100] ksmbd: replace one-element arrays with flexible-array members Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 002/100] ksmbd: set SMB2_SESSION_FLAG_ENCRYPT_DATA when enforcing data encryption for this share Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 003/100] ksmbd: use F_SETLK when unlocking a file Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 004/100] ksmbd: Fix resource leak in smb2_lock() Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 005/100] ksmbd: Convert to use sysfs_emit()/sysfs_emit_at() APIs Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 006/100] ksmbd: Implements sess->rpc_handle_list as xarray Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 007/100] ksmbd: fix typo, syncronous->synchronous Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 008/100] ksmbd: Remove duplicated codes Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 009/100] ksmbd: update Kconfig to note Kerberos support and fix indentation Greg Kroah-Hartman
2024-01-03 16:53 ` [PATCH 6.1 010/100] ksmbd: Fix spelling mistake "excceed" -> "exceeded" Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 011/100] ksmbd: Fix parameter name and comment mismatch Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 012/100] ksmbd: remove unused is_char_allowed function Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 013/100] ksmbd: delete asynchronous work from list Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 014/100] ksmbd: set NegotiateContextCount once instead of every inc Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 015/100] ksmbd: avoid duplicate negotiate ctx offset increments Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 016/100] ksmbd: remove unused compression negotiate ctx packing Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 017/100] fs: introduce lock_rename_child() helper Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 018/100] ksmbd: fix racy issue from using ->d_parent and ->d_name Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 019/100] ksmbd: fix uninitialized pointer read in ksmbd_vfs_rename() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 020/100] ksmbd: fix uninitialized pointer read in smb2_create_link() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 021/100] ksmbd: call putname after using the last component Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 022/100] ksmbd: fix posix_acls and acls dereferencing possible ERR_PTR() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 023/100] ksmbd: add mnt_want_write to ksmbd vfs functions Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 024/100] ksmbd: remove unused ksmbd_tree_conn_share function Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 025/100] ksmbd: use kzalloc() instead of __GFP_ZERO Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 026/100] ksmbd: return a literal instead of err in ksmbd_vfs_kern_path_locked() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 027/100] ksmbd: Change the return value of ksmbd_vfs_query_maximal_access to void Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 028/100] ksmbd: use kvzalloc instead of kvmalloc Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 029/100] ksmbd: Replace the ternary conditional operator with min() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 030/100] ksmbd: Use struct_size() helper in ksmbd_negotiate_smb_dialect() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 031/100] ksmbd: Replace one-element array with flexible-array member Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 032/100] ksmbd: Fix unsigned expression compared with zero Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 033/100] ksmbd: check if a mount point is crossed during path lookup Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 034/100] ksmbd: switch to use kmemdup_nul() helper Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 035/100] ksmbd: add support for read compound Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 036/100] ksmbd: fix wrong interim response on compound Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 037/100] ksmbd: fix `force create mode and `force directory mode Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 038/100] ksmbd: Fix one kernel-doc comment Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 039/100] ksmbd: add missing calling smb2_set_err_rsp() on error Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 040/100] ksmbd: remove experimental warning Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 041/100] ksmbd: remove unneeded mark_inode_dirty in set_info_sec() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 042/100] ksmbd: fix passing freed memory aux_payload_buf Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 043/100] ksmbd: return invalid parameter error response if smb2 request is invalid Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 044/100] ksmbd: check iov vector index in ksmbd_conn_write() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 045/100] ksmbd: fix race condition with fp Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 046/100] ksmbd: fix race condition from parallel smb2 logoff requests Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 047/100] ksmbd: fix race condition from parallel smb2 lock requests Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 048/100] ksmbd: fix race condition between tree conn lookup and disconnect Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 049/100] ksmbd: fix wrong error response status by using set_smb2_rsp_status() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 050/100] ksmbd: fix Null pointer dereferences in ksmbd_update_fstate() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 051/100] ksmbd: fix potential double free on smb2_read_pipe() error path Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 052/100] ksmbd: Remove unused field in ksmbd_user struct Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 053/100] ksmbd: reorganize ksmbd_iov_pin_rsp() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 054/100] ksmbd: fix kernel-doc comment of ksmbd_vfs_setxattr() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 055/100] ksmbd: fix recursive locking in vfs helpers Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 056/100] ksmbd: fix missing RDMA-capable flag for IPoIB device in ksmbd_rdma_capable_netdev() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 057/100] ksmbd: add support for surrogate pair conversion Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 058/100] ksmbd: no need to wait for binded connection termination at logoff Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 059/100] ksmbd: fix kernel-doc comment of ksmbd_vfs_kern_path_locked() Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 060/100] ksmbd: prevent memory leak on error return Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 061/100] ksmbd: fix possible deadlock in smb2_open Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 062/100] ksmbd: separately allocate ci per dentry Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 063/100] ksmbd: move oplock handling after unlock parent dir Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 064/100] ksmbd: release interim response after sending status pending response Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 065/100] ksmbd: move setting SMB2_FLAGS_ASYNC_COMMAND and AsyncId Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 066/100] ksmbd: dont update ->op_state as OPLOCK_STATE_NONE on error Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 067/100] ksmbd: set epoch in create context v2 lease Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 068/100] ksmbd: set v2 lease capability Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 069/100] ksmbd: downgrade RWH lease caching state to RH for directory Greg Kroah-Hartman
2024-01-03 16:54 ` [PATCH 6.1 070/100] ksmbd: send v2 lease break notification " Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 071/100] ksmbd: lazy v2 lease break on smb2_write() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 072/100] ksmbd: avoid duplicate opinfo_put() call on error of smb21_lease_break_ack() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 073/100] ksmbd: fix wrong allocation size update in smb2_open() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 074/100] ARM: dts: Fix occasional boot hang for am3 usb Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 075/100] usb: fotg210-hcd: delete an incorrect bounds test Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 076/100] spi: Introduce spi_get_device_match_data() helper Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 077/100] iio: imu: adis16475: add spi_device_id table Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 078/100] nfsd: separate nfsd_last_thread() from nfsd_put() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 079/100] nfsd: call nfsd_last_thread() before final nfsd_put() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 080/100] linux/export: Ensure natural alignment of kcrctab array Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 081/100] spi: Reintroduce spi_set_cs_timing() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 082/100] spi: Add APIs in spi core to set/get spi->chip_select and spi->cs_gpiod Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 083/100] spi: atmel: Fix clock issue when using devices with different polarities Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 084/100] block: renumber QUEUE_FLAG_HW_WC Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 085/100] ksmbd: fix slab-out-of-bounds in smb_strndup_from_utf16() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 086/100] platform/x86: p2sb: Allow p2sb_bar() calls during PCI device probe Greg Kroah-Hartman
2024-01-04 8:54 ` Shinichiro Kawasaki
2024-01-04 8:58 ` Greg Kroah-Hartman
2024-01-04 9:11 ` Shinichiro Kawasaki
2024-01-04 9:20 ` Greg Kroah-Hartman
2024-01-04 12:17 ` Shinichiro Kawasaki
2024-01-04 17:02 ` Ilpo Järvinen
2024-01-04 18:20 ` Greg Kroah-Hartman
2024-01-04 18:34 ` Ilpo Järvinen
2024-01-03 16:55 ` Greg Kroah-Hartman [this message]
2024-01-03 16:55 ` [PATCH 6.1 088/100] mm: migrate high-order folios in swap cache correctly Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 089/100] mm/memory-failure: cast index to loff_t before shifting it Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 090/100] mm/memory-failure: check the mapcount of the precise page Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 091/100] ring-buffer: Fix wake ups when buffer_percent is set to 100 Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 092/100] tracing: Fix blocked reader of snapshot buffer Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 093/100] ring-buffer: Remove useless update to write_stamp in rb_try_to_discard() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 094/100] netfilter: nf_tables: skip set commit for deleted/destroyed sets Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 095/100] ring-buffer: Fix slowpath of interrupted event Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 096/100] NFSD: fix possible oops when nfsd/pool_stats is closed Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 097/100] spi: Constify spi parameters of chip select APIs Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 098/100] device property: Allow const parameter to dev_fwnode() Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 099/100] kallsyms: Make module_kallsyms_on_each_symbol generally available Greg Kroah-Hartman
2024-01-03 16:55 ` [PATCH 6.1 100/100] tracing/kprobes: Fix symbol counting logic by looking at modules as well Greg Kroah-Hartman
2024-01-03 18:56 ` [PATCH 6.1 000/100] 6.1.71-rc1 review SeongJae Park
2024-01-03 19:55 ` Florian Fainelli
2024-01-03 23:37 ` Kelsey Steele
2024-01-04 0:15 ` Shuah Khan
2024-01-04 10:49 ` Naresh Kamboju
2024-01-04 12:12 ` Jon Hunter
2024-01-04 12:15 ` Pavel Machek
2024-01-04 21:45 ` Ron Economos
2024-01-05 1:03 ` Guenter Roeck
2024-01-05 2:42 ` Namjae Jeon
2024-01-05 10:02 ` Yann Sionneau
2024-01-05 11:13 ` Shreeya Patel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240103164909.170384396@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=adilger.kernel@dilger.ca \
--cc=akpm@linux-foundation.org \
--cc=david@fromorbit.com \
--cc=hch@infradead.org \
--cc=jack@suse.cz \
--cc=libaokun1@huawei.com \
--cc=patches@lists.linux.dev \
--cc=ritesh.list@gmail.com \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
--cc=willy@infradead.org \
--cc=yangerkun@huawei.com \
--cc=yi.zhang@huawei.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox