[PATCH] fix set_page_dirty vs truncate&free races

set_page_dirty() is racy if the caller has no reference against page->mapping->host, and if the page is unlocked. This is because another CPU could truncate the page off the mapping and then free the mapping. Usually, the page _is_ locked, or the caller is a user-space process which holds a reference on the inode by having an open file. The exceptional cases are where the page was obtained via get_user_pages(). The patch changes those to lock the page around the set_page_dirty() call.

[PATCH] fix set_page_dirty vs truncate&free races
set_page_dirty() is racy if the caller has no reference against page->mapping->host, and if the page is unlocked. This is because another CPU could truncate the page off the mapping and then free the mapping. Usually, the page _is_ locked, or the caller is a user-space process which holds a reference on the inode by having an open file. The exceptional cases are where the page was obtained via get_user_pages(). The patch changes those to lock the page around the set_page_dirty() call.
5ba2948d · Andrew Morton · Richard Henderson · 0c682373 · 5ba2948d · 5ba2948d
Commit 5ba2948d authored Jan 10, 2003 by Andrew Morton Committed by Richard Henderson Jan 10, 2003
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 3 deletions

fs/bio.c fs/bio.c +4 -2

fs/direct-io.c fs/direct-io.c +1 -1

include/linux/mm.h include/linux/mm.h +1 -0

mm/page-writeback.c mm/page-writeback.c +20 -0

No files found.
--- a/fs/bio.c
+++ b/fs/bio.c
@@ -538,6 +538,8 @@ struct bio *bio_map_user(struct block_device *bdev, unsigned long uaddr,
 *	Unmap a bio previously mapped by bio_map_user(). The @write_to_vm
 *	must be the same as passed into bio_map_user(). Must be called with
 *	a process context.
+ *
+ *	bio_unmap_user() may sleep.
 */
 void bio_unmap_user(struct bio *bio, int write_to_vm)
 {
@@ -561,7 +563,7 @@ void bio_unmap_user(struct bio *bio, int write_to_vm)
 	 */
 	__bio_for_each_segment(bvec, bio, i, 0) {
 		if (write_to_vm)
-			set_page_dirty(bvec->bv_page);
+			set_page_dirty_lock(bvec->bv_page);

 		page_cache_release(bvec->bv_page);
 	}
@@ -601,7 +603,7 @@ void bio_set_pages_dirty(struct bio *bio)
 		struct page *page = bvec[i].bv_page;

 		if (page)
-			set_page_dirty(bvec[i].bv_page);
+			set_page_dirty_lock(bvec[i].bv_page);
 	}
 }


--- a/fs/direct-io.c
+++ b/fs/direct-io.c
@@ -343,7 +343,7 @@ static int dio_bio_complete(struct dio *dio, struct bio *bio)
 			struct page *page = bvec[page_no].bv_page;

 			if (dio->rw == READ)
-				set_page_dirty(page);
+				set_page_dirty_lock(page);
 			page_cache_release(page);
 		}
 		bio_put(bio);

--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -396,6 +396,7 @@ int get_user_pages(struct task_struct *tsk, struct mm_struct *mm, unsigned long

 int __set_page_dirty_buffers(struct page *page);
 int __set_page_dirty_nobuffers(struct page *page);
+int set_page_dirty_lock(struct page *page);

 /*
 * Prototype to add a shrinker callback for ageable caches.

--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -562,6 +562,26 @@ int __set_page_dirty_nobuffers(struct page *page)
 }
 EXPORT_SYMBOL(__set_page_dirty_nobuffers);

+/*
+ * set_page_dirty() is racy if the caller has no reference against
+ * page->mapping->host, and if the page is unlocked.  This is because another
+ * CPU could truncate the page off the mapping and then free the mapping.
+ *
+ * Usually, the page _is_ locked, or the caller is a user-space process which
+ * holds a reference on the inode by having an open file.
+ *
+ * In other cases, the page should be locked before running set_page_dirty().
+ */
+int set_page_dirty_lock(struct page *page)
+{
+	int ret;
+
+	lock_page(page);
+	ret = set_page_dirty(page);
+	unlock_page(page);
+	return ret;
+}
+
 /*
 * Clear a page's dirty flag, while caring for dirty memory accounting. 
 * Returns true if the page was previously dirty.