[PATCH] fix set_page_dirty vs truncate&free races
set_page_dirty() is racy if the caller has no reference against page->mapping->host, and if the page is unlocked. This is because another CPU could truncate the page off the mapping and then free the mapping. Usually, the page _is_ locked, or the caller is a user-space process which holds a reference on the inode by having an open file. The exceptional cases are where the page was obtained via get_user_pages(). The patch changes those to lock the page around the set_page_dirty() call.
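The invariant the commit message relies on is that truncation detaches a page from its mapping only while holding the page lock, so a caller that also holds the page lock either sees a live page->mapping or sees NULL, never a freed one. The following is an added user-space model of that invariant, not code from the patch or from the kernel: the structs, lock_page()/unlock_page() spinlock, set_page_dirty_safe() and truncate_and_free() are invented stand-ins for the kernel's page lock, set_page_dirty() and truncate path, and the threaded main() is a constructed scenario in which a get_user_pages() style user keeps dirtying a page while another thread truncates and frees its mapping.

```c
/*
 * User-space model (not kernel code) of the set_page_dirty() vs truncate+free
 * race.  page->mapping->host is only safe to dereference while the page is
 * locked, because truncation locks the page before clearing page->mapping and
 * only frees the mapping afterwards.  All names here are stand-ins.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <stdlib.h>

struct inode { _Atomic long dirty_count; };           /* models the inode     */
struct address_space { struct inode *host; };         /* models page->mapping */
struct page {
    atomic_flag locked;                               /* models PG_locked     */
    struct address_space *mapping;                    /* NULL once truncated  */
};

/* Spinlock standing in for lock_page(); the kernel sleeps on PG_locked instead. */
static void lock_page(struct page *p)
{
    while (atomic_flag_test_and_set_explicit(&p->locked, memory_order_acquire))
        ;
}
static void unlock_page(struct page *p)
{
    atomic_flag_clear_explicit(&p->locked, memory_order_release);
}

/* Pre-patch-style body: dereferences page->mapping->host and relies on the
 * caller to keep the mapping alive.  Returns 1 if the inode was marked dirty,
 * 0 if the page has already been detached by truncation. */
static int set_page_dirty(struct page *p)
{
    struct address_space *mapping = p->mapping;
    if (!mapping)
        return 0;
    atomic_fetch_add(&mapping->host->dirty_count, 1);
    return 1;
}

/* Post-patch pattern for a page obtained via get_user_pages(): the caller has
 * a reference on the page but not on the inode, so it takes the page lock
 * around the dirtying to exclude a concurrent truncate. */
static int set_page_dirty_safe(struct page *p)
{
    int ret;
    lock_page(p);
    ret = set_page_dirty(p);
    unlock_page(p);
    return ret;
}

/* Models truncate_inode_pages() followed by the inode/mapping being freed:
 * detach under the page lock, then free.  The page itself is still pinned
 * by the get_user_pages() caller and is not freed here. */
static void truncate_and_free(struct page *p)
{
    struct address_space *mapping;
    lock_page(p);
    mapping = p->mapping;
    p->mapping = NULL;
    unlock_page(p);
    free(mapping->host);
    free(mapping);
}

static struct page *new_mapped_page(void)
{
    struct page *p = calloc(1, sizeof *p);
    struct address_space *m = calloc(1, sizeof *m);
    m->host = calloc(1, sizeof *m->host);
    atomic_flag_clear(&p->locked);
    p->mapping = m;
    return p;
}

struct race_args { struct page *p; int dirtied; };

/* A get_user_pages() user that keeps dirtying the page until truncation
 * detaches it; with the lock it never touches the freed mapping. */
static void *dirtier(void *arg)
{
    struct race_args *a = arg;
    while (set_page_dirty_safe(a->p))
        a->dirtied++;
    return NULL;
}

int main(void)
{
    struct page *p = new_mapped_page();
    struct race_args a = { p, 0 };
    pthread_t t;

    pthread_create(&t, NULL, dirtier, &a);
    truncate_and_free(p);          /* races with the dirtier thread */
    pthread_join(t, NULL);
    printf("dirtied %d time(s) before truncation, then saw mapping == NULL\n",
           a.dirtied);
    free(p);
    return 0;
}
```

Running the model under a sanitizer is the useful check: replace the lock_page()/unlock_page() calls in set_page_dirty_safe() with nothing and the dirtier thread can dereference a freed mapping, which is exactly the window the patch closes for get_user_pages() callers.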