diff options
| author | Jan Kara <jack@suse.cz> | 2017-05-25 11:46:22 -0400 |
|---|---|---|
| committer | Mister Oyster <oysterized@gmail.com> | 2017-12-31 02:51:24 +0100 |
| commit | e5983e9c4e1c61b347aeda7243266bee387a40e1 (patch) | |
| tree | bac38b73898ee8585cc06881421622dee6f1c6a7 /fs/ext4 | |
| parent | a1bac3c7c00397f50a3479c26fe1bd760bea7fc9 (diff) | |
ext4: Fix data corruption for mmap writes
mpage_submit_page() can race with another process growing i_size and
writing data via mmap to the written-back page. As mpage_submit_page()
samples i_size too early, it may happen that ext4_bio_write_page()
zeroes out too large tail of the page and thus corrupts user data.
Fix the problem by sampling i_size only after the page has been
write-protected in page tables by clear_page_dirty_for_io() call.
Reported-by: Michael Zimmer <michael@swarm64.com>
CC: stable@vger.kernel.org
Fixes: cb20d5188366f04d96d2e07b1240cc92170ade40
Signed-off-by: Jan Kara <jack@suse.cz>
[@nathanchance: fixed conflicts]
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Joe Maples <joe@frap129.org>
Diffstat (limited to 'fs/ext4')
| -rw-r--r-- | fs/ext4/inode.c | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 1580220e9..334ea011d 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -1938,15 +1938,29 @@ static int ext4_writepage(struct page *page, static int mpage_submit_page(struct mpage_da_data *mpd, struct page *page) { int len; - loff_t size = i_size_read(mpd->inode); + loff_t size; int err; BUG_ON(page->index != mpd->first_page); + clear_page_dirty_for_io(page); + /* + * We have to be very careful here! Nothing protects writeback path + * against i_size changes and the page can be writeably mapped into + * page tables. So an application can be growing i_size and writing + * data through mmap while writeback runs. clear_page_dirty_for_io() + * write-protects our page in page tables and the page cannot get + * written to again until we release page lock. So only after + * clear_page_dirty_for_io() we are safe to sample i_size for + * ext4_bio_write_page() to zero-out tail of the written page. We rely + * on the barrier provided by TestClearPageDirty in + * clear_page_dirty_for_io() to make sure i_size is really sampled only + * after page tables are updated. + */ + size = i_size_read(mpd->inode); if (page->index == size >> PAGE_CACHE_SHIFT) len = size & ~PAGE_CACHE_MASK; else len = PAGE_CACHE_SIZE; - clear_page_dirty_for_io(page); err = ext4_bio_write_page(&mpd->io_submit, page, len, mpd->wbc, false); if (!err) mpd->wbc->nr_to_write--; |