From: Nick Piggin <npiggin@suse.de>
To: Andrew Morton <akpm@osdl.org>
Cc: Linux Memory Management <linux-mm@kvack.org>,
Neil Brown <neilb@suse.de>, Anton Altaparmakov <aia21@cam.ac.uk>,
Chris Mason <chris.mason@oracle.com>,
Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: [patch 6/6] mm: fix pagecache write deadlocks
Date: Sat, 14 Oct 2006 06:30:41 +0200 [thread overview]
Message-ID: <20061014043041.GC14467@wotan.suse.de> (raw)
In-Reply-To: <20061014041927.GA14467@wotan.suse.de>
On Sat, Oct 14, 2006 at 06:19:27AM +0200, Nick Piggin wrote:
> On Fri, Oct 13, 2006 at 03:14:57PM -0700, Andrew Morton wrote:
> > On Fri, 13 Oct 2006 18:44:52 +0200 (CEST)
> > Nick Piggin <npiggin@suse.de> wrote:
> > >
> > > - This also showed up a number of buggy prepare_write / commit_write
> > > implementations that were setting the page uptodate in the prepare_write
> > > side: bad! this allows uninitialised data to be read. Fix these.
> >
> > Well. It's non-buggy under the current protocol because the page remains
> > locked throughout. This patch would make these ->prepare_write()
> > implementations buggy.
>
> But if it becomes uptodate, then do_generic_mapping_read can read it
> without locking it (and so can filemap_nopage at present, although it
> looks like that's going to take the page lock soon).
So the simple_prepare_write bug is an uninitialised data loeak. If
you read the part of the file which is about to be written to (and thus
does not get memset()ed), you can read junk.
I was able to trigger this with a simple test on ramfs.
--
To unsubscribe, send a message with 'unsubscribe linux-mm' in
the body to majordomo@kvack.org. For more info on Linux MM,
see: http://www.linux-mm.org/ .
Don't email: <a href=mailto:"dont@kvack.org"> email@kvack.org </a>
next prev parent reply other threads:[~2006-10-14 4:30 UTC|newest]
Thread overview: 23+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-10-13 16:43 [rfc] buffered write deadlock fix Nick Piggin
2006-10-13 16:44 ` [patch 1/6] mm: revert "generic_file_buffered_write(): handle zero length iovec segments" Nick Piggin, Andrew Morton
2006-10-13 16:44 ` [patch 2/6] mm: revert "generic_file_buffered_write(): deadlock on vectored write" Nick Piggin, Andrew Morton
2006-10-13 16:44 ` [patch 3/6] mm: generic_file_buffered_write cleanup Nick Piggin, Andrew Morton
2006-10-13 16:44 ` [patch 4/6] mm: comment mmap_sem / lock_page lockorder Nick Piggin
2006-10-13 16:44 ` [patch 5/6] mm: debug write deadlocks Nick Piggin
2006-10-13 16:44 ` [patch 6/6] mm: fix pagecache " Nick Piggin, Andrew Morton
2006-10-13 22:14 ` Andrew Morton
2006-10-14 4:19 ` Nick Piggin
2006-10-14 4:30 ` Nick Piggin [this message]
2006-10-15 11:35 ` Peter Zijlstra
2006-10-14 5:04 ` Nick Piggin
2006-10-15 11:37 ` Peter Zijlstra
2006-10-15 11:56 ` Nick Piggin
2006-10-15 13:51 ` Peter Zijlstra
2006-10-15 14:19 ` SPAM: " Nick Piggin
2006-10-15 15:47 ` Peter Zijlstra
2006-10-15 15:57 ` RRe: " Nick Piggin
2006-10-15 16:13 ` Peter Zijlstra
2006-10-16 15:24 ` pagefault_disable (was Re: [patch 6/6] mm: fix pagecache write deadlocks) Nick Piggin
2006-10-16 16:05 ` Peter Zijlstra
2006-10-16 16:12 ` Nick Piggin
2006-10-18 14:25 ` [patch 6/6] mm: fix pagecache write deadlocks Chris Mason
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20061014043041.GC14467@wotan.suse.de \
--to=npiggin@suse.de \
--cc=aia21@cam.ac.uk \
--cc=akpm@osdl.org \
--cc=chris.mason@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=neilb@suse.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox