Fixes for 5.5-rc1:
- Fix a UAF when reporting writeback errors
- Fix a race condition when handling page uptodate on a blocksize <
pagesize file that is also fragmented
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEEUzaAxoMeQq6m2jMV+H93GTRKtOsFAl3pJVwACgkQ+H93GTRK
tOue8RAAklPs+kV4l1JQudPkd/lXIPCqyRKBEjNDQRfj27v5s7h/3fMqMsV6/RIs
zTkrRc/N5Uu6SMnvMIHvTx1nAk6ZnTiN3gUHenoUQgQuxZ4jtGhIvHmyiOGgI27j
Xd2g+aE8wdhZDnD2b+4AsnJmtvffX0g3DNDZ4KJn1d/Ejs2qQIHgeaoyj56Fz8vh
4dqQxSg5RvL25k3qqHSVogsfxSRJxvYJefcARUL25a58UzE6DLJqeb3v41RVLc4l
lDOX/o4lavqo1lmptWjsTn4bqqyeRfNWp2M2EGE4a411aEaNTkFB7xzQ9Y1v04kK
VHq6XK3vieAv6VOuqZ3ySx6ihQcb9dQWXiMkJ9HDVDv4rmaLlrHECM19A5toZN/6
0Xy6xLDqbimckyWDZLBUnkfcoCsI+uWTdNIBxkjEYFdDuL33ovUlKu+Cn63vYzoQ
aCWnNA4NdKOBYps9aKCQV35IU1ODmOYWqkxkpSaVYKApi8Q6+2HUXOf+fXFBiV91
zO0/nWq8RU7fGQxk8YJtMO2E0lGMaMAt03vgp+pMkd0aIo0NWFLV0q3tko5VlWNv
v8BGkphgrOOqfsCFh8wua5x8bIXOBBElOSUjU0wBrAHb0ZXkQ3zi0nUt+sj7RFUX
a+ojaRrXvuyZZArOvQbrHEC0HWchVmvfiyXRAPbxbLi1BiLfPW8=
=+LzI
-----END PGP SIGNATURE-----
Merge tag 'iomap-5.5-merge-14' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Pull iomap fixes from Darrick Wong:
"Fix a race condition and a use-after-free error:
- Fix a UAF when reporting writeback errors
- Fix a race condition when handling page uptodate on fragmented file
with blocksize < pagesize"
* tag 'iomap-5.5-merge-14' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
iomap: stop using ioend after it's been freed in iomap_finish_ioend()
iomap: fix sub-page uptodate handling
This commit is contained in:
Linus Torvalds
commit
95207d554b
|
|
@ -28,6 +28,7 @@
|
|||
struct iomap_page {
|
||||
atomic_t read_count;
|
||||
atomic_t write_count;
|
||||
spinlock_t uptodate_lock;
|
||||
DECLARE_BITMAP(uptodate, PAGE_SIZE / 512);
|
||||
};
|
||||
|
||||
|
|
@ -51,6 +52,7 @@ iomap_page_create(struct inode *inode, struct page *page)
|
|||
iop = kmalloc(sizeof(*iop), GFP_NOFS | __GFP_NOFAIL);
|
||||
atomic_set(&iop->read_count, 0);
|
||||
atomic_set(&iop->write_count, 0);
|
||||
spin_lock_init(&iop->uptodate_lock);
|
||||
bitmap_zero(iop->uptodate, PAGE_SIZE / SECTOR_SIZE);
|
||||
|
||||
/*
|
||||
|
|
@ -139,25 +141,38 @@ iomap_adjust_read_range(struct inode *inode, struct iomap_page *iop,
|
|||
}
|
||||
|
||||
static void
|
||||
iomap_set_range_uptodate(struct page *page, unsigned off, unsigned len)
|
||||
iomap_iop_set_range_uptodate(struct page *page, unsigned off, unsigned len)
|
||||
{
|
||||
struct iomap_page *iop = to_iomap_page(page);
|
||||
struct inode *inode = page->mapping->host;
|
||||
unsigned first = off >> inode->i_blkbits;
|
||||
unsigned last = (off + len - 1) >> inode->i_blkbits;
|
||||
unsigned int i;
|
||||
bool uptodate = true;
|
||||
unsigned long flags;
|
||||
unsigned int i;
|
||||
|
||||
if (iop) {
|
||||
for (i = 0; i < PAGE_SIZE / i_blocksize(inode); i++) {
|
||||
if (i >= first && i <= last)
|
||||
set_bit(i, iop->uptodate);
|
||||
else if (!test_bit(i, iop->uptodate))
|
||||
uptodate = false;
|
||||
}
|
||||
spin_lock_irqsave(&iop->uptodate_lock, flags);
|
||||
for (i = 0; i < PAGE_SIZE / i_blocksize(inode); i++) {
|
||||
if (i >= first && i <= last)
|
||||
set_bit(i, iop->uptodate);
|
||||
else if (!test_bit(i, iop->uptodate))
|
||||
uptodate = false;
|
||||
}
|
||||
|
||||
if (uptodate && !PageError(page))
|
||||
if (uptodate)
|
||||
SetPageUptodate(page);
|
||||
spin_unlock_irqrestore(&iop->uptodate_lock, flags);
|
||||
}
|
||||
|
||||
static void
|
||||
iomap_set_range_uptodate(struct page *page, unsigned off, unsigned len)
|
||||
{
|
||||
if (PageError(page))
|
||||
return;
|
||||
|
||||
if (page_has_private(page))
|
||||
iomap_iop_set_range_uptodate(page, off, len);
|
||||
else
|
||||
SetPageUptodate(page);
|
||||
}
|
||||
|
||||
|
|
@ -1128,6 +1143,7 @@ iomap_finish_ioend(struct iomap_ioend *ioend, int error)
|
|||
struct bio *bio = &ioend->io_inline_bio;
|
||||
struct bio *last = ioend->io_bio, *next;
|
||||
u64 start = bio->bi_iter.bi_sector;
|
||||
loff_t offset = ioend->io_offset;
|
||||
bool quiet = bio_flagged(bio, BIO_QUIET);
|
||||
|
||||
for (bio = &ioend->io_inline_bio; bio; bio = next) {
|
||||
|
|
@ -1148,12 +1164,12 @@ iomap_finish_ioend(struct iomap_ioend *ioend, int error)
|
|||
iomap_finish_page_writeback(inode, bv->bv_page, error);
|
||||
bio_put(bio);
|
||||
}
|
||||
/* The ioend has been freed by bio_put() */
|
||||
|
||||
if (unlikely(error && !quiet)) {
|
||||
printk_ratelimited(KERN_ERR
|
||||
"%s: writeback error on inode %lu, offset %lld, sector %llu",
|
||||
inode->i_sb->s_id, inode->i_ino, ioend->io_offset,
|
||||
start);
|
||||
inode->i_sb->s_id, inode->i_ino, offset, start);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue