stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Luis Henriques <luis.henriques@canonical.com>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org,
	kernel-team@lists.ubuntu.com
Cc: Maxim Patlasov <mpatlasov@parallels.com>,
	Miklos Szeredi <mszeredi@suse.cz>,
	Luis Henriques <luis.henriques@canonical.com>
Subject: [PATCH 075/104] fuse: postpone end_page_writeback() in fuse_writepage_locked()
Date: Mon, 30 Sep 2013 11:10:52 +0100	[thread overview]
Message-ID: <1380535881-9239-76-git-send-email-luis.henriques@canonical.com> (raw)
In-Reply-To: <1380535881-9239-1-git-send-email-luis.henriques@canonical.com>

3.5.7.22 -stable review patch.  If anyone has any objections, please let me know.

------------------

From: Maxim Patlasov <MPatlasov@parallels.com>

commit 4a4ac4eba1010ef9a804569058ab29e3450c0315 upstream.

The patch fixes a race between ftruncate(2), mmap-ed write and write(2):

1) An user makes a page dirty via mmap-ed write.
2) The user performs shrinking truncate(2) intended to purge the page.
3) Before fuse_do_setattr calls truncate_pagecache, the page goes to
   writeback. fuse_writepage_locked fills FUSE_WRITE request and releases
   the original page by end_page_writeback.
4) fuse_do_setattr() completes and successfully returns. Since now, i_mutex
   is free.
5) Ordinary write(2) extends i_size back to cover the page. Note that
   fuse_send_write_pages do wait for fuse writeback, but for another
   page->index.
6) fuse_writepage_locked proceeds by queueing FUSE_WRITE request.
   fuse_send_writepage is supposed to crop inarg->size of the request,
   but it doesn't because i_size has already been extended back.

Moving end_page_writeback to the end of fuse_writepage_locked fixes the
race because now the fact that truncate_pagecache is successfully returned
infers that fuse_writepage_locked has already called end_page_writeback.
And this, in turn, infers that fuse_flush_writepages has already called
fuse_send_writepage, and the latter used valid (shrunk) i_size. write(2)
could not extend it because of i_mutex held by ftruncate(2).

Signed-off-by: Maxim Patlasov <mpatlasov@parallels.com>
Signed-off-by: Miklos Szeredi <mszeredi@suse.cz>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
---
 fs/fuse/file.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 514f12a..e7785e4 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -1296,7 +1296,6 @@ static int fuse_writepage_locked(struct page *page)
 
 	inc_bdi_stat(mapping->backing_dev_info, BDI_WRITEBACK);
 	inc_zone_page_state(tmp_page, NR_WRITEBACK_TEMP);
-	end_page_writeback(page);
 
 	spin_lock(&fc->lock);
 	list_add(&req->writepages_entry, &fi->writepages);
@@ -1304,6 +1303,8 @@ static int fuse_writepage_locked(struct page *page)
 	fuse_flush_writepages(inode);
 	spin_unlock(&fc->lock);
 
+	end_page_writeback(page);
+
 	return 0;
 
 err_free:
-- 
1.8.3.2


  parent reply	other threads:[~2013-09-30 10:10 UTC|newest]

Thread overview: 113+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-30 10:09 [ 3.5.y.z extended stable ] Linux 3.5.7.22 stable review Luis Henriques
2013-09-30 10:09 ` [PATCH 001/104] iwl4965: fix rfkill set state regression Luis Henriques
2013-09-30 10:09 ` [PATCH 002/104] ath9k_htc: Restore skb headroom when returning skb to mac80211 Luis Henriques
2013-09-30 10:09 ` [PATCH 003/104] ALSA: opti9xx: Fix conflicting driver object name Luis Henriques
2013-09-30 10:09 ` [PATCH 004/104] SUNRPC: Fix memory corruption issue on 32-bit highmem systems Luis Henriques
2013-09-30 10:09 ` [PATCH 005/104] drm/i915: ivb: fix edp voltage swing reg val Luis Henriques
2013-09-30 10:09 ` [PATCH 006/104] drm/vmwgfx: Split GMR2_REMAP commands if they are to large Luis Henriques
2013-09-30 10:09 ` [PATCH 007/104] ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info() Luis Henriques
2013-09-30 10:09 ` [PATCH 008/104] Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d] Luis Henriques
2013-09-30 10:09 ` [PATCH 009/104] [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a signal Luis Henriques
2013-09-30 10:09 ` [PATCH 010/104] xen-gnt: prevent adding duplicate gnt callbacks Luis Henriques
2013-09-30 10:09 ` [PATCH 011/104] usb: config->desc.bLength may not exceed amount of data returned by the device Luis Henriques
2013-09-30 10:09 ` [PATCH 012/104] USB: cdc-wdm: fix race between interrupt handler and tasklet Luis Henriques
2013-09-30 10:09 ` [PATCH 013/104] USB: handle LPM errors during device suspend correctly Luis Henriques
2013-09-30 10:09 ` [PATCH 014/104] xhci-plat: Don't enable legacy PCI interrupts Luis Henriques
2013-09-30 10:09 ` [PATCH 015/104] ASoC: wm8960: Fix PLL register writes Luis Henriques
2013-09-30 10:09 ` [PATCH 016/104] rculist: list_first_or_null_rcu() should use list_entry_rcu() Luis Henriques
2013-09-30 10:09 ` [PATCH 017/104] USB: mos7720: use GFP_ATOMIC under spinlock Luis Henriques
2013-09-30 10:09 ` [PATCH 018/104] USB: mos7720: fix big-endian control requests Luis Henriques
2013-09-30 10:09 ` [PATCH 019/104] staging: comedi: dt282x: dt282x_ai_insn_read() always fails Luis Henriques
2013-09-30 10:09 ` [PATCH 020/104] usb: ehci-mxc: check for pdata before dereferencing Luis Henriques
2013-09-30 10:09 ` [PATCH 021/104] usb: xhci: Disable runtime PM suspend for quirky controllers Luis Henriques
2013-09-30 10:09 ` [PATCH 022/104] USB: OHCI: Allow runtime PM without system sleep Luis Henriques
2013-09-30 10:10 ` [PATCH 023/104] ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan Luis Henriques
2013-09-30 10:10 ` [PATCH 024/104] ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT Luis Henriques
2013-09-30 10:10 ` [PATCH 025/104] USB: fix build error when CONFIG_PM_SLEEP isn't enabled Luis Henriques
2013-09-30 10:10 ` [PATCH 026/104] ALSA: hda - hdmi: Refactor hdmi_eld into parsed_hdmi_eld Luis Henriques
2013-09-30 10:29   ` David Henningsson
2013-09-30 11:10     ` Luis Henriques
2013-09-30 11:37       ` David Henningsson
2013-09-30 10:10 ` [PATCH 027/104] ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA Luis Henriques
2013-09-30 10:10 ` [PATCH 028/104] regmap: silence GCC warning Luis Henriques
2013-09-30 10:10 ` [PATCH 029/104] target: Fix trailing ASCII space usage in INQUIRY vendor+model Luis Henriques
2013-09-30 10:10 ` [PATCH 030/104] iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth Luis Henriques
2013-09-30 10:10 ` [PATCH 031/104] Bluetooth: Add support for Mediatek Bluetooth device [0e8d:763f] Luis Henriques
2013-09-30 10:10 ` [PATCH 032/104] Bluetooth: ath3k: Add support for Fujitsu Lifebook UH5x2 [04c5:1330] Luis Henriques
2013-09-30 10:10 ` [PATCH 033/104] Bluetooth: ath3k: Add support for ID 0x13d3/0x3402 Luis Henriques
2013-09-30 10:10 ` [PATCH 034/104] Bluetooth: Add support for Atheros [0cf3:e003] Luis Henriques
2013-09-30 10:10 ` [PATCH 035/104] cifs: don't instantiate new dentries in readdir for inodes that need to be revalidated immediately Luis Henriques
2013-09-30 10:10 ` [PATCH 036/104] xen/events: mask events when changing their VCPU binding Luis Henriques
2013-09-30 10:10 ` [PATCH 037/104] tipc: fix lockdep warning during bearer initialization Luis Henriques
2013-09-30 10:10 ` [PATCH 038/104] htb: fix sign extension bug Luis Henriques
2013-09-30 10:10 ` [PATCH 039/104] net: check net.core.somaxconn sysctl values Luis Henriques
2013-09-30 10:10 ` [PATCH 040/104] neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup Luis Henriques
2013-09-30 10:10 ` [PATCH 041/104] bonding: modify only neigh_parms owned by us Luis Henriques
2013-09-30 10:10 ` [PATCH 042/104] fib_trie: remove potential out of bound access Luis Henriques
2013-09-30 10:10 ` [PATCH 043/104] tcp: cubic: fix overflow error in bictcp_update() Luis Henriques
2013-09-30 10:10 ` [PATCH 044/104] tcp: cubic: fix bug in bictcp_acked() Luis Henriques
2013-09-30 10:10 ` [PATCH 045/104] macvtap: do not zerocopy if iov needs more pages than MAX_SKB_FRAGS Luis Henriques
2013-09-30 10:10 ` [PATCH 046/104] ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not match Luis Henriques
2013-09-30 10:10 ` [PATCH 047/104] 8139cp: Fix skb leak in rx_status_loop failure path Luis Henriques
2013-09-30 10:10 ` [PATCH 048/104] tun: signedness bug in tun_get_user() Luis Henriques
2013-09-30 10:10 ` [PATCH 049/104] ipv6: remove max_addresses check from ipv6_create_tempaddr Luis Henriques
2013-09-30 10:10 ` [PATCH 050/104] ipv6: drop packets with multiple fragmentation headers Luis Henriques
2013-09-30 10:10 ` [PATCH 051/104] net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for max_delay Luis Henriques
2013-09-30 10:10 ` [PATCH 052/104] ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO Luis Henriques
2013-09-30 10:10 ` [PATCH 053/104] ipv6: Don't depend on per socket memory for neighbour discovery messages Luis Henriques
2013-09-30 10:10 ` [PATCH 054/104] net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv Luis Henriques
2013-09-30 10:10 ` [PATCH 055/104] ath9k: always clear ps filter bit on new assoc Luis Henriques
2013-09-30 10:10 ` [PATCH 056/104] libceph: unregister request in __map_request failed and nofail == false Luis Henriques
2013-09-30 10:10 ` [PATCH 057/104] powerpc: Handle unaligned ldbrx/stdbrx Luis Henriques
2013-09-30 10:10 ` [PATCH 058/104] ath9k: fix rx descriptor related race condition Luis Henriques
2013-09-30 10:10 ` [PATCH 059/104] ath9k: avoid accessing MRC registers on single-chain devices Luis Henriques
2013-09-30 10:10 ` [PATCH 060/104] brcmsmac: Fix WARNING caused by lack of calls to dma_mapping_error() Luis Henriques
2013-09-30 10:10 ` [PATCH 061/104] mmc: tmio_mmc_dma: fix PIO fallback on SDHI Luis Henriques
2013-09-30 10:10 ` [PATCH 062/104] HID: validate HID report id size Luis Henriques
2013-09-30 10:10 ` [PATCH 063/104] of: Fix missing memory initialization on FDT unflattening Luis Henriques
2013-09-30 10:10 ` [PATCH 064/104] drm/edid: add quirk for Medion MD30217PG Luis Henriques
2013-09-30 10:10 ` [PATCH 065/104] drm/radeon: fix endian bugs in hw i2c atom routines Luis Henriques
2013-09-30 10:10 ` [PATCH 066/104] drm/radeon: update line buffer allocation for dce4.1/5 Luis Henriques
2013-09-30 10:10 ` [PATCH 067/104] drm/radeon: update line buffer allocation for dce6 Luis Henriques
2013-09-30 10:10 ` [PATCH 068/104] drm/radeon: fix LCD record parsing Luis Henriques
2013-09-30 10:10 ` [PATCH 069/104] drm/radeon: fix resume on some rs4xx boards (v2) Luis Henriques
2013-09-30 10:10 ` [PATCH 070/104] drm/radeon: fix handling of variable sized arrays for router objects Luis Henriques
2013-09-30 10:10 ` [PATCH 071/104] radeon kms: fix uninitialised hotplug work usage in r100_irq_process() Luis Henriques
2013-09-30 10:10 ` [PATCH 072/104] drm/radeon: fix init ordering for r600+ Luis Henriques
2013-09-30 10:10 ` [PATCH 073/104] HID: input: return ENODATA if reading battery attrs fails Luis Henriques
2013-09-30 10:10 ` [PATCH 074/104] HID: battery: don't do DMA from stack Luis Henriques
2013-09-30 10:10 ` Luis Henriques [this message]
2013-09-30 10:10 ` [PATCH 076/104] fuse: invalidate inode attributes on xattr modification Luis Henriques
2013-09-30 10:10 ` [PATCH 077/104] s5p-g2d: Fix registration failure Luis Henriques
2013-09-30 10:10 ` [PATCH 078/104] DocBook: upgrade media_api DocBook version to 4.2 Luis Henriques
2013-09-30 10:10 ` [PATCH 079/104] v4l2: added missing mutex.h include to v4l2-ctrls.h Luis Henriques
2013-09-30 10:10 ` [PATCH 080/104] hdpvr: fix iteration over uninitialized lists in hdpvr_probe() Luis Henriques
2013-09-30 10:10 ` [PATCH 081/104] exynos4-is: Fix fimc-lite bayer formats Luis Henriques
2013-09-30 10:10 ` [PATCH 082/104] exynos4-is: Fix entity unregistration on error path Luis Henriques
2013-09-30 10:11 ` [PATCH 083/104] libceph: use pg_num_mask instead of pgp_num_mask for pg.seed calc Luis Henriques
2013-09-30 10:11 ` [PATCH 084/104] HID: pantherlord: validate output report details Luis Henriques
2013-09-30 10:11 ` [PATCH 085/104] HID: ntrig: validate feature " Luis Henriques
2013-09-30 10:11 ` [PATCH 086/104] HID: picolcd_core: validate output " Luis Henriques
2013-09-30 10:11 ` [PATCH 087/104] HID: check for NULL field when setting values Luis Henriques
2013-09-30 10:11 ` [PATCH 088/104] drm/i915: try not to lose backlight CBLV precision Luis Henriques
2013-09-30 10:11 ` [PATCH 089/104] powerpc: Default arch idle could cede processor on pseries Luis Henriques
2013-09-30 10:11 ` [PATCH 090/104] ocfs2: fix the end cluster offset of FIEMAP Luis Henriques
2013-09-30 10:11 ` [PATCH 091/104] mm/huge_memory.c: fix potential NULL pointer dereference Luis Henriques
2013-09-30 10:11 ` [PATCH 092/104] mm: fix aio performance regression for database caused by THP Luis Henriques
2013-09-30 13:14   ` Jack Wang
2013-09-30 13:26     ` Greg Kroah-Hartman
2013-09-30 13:31       ` Khalid Aziz
2013-09-30 15:00         ` Greg Kroah-Hartman
2013-10-03  2:33           ` Greg Kroah-Hartman
2013-09-30 10:11 ` [PATCH 093/104] memcg: fix multiple large threshold notifications Luis Henriques
2013-09-30 10:11 ` [PATCH 094/104] intel-iommu: Fix leaks in pagetable freeing Luis Henriques
2013-09-30 10:11 ` [PATCH 095/104] MIPS: ath79: Fix ar933x watchdog clock Luis Henriques
2013-09-30 10:11 ` [PATCH 096/104] ARM: PCI: versatile: Fix map_irq function to match hardware Luis Henriques
2013-09-30 10:11 ` [PATCH 097/104] ARM: PCI: versatile: Fix SMAP register offsets Luis Henriques
2013-09-30 10:11 ` [PATCH 098/104] crypto: api - Fix race condition in larval lookup Luis Henriques
2013-09-30 10:11 ` [PATCH 099/104] cifs: ensure that srv_mutex is held when dealing with ssocket pointer Luis Henriques
2013-09-30 10:11 ` [PATCH 100/104] ALSA: hda - Add Toshiba Satellite C870 to MSI blacklist Luis Henriques
2013-09-30 10:11 ` [PATCH 101/104] ASoC: mc13783: add spi errata fix Luis Henriques
2013-09-30 10:11 ` [PATCH 102/104] [SCSI] sd: Fix potential out-of-bounds access Luis Henriques
2013-09-30 10:11 ` [PATCH 103/104] Revert "zram: use zram->lock to protect zram_free_page() in swap free notify path" Luis Henriques
2013-09-30 10:11 ` [PATCH 104/104] kernel-doc: bugfix - multi-line macros Luis Henriques

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1380535881-9239-76-git-send-email-luis.henriques@canonical.com \
    --to=luis.henriques@canonical.com \
    --cc=kernel-team@lists.ubuntu.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mpatlasov@parallels.com \
    --cc=mszeredi@suse.cz \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).