On Fri 30-08-19 17:24:49, Jan Kara wrote:
On Thu 29-08-19 08:52:04, Darrick J. Wong wrote:
On Thu, Aug 29, 2019 at 03:10:34PM +0200, Jan Kara wrote:
Hole puching currently evicts pages from page cache and then goes on to remove blocks from the inode. This happens under both XFS_IOLOCK_EXCL and XFS_MMAPLOCK_EXCL which provides appropriate serialization with racing reads or page faults. However there is currently nothing that prevents readahead triggered by fadvise() or madvise() from racing with the hole punch and instantiating page cache page after hole punching has evicted page cache in xfs_flush_unmap_range() but before it has removed blocks from the inode. This page cache page will be mapping soon to be freed block and that can lead to returning stale data to userspace or even filesystem corruption.
Fix the problem by protecting handling of readahead requests by XFS_IOLOCK_SHARED similarly as we protect reads.
CC: stable@vger.kernel.org Link: https://lore.kernel.org/linux-fsdevel/CAOQ4uxjQNmxqmtA_VbYW0Su9rKRk2zobJmahc... Reported-by: Amir Goldstein amir73il@gmail.com Signed-off-by: Jan Kara jack@suse.cz
Is there a test on xfstests to demonstrate this race?
No, but I can try to create one.
I was experimenting with this but I could not reproduce the issue in my test VM without inserting artificial delay at appropriate place... So I don't think there's much point in the fstest for this.
Honza