FAILED: patch "[PATCH] ext4: close race between direct IO and ext4_break_layouts()" failed to apply to 4.14-stable tree
The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From b1f382178d150f256c1cf95b9341fda6eb764459 Mon Sep 17 00:00:00 2001
From: Ross Zwisler zwisler@kernel.org Date: Tue, 11 Sep 2018 13:31:16 -0400 Subject: [PATCH] ext4: close race between direct IO and ext4_break_layouts()
If the refcount of a page is lowered between the time that it is returned by dax_busy_page() and when the refcount is again checked in ext4_break_layouts() => ___wait_var_event(), the waiting function ext4_wait_dax_page() will never be called. This means that ext4_break_layouts() will still have 'retry' set to false, so we'll stop looping and never check the refcount of other pages in this inode.
Instead, always continue looping as long as dax_layout_busy_page() gives us a page which it found with an elevated refcount.
Signed-off-by: Ross Zwisler ross.zwisler@linux.intel.com Reviewed-by: Jan Kara jack@suse.cz Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 694f31364206..723058bfe43b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4195,9 +4195,8 @@ int ext4_update_disksize_before_punch(struct inode *inode, loff_t offset, return 0; }
-static void ext4_wait_dax_page(struct ext4_inode_info *ei, bool *did_unlock) +static void ext4_wait_dax_page(struct ext4_inode_info *ei) { - *did_unlock = true; up_write(&ei->i_mmap_sem); schedule(); down_write(&ei->i_mmap_sem); @@ -4207,14 +4206,12 @@ int ext4_break_layouts(struct inode *inode) { struct ext4_inode_info *ei = EXT4_I(inode); struct page *page; - bool retry; int error;
if (WARN_ON_ONCE(!rwsem_is_locked(&ei->i_mmap_sem))) return -EINVAL;
do { - retry = false; page = dax_layout_busy_page(inode->i_mapping); if (!page) return 0; @@ -4222,8 +4219,8 @@ int ext4_break_layouts(struct inode *inode) error = ___wait_var_event(&page->_refcount, atomic_read(&page->_refcount) == 1, TASK_INTERRUPTIBLE, 0, 0, - ext4_wait_dax_page(ei, &retry)); - } while (error == 0 && retry); + ext4_wait_dax_page(ei)); + } while (error == 0);
return error; }
On Wed, Sep 26, 2018 at 6:12 AM gregkh@linuxfoundation.org wrote:
The patch below does not apply to the 4.14-stable tree. If someone wants it applied there, or to any other stable or longterm tree, then please email the backport, including the original git commit id to stable@vger.kernel.org.
This patch is a fix for commit 430657b6be89 ("ext4: handle layout changes to pinned DAX mappings") which went in during the v4.19 merge window. It should not have been marked as stable as there is nothing to backport to earlier kernels.
Sorry for the noise.
thanks,
greg k-h
------------------ original commit in Linus's tree ------------------
From b1f382178d150f256c1cf95b9341fda6eb764459 Mon Sep 17 00:00:00 2001 From: Ross Zwisler zwisler@kernel.org Date: Tue, 11 Sep 2018 13:31:16 -0400 Subject: [PATCH] ext4: close race between direct IO and ext4_break_layouts()
If the refcount of a page is lowered between the time that it is returned by dax_busy_page() and when the refcount is again checked in ext4_break_layouts() => ___wait_var_event(), the waiting function ext4_wait_dax_page() will never be called. This means that ext4_break_layouts() will still have 'retry' set to false, so we'll stop looping and never check the refcount of other pages in this inode.
Instead, always continue looping as long as dax_layout_busy_page() gives us a page which it found with an elevated refcount.
Signed-off-by: Ross Zwisler ross.zwisler@linux.intel.com Reviewed-by: Jan Kara jack@suse.cz Signed-off-by: Jan Kara jack@suse.cz Signed-off-by: Theodore Ts'o tytso@mit.edu Cc: stable@vger.kernel.org
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c index 694f31364206..723058bfe43b 100644 --- a/fs/ext4/inode.c +++ b/fs/ext4/inode.c @@ -4195,9 +4195,8 @@ int ext4_update_disksize_before_punch(struct inode *inode, loff_t offset, return 0; }
-static void ext4_wait_dax_page(struct ext4_inode_info *ei, bool *did_unlock) +static void ext4_wait_dax_page(struct ext4_inode_info *ei) {
*did_unlock = true; up_write(&ei->i_mmap_sem); schedule(); down_write(&ei->i_mmap_sem);@@ -4207,14 +4206,12 @@ int ext4_break_layouts(struct inode *inode) { struct ext4_inode_info *ei = EXT4_I(inode); struct page *page;
bool retry; int error; if (WARN_ON_ONCE(!rwsem_is_locked(&ei->i_mmap_sem))) return -EINVAL; do {retry = false; page = dax_layout_busy_page(inode->i_mapping); if (!page) return 0;@@ -4222,8 +4219,8 @@ int ext4_break_layouts(struct inode *inode) error = ___wait_var_event(&page->_refcount, atomic_read(&page->_refcount) == 1, TASK_INTERRUPTIBLE, 0, 0,
ext4_wait_dax_page(ei, &retry));} while (error == 0 && retry);
ext4_wait_dax_page(ei));} while (error == 0); return error;}
linux-stable-mirror@lists.linaro.org
-
gregkh@linuxfoundation.org -
Ross Zwisler