summaryrefslogtreecommitdiffstats
path: root/mm
diff options
context:
space:
mode:
authorAndrew Morton <akpm@osdl.org>2006-09-08 09:48:38 -0700
committerLinus Torvalds <torvalds@g5.osdl.org>2006-09-08 10:22:50 -0700
commit016eb4a0ed06a3677d67a584da901f0e9a63c666 (patch)
tree574ead6bd03d31ca7036ff2389cb0400f3fd63fc /mm
parent3665d0e58fa44f50c744f85c7e8ad21d5b10e206 (diff)
downloadlinux-016eb4a0ed06a3677d67a584da901f0e9a63c666.tar.gz
linux-016eb4a0ed06a3677d67a584da901f0e9a63c666.tar.bz2
linux-016eb4a0ed06a3677d67a584da901f0e9a63c666.zip
[PATCH] invalidate_complete_page() race fix
If a CPU faults this page into pagetables after invalidate_mapping_pages() checked page_mapped(), invalidate_complete_page() will still proceed to remove the page from pagecache. This leaves the page-faulting process with a detached page. If it was MAP_SHARED then file data loss will ensue. Fix that up by checking the page's refcount after taking tree_lock. Cc: Nick Piggin <nickpiggin@yahoo.com.au> Cc: Hugh Dickins <hugh@veritas.com> Cc: <stable@kernel.org> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'mm')
-rw-r--r--mm/truncate.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/mm/truncate.c b/mm/truncate.c
index cf1b015df4a7..c6ab55ec6883 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -68,10 +68,10 @@ invalidate_complete_page(struct address_space *mapping, struct page *page)
return 0;
write_lock_irq(&mapping->tree_lock);
- if (PageDirty(page)) {
- write_unlock_irq(&mapping->tree_lock);
- return 0;
- }
+ if (PageDirty(page))
+ goto failed;
+ if (page_count(page) != 2) /* caller's ref + pagecache ref */
+ goto failed;
BUG_ON(PagePrivate(page));
__remove_from_page_cache(page);
@@ -79,6 +79,9 @@ invalidate_complete_page(struct address_space *mapping, struct page *page)
ClearPageUptodate(page);
page_cache_release(page); /* pagecache ref */
return 1;
+failed:
+ write_unlock_irq(&mapping->tree_lock);
+ return 0;
}
/**