nommu: fix shared mmap after truncate shrinkage problems

Fix a problem in NOMMU mmap with ramfs whereby a shared mmap can happen over the end of a truncation. The problem is that ramfs_nommu_check_mappings() checks that the reduced file size against the VMA tree, but not the vm_region tree. The following sequence of events can cause the problem: fd = open("/tmp/x", O_RDWR|O_TRUNC|O_CREAT, 0600); ftruncate(fd, 32 * 1024); a = mmap(NULL, 32 * 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); b = mmap(NULL, 16 * 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); munmap(a, 32 * 1024); ftruncate(fd, 16 * 1024); c = mmap(NULL, 32 * 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); Mapping 'a' creates a vm_region covering 32KB of the file. Mapping 'b' sees that the vm_region from 'a' is covering the region it wants and so shares it, pinning it in memory. Mapping 'a' then goes away and the file is truncated to the end of VMA 'b'. However, the region allocated by 'a' is still in effect, and has _not_ been reduced. Mapping 'c' is then created, and because there's a vm_region covering the desired region, get_unmapped_area() is _not_ called to repeat the check, and the mapping is granted, even though the pages from the latter half of the mapping have been discarded. However: d = mmap(NULL, 16 * 1024, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0); Mapping 'd' should work, and should end up sharing the region allocated by 'a'. To deal with this, we shrink the vm_region struct during the truncation, lest do_mmap_pgoff() take it as licence to share the full region automatically without calling the get_unmapped_area() file op again. Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Greg Ungerer <gerg@snapgear.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: David Howells <dhowells@redhat.com> 2010-01-15 20:01:39 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2010-01-16 15:15:40 -0500
commit: 7e6608724c640924aad1d556d17df33ebaa6124d (patch)
tree: b2d90646f5ee52f5b7807bbc0abe09db9adbe478
parent: 81759b5b221107488bda99fe7beeb7b734f61133 (diff)
3 files changed, 64 insertions, 30 deletions
diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c
index 266531343aae..1739a4aba25f 100644
--- a/fs/ramfs/file-nommu.c
+++ b/fs/ramfs/file-nommu.c
@@ -123,35 +123,6 @@ add_error:
 /*****************************************************************************/
 /*
- * check that file shrinkage doesn't leave any VMAs dangling in midair
- */
-static int ramfs_nommu_check_mappings(struct inode *inode,
-                                      size_t newsize, size_t size)
-{
-        struct vm_area_struct *vma;
-        struct prio_tree_iter iter;
-        down_write(&nommu_region_sem);
-        /* search for VMAs that fall within the dead zone */
-        vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
-                              newsize >> PAGE_SHIFT,
-                              (size + PAGE_SIZE - 1) >> PAGE_SHIFT
-                              ) {
-                /* found one - only interested if it's shared out of the page
-                 * cache */
-                if (vma->vm_flags & VM_SHARED) {
-                        up_write(&nommu_region_sem);
-                        return -ETXTBSY; /* not quite true, but near enough */
-                }
-        }
-        up_write(&nommu_region_sem);
-        return 0;
-}
-/*****************************************************************************/
-/*
 *
 */
 static int ramfs_nommu_resize(struct inode *inode, loff_t newsize, loff_t size)
@@ -169,7 +140,7 @@ static int ramfs_nommu_resize(struct inode *inode, loff_t newsize, loff_t size)
        /* check that a decrease in size doesn't cut off any shared mappings */
        if (newsize < size) {
-                ret = ramfs_nommu_check_mappings(inode, newsize, size);
+                ret = nommu_shrink_inode_mappings(inode, size, newsize);
                if (ret < 0)
                        return ret;
        }
diff --git a/include/linux/mm.h b/include/linux/mm.h
index 2265f28eb47a..60c467bfbabd 100644
--- a/include/linux/mm.h
+++ b/include/linux/mm.h
@@ -1089,6 +1089,7 @@ extern void zone_pcp_update(struct zone *zone);
 /* nommu.c */
 extern atomic_long_t mmap_pages_allocated;
+extern int nommu_shrink_inode_mappings(struct inode *, size_t, size_t);
 /* prio_tree.c */
 void vma_prio_tree_add(struct vm_area_struct *, struct vm_area_struct *old);
diff --git a/mm/nommu.c b/mm/nommu.c
index 32be0cf51ba6..48a2ecfaf059 100644
--- a/mm/nommu.c
+++ b/mm/nommu.c
@@ -1914,3 +1914,65 @@ int access_process_vm(struct task_struct *tsk, unsigned long addr, void *buf, in
        mmput(mm);
        return len;
 }
+/**
+ * nommu_shrink_inode_mappings - Shrink the shared mappings on an inode
+ * @inode: The inode to check
+ * @size: The current filesize of the inode
+ * @newsize: The proposed filesize of the inode
+ *
+ * Check the shared mappings on an inode on behalf of a shrinking truncate to
+ * make sure that that any outstanding VMAs aren't broken and then shrink the
+ * vm_regions that extend that beyond so that do_mmap_pgoff() doesn't
+ * automatically grant mappings that are too large.
+ */
+int nommu_shrink_inode_mappings(struct inode *inode, size_t size,
+                                size_t newsize)
+{
+        struct vm_area_struct *vma;
+        struct prio_tree_iter iter;
+        struct vm_region *region;
+        pgoff_t low, high;
+        size_t r_size, r_top;
+        low = newsize >> PAGE_SHIFT;
+        high = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
+        down_write(&nommu_region_sem);
+        /* search for VMAs that fall within the dead zone */
+        vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
+                              low, high) {
+                /* found one - only interested if it's shared out of the page
+                 * cache */
+                if (vma->vm_flags & VM_SHARED) {
+                        up_write(&nommu_region_sem);
+                        return -ETXTBSY; /* not quite true, but near enough */
+                }
+        }
+        /* reduce any regions that overlap the dead zone - if in existence,
+         * these will be pointed to by VMAs that don't overlap the dead zone
+         *
+         * we don't check for any regions that start beyond the EOF as there
+         * shouldn't be any
+         */
+        vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
+                              0, ULONG_MAX) {
+                if (!(vma->vm_flags & VM_SHARED))
+                        continue;
+                region = vma->vm_region;
+                r_size = region->vm_top - region->vm_start;
+                r_top = (region->vm_pgoff << PAGE_SHIFT) + r_size;
+                if (r_top > newsize) {
+                        region->vm_top -= r_top - newsize;
+                        if (region->vm_end > region->vm_top)
+                                region->vm_end = region->vm_top;
+                }
+        }
+        up_write(&nommu_region_sem);
+        return 0;
+}
author	David Howells <dhowells@redhat.com>	2010-01-15 20:01:39 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2010-01-16 15:15:40 -0500
commit	7e6608724c640924aad1d556d17df33ebaa6124d (patch)
tree	b2d90646f5ee52f5b7807bbc0abe09db9adbe478
parent	81759b5b221107488bda99fe7beeb7b734f61133 (diff)

diff --git a/fs/ramfs/file-nommu.c b/fs/ramfs/file-nommu.c index 266531343aae..1739a4aba25f 100644 --- a/fs/ramfs/file-nommu.c +++ b/fs/ramfs/file-nommu.c
@@ -123,35 +123,6 @@ add_error:
123		123
124	/*****************************************************************************/	124	/*****************************************************************************/
125	/*	125	/*
126	* check that file shrinkage doesn't leave any VMAs dangling in midair
127	*/
128	static int ramfs_nommu_check_mappings(struct inode *inode,
129	size_t newsize, size_t size)
130	{
131	struct vm_area_struct *vma;
132	struct prio_tree_iter iter;
133
134	down_write(&nommu_region_sem);
135
136	/* search for VMAs that fall within the dead zone */
137	vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
138	newsize >> PAGE_SHIFT,
139	(size + PAGE_SIZE - 1) >> PAGE_SHIFT
140	) {
141	/* found one - only interested if it's shared out of the page
142	* cache */
143	if (vma->vm_flags & VM_SHARED) {
144	up_write(&nommu_region_sem);
145	return -ETXTBSY; /* not quite true, but near enough */
146	}
147	}
148
149	up_write(&nommu_region_sem);
150	return 0;
151	}
152
153	/*****************************************************************************/
154	/*
155	*	126	*
156	*/	127	*/
157	static int ramfs_nommu_resize(struct inode *inode, loff_t newsize, loff_t size)	128	static int ramfs_nommu_resize(struct inode *inode, loff_t newsize, loff_t size)
@@ -169,7 +140,7 @@ static int ramfs_nommu_resize(struct inode *inode, loff_t newsize, loff_t size)
169		140
170	/* check that a decrease in size doesn't cut off any shared mappings */	141	/* check that a decrease in size doesn't cut off any shared mappings */
171	if (newsize < size) {	142	if (newsize < size) {
172	ret = ramfs_nommu_check_mappings(inode, newsize, size);	143	ret = nommu_shrink_inode_mappings(inode, size, newsize);
173	if (ret < 0)	144	if (ret < 0)
174	return ret;	145	return ret;
175	}	146	}


diff --git a/include/linux/mm.h b/include/linux/mm.h index 2265f28eb47a..60c467bfbabd 100644 --- a/include/linux/mm.h +++ b/include/linux/mm.h
@@ -1089,6 +1089,7 @@ extern void zone_pcp_update(struct zone *zone);
1089		1089
1090	/* nommu.c */	1090	/* nommu.c */
1091	extern atomic_long_t mmap_pages_allocated;	1091	extern atomic_long_t mmap_pages_allocated;
		1092	extern int nommu_shrink_inode_mappings(struct inode *, size_t, size_t);
1092		1093
1093	/* prio_tree.c */	1094	/* prio_tree.c */
1094	void vma_prio_tree_add(struct vm_area_struct , struct vm_area_struct old);	1095	void vma_prio_tree_add(struct vm_area_struct , struct vm_area_struct old);


diff --git a/mm/nommu.c b/mm/nommu.c index 32be0cf51ba6..48a2ecfaf059 100644 --- a/mm/nommu.c +++ b/mm/nommu.c
@@ -1914,3 +1914,65 @@ int access_process_vm(struct task_struct tsk, unsigned long addr, void buf, in
1914	mmput(mm);	1914	mmput(mm);
1915	return len;	1915	return len;
1916	}	1916	}
		1917
		1918	/**
		1919	* nommu_shrink_inode_mappings - Shrink the shared mappings on an inode
		1920	* @inode: The inode to check
		1921	* @size: The current filesize of the inode
		1922	* @newsize: The proposed filesize of the inode
		1923	*
		1924	* Check the shared mappings on an inode on behalf of a shrinking truncate to
		1925	* make sure that that any outstanding VMAs aren't broken and then shrink the
		1926	* vm_regions that extend that beyond so that do_mmap_pgoff() doesn't
		1927	* automatically grant mappings that are too large.
		1928	*/
		1929	int nommu_shrink_inode_mappings(struct inode *inode, size_t size,
		1930	size_t newsize)
		1931	{
		1932	struct vm_area_struct *vma;
		1933	struct prio_tree_iter iter;
		1934	struct vm_region *region;
		1935	pgoff_t low, high;
		1936	size_t r_size, r_top;
		1937
		1938	low = newsize >> PAGE_SHIFT;
		1939	high = (size + PAGE_SIZE - 1) >> PAGE_SHIFT;
		1940
		1941	down_write(&nommu_region_sem);
		1942
		1943	/* search for VMAs that fall within the dead zone */
		1944	vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
		1945	low, high) {
		1946	/* found one - only interested if it's shared out of the page
		1947	* cache */
		1948	if (vma->vm_flags & VM_SHARED) {
		1949	up_write(&nommu_region_sem);
		1950	return -ETXTBSY; /* not quite true, but near enough */
		1951	}
		1952	}
		1953
		1954	/* reduce any regions that overlap the dead zone - if in existence,
		1955	* these will be pointed to by VMAs that don't overlap the dead zone
		1956	*
		1957	* we don't check for any regions that start beyond the EOF as there
		1958	* shouldn't be any
		1959	*/
		1960	vma_prio_tree_foreach(vma, &iter, &inode->i_mapping->i_mmap,
		1961	0, ULONG_MAX) {
		1962	if (!(vma->vm_flags & VM_SHARED))
		1963	continue;
		1964
		1965	region = vma->vm_region;
		1966	r_size = region->vm_top - region->vm_start;
		1967	r_top = (region->vm_pgoff << PAGE_SHIFT) + r_size;
		1968
		1969	if (r_top > newsize) {
		1970	region->vm_top -= r_top - newsize;
		1971	if (region->vm_end > region->vm_top)
		1972	region->vm_end = region->vm_top;
		1973	}
		1974	}
		1975
		1976	up_write(&nommu_region_sem);
		1977	return 0;
		1978	}