diff options
| author | Christoph Hellwig <hch@infradead.org> | 2008-05-19 02:34:42 -0400 |
|---|---|---|
| committer | Lachlan McIlroy <lachlan@redback.melbourne.sgi.com> | 2008-05-23 04:12:49 -0400 |
| commit | 6ab455eeaff6893cd06da33843e840d888cdc04a (patch) | |
| tree | e7744d1580647ca3b08e829bcf976f2f60c49986 /fs/xfs/linux-2.6/xfs_buf.h | |
| parent | c8f5f12e46f079a954d4f7163ba59dadee08ca26 (diff) | |
[XFS] Fix memory corruption with small buffer reads
When we have multiple buffers in a single page for a blocksize == pagesize
filesystem we might overwrite the page contents if two callers hit it
shortly after each other. To prevent that we need to keep the page locked
until I/O is completed and the page marked uptodate.
Thanks to Eric Sandeen for triaging this bug and finding a reproducible
testcase and Dave Chinner for additional advice.
This should fix kernel.org bz #10421.
Tested-by: Eric Sandeen <sandeen@sandeen.net>
SGI-PV: 981813
SGI-Modid: xfs-linux-melb:xfs-kern:31173a
Signed-off-by: Christoph Hellwig <hch@infradead.org>
Signed-off-by: David Chinner <dgc@sgi.com>
Signed-off-by: Lachlan McIlroy <lachlan@sgi.com>
Diffstat (limited to 'fs/xfs/linux-2.6/xfs_buf.h')
| -rw-r--r-- | fs/xfs/linux-2.6/xfs_buf.h | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/fs/xfs/linux-2.6/xfs_buf.h b/fs/xfs/linux-2.6/xfs_buf.h index 841d7883528d..f948ec7ba9a4 100644 --- a/fs/xfs/linux-2.6/xfs_buf.h +++ b/fs/xfs/linux-2.6/xfs_buf.h | |||
| @@ -66,6 +66,25 @@ typedef enum { | |||
| 66 | _XBF_PAGES = (1 << 18), /* backed by refcounted pages */ | 66 | _XBF_PAGES = (1 << 18), /* backed by refcounted pages */ |
| 67 | _XBF_RUN_QUEUES = (1 << 19),/* run block device task queue */ | 67 | _XBF_RUN_QUEUES = (1 << 19),/* run block device task queue */ |
| 68 | _XBF_DELWRI_Q = (1 << 21), /* buffer on delwri queue */ | 68 | _XBF_DELWRI_Q = (1 << 21), /* buffer on delwri queue */ |
| 69 | |||
| 70 | /* | ||
| 71 | * Special flag for supporting metadata blocks smaller than a FSB. | ||
| 72 | * | ||
| 73 | * In this case we can have multiple xfs_buf_t on a single page and | ||
| 74 | * need to lock out concurrent xfs_buf_t readers as they only | ||
| 75 | * serialise access to the buffer. | ||
| 76 | * | ||
| 77 | * If the FSB size >= PAGE_CACHE_SIZE case, we have no serialisation | ||
| 78 | * between reads of the page. Hence we can have one thread read the | ||
| 79 | * page and modify it, but then race with another thread that thinks | ||
| 80 | * the page is not up-to-date and hence reads it again. | ||
| 81 | * | ||
| 82 | * The result is that the first modifcation to the page is lost. | ||
| 83 | * This sort of AGF/AGI reading race can happen when unlinking inodes | ||
| 84 | * that require truncation and results in the AGI unlinked list | ||
| 85 | * modifications being lost. | ||
| 86 | */ | ||
| 87 | _XBF_PAGE_LOCKED = (1 << 22), | ||
| 69 | } xfs_buf_flags_t; | 88 | } xfs_buf_flags_t; |
| 70 | 89 | ||
| 71 | typedef enum { | 90 | typedef enum { |