Bug#405449: linux-source-2.6.18: possible data corruption due to race condition in mmap
Package: linux-source-2.6.18
Version: 2.6.18-7
Severity: normal
Tags: patch
Full story is at http://www.kerneltrap.org/node/7518 . The source still seems to contain an old
code. I include patch (simple rediff from the new 2.6.20-rc3 source), but I haven't tested it
thoroughly yet. This bug should probably be tagged as "critical".
Regards,
M.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-3-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Versions of packages linux-source-2.6.18 depends on:
ii binutils 2.17-3 The GNU assembler, linker and bina
ii bzip2 1.0.3-6 high-quality block-sorting file co
Versions of packages linux-source-2.6.18 recommends:
ii gcc 4:4.1.1-13 The GNU C compiler
ii libc6-dev [libc-dev] 2.3.6.ds1-8 GNU C Library: Development Librari
ii make 3.81-2 The GNU version of the "make" util
-- no debconf information
--- linux-source-2.6.18-old/mm/page-writeback.c 2006-12-04 15:27:13.000000000 +0100
+++ linux-source-2.6.18/mm/page-writeback.c 2007-01-03 17:36:31.000000000 +0100
@@ -757,19 +757,48 @@
*/
int clear_page_dirty_for_io(struct page *page)
{
- struct address_space *mapping = page_mapping(page);
+ struct address_space *mapping = page_mapping(page);
- if (mapping) {
- if (TestClearPageDirty(page)) {
- if (mapping_cap_account_dirty(mapping)) {
- page_mkclean(page);
- dec_zone_page_state(page, NR_FILE_DIRTY);
- }
- return 1;
- }
- return 0;
- }
- return TestClearPageDirty(page);
+ if (mapping && mapping_cap_account_dirty(mapping)) {
+ /*
+ * Yes, Virginia, this is indeed insane.
+ *
+ * We use this sequence to make sure that
+ * (a) we account for dirty stats properly
+ * (b) we tell the low-level filesystem to
+ * mark the whole page dirty if it was
+ * dirty in a pagetable. Only to then
+ * (c) clean the page again and return 1 to
+ * cause the writeback.
+ *
+ * This way we avoid all nasty races with the
+ * dirty bit in multiple places and clearing
+ * them concurrently from different threads.
+ *
+ * Note! Normally the "set_page_dirty(page)"
+ * has no effect on the actual dirty bit - since
+ * that will already usually be set. But we
+ * need the side effects, and it can help us
+ * avoid races.
+ *
+ * We basically use the page "master dirty bit"
+ * as a serialization point for all the different
+ * threads doing their things.
+ *
+ * FIXME! We still have a race here: if somebody
+ * adds the page back to the page tables in
+ * between the "page_mkclean()" and the "TestClearPageDirty()",
+ * we might have it mapped without the dirty bit set.
+ */
+ if (page_mkclean(page))
+ set_page_dirty(page);
+ if (TestClearPageDirty(page)) {
+ dec_zone_page_state(page, NR_FILE_DIRTY);
+ return 1;
+ }
+ return 0;
+ }
+ return TestClearPageDirty(page);
}
EXPORT_SYMBOL(clear_page_dirty_for_io);
Reply to: