Re: [patch] fix race in __block_prepare_write (again)

[Andrew Morton]

Anton Altaparmakov <aia21@xxxxxxxxx> wrote:
>
> mm/filemap.c::file_buffered_write():
> 
>  - It calls fault_in_pages_readable() which is completely bogus if
>  @nr_segs > 1.  It needs to be replaced by a to be written
>  "fault_in_pages_readable_iovec()".
> 
>  - It increments @buf even in the iovec case thus @buf can point to
>  random memory really quickly (in the iovec case) and then it calls
>  fault_in_pages_readable() on this random memory.  Ouch...

hmm, yes.  Like this?


diff -puN mm/filemap.c~generic_file_buffered_write-fixes mm/filemap.c
--- 25/mm/filemap.c~generic_file_buffered_write-fixes	2005-04-24 14:18:58.445943000 -0700
+++ 25-akpm/mm/filemap.c	2005-04-24 14:20:21.995241576 -0700
@@ -1944,7 +1944,7 @@ generic_file_buffered_write(struct kiocb
 		buf = iov->iov_base + written;
 	else {
 		filemap_set_next_iovec(&cur_iov, &iov_base, written);
-		buf = iov->iov_base + iov_base;
+		buf = cur_iov->iov_base + iov_base;
 	}
 
 	do {
@@ -2002,9 +2002,11 @@ generic_file_buffered_write(struct kiocb
 				count -= status;
 				pos += status;
 				buf += status;
-				if (unlikely(nr_segs > 1))
+				if (unlikely(nr_segs > 1)) {
 					filemap_set_next_iovec(&cur_iov,
 							&iov_base, status);
+					buf = cur_iov->iov_base + iov_base;
+				}
 			}
 		}
 		if (unlikely(copied != bytes))
_

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/