Re: [PATCH] cramfs corruption after BLKFLSBUF on loop device

From: Olaf Hering
Date: Wed Sep 20 2006 - 09:20:34 EST

Next message: Masami Hiramatsu: "Re: [PATCH] Linux Kernel Markers"
Previous message: Petter Sundlöf: "Buffer I/O error on Sony Ericsson W810i (writing/sync to memory stickduo via phone's USB)"
Next in thread: Andrew Morton: "Re: [PATCH] cramfs corruption after BLKFLSBUF on loop device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Jun 01, Olaf Hering wrote:

> ...
> Error -3 while decompressing!
> c0000000009592a2(2649)->c0000000edf87000(4096)
> Error -3 while decompressing!
> c000000000959298(2520)->c0000000edbc7000(4096)
> Error -3 while decompressing!
> c000000000959c70(2489)->c0000000f1482000(4096)
> Error -3 while decompressing!
> c00000000095a629(2355)->c0000000edaff000(4096)
> Error -3 while decompressing!
> ...

Today I looked at this bug again and found that 2.6.18-rc6-git2 has
fix for this. Is the patch below supposed to fix the cramfs corruption
or does it just paper over the bug?

...
cramfs_read() clears parts of the src buffer because the page is not
uptodate. invalidate_bdev() called from block_ioctl(BLKFLSBUF) will set
ClearPageUptodate() after cramfs_read() got the page from read_cache_page()
...

/root/cramfscrash.sh
#!/bin/bash
# cd /dev/shm/
# tar xfz /mounts/mirror/kernel/v2.6/linux-2.6.18.tar.gz
# cd linux-2.6.18/
# mkfs.cramfs drivers /tmp/cramfs.image
mount -vnt proc proc /proc
echo 1 > /proc/sys/kernel/panic
echo 9 > /proc/sysrq-trigger
mount -vnt sysfs sysfs /sys
modprobe -v loop
mount -vnt cramfs -o loop /tmp/cramfs.image /mnt
while :;do /sbin/blockdev --flushbufs /dev/loop0;done </dev/null &>/dev/null&
while :;do /usr/bin/find /mnt -type f -print0|xargs -0 cat &>/dev/null;done

kernel cmdline
xmon=off panic=1 sysrq=1 quiet root=/dev/disk/by-uuid/d50e4029-2e91-4332-bb16-24f946a74d3f ro init=/root/cramfscrash.sh

016eb4a0ed06a3677d67a584da901f0e9a63c666.patch
From: Andrew Morton <akpm@xxxxxxxx>

If a CPU faults this page into pagetables after invalidate_mapping_pages()
checked page_mapped(), invalidate_complete_page() will still proceed to remove
the page from pagecache. This leaves the page-faulting process with a
detached page. If it was MAP_SHARED then file data loss will ensue.

Fix that up by checking the page's refcount after taking tree_lock.

Cc: Nick Piggin <nickpiggin@xxxxxxxxxxxx>
Cc: Hugh Dickins <hugh@xxxxxxxxxxx>
Cc: <stable@xxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxx>
---

mm/truncate.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)

diff -puN mm/truncate.c~invalidate_complete_page-race-fix mm/truncate.c
--- a/mm/truncate.c~invalidate_complete_page-race-fix
+++ a/mm/truncate.c
@@ -68,10 +68,10 @@ invalidate_complete_page(struct address_
return 0;

write_lock_irq(&mapping->tree_lock);
- if (PageDirty(page)) {
- write_unlock_irq(&mapping->tree_lock);
- return 0;
- }
+ if (PageDirty(page))
+ goto failed;
+ if (page_count(page) != 2) /* caller's ref + pagecache ref */
+ goto failed;

BUG_ON(PagePrivate(page));
__remove_from_page_cache(page);
@@ -79,6 +79,9 @@ invalidate_complete_page(struct address_
ClearPageUptodate(page);
page_cache_release(page); /* pagecache ref */
return 1;
+failed:
+ write_unlock_irq(&mapping->tree_lock);
+ return 0;
}

/**
_
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Masami Hiramatsu: "Re: [PATCH] Linux Kernel Markers"
Previous message: Petter Sundlöf: "Buffer I/O error on Sony Ericsson W810i (writing/sync to memory stickduo via phone's USB)"
Next in thread: Andrew Morton: "Re: [PATCH] cramfs corruption after BLKFLSBUF on loop device"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]