[PATCH] nfs: clear_commit_release incorrectly handle truncated page

From: Dmitry Monakhov
Date: Tue Feb 02 2010 - 05:24:58 EST

Next message: Mark Brown: "Re: linux-next: sound tree build failure"
Previous message: Jiri Kosina: "Re: [PATCH] devres: typo fix s/dev/devm/"
Next in thread: Dmitry Monakhov: "[PATCH] nfs: clear_commit_release incorrectly handle truncated page"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

After page was truncated it lost it's mapping, this result in null
pointer dereference on bdi_stat update. In fact we have to decrement
bdi_stat even for truncated pages, so let's pass correct mapping in
function arguments.

Signed-off-by: Dmitry Monakhov <dmonakhov@xxxxxxxxxx>
---
fs/nfs/write.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index d171696..bfcf92a 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -445,13 +445,13 @@ nfs_mark_request_commit(struct nfs_page *req)
}

static int
-nfs_clear_request_commit(struct nfs_page *req)
+nfs_clear_request_commit(struct nfs_page *req, struct address_space *mapping)
{
struct page *page = req->wb_page;
-
+ /* page->mapping may be NULL if page was truncated */
if (test_and_clear_bit(PG_CLEAN, &(req)->wb_flags)) {
dec_zone_page_state(page, NR_UNSTABLE_NFS);
- dec_bdi_stat(page->mapping->backing_dev_info, BDI_RECLAIMABLE);
+ dec_bdi_stat(mapping->backing_dev_info, BDI_RECLAIMABLE);
return 1;
}
return 0;
@@ -483,7 +483,7 @@ nfs_mark_request_commit(struct nfs_page *req)
}

static inline int
-nfs_clear_request_commit(struct nfs_page *req)
+nfs_clear_request_commit(struct nfs_page *req, struct address_space *mapping)
{
return 0;
}
@@ -539,14 +539,15 @@ static int nfs_wait_on_requests_locked(struct inode *inode, pgoff_t idx_start, u
return res;
}

-static void nfs_cancel_commit_list(struct list_head *head)
+static void nfs_cancel_commit_list(struct list_head *head,
+ struct address_space *mapping)
{
struct nfs_page *req;

while(!list_empty(head)) {
req = nfs_list_entry(head->next);
nfs_list_remove_request(req);
- nfs_clear_request_commit(req);
+ nfs_clear_request_commit(req, mapping);
nfs_inode_remove_request(req);
nfs_unlock_request(req);
}
@@ -642,7 +643,7 @@ static struct nfs_page *nfs_try_to_update_request(struct inode *inode,
spin_lock(&inode->i_lock);
}

- if (nfs_clear_request_commit(req))
+ if (nfs_clear_request_commit(req, inode->i_mapping))
radix_tree_tag_clear(&NFS_I(inode)->nfs_page_tree,
req->wb_index, NFS_PAGE_TAG_COMMIT);

@@ -1352,7 +1353,7 @@ static void nfs_commit_release(void *calldata)
while (!list_empty(&data->pages)) {
req = nfs_list_entry(data->pages.next);
nfs_list_remove_request(req);
- nfs_clear_request_commit(req);
+ nfs_clear_request_commit(req, data->inode->i_mapping);

dprintk("NFS: commit (%s/%lld %d@%lld)",
req->wb_context->path.dentry->d_inode->i_sb->s_id,
@@ -1449,7 +1450,7 @@ long nfs_sync_mapping_wait(struct address_space *mapping, struct writeback_contr
break;
if (how & FLUSH_INVALIDATE) {
spin_unlock(&inode->i_lock);
- nfs_cancel_commit_list(&head);
+ nfs_cancel_commit_list(&head, mapping);
ret = pages;
spin_lock(&inode->i_lock);
continue;
--
1.6.3.3

--=-=-=--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Mark Brown: "Re: linux-next: sound tree build failure"
Previous message: Jiri Kosina: "Re: [PATCH] devres: typo fix s/dev/devm/"
Next in thread: Dmitry Monakhov: "[PATCH] nfs: clear_commit_release incorrectly handle truncated page"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]