On Fri, May 05, 2017 at 09:25:00AM +0200, Jan Kara wrote:
> Currently DAX read fault can race with write(2) in the following way:
>
> CPU1 - write(2)                 CPU2 - read fault
>                                 dax_iomap_pte_fault()
>                                   ->iomap_begin() - sees hole
> dax_iomap_rw()
>   iomap_apply()
>     ->iomap_begin - allocates blocks
>   dax_iomap_actor()
>     invalidate_inode_pages2_range()
>       - there's nothing to invalidate
>                                   grab_mapping_entry()
>                                   - we add zero page in the radix tree
>                                     and map it to page tables
>
> The result is that hole page is mapped into page tables (and thus zeros
> are seen in mmap) while file has data written in that place.
>
> Fix the problem by locking exception entry before mapping blocks for the
> fault. That way we are sure invalidate_inode_pages2_range() call for
> racing write will either block on entry lock waiting for the fault to
> finish (and unmap stale page tables after that) or read fault will see
> already allocated blocks by write(2).
>
> Fixes: 9f141d6ef6258a3a37a045842d9ba7e68f368956
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Jan Kara <jack@xxxxxxx>

Yep, this looks correct to me. Thanks!

Reviewed-by: Ross Zwisler <ross.zwisler@xxxxxxxxxxxxxxx>
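
The interleaving in the quoted commit message can be checked with a small user-space model that enumerates every ordering of the fault and write steps. This is an added example, not part of the thread or of the kernel patch; the state struct, the step functions and stale_mappings() are constructed for illustration and reduce each kernel function named above to one atomic step.

```c
#include <stdbool.h>
#include <stdio.h>
/* Constructed toy state for one file offset; not kernel data structures. */
struct state { bool block, entry, locked, zero_mapped, saw_hole; };

/* Read fault step f; lock_first selects the ordering the fix describes. */
static struct state fault_step(struct state s, int f, bool lock_first)
{
    if (lock_first && f == 0) {             /* take and lock the entry */
        s.entry = s.locked = true;
    } else if (f == (lock_first ? 1 : 0)) { /* ->iomap_begin() */
        s.saw_hole = !s.block;
    } else {                                /* map the page, drop the lock */
        s.entry = true;
        s.zero_mapped = s.saw_hole;
        s.locked = false;
    }
    return s;
}

/* write(2) step w: 0 allocates blocks, 1 invalidates the range. */
static struct state write_step(struct state s, int w)
{
    if (w == 0)
        s.block = true;
    else if (s.entry)                       /* drop entry, unmap page tables */
        s.entry = s.zero_mapped = false;
    return s;
}

/* Try every interleaving; count those that end with a stale zero page. */
static int explore(struct state s, int f, int w, bool lock_first)
{
    int nf = lock_first ? 3 : 2, bad = 0;
    if (f == nf && w == 2)
        return s.block && s.zero_mapped;
    if (f < nf)
        bad += explore(fault_step(s, f, lock_first), f + 1, w, lock_first);
    if (w < 2 && !(w == 1 && s.locked))     /* invalidation waits on the lock */
        bad += explore(write_step(s, w), f, w + 1, lock_first);
    return bad;
}
int stale_mappings(bool lock_first)
{
    return explore((struct state){ false }, 0, 0, lock_first);
}
int main(void)
{
    printf("old order: %d, fixed order: %d\n", stale_mappings(false), stale_mappings(true));
}
```

In this model the only failing schedule for the old ordering is the one drawn in the commit message: the hole is seen, the write allocates and invalidates nothing, then the zero page is mapped.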