On 11/16/2015 08:34 PM, Ross Zwisler wrote: > On Mon, Nov 16, 2015 at 10:15:56AM -0800, Dan Williams wrote: >> On Mon, Nov 16, 2015 at 4:09 AM, Yigal Korman <yigal@xxxxxxxxxxxxx> wrote: >>> DAX handling of COW faults has wrong locking sequence: >>> dax_fault does i_mmap_lock_read >>> do_cow_fault does i_mmap_unlock_write >>> >>> Ross's commit[1] missed a fix[2] that Kirill added to Matthew's >>> commit[3]. >>> >>> Original COW locking logic was introduced by Matthew here[4]. >>> >>> This should be applied to v4.3 as well. >>> >>> [1] 0f90cc6609c7 mm, dax: fix DAX deadlocks >>> [2] 52a2b53ffde6 mm, dax: use i_mmap_unlock_write() in do_cow_fault() >>> [3] 843172978bb9 dax: fix race between simultaneous faults >>> [4] 2e4cdab0584f mm: allow page fault handlers to perform the COW >>> >>> Signed-off-by: Yigal Korman <yigal@xxxxxxxxxxxxx> >>> >>> Cc: Stable Tree <stable@xxxxxxxxxxxxxxx> >>> Cc: Boaz Harrosh <boaz@xxxxxxxxxxxxx> >>> Cc: Ross Zwisler <ross.zwisler@xxxxxxxxxxxxxxx> >>> Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx> >>> Cc: Dan Williams <dan.j.williams@xxxxxxxxx> >>> Cc: Dave Chinner <dchinner@xxxxxxxxxx> >>> Cc: Jan Kara <jack@xxxxxxxx> >>> Cc: "Kirill A. Shutemov" <kirill.shutemov@xxxxxxxxxxxxxxx> >>> Cc: Matthew Wilcox <matthew.r.wilcox@xxxxxxxxx> >>> --- >>> mm/memory.c | 8 ++++---- >>> 1 file changed, 4 insertions(+), 4 deletions(-) >>> >>> diff --git a/mm/memory.c b/mm/memory.c >>> index c716913..e5071af 100644 >>> --- a/mm/memory.c >>> +++ b/mm/memory.c >>> @@ -3015,9 +3015,9 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, >>> } else { >>> /* >>> * The fault handler has no page to lock, so it holds >>> - * i_mmap_lock for write to protect against truncate. >>> + * i_mmap_lock for read to protect against truncate. >>> */ >>> - i_mmap_unlock_write(vma->vm_file->f_mapping); >>> + i_mmap_unlock_read(vma->vm_file->f_mapping); >>> } >>> goto uncharge_out; >>> } >>> @@ -3031,9 +3031,9 @@ static int do_cow_fault(struct mm_struct *mm, struct vm_area_struct *vma, >>> } else { >>> /* >>> * The fault handler has no page to lock, so it holds >>> - * i_mmap_lock for write to protect against truncate. >>> + * i_mmap_lock for read to protect against truncate. >>> */ >>> - i_mmap_unlock_write(vma->vm_file->f_mapping); >>> + i_mmap_unlock_read(vma->vm_file->f_mapping); >>> } >>> return ret; >>> uncharge_out: >> >> Looks good to me. I'll include this with some other DAX fixes I have pending. > > Looks good to me as well. Thanks for catching this. > Yes. None of the xfstests catch this. It needs a private-mapping mmap in some combination of other activity on the file at the same time. Which the linker of gcc does. We have a test of a git clone Kernel-tree and make. which catches this in the make phase. For some reason on ext4 it is reliable to crash but on xfs 1/2 the runs go through, go figure. Thanks Yigal for the fast fix Boaz -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html