• NeilBrown's avatar
    [PATCH] Prepare for __copy_from_user_inatomic to not zero missed bytes · 01408c49
    NeilBrown authored
    The problem is that when we write to a file, the copy from userspace to
    pagecache is first done with preemption disabled, so if the source address is
    not immediately available the copy fails *and* *zeros* *the* *destination*.
    
    This is a problem because a concurrent read (which admittedly is an odd thing
    to do) might see zeros rather that was there before the write, or what was
    there after, or some mixture of the two (any of these being a reasonable thing
    to see).
    
    If the copy did fail, it will immediately be retried with preemption
    re-enabled so any transient problem with accessing the source won't cause an
    error.
    
    The first copying does not need to zero any uncopied bytes, and doing so
    causes the problem.  It uses copy_from_user_atomic rather than copy_from_user
    so the simple expedient is to change copy_from_user_atomic to *not* zero out
    bytes on failure.
    
    The first of these two patches prepares for the change by fixing two places
    which assume copy_from_user_atomic does zero the tail.  The two usages are
    very similar pieces of code which copy from a userspace iovec into one or more
    page-cache pages.  These are changed to remove the assumption.
    
    The second patch changes __copy_from_user_inatomic* to not zero the tail.
    Once these are accepted, I will look at similar patches of other architectures
    where this is important (ppc, mips and sparc being the ones I can find).
    
    This patch:
    
    There is a problem with __copy_from_user_inatomic zeroing the tail of the
    buffer in the case of an error.  As it is called in atomic context, the error
    may be transient, so it results in zeros being written where maybe they
    shouldn't be.
    
    In the usage in filemap, this opens a window for a well timed read to see data
    (zeros) which is not consistent with any ordering of reads and writes.
    
    Most cases where __copy_from_user_inatomic is called, a failure results in
    __copy_from_user being called immediately.  As long as the latter zeros the
    tail, the former doesn't need to.  However in *copy_from_user_iovec
    implementations (in both filemap and ntfs/file), it is assumed that
    copy_from_user_inatomic will zero the tail.
    
    This patch removes that assumption, so that after this patch it will
    be safe for copy_from_user_inatomic to not zero the tail.
    
    This patch also adds some commentary to filemap.h and asm-i386/uaccess.h.
    
    After this patch, all architectures that might disable preempt when
    kmap_atomic is called need to have their __copy_from_user_inatomic* "fixed".
    This includes
     - powerpc
     - i386
     - mips
     - sparc
    Signed-off-by: default avatarNeil Brown <neilb@suse.de>
    Cc: David Howells <dhowells@redhat.com>
    Cc: Anton Altaparmakov <aia21@cantab.net>
    Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
    Cc: Paul Mackerras <paulus@samba.org>
    Cc: Ralf Baechle <ralf@linux-mips.org>
    Cc: William Lee Irwin III <wli@holomorphy.com>
    Signed-off-by: default avatarAndrew Morton <akpm@osdl.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@osdl.org>
    01408c49
file.c 70 KB