[PATCH] handle pages which alter their ->mapping

Patch from Hugh Dickins <hugh@veritas.com> tmpfs failed fsx+swapout tests after many hours, a page found zeroed. Not a truncate problem, but mirror image of earlier truncate problems: swap goes through mpage_writepages, which must therefore allow for a sudden swizzle back to file identity. Second time this caught us, so I've audited the tree for other places which might be surprised by such swizzling. The only others I found were (perhaps) in the parisc and sparc64 flush_dcache_page called from do_generic_mapping_read on a looped tmpfs file which is also mmapped; but that's a very marginal case, I wanted to understand it better before making any edit, and now realize that hch's sendfile in loop eliminates it (now go through do_shmem_file_read instead: similar but crucially this locks the page when raising its count, which is enough to keep vmscan from interfering).

[PATCH] handle pages which alter their ->mapping
Patch from Hugh Dickins <hugh@veritas.com> tmpfs failed fsx+swapout tests after many hours, a page found zeroed. Not a truncate problem, but mirror image of earlier truncate problems: swap goes through mpage_writepages, which must therefore allow for a sudden swizzle back to file identity. Second time this caught us, so I've audited the tree for other places which might be surprised by such swizzling. The only others I found were (perhaps) in the parisc and sparc64 flush_dcache_page called from do_generic_mapping_read on a looped tmpfs file which is also mmapped; but that's a very marginal case, I wanted to understand it better before making any edit, and now realize that hch's sendfile in loop eliminates it (now go through do_shmem_file_read instead: similar but crucially this locks the page when raising its count, which is enough to keep vmscan from interfering).
820ef9df · Andrew Morton · Linus Torvalds · 77fe2d67 · 820ef9df · 820ef9df
Commit 820ef9df authored Nov 15, 2002 by Andrew Morton Committed by Linus Torvalds Nov 15, 2002
Hide whitespace changes
Inline Side-by-side

Showing with 10 additions and 1 deletion

fs/mpage.c fs/mpage.c +8 -1

mm/page-writeback.c mm/page-writeback.c +1 -0

mm/page_io.c mm/page_io.c +1 -0

No files found.
--- a/fs/mpage.c
+++ b/fs/mpage.c
@@ -587,12 +587,19 @@ mpage_writepages(struct address_space *mapping,
 		page_cache_get(page);
 		write_unlock(&mapping->page_lock);
+		/*
+		 * At this point we hold neither mapping->page_lock nor
+		 * lock on the page itself: the page may be truncated or
+		 * invalidated (changing page->mapping to NULL), or even
+		 * swizzled back from swapper_space to tmpfs file mapping.
+		 */
 		lock_page(page);
 		if (sync)
 			wait_on_page_writeback(page);
-		if (page->mapping && !PageWriteback(page) &&
+		if (page->mapping == mapping && !PageWriteback(page) &&
 					test_clear_page_dirty(page)) {
 			if (writepage) {
 				ret = (*writepage)(page);

--- a/mm/page-writeback.c
+++ b/mm/page-writeback.c
@@ -613,6 +613,7 @@ int __set_page_dirty_nobuffers(struct page *page)
 		if (mapping) {
 			write_lock(&mapping->page_lock);
 			if (page->mapping) {	/* Race with truncate? */
+				BUG_ON(page->mapping != mapping);
 				if (!mapping->backing_dev_info->memory_backed)
 					inc_page_state(nr_dirty);
 				list_del(&page->list);

--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -30,6 +30,7 @@ get_swap_bio(int gfp_flags, struct page *page, bio_end_io_t end_io)
 		struct swap_info_struct *sis;
 		swp_entry_t entry;
+		BUG_ON(!PageSwapCache(page));
 		entry.val = page->index;
 		sis = get_swap_info_struct(swp_type(entry));