linux/mm
Hugh Dickins 487e9bf25c fix tmpfs BUG and AOP_WRITEPAGE_ACTIVATE
It's possible to provoke unionfs (not yet in mainline, though in mm and
some distros) to hit shmem_writepage's BUG_ON(page_mapped(page)).  I expect
it's possible to provoke the 2.6.23 ecryptfs in the same way (but the
2.6.24 ecryptfs no longer calls lower level's ->writepage).

This came to light with the recent find that AOP_WRITEPAGE_ACTIVATE could
leak from tmpfs via write_cache_pages and unionfs to userspace.  There's
already a fix (e423003028 - writeback: don't
propagate AOP_WRITEPAGE_ACTIVATE) in the tree for that, and it's okay so
far as it goes; but insufficient because it doesn't address the underlying
issue, that shmem_writepage expects to be called only by vmscan (relying on
backing_dev_info capabilities to prevent the normal writeback path from
ever approaching it).

That's an increasingly fragile assumption, and ramdisk_writepage (the other
source of AOP_WRITEPAGE_ACTIVATEs) is already careful to check
wbc->for_reclaim before returning it.  Make the same check in
shmem_writepage, thereby sidestepping the page_mapped BUG also.

Signed-off-by: Hugh Dickins <hugh@veritas.com>
Cc: Erez Zadok <ezk@cs.sunysb.edu>
Cc: <stable@kernel.org>
Reviewed-by: Pekka Enberg <penberg@cs.helsinki.fi>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2007-10-30 08:06:55 -07:00
allocpercpu.c Slab allocators: Replace explicit zeroing with __GFP_ZERO 2007-07-17 10:23:02 -07:00
backing-dev.c mm: per device dirty threshold 2007-10-17 08:42:45 -07:00
bootmem.c [PATCH] remove EXPORT_UNUSED_SYMBOL'ed symbols 2006-12-07 08:39:44 -08:00
bounce.c block: Initial support for data-less (or empty) barrier support 2007-10-16 11:03:56 +02:00
fadvise.c [PATCH] mm: change uses of f_{dentry,vfsmnt} to use f_path 2006-12-08 08:28:43 -08:00
filemap_xip.c mm: write iovec cleanup 2007-10-16 09:42:54 -07:00
filemap.c Fix a build error when BLOCK=n 2007-10-29 11:33:06 +01:00
fremap.c remap_file_pages: kernel-doc corrections 2007-10-17 08:43:07 -07:00
highmem.c Create the ZONE_MOVABLE zone 2007-07-17 10:22:59 -07:00
hugetlb.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
internal.h Breakout page_order() to internal.h to avoid special knowledge of the buddy allocator 2007-10-16 09:43:01 -07:00
Kconfig small documentation fixes 2007-10-20 02:46:58 +02:00
madvise.c speed up madvise_need_mmap_write() usage 2007-07-16 09:05:36 -07:00
Makefile memory unplug: page isolation 2007-10-16 09:43:02 -07:00
memory_hotplug.c memory hotplug: rearrange memory hotplug notifier 2007-10-22 08:13:17 -07:00
memory.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
mempolicy.c Uninline find_task_by_xxx set of functions 2007-10-19 11:53:40 -07:00
mempool.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
migrate.c Typo fixes retrun -> return 2007-10-20 02:13:26 +02:00
mincore.c [PATCH] mincore: vma crossing fix 2007-02-15 09:57:03 -08:00
mlock.c do not limit locked memory when RLIMIT_MEMLOCK is RLIM_INFINITY 2007-07-16 09:05:37 -07:00
mmap.c fix mprotect vma_wants_writenotify prot 2007-10-23 08:32:06 -07:00
mmzone.c [PATCH] remove EXPORT_UNUSED_SYMBOL'ed symbols 2006-12-07 08:39:44 -08:00
mprotect.c fix mprotect vma_wants_writenotify prot 2007-10-23 08:32:06 -07:00
mremap.c sparse pointer use of zero as null 2007-10-18 14:37:31 -07:00
msync.c Detach sched.h from mm.h 2007-05-21 09:18:19 -07:00
nommu.c NOMMU: mm/nommu.c needs linux/module.h 2007-10-29 07:53:26 -07:00
oom_kill.c oom_kill bug 2007-10-20 15:04:06 -07:00
page_alloc.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
page_io.c Drop 'size' argument from bio_endio and bi_end_io 2007-10-10 09:25:57 +02:00
page_isolation.c memory unplug: page isolation 2007-10-16 09:43:02 -07:00
page-writeback.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
pdflush.c Freezer: make kernel threads nonfreezable by default 2007-07-17 10:23:02 -07:00
prio_tree.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
quicklist.c Quicklists for page table pages 2007-05-07 12:12:54 -07:00
readahead.c mm: bdi init hooks 2007-10-17 08:42:45 -07:00
rmap.c mm: document tree_lock->zone.lock lockorder 2007-10-17 08:42:46 -07:00
shmem_acl.c [PATCH] Fix typos in mm/shmem_acl.c 2006-10-11 11:14:23 -07:00
shmem.c fix tmpfs BUG and AOP_WRITEPAGE_ACTIVATE 2007-10-30 08:06:55 -07:00
slab.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
slob.c Slab API: remove useless ctor parameter and reorder parameters 2007-10-17 08:42:45 -07:00
slub.c missing atomic_read_long() in slub.c 2007-10-29 07:41:32 -07:00
sparse-vmemmap.c mm/sparse-vmemmap.c: make sure init_mm is included 2007-10-30 08:06:55 -07:00
sparse.c Revert "x86_64: allocate sparsemem memmap above 4G" 2007-10-29 14:05:37 -07:00
swap_state.c mm: clarify __add_to_swap_cache locking 2007-10-16 09:42:53 -07:00
swap.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
swapfile.c Replace CONFIG_SOFTWARE_SUSPEND with CONFIG_HIBERNATION 2007-07-29 16:45:38 -07:00
thrash.c Bug in mm/thrash.c function grab_swap_token() 2007-05-11 08:29:32 -07:00
tiny-shmem.c r/o bind mounts: filesystem helpers for custom 'struct file's 2007-10-17 08:43:04 -07:00
truncate.c Drop some headers from mm.h 2007-10-17 08:42:55 -07:00
util.c Slab allocators: fail if ksize is called with a NULL parameter 2007-10-16 09:42:53 -07:00
vmalloc.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
vmscan.c spelling fixes: mm/ 2007-10-20 01:27:18 +02:00
vmstat.c oom: change all_unreclaimable zone member to flags 2007-10-17 08:42:45 -07:00