Bug 651373

Summary: NULL pointer dereference in reading vs. truncating race
Product: Red Hat Enterprise Linux 6
Component: kernel
Version: 6.0
Reporter: Johannes Weiner <jweiner>
Assignee: Johannes Weiner <jweiner>
QA Contact: Red Hat Kernel QE team <kernel-qe>
CC: lwang, tao
Status: CLOSED ERRATA
Severity: high
Priority: low
Target Milestone: rc
Hardware: All
OS: Linux
Fixed In Version: kernel-2.6.32-83.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 12:39:40 UTC
Attachments: proposed patch (flags: none)

Description Johannes Weiner 2010-11-09 12:32:15 UTC
A read() with concurrent truncation opens up a tiny race window that crashes the kernel.

If the read() path finds a page in the page cache that is not yet fully read from disk but truncated again before the reader acquires the page lock, the kernel will crash with a NULL pointer dereference.
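
The interleaving described above, modelled deterministically in userspace C as an added example (not the kernel patch attached to this bug). All struct, enum and function names are hypothetical, and the model assumes the NULL pointer is the page's back-pointer to its file mapping, which truncation clears.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model; every name here is hypothetical, not kernel code. */
struct page;
struct mapping { struct page *cached; int blkbits; };
struct page { struct mapping *mapping; bool uptodate; };

enum outcome { USED_PAGE, READ_FROM_DISK, RETRY_LOOKUP, NULL_DEREF };
enum when { NEVER, BEFORE_LOOKUP, BEFORE_LOCK };

/* Truncation drops the page from the cache and clears its back-pointer
 * (assumption: this is the pointer the crash dereferences). */
static void truncate_page(struct mapping *m)
{
    if (m->cached) {
        m->cached->mapping = NULL;
        m->cached = NULL;
    }
}

/* One pass of the reader; `when` places truncation in the interleaving. */
static enum outcome read_once(enum when when, bool recheck_under_lock)
{
    struct mapping m = { .cached = NULL, .blkbits = 12 };
    struct page pg = { .mapping = &m, .uptodate = false };
    m.cached = &pg;

    if (when == BEFORE_LOOKUP)
        truncate_page(&m);
    struct page *found = m.cached;        /* page-cache lookup */
    if (!found)
        return READ_FROM_DISK;            /* miss: reader starts fresh I/O */
    if (when == BEFORE_LOCK)
        truncate_page(&m);                /* the race window from the report */
    /* From here the reader holds the page lock. */
    if (recheck_under_lock && !found->mapping)
        return RETRY_LOOKUP;              /* page left the file: look up again */
    if (!found->mapping)
        return NULL_DEREF;                /* would read found->mapping->blkbits */
    (void)found->mapping->blkbits;        /* safe: page still belongs to the file */
    return USED_PAGE;
}

int main(void)
{
    printf("no recheck: %d, recheck: %d\n",
           read_once(BEFORE_LOCK, false), read_once(BEFORE_LOCK, true));
    return 0;
}
```

Only truncation between the lookup and the lock reaches the NULL pointer; revalidating the page once the lock is held turns that case into a retry.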

Comment 2 RHEL Program Management 2010-11-16 16:31:08 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux maintenance release. Product Management has 
requested further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed 
products. This request is not yet committed for inclusion in an Update release.

Comment 3 Aristeu Rozanski 2010-11-17 19:47:37 UTC
Patch(es) available on kernel-2.6.32-83.el6

Comment 5 Steve Best 2010-12-09 21:38:59 UTC
*** Bug 661892 has been marked as a duplicate of this bug. ***

Comment 7 IBM Bug Proxy 2011-03-26 15:43:47 UTC
------- Comment From sbest.com 2010-11-04 08:41 EDT-------
Dave, thanks for posting upstream.

http://www.spinics.net/lists/linux-mm/msg10985.html

------- Comment From sbest.com 2010-11-09 10:54 EDT-------
Johannes Weiner at RH just posted this patch to rh kernel mailing list.
rh bz is https://bugzilla.redhat.com/show_bug.cgi?id=651373

------- Comment From haveblue.com 2010-11-10 19:22 EDT-------
The patch is in -mm.  Unless something major happens, it's headed into Linus's tree pretty quickly.

------- Comment From haveblue.com 2010-11-16 14:46 EDT-------
Just hit Linus's tree:

http://git.kernel.org/gitweb.cgi?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=8d056cb965b8fb7c53c564abf28b1962d1061cd3

Comment 8 IBM Bug Proxy 2011-03-26 15:43:53 UTC
Created attachment 487830
proposed patch

Comment 10 errata-xmlrpc 2011-05-19 12:39:40 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0542.html