Hi Penglei,
On 2025/3/30 15:55, Penglei Jiang wrote:
In ext4_page_mkwrite, it calls ext4_convert_inline_data, but it does
not use inode_lock to hold i_rwsem.
Fixes: 7b4cc9787fe35 ("ext4: evict inline data when writing to memory map")
Reported-by: syzbot+d14b2bea87fe2aaffa3b@xxxxxxxxxxxxxxxxxxxxxxxxx
Closes: https://lore.kernel.org/all/67e57c6c.050a0220.2f068f.0037.GAE@xxxxxxxxxx
Signed-off-by: Penglei Jiang <superman.xpt@xxxxxxxxx>
---
fs/ext4/inode.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c
index bcb96caf77c0..4e726c86377a 100644
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -6203,6 +6203,8 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)
sb_start_pagefault(inode->i_sb);
file_update_time(vma->vm_file);
+ inode_lock(inode);
+
filemap_invalidate_lock_shared(mapping);
err = ext4_convert_inline_data(inode);
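Review bot: taking inode_lock() unconditionally at `+ inode_lock(inode);` in ext4_page_mkwrite() creates a lock-ordering hazard: ->page_mkwrite runs from the page fault path, where mmap_lock is already held, while other ext4 paths take i_rwsem first and can then fault on user memory (a buffered write copying from the user buffer, for example), so acquiring i_rwsem here nests the two locks in the opposite order and can deadlock (ABBA). If ext4_convert_inline_data() needs serialisation against concurrent inline-data writers, it has to be provided by a lock whose ordering against mmap_lock and invalidate_lock is already established, not by adding inode_lock() in the fault handler. Minor: the extra blank line added after `+ inode_lock(inode);` is unnecessary.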
We cannot directly add inode_lock here, otherwise it may cause ABBA
deadlock. The inline data conversion here does lack inode_lock, but
there is no good way to fix it now. For details, please see:
https://lore.kernel.org/all/d704ce55-321a-9c1d-1f8b-3360a0fdf978@xxxxxxxxxx/
@@ -6308,6 +6310,7 @@ vm_fault_t ext4_page_mkwrite(struct vm_fault *vmf)
ret = vmf_fs_error(err);
out:
filemap_invalidate_unlock_shared(mapping);
+ inode_unlock(inode);
sb_end_pagefault(inode->i_sb);
return ret;
out_error:
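Review bot: the new `+ inode_unlock(inode);` under `out:` is correctly placed after filemap_invalidate_unlock_shared(mapping) (reverse acquisition order), but the `out_error:` label right below shows ext4_page_mkwrite() has at least one other exit; every return path reached after the `inode_lock(inode)` added in the first hunk must either fall through to `out:` or unlock on its own, otherwise a failed fault returns to the caller with i_rwsem still held. Please confirm that `out_error:` joins `out:` before returning, or add the matching unlock there.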