commit caf6912f3f4af7232340d500a4a2008f81b93f14 upstream.
Fix block device sector offset calculation for swap page io on top of blockdevs that provide a rw_page operation and do page-sized io directly (without the block layer).
Currently swap_page_sector() maps a swap page into a blockdev sector by obtaining the swap page offset (swap map slot), but ignores the swapfile starting offset into the blockdev.
In setups where swapfiles are sitting on top of a filesystem, this results in swap-out activity potentially overwriting filesystem blocks that fall outside the swapfile region.
[This issue only affects swapfiles on filesystems on top of blockdevs that implement rw_page ops (brd, zram, btt, pmem), and not on top of any other block devices, in contrast to the upstream commit fix.]
Fixes: dd6bd0d9c7db ("swap: use bdev_read_page() / bdev_write_page()") Cc: stable@vger.kernel.org # 5.4
Signed-off-by: Anthony Iliopoulos ailiop@suse.com --- mm/page_io.c | 11 +++-------- mm/swapfile.c | 2 +- 2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/mm/page_io.c b/mm/page_io.c
index 60a66a58b9bf..f03dca3f43d9 100644
--- a/mm/page_io.c
+++ b/mm/page_io.c
@@ -37,7 +37,6 @@ static struct bio *get_swap_bio(gfp_t gfp_flags,
bio->bi_iter.bi_sector = map_swap_page(page, &bdev);
 bio_set_dev(bio, bdev);
- bio->bi_iter.bi_sector <<= PAGE_SHIFT - 9;
 bio->bi_end_io = end_io;
bio_add_page(bio, page, PAGE_SIZE * hpage_nr_pages(page), 0);
@@ -260,11 +259,6 @@ int swap_writepage(struct page *page, struct writeback_control *wbc)
 return ret;
 }
-static sector_t swap_page_sector(struct page *page)
-{
- return (sector_t)__page_file_index(page) << (PAGE_SHIFT - 9);
-}
-
 static inline void count_swpout_vm_event(struct page *page)
 {
 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
@@ -323,7 +317,8 @@ int __swap_writepage(struct page *page, struct writeback_control *wbc,
 return ret;
 }
- ret = bdev_write_page(sis->bdev, swap_page_sector(page), page, wbc);
+ ret = bdev_write_page(sis->bdev, map_swap_page(page, &sis->bdev),
+ page, wbc);
 if (!ret) {
 count_swpout_vm_event(page);
 return 0;
@@ -374,7 +369,7 @@ int swap_readpage(struct page *page, bool synchronous)
 return ret;
 }
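Review bot: Passing `&sis->bdev` as the out-parameter in the new `bdev_write_page(sis->bdev, map_swap_page(page, &sis->bdev), page, wbc)` call lets the callee store through a pointer into the shared swap_info_struct while the same argument list reads `sis->bdev`. get_swap_bio() in the first hunk treats that parameter as an output (`map_swap_page(page, &bdev)` followed by `bio_set_dev(bio, bdev)`), so this is presumably a store of the value already there, but it is still a write to shared state from the I/O path, and the call is only correct if that value never differs. A local keeps the lookup free of side effects: `struct block_device *bdev;` `sector_t sector = map_swap_page(page, &bdev);` `ret = bdev_write_page(bdev, sector, page, wbc);`. The same applies to the bdev_read_page() call in the swap_readpage hunk; both functions begin and end outside their hunks.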
- ret = bdev_read_page(sis->bdev, swap_page_sector(page), page);
+ ret = bdev_read_page(sis->bdev, map_swap_page(page, &sis->bdev), page);
 if (!ret) {
 if (trylock_page(page)) {
 swap_slot_free_notify(page);
diff --git a/mm/swapfile.c b/mm/swapfile.c
index 7947633d3ced..2434387194e6 100644
--- a/mm/swapfile.c
+++ b/mm/swapfile.c
@@ -2275,7 +2275,7 @@ sector_t map_swap_page(struct page *page, struct block_device **bdev)
 {
 swp_entry_t entry;
 entry.val = page_private(page);
- return map_swap_entry(entry, bdev);
+ return map_swap_entry(entry, bdev) << (PAGE_SHIFT - 9);
 }
/*
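Review bot: map_swap_page() now returns 512-byte sectors instead of the apparently page-granular value that map_swap_entry() yields, but neither its name nor anything in this hunk documents the new unit. A caller that still applies its own shift would address the wrong blocks on the device, which is the same class of out-of-region write this commit fixes. The callers in mm/page_io.c are converted in this diff; any caller outside it should be checked. I would add a comment above the function such as `/* Returns the 512-byte sector on *bdev that backs this page's swap entry. */`, and update any existing comment before the function (outside the hunk) if it still describes a page offset. Writing the shift as `PAGE_SHIFT - SECTOR_SHIFT` would also explain the 9, if that macro is available in this file.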