Linux-Fsdevel Archive on lore.kernel.org
From: Wonhyuk Yang <vvghjk1234@gmail.com>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Miklos Szeredi <miklos@szeredi.hu>,
	Matthew Wilcox <willy@infradead.org>,
	linux-fsdevel@vger.kernel.org,
	Wonhyuk Yang <vvghjk1234@gmail.com>
Subject: [PATCH] fuse: fix panic in __readahead_batch()
Date: Tue,  3 Nov 2020 21:43:49 +0900
Message-ID: <20201103124349.16722-1-vvghjk1234@gmail.com> (raw)

According to xarray.h, xas_for_each's entry can be RETRY_ENTRY.
RETRY_ENTRY is defined as 0x402 and accessing that address
results in panic.

BUG: kernel NULL pointer dereference, address: 0000000000000402
kernel: RIP: 0010:fuse_readahead+0x152/0x470 [fuse]
CR2: 0000000000000402

Call Trace:
read_pages+0x83/0x270
page_cache_readahead_unbounded+0x197/0x230
generic_file_buffered_read+0x57a/0xa20
new_sync_read+0x112/0x1a0
vfs_read+0xf8/0x180
ksys_read+0x5f/0xe0
do_syscall_64+0x33/0x80
entry_SYSCALL_64_after_hwframe+0x44/0xa9

Signed-off-by: Wonhyuk Yang <vvghjk1234@gmail.com>
---
 include/linux/pagemap.h | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/include/linux/pagemap.h b/include/linux/pagemap.h
index c77b7c31b2e4..4c9f29bbdace 100644
--- a/include/linux/pagemap.h
+++ b/include/linux/pagemap.h
@@ -906,6 +906,12 @@ static inline unsigned int __readahead_batch(struct readahead_control *rac,
 	xas_set(&xas, rac->_index);
 	rcu_read_lock();
 	xas_for_each(&xas, page, rac->_index + rac->_nr_pages - 1) {
+		if (xas_retry(&xas, page))
+			continue;
+
+		if (!xa_is_value(page))
+			continue;
+
 		VM_BUG_ON_PAGE(!PageLocked(page), page);
 		VM_BUG_ON_PAGE(PageTail(page), page);
 		array[i++] = page;
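
Review bot: The second added check, `if (!xa_is_value(page)) continue;`, looks inverted. As written it skips every entry that is not a value entry, so ordinary page pointers never reach `array[i++] = page;`, and the only entries that fall through to the two VM_BUG_ON_PAGE() calls are value entries, which are not struct page pointers. If the intent is to skip non-page entries, the condition should be `if (xa_is_value(page)) continue;`. The `xas_retry(&xas, page)` check is the part that matches the RETRY_ENTRY case described in the commit message; a one-line comment above it saying that xas_for_each() can hand back a retry entry would help the next reader. Because the change is in the generic __readahead_batch() helper in include/linux/pagemap.h and not in fuse code, the "fuse:" subject prefix may also deserve a second look.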
-- 
2.25.1



Thread overview: 7+ messages
2020-11-03 12:43 Wonhyuk Yang [this message]
2020-11-03 14:21 ` Matthew Wilcox
2020-11-03 14:38 ` Matthew Wilcox
2020-11-04  1:20   ` Wonhuyk Yang
2020-11-04  3:59     ` Amy Parker
2020-11-04  5:12       ` Wonhuyk Yang
2020-11-10  6:54 ` [fuse] 51ac7c8929: fio.read_iops -88.2% regression kernel test robot
