From: ppvk@codeaurora.org
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Pradeep P V K <pragalla@qti.qualcomm.com>,
linux-fsdevel@vger.kernel.org,
Matthew Wilcox <willy@infradead.org>,
Sahitya Tummala <stummala@codeaurora.org>,
sayalil@codeaurora.org
Subject: Re: [PATCH V4] fuse: Fix VM_BUG_ON_PAGE issue while accessing zero ref count page
Date: Mon, 14 Sep 2020 19:02:43 +0530 [thread overview]
Message-ID: <a98eb58e0aff49ea0b49db1e90155a2d@codeaurora.org> (raw)
In-Reply-To: <CAJfpegtpLoskZDWwZpsEi=L_5jrvr7=xFG9GZJd8dTdJr647ww@mail.gmail.com>
On 2020-09-14 13:41, Miklos Szeredi wrote:
> On Thu, Sep 10, 2020 at 5:42 PM <ppvk@codeaurora.org> wrote:
>>
>> On 2020-09-08 16:55, Miklos Szeredi wrote:
>> > On Tue, Sep 8, 2020 at 10:17 AM Pradeep P V K
>> > <pragalla@qti.qualcomm.com> wrote:
>> >>
>> >> From: Pradeep P V K <ppvk@codeaurora.org>
>> >>
>> >> There is a potential race between fuse_abort_conn() and
>> >> fuse_copy_page() as shown below, due to which VM_BUG_ON_PAGE
>> >> crash is observed for accessing a free page.
>> >>
>> >> context#1: context#2:
>> >> fuse_dev_do_read() fuse_abort_conn()
>> >> ->fuse_copy_args() ->end_requests()
>> >
>> > This shouldn't happen due to FR_LOCKED logic. Are you seeing this on
>> > an upstream kernel? Which version?
>> >
>> > Thanks,
>> > Miklos
>>
>> This is happen just after unlock_request() in fuse_ref_page(). In
>> unlock_request(), it will clear the FR_LOCKED bit.
>> As there is no protection between context#1 & context#2 during
>> unlock_request(), there are chances that it could happen.
>
> Ah, indeed, I missed that one.
>
> Similar issue in fuse_try_move_page(), which dereferences oldpage
> after unlock_request().
>
> Fix for both is to grab a reference to the page from ap->pages[] array
> *before* calling unlock_request().
>
> Attached untested patch. Could you please verify that it fixes the
> bug?
>
Thanks for the patch. It is an one time issue and bit hard to reproduce
but still we
will verify the above proposed patch and update the test results here.
Minor comments on the commit text of the proposed patch : This issue was
originally reported by me and kernel test robot
identified compilation errors on the patch that i submitted.
This confusion might be due to un proper commit text note on "changes
since v1"
> Thanks,
> Miklos
Thanks and Regards,
Pradeep
next prev parent reply other threads:[~2020-09-14 14:16 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-09-08 8:17 [PATCH V4] fuse: Fix VM_BUG_ON_PAGE issue while accessing zero ref count page Pradeep P V K
2020-09-08 11:25 ` Miklos Szeredi
2020-09-10 15:42 ` ppvk
[not found] ` <0101017478aef256-c8471520-26b1-4b87-a3b8-8266627b704f-000000@us-west-2.amazonses.com>
2020-09-14 8:11 ` Miklos Szeredi
2020-09-14 13:32 ` ppvk [this message]
2020-09-16 15:31 ` ppvk
2020-09-18 8:40 ` Miklos Szeredi
2020-09-08 11:27 ` Matthew Wilcox
2020-09-10 15:49 ` ppvk
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a98eb58e0aff49ea0b49db1e90155a2d@codeaurora.org \
--to=ppvk@codeaurora.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=pragalla@qti.qualcomm.com \
--cc=sayalil@codeaurora.org \
--cc=stummala@codeaurora.org \
--cc=willy@infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).