| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 30 Aug 2018 10:40:51 +0800
From: Larry Chen <lchen@...e.com>
To: Changwei Ge <gechangwei@...e.cn>,
Andrew Morton <akpm@...ux-foundation.org>
Cc: "ocfs2-devel@....oracle.com" <ocfs2-devel@....oracle.com>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Ocfs2-devel] [PATCH] fix crash on
ocfs2_duplicate_clusters_by_page
Hi Andrew and Changwei,
Thanks for your review, I'll propose a new version with comments corrected.
Thanks,
Larry
On 08/30/2018 10:29 AM, Changwei Ge wrote:
> Hi Larry,
>
> Besides Andrew's comments, other parts of this patch look good to me.
>
> Thanks,
>
> Changwei
>
>
> On 2018/8/30 6:25, Andrew Morton wrote:
>> On Wed, 29 Aug 2018 15:47:40 +0800 Larry Chen <lchen@...e.com> wrote:
>>
>>> ocfs2_duplicate_clusters_by_page may crash if one of extent's pages is dirty.
>>> When a page has not been written back, it is still in dirty state. If
>>> ocfs2_duplicate_clusters_by_page is called against the
>>> dirty page, the crash happens.
>>>
>>> To fix this bug, we can just unlock the page and wait the page until
>>> it's not dirty.
>>>
>>> The following is the buck trace dump:
>>>
>>> kernel BUG at /root/code/ocfs2/refcounttree.c:2961!
>>> [exception RIP: ocfs2_duplicate_clusters_by_page+822]
>>> __ocfs2_move_extent+0x80/0x450 [ocfs2]
>>> ? __ocfs2_claim_clusters+0x130/0x250 [ocfs2]
>>> ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2]
>>> __ocfs2_move_extents_range+0x2a4/0x470 [ocfs2]
>>> ocfs2_move_extents+0x180/0x3b0 [ocfs2]
>>> ? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2]
>>> ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2]
>>> ocfs2_ioctl+0x253/0x640 [ocfs2]
>>> do_vfs_ioctl+0x90/0x5f0
>>> SyS_ioctl+0x74/0x80
>>> do_syscall_64+0x74/0x140
>>> entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>>
>>> --- a/fs/ocfs2/refcounttree.c
>>> +++ b/fs/ocfs2/refcounttree.c
>>> @@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>>> if (map_end & (PAGE_SIZE - 1))
>>> to = map_end & (PAGE_SIZE - 1);
>>>
>>> +retry:
>>> page = find_or_create_page(mapping, page_index, GFP_NOFS);
>>> if (!page) {
>>> ret = -ENOMEM;
>>> @@ -2957,8 +2958,15 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>>> * In case PAGE_SIZE <= CLUSTER_SIZE, This page
>>> * can't be dirtied before we CoW it out.
>>> */
>> Looks sane, but the below change shows that the above comment is
>> untrue. Can we please update the comment as well?
>>
>>
>>> - if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize)
>>> - BUG_ON(PageDirty(page));
>>> + if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) {
>>> + if (PageDirty(page)) {
>>> + /*
>>> + * write_on_page will unlock the page on return
>>> + */
>>> + ret = write_one_page(page);
>>> + goto retry;
>>> + }
>>> + }
>>>
>>> if (!PageUptodate(page)) {
>>> ret = block_read_full_page(page, ocfs2_get_block);
>>
>> _______________________________________________
>> Ocfs2-devel mailing list
>> Ocfs2-devel@....oracle.com
>> https://oss.oracle.com/mailman/listinfo/ocfs2-devel
>
Powered by blists - more mailing lists