lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Thu, 30 Aug 2018 10:40:51 +0800
From:   Larry Chen <lchen@...e.com>
To:     Changwei Ge <gechangwei@...e.cn>,
        Andrew Morton <akpm@...ux-foundation.org>
Cc:     "ocfs2-devel@....oracle.com" <ocfs2-devel@....oracle.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [Ocfs2-devel] [PATCH] fix crash on
 ocfs2_duplicate_clusters_by_page

Hi Andrew and Changwei,

Thanks for your review, I'll propose a new version with comments corrected.

Thanks,
Larry
On 08/30/2018 10:29 AM, Changwei Ge wrote:
> Hi Larry,
> 
> Besides Andrew's comments, other parts of this patch look good to me.
> 
> Thanks,
> 
> Changwei
> 
> 
> On 2018/8/30 6:25, Andrew Morton wrote:
>> On Wed, 29 Aug 2018 15:47:40 +0800 Larry Chen <lchen@...e.com> wrote:
>>
>>> ocfs2_duplicate_clusters_by_page may crash if one of extent's pages is dirty.
>>> When a page has not been written back, it is still in dirty state. If
>>> ocfs2_duplicate_clusters_by_page is called against the
>>> dirty page, the crash happens.
>>>
>>> To fix this bug, we can just unlock the page and wait the page until
>>> it's not dirty.
>>>
>>> The following is the buck trace dump:
>>>
>>> kernel BUG at /root/code/ocfs2/refcounttree.c:2961!
>>> [exception RIP: ocfs2_duplicate_clusters_by_page+822]
>>> __ocfs2_move_extent+0x80/0x450 [ocfs2]
>>> ? __ocfs2_claim_clusters+0x130/0x250 [ocfs2]
>>> ocfs2_defrag_extent+0x5b8/0x5e0 [ocfs2]
>>> __ocfs2_move_extents_range+0x2a4/0x470 [ocfs2]
>>> ocfs2_move_extents+0x180/0x3b0 [ocfs2]
>>> ? ocfs2_wait_for_recovery+0x13/0x70 [ocfs2]
>>> ocfs2_ioctl_move_extents+0x133/0x2d0 [ocfs2]
>>> ocfs2_ioctl+0x253/0x640 [ocfs2]
>>> do_vfs_ioctl+0x90/0x5f0
>>> SyS_ioctl+0x74/0x80
>>> do_syscall_64+0x74/0x140
>>> entry_SYSCALL_64_after_hwframe+0x3d/0xa2
>>>
>>> --- a/fs/ocfs2/refcounttree.c
>>> +++ b/fs/ocfs2/refcounttree.c
>>> @@ -2946,6 +2946,7 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>>>    		if (map_end & (PAGE_SIZE - 1))
>>>    			to = map_end & (PAGE_SIZE - 1);
>>>    
>>> +retry:
>>>    		page = find_or_create_page(mapping, page_index, GFP_NOFS);
>>>    		if (!page) {
>>>    			ret = -ENOMEM;
>>> @@ -2957,8 +2958,15 @@ int ocfs2_duplicate_clusters_by_page(handle_t *handle,
>>>    		 * In case PAGE_SIZE <= CLUSTER_SIZE, This page
>>>    		 * can't be dirtied before we CoW it out.
>>>    		 */
>> Looks sane, but the below change shows that the above comment is
>> untrue.  Can we please update the comment as well?
>>
>>
>>> -		if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize)
>>> -			BUG_ON(PageDirty(page));
>>> +		if (PAGE_SIZE <= OCFS2_SB(sb)->s_clustersize) {
>>> +			if (PageDirty(page)) {
>>> +				/*
>>> +				 * write_on_page will unlock the page on return
>>> +				 */
>>> +				ret = write_one_page(page);
>>> +				goto retry;
>>> +			}
>>> +		}
>>>    
>>>    		if (!PageUptodate(page)) {
>>>    			ret = block_read_full_page(page, ocfs2_get_block);
>>
>> _______________________________________________
>> Ocfs2-devel mailing list
>> Ocfs2-devel@....oracle.com
>> https://oss.oracle.com/mailman/listinfo/ocfs2-devel
> 

Powered by blists - more mailing lists