| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <alpine.LSU.2.11.2011240810470.1029@eggly.anvils>
Date: Tue, 24 Nov 2020 08:28:16 -0800 (PST)
From: Hugh Dickins <hughd@...gle.com>
To: Matthew Wilcox <willy@...radead.org>
cc: Hugh Dickins <hughd@...gle.com>,
Linus Torvalds <torvalds@...ux-foundation.org>,
Jan Kara <jack@...e.cz>,
syzbot <syzbot+3622cea378100f45d59f@...kaller.appspotmail.com>,
Andreas Dilger <adilger.kernel@...ger.ca>,
Ext4 Developers List <linux-ext4@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
Theodore Ts'o <tytso@....edu>, Linux-MM <linux-mm@...ck.org>,
Oleg Nesterov <oleg@...hat.com>,
Andrew Morton <akpm@...ux-foundation.org>,
"Kirill A. Shutemov" <kirill@...temov.name>,
Nicholas Piggin <npiggin@...il.com>,
Alex Shi <alex.shi@...ux.alibaba.com>, Qian Cai <cai@....pw>,
Christoph Hellwig <hch@...radead.org>,
"Darrick J. Wong" <darrick.wong@...cle.com>,
William Kucharski <william.kucharski@...cle.com>,
Jens Axboe <axboe@...nel.dk>, linux-fsdevel@...r.kernel.org,
linux-xfs@...r.kernel.org
Subject: Re: kernel BUG at fs/ext4/inode.c:LINE!
On Tue, 24 Nov 2020, Matthew Wilcox wrote:
> On Mon, Nov 23, 2020 at 08:07:24PM -0800, Hugh Dickins wrote:
> >
> > Then on crashing a second time, realized there's a stronger reason against
> > that approach. If my testing just occasionally crashes on that check,
> > when the page is reused for part of a compound page, wouldn't it be much
> > more common for the page to get reused as an order-0 page before reaching
> > wake_up_page()? And on rare occasions, might that reused page already be
> > marked PageWriteback by its new user, and already be waited upon? What
> > would that look like?
> >
> > It would look like BUG_ON(PageWriteback) after wait_on_page_writeback()
> > in write_cache_pages() (though I have never seen that crash myself).
>
> I don't think this is it. write_cache_pages() holds a reference to the
> page -- indeed, it holds the page lock! So this particular race cannot
> cause the page to get recycled. I still have no good ideas what this
> is :-(
It is confusing. I tried to explain that in the final paragraph:
> > Was there a chance of missed wakeups before, since a page freed before
> > reaching wake_up_page() would have PageWaiters cleared? I think not,
> > because each waiter does hold a reference on the page: this bug comes
> > not from real waiters, but from when PageWaiters is a false positive.
but got lost in between the original end_page_writeback() and the patched
version when writing that last part - false positive PageWaiters are not
relevant. I'll try rewording that in the simpler version, following.
The BUG_ON(PageWriteback) would occur when the old use of the page, the
one we do TestClearPageWriteback on, had *no* waiters, so no additional
page reference beyond the page cache (and whoever racily frees it). The
reuse of the page definitely has a waiter holding a reference, as you
point out, and PageWriteback still set; but our belated wake_up_page()
has woken it to hit the BUG_ON.
Hugh
Powered by blists - more mailing lists