[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAFxkdAqU0peBNm_SB3En99bU+o=a+05t-Bwyds0AUFb+2W=CFw@mail.gmail.com>
Date: Tue, 23 Nov 2021 18:40:16 -0600
From: Justin Forbes <jmforbes@...uxtx.org>
To: Miklos Szeredi <mszeredi@...hat.com>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
LKML <linux-kernel@...r.kernel.org>,
Stable <stable@...r.kernel.org>,
Frank Dinoff <fdinoff@...gle.com>
Subject: Re: [PATCH 5.15 056/917] fuse: fix page stealing
On Tue, Nov 23, 2021 at 1:22 PM Miklos Szeredi <mszeredi@...hat.com> wrote:
>
> On Tue, Nov 23, 2021 at 7:29 PM Justin Forbes <jmforbes@...uxtx.org> wrote:
> >
> > On Mon, Nov 15, 2021 at 7:04 PM Greg Kroah-Hartman
> > <gregkh@...uxfoundation.org> wrote:
> > >
> > > From: Miklos Szeredi <mszeredi@...hat.com>
> > >
> > > commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
> > >
> > > It is possible to trigger a crash by splicing anon pipe bufs to the fuse
> > > device.
> > >
> > > The reason for this is that anon_pipe_buf_release() will reuse buf->page if
> > > the refcount is 1, but that page might have already been stolen and its
> > > flags modified (e.g. PG_lru added).
> > >
> > > This happens in the unlikely case of fuse_dev_splice_write() getting around
> > > to calling pipe_buf_release() after a page has been stolen, added to the
> > > page cache and removed from the page cache.
> > >
> > > Fix by calling pipe_buf_release() right after the page was inserted into
> > > the page cache. In this case the page has an elevated refcount so any
> > > release function will know that the page isn't reusable.
> > >
> > > Reported-by: Frank Dinoff <fdinoff@...gle.com>
> > > Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
> > > Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
> > > Cc: <stable@...r.kernel.org> # v2.6.35
> > > Signed-off-by: Miklos Szeredi <mszeredi@...hat.com>
> > > Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
> >
> > It appears this patch causes a rather serious regression in flatpacks
> > using portals to access files. Reverting this patch restores expected
> > behavior. I have asked users in the Fedora bug to test with 5.16-rc2
> > to see if we are just missing a dependent patch in stable, or if this
> > is broken there as well, but no response yet.:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=2025285
> > https://github.com/flatpak/flatpak/issues/4595
>
> Hi,
>
> Thanks for the report. Can someone with the reproducer try the attached patch?
>
> I think the race there is unlikely but possible.
>
Thanks, did a scratch build for that and dropped it in the bug. Only
one user has reported back, but the report was that it did not fix the
issue. I have also gotten confirmation now that the issue is occuring
with 5.16-rc2.
Thanks,
Justin
Powered by blists - more mailing lists