Message-ID: <4901e9a6-f870-c30a-d910-732843d91a0f@huaweicloud.com>
Date: Mon, 21 Oct 2024 11:49:57 +0800
From: Hou Tao <houtao@...weicloud.com>
To: syzbot <syzbot+65d101735df4bb19d2a3@...kaller.appspotmail.com>,
joannelkoong@...il.com, josef@...icpanda.com
Cc: hdanton@...a.com, linux-fsdevel@...r.kernel.org,
linux-kernel@...r.kernel.org, miklos@...redi.hu, mszeredi@...hat.com,
syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] [fuse?] kernel BUG in fuse_dev_do_write
Hi,
On 10/21/2024 9:30 AM, syzbot wrote:
> syzbot has bisected this issue to:
>
> commit 5d9e1455630d0f464f169bbd637dbb264cbd8ac8
> Author: Josef Bacik <josef@...icpanda.com>
> Date: Mon Sep 30 13:45:18 2024 +0000
>
> fuse: convert fuse_notify_store to use folios
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=120dc25f980000
> start commit: 15e7d45e786a Add linux-next specific files for 20241016
> git tree: linux-next
> final oops: https://syzkaller.appspot.com/x/report.txt?x=110dc25f980000
> console output: https://syzkaller.appspot.com/x/log.txt?x=160dc25f980000
> kernel config: https://syzkaller.appspot.com/x/.config?x=c36416f1c54640c0
> dashboard link: https://syzkaller.appspot.com/bug?extid=65d101735df4bb19d2a3
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1623e830580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16582f27980000
>
> Reported-by: syzbot+65d101735df4bb19d2a3@...kaller.appspotmail.com
> Fixes: 5d9e1455630d ("fuse: convert fuse_notify_store to use folios")
>
> For information about bisection process see: https://goo.gl/tpsmEJ#bisection
>
It seems fuse_notify_store invokes folio_zero_range() incorrectly. The
third argument of folio_zero_range() should be the to-copy length
instead of the total length. The following patch will fix the problem:
diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index 5edad55750b0..87e39c9343c4 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1668,7 +1668,7 @@ static int fuse_notify_store(struct fuse_conn *fc,
unsigned int size,
err = fuse_copy_page(cs, &page, offset, this_num, 0);
if (!folio_test_uptodate(folio) && !err && offset == 0 &&
(this_num == folio_size(folio) || file_size == end)) {
- folio_zero_range(folio, this_num,
folio_size(folio));
+ folio_zero_range(folio, this_num,
folio_size(folio) - this_num);
folio_mark_uptodate(folio);
}
folio_unlock(folio);
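Review bot: The corrected call in this hunk is right, but the reason deserves a sentence in the commit message: folio_zero_range() takes (folio, start, length), so the removed line `folio_zero_range(folio, this_num, folio_size(folio));` asked it to zero folio_size() bytes beginning at offset this_num, which runs past the end of the folio whenever this_num is non-zero and is what trips the kernel BUG named in the subject; the added line `folio_zero_range(folio, this_num, folio_size(folio) - this_num);` zeroes only the tail that fuse_copy_page() did not fill, and in the `this_num == folio_size(folio)` branch of the surrounding condition it degrades to a zero-length no-op, which is the intended behaviour. A start/end versus start/length mix-up of this kind is easy to introduce when converting page helpers to folio helpers, so the formal patch should carry the `Fixes: 5d9e1455630d ("fuse: convert fuse_notify_store to use folios")` and `Reported-by:` tags from the syzbot report above so the bisected commit is linked to the fix.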
Will post a formal patch later.