Linux-Fsdevel Archive on lore.kernel.org
From: ppvk@codeaurora.org
To: Miklos Szeredi <miklos@szeredi.hu>
Cc: Pradeep P V K <pragalla@qti.qualcomm.com>,
	linux-fsdevel@vger.kernel.org,
	Matthew Wilcox <willy@infradead.org>,
	Sahitya Tummala <stummala@codeaurora.org>,
	sayalil@codeaurora.org
Subject: Re: [PATCH V4] fuse: Fix VM_BUG_ON_PAGE issue while accessing zero ref count page
Date: Thu, 10 Sep 2020 15:42:46 +0000	[thread overview]
Message-ID: <0101017478aef613-5b81c2f0-b17a-425d-bf79-e4ec49b47857-000000@us-west-2.amazonses.com> (raw)
In-Reply-To: <CAJfpegunet-5BOG74seeL3Gr=xCSStFznphDnuYPWEisbenPog@mail.gmail.com>

On 2020-09-08 16:55, Miklos Szeredi wrote:
> On Tue, Sep 8, 2020 at 10:17 AM Pradeep P V K 
> <pragalla@qti.qualcomm.com> wrote:
>> 
>> From: Pradeep P V K <ppvk@codeaurora.org>
>> 
>> There is a potential race between fuse_abort_conn() and
>> fuse_copy_page() as shown below, due to which VM_BUG_ON_PAGE
>> crash is observed for accessing a free page.
>> 
>> context#1:                      context#2:
>> fuse_dev_do_read()              fuse_abort_conn()
>> ->fuse_copy_args()               ->end_requests()
> 
> This shouldn't happen due to FR_LOCKED logic.   Are you seeing this on
> an upstream kernel?  Which version?
> 
> Thanks,
> Miklos

This happens just after unlock_request() in fuse_ref_page(). In 
unlock_request(), it will clear the FR_LOCKED bit.
As there is no protection between context#1 & context#2 during 
unlock_request(), there are chances that it could happen.

The value of request flags under the "fuse_req" DS is "1561", and this tells 
that the FR_PRIVATE bit is set and thereby it adds the request to the end_io list 
and frees it.
This was seen on an upstream kernel - v4.19 stable.

Thanks and Regards,
Pradeep
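The flags word quoted in the reply (1561) can be decoded into the v4.19 fuse_req flag names to confirm the claim that FR_PRIVATE is set while FR_LOCKED is already clear. This is an added example, not code from the patch or from the fuse tree; the bit order in the enum is my reading of fs/fuse/fuse_i.h in v4.19 (FR_ISREPLY first, FR_PRIVATE last) and should be checked against the exact tree the crash dump came from.

```c
/* Added example: decode a fuse_req->flags word from a crash dump.
 * Assumption: the enum order below matches v4.19 fs/fuse/fuse_i.h
 * (later kernels append more flags); verify against your tree. */
#include <string.h>
#include <stddef.h>

enum fuse_req_flag {
	FR_ISREPLY, FR_FORCE, FR_BACKGROUND, FR_WAITING, FR_ABORTED,
	FR_INTERRUPTED, FR_LOCKED, FR_PENDING, FR_SENT, FR_FINISHED,
	FR_PRIVATE,
	FR_NR_FLAGS
};

static const char *const fr_names[FR_NR_FLAGS] = {
	"FR_ISREPLY", "FR_FORCE", "FR_BACKGROUND", "FR_WAITING", "FR_ABORTED",
	"FR_INTERRUPTED", "FR_LOCKED", "FR_PENDING", "FR_SENT", "FR_FINISHED",
	"FR_PRIVATE",
};

/* Non-zero if the given flag bit is set in the flags word. */
int fr_flag_set(unsigned long flags, enum fuse_req_flag bit)
{
	return (flags >> bit) & 1UL;
}

/* Write the names of all set flags, '|'-separated, into buf.
 * Returns the number of set flags. */
int fr_decode(unsigned long flags, char *buf, size_t len)
{
	int n = 0;
	buf[0] = '\0';
	for (int bit = 0; bit < FR_NR_FLAGS; bit++) {
		if (!fr_flag_set(flags, bit))
			continue;
		if (n++)
			strncat(buf, "|", len - strlen(buf) - 1);
		strncat(buf, fr_names[bit], len - strlen(buf) - 1);
	}
	return n;
}

/* The condition the reply describes: the request has been handed to the
 * abort path (FR_PRIVATE set) although the copy path has already dropped
 * FR_LOCKED, so end_requests() may free it while pages are still in use. */
int fr_unlocked_and_ended(unsigned long flags)
{
	return fr_flag_set(flags, FR_PRIVATE) && !fr_flag_set(flags, FR_LOCKED);
}
```

For flags=1561 the decoder yields FR_ISREPLY|FR_WAITING|FR_ABORTED|FR_FINISHED|FR_PRIVATE, i.e. FR_LOCKED is clear.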