Date: Mon, 10 Feb 2025 20:36:25 +0000
From: Matthew Wilcox
To: Josef Bacik
Cc: Joanne Koong, Vlastimil Babka, Miklos Szeredi, Christian Heusel, regressions@lists.linux.dev, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-mm, Mantas Mikulėnas
Subject: Re: [REGRESSION][BISECTED] Crash with Bad page state for FUSE/Flatpak related applications since v6.13
In-Reply-To: <20250210191235.GA2256827@perftesting>
On Mon, Feb 10, 2025 at 02:12:35PM -0500, Josef Bacik wrote:
> From: Josef Bacik
> Date: Mon, 10 Feb 2025 14:06:40 -0500
> Subject: [PATCH] fuse: drop extra put of folio when using pipe splice
>
> In 3eab9d7bc2f4 ("fuse: convert readahead to use folios"), I converted
> us to using the new folio readahead code, which drops the reference on
> the folio once it is locked, using an inferred reference on the folio.
> Previously we held a reference on the folio for the entire duration of
> the readpages call.
>
> This is fine; however, I failed to catch the case for splice pipe
> responses where we will remove the old folio and splice in the new
> folio. Here we assumed that there is a reference held on the folio for
> ap->folios, which is no longer the case.
>
> To fix this, simply drop the extra put to keep us consistent with the
> non-splice variation. This will fix the UAF bug that was reported.
>
> Link: https://lore.kernel.org/linux-fsdevel/2f681f48-00f5-4e09-8431-2b3dbfaa881e@heusel.eu/
> Fixes: 3eab9d7bc2f4 ("fuse: convert readahead to use folios")
> Signed-off-by: Josef Bacik
> ---
> fs/fuse/dev.c | 2 --
> 1 file changed, 2 deletions(-)
>
> diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
> index 5b5f789b37eb..5bd6e2e184c0 100644
> --- a/fs/fuse/dev.c
> +++ b/fs/fuse/dev.c
> @@ -918,8 +918,6 @@ static int fuse_try_move_page(struct fuse_copy_state *cs, struct page **pagep) > } > > folio_unlock(oldfolio); > - /* Drop ref for ap->pages[] array */ > - folio_put(oldfolio); > cs->len = 0;

But aren't we now leaking a reference to newfolio?  i.e. shouldn't we also:

-	folio_get(newfolio);

a few lines earlier?
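Review bot: dropping only folio_put(oldfolio) leaves the reference counting of this path unbalanced: the deleted comment, "Drop ref for ap->pages[] array", documents that put as the release of the reference the ap->folios slot used to own, and the commit message states that slot no longer owns one, so the matching acquisition for the folio that replaces it (the folio_get(newfolio) the reply above points to, a few lines before this hunk) has no owner left and should be removed in the same patch, otherwise each spliced-in folio keeps an extra count and is never freed. Separately, the hunk header announces 8 old / 6 new lines but only 6 / 4 are reproduced here, so the trailing context of this hunk is missing from this copy; apply and review it against the full file rather than this excerpt.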