Re: [PATCH] FUSE: fix beyond-end-of-page access in fuse_parse_cache()

From: Miklos Szeredi
Date: Sun Sep 22 2019 - 14:56:55 EST

Next message: Sasha Levin: "[PATCH AUTOSEL 4.19 111/128] platform/x86: intel_pmc_core: Do not ioremap RAM"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.19 104/128] md/raid1: fail run raid1 array when active disk less than one"
In reply to: Tejun Heo: "[PATCH] FUSE: fix beyond-end-of-page access in fuse_parse_cache()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sun, Sep 22, 2019 at 3:19 PM Tejun Heo <tj@xxxxxxxxxx> wrote:
>
> With DEBUG_PAGEALLOC on, the following triggers.
>
> BUG: unable to handle page fault for address: ffff88859367c000
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 3001067 P4D 3001067 PUD 406d3a8067 PMD 406d30c067 PTE 800ffffa6c983060
> Oops: 0000 [#1] SMP DEBUG_PAGEALLOC
> CPU: 38 PID: 3110657 Comm: python2.7
> RIP: 0010:fuse_readdir+0x88f/0xe7a [fuse]
> Code: 49 8b 4d 08 49 39 4e 60 0f 84 44 04 00 00 48 8b 43 08 43 8d 1c 3c 4d 01 7e 68 49 89 dc 48 03 5c 24 38 49 89 46 60 8b 44 24 30 <8b> 4b 10 44 29 e0 48 89 ca 48 83 c1 1f 48 83 e1 f8 83 f8 17 49 89
> RSP: 0018:ffffc90035edbde0 EFLAGS: 00010286
> RAX: 0000000000001000 RBX: ffff88859367bff0 RCX: 0000000000000000
> RDX: 0000000000000000 RSI: ffff88859367bfed RDI: 0000000000920907
> RBP: ffffc90035edbe90 R08: 000000000000014b R09: 0000000000000004
> R10: ffff88859367b000 R11: 0000000000000000 R12: 0000000000000ff0
> R13: ffffc90035edbee0 R14: ffff889fb8546180 R15: 0000000000000020
> FS: 00007f80b5f4a740(0000) GS:ffff889fffa00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffff88859367c000 CR3: 0000001c170c2001 CR4: 00000000003606e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> iterate_dir+0x122/0x180
> __x64_sys_getdents+0xa6/0x140
> do_syscall_64+0x42/0x100
> entry_SYSCALL_64_after_hwframe+0x44/0xa9
>
> faddr2line says
>
> fuse_readdir+0x88f/0x38fc9b:
> fuse_parse_cache at /builddir/build/BUILD/kernel-5.2.9-1992_g2c63931edbb0/fs/fuse/readdir.c:375
> (inlined by) fuse_readdir_cached at /builddir/build/BUILD/kernel-5.2.9-1992_g2c63931edbb0/fs/fuse/readdir.c:524
> (inlined by) fuse_readdir at /builddir/build/BUILD/kernel-5.2.9-1992_g2c63931edbb0/fs/fuse/readdir.c:562
>
> It's in fuse_parse_cache(). %rbx (ffff88859367bff0) is fuse_dirent
> pointer - addr + offset. FUSE_DIRENT_SIZE() is trying to dereference
> namelen off of it but that derefs into the next page which is disabled
> by pagealloc debug causing a PF.
>
> This is caused by dirent->namelen being accessed before ensuring that
> there's enough bytes in the page for the dirent. Fix it by pushing
> down reclen calculation.

Thanks, applied.

Miklos

Next message: Sasha Levin: "[PATCH AUTOSEL 4.19 111/128] platform/x86: intel_pmc_core: Do not ioremap RAM"
Previous message: Sasha Levin: "[PATCH AUTOSEL 4.19 104/128] md/raid1: fail run raid1 array when active disk less than one"
In reply to: Tejun Heo: "[PATCH] FUSE: fix beyond-end-of-page access in fuse_parse_cache()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]