Re: [syzbot] general protection fault in skb_dequeue (3)

From: David Howells
Date: Fri Feb 03 2023 - 11:25:03 EST


David Howells <dhowells@xxxxxxxxxx> wrote:

> I think I have managed to isolate the bug to the read side of sendfile() or
> the pipe in the middle by the following:

I did something similar in iov_iter_extract_pipe_pages(), allocating a
permanent page there:

+ mutex_lock(&extract_tmp_lock);
+ if (!extract_tmp) {
+ pr_notice("alloc extract_tmp\n");
+ extract_tmp = alloc_page(GFP_USER);
+ if (extract_tmp) {
+ SetPageDebugMark(extract_tmp);
+ page_ref_add(extract_tmp, 200);
+ }
+ }
+ mutex_unlock(&extract_tmp_lock);
+ if (!extract_tmp)
+ return -ENOMEM;

and then subbing that for the returned page:

chunk = min_t(size_t, left, PAGE_SIZE - offset);
left -= chunk;
- *p++ = page;
+ //*p++ = page;
+ *p++ = extract_tmp;
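Review bot: extract_tmp is stored into the slot without a get_page() first, so every consumer's put on it eats into the fixed pin taken when it was allocated rather than balancing a per-slot reference; add a get_page(extract_tmp) before *p++ = extract_tmp, and check that the reference on the real `page`, which is no longer passed on, is still released somewhere so it does not leak for the duration of the test. Remove the `//*p++ = page;` line instead of leaving it commented out, and note in the description that the DIO data now lands in the scratch page, so the pipe contents are not meaningful and the result shows only that the oops is tied to the lifetime of the real page.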

That makes the oopses stop happening. Pages are still being added to the pipe
at one end and being removed at the other.

So I'm guessing a DMA happens to the destination buffer for the DIO read after
it has been released.

David