Re: [syzbot] general protection fault in skb_dequeue (3)

From: David Howells
Date: Fri Feb 03 2023 - 11:31:22 EST

Next message: Will Deacon: "Re: [PATCH 1/2] cpuset: Fix cpuset_cpus_allowed() to not filter offline CPUs"
Previous message: Christoph Hellwig: "Re: How does ftruncate() interact with DIO read?"
In reply to: Christoph Hellwig: "Re: How does ftruncate() interact with DIO read?"
Next in thread: John Hubbard: "Re: [syzbot] general protection fault in skb_dequeue (3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

David Howells <dhowells@xxxxxxxxxx> wrote:

> I think I have managed to isolate the bug to the read side of sendfile() or
> the pipe in the middle by the following:
>
> In iter_file_splice_write(), I allocate a permanent page:
> ...
> and then stick it into the BVEC iter to be handed over to vfs_iter_write()
> instead of buf->page:
>
> - array[n].bv_page = buf->page;
> + array[n].bv_page = splice_tmp;
> + trace_page_ref_set(splice_tmp, 887);
> array[n].bv_len = this_len;
> array[n].bv_offset = buf->offset;
>
> that prevents vfs_iter_write() from ever seeing the pages from the pipe - but
> the crash still happens even with this change.

With the DIO output isolation in iov_iter_extract_pipe_pages(), this change
can be removed without causing oopses to happen.

David

Next message: Will Deacon: "Re: [PATCH 1/2] cpuset: Fix cpuset_cpus_allowed() to not filter offline CPUs"
Previous message: Christoph Hellwig: "Re: How does ftruncate() interact with DIO read?"
In reply to: Christoph Hellwig: "Re: How does ftruncate() interact with DIO read?"
Next in thread: John Hubbard: "Re: [syzbot] general protection fault in skb_dequeue (3)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]