From: Miklos Szeredi
Date: Thu, 10 Jan 2019 12:00:08 +0100
Subject: Re: [PATCH 1/2] fuse: Fix race in fuse_writepage_in_flight()
To: Kirill Tkhai
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org

On Thu, Jan 10, 2019 at 11:48 AM Kirill Tkhai wrote:
>
> Hi, Miklos,
>
> any comments about this?

Is there a reproducer?  ISTR that fsx-linux with mmaps enabled was
good for stressing the writeback_cache code.

Thanks,
Miklos

>
> On 26.11.2018 12:46, Kirill Tkhai wrote:
> > Checking for FR_PENDING in fuse_writepage_in_flight() is racy.
> > It does not guarantee the first request in misc.write.next list
> > is not in userspace, since there we take fc->lock, while
> > fuse_dev_do_read() takes fiq->waitq.lock:
> >
> > fuse_dev_read()                         fuse_writepage_in_flight()
> >                                           test_bit(FR_PENDING)
> >   clear_bit(FR_PENDING)
> >   handle old_req->pages[0] in userspace
> >                                           copy_highpage(old_req->pages[0], page)
> >                                                                            ^^^^^
> >                                           userspace never sees this page
> >
> > The only reliable way to determine whether we are able to replace
> > old_req's page is to completely skip the first request in the list.
> > This patch makes the function do that.
> >
> > Signed-off-by: Kirill Tkhai
> > ---
> >  fs/fuse/file.c | 4 +++-
> >  1 file changed, 3 insertions(+), 1 deletion(-)
> > > > diff --git a/fs/fuse/file.c b/fs/fuse/file.c > > index b52f9baaa3e7..c6650c68b31a 100644 > > --- a/fs/fuse/file.c > > +++ b/fs/fuse/file.c > > @@ -1740,6 +1740,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req, > > { > > struct fuse_conn *fc = get_fuse_conn(new_req->inode); > > struct fuse_inode *fi = get_fuse_inode(new_req->inode); > > + struct fuse_req *first_req; > > struct fuse_req *tmp; > > struct fuse_req *old_req; > > bool found = false; > > @@ -1764,6 +1765,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req, > > } > > > > new_req->num_pages = 1; > > + first_req = old_req; > > for (tmp = old_req; tmp != NULL; tmp = tmp->misc.write.next) { > > BUG_ON(tmp->inode != new_req->inode); > > curr_index = tmp->misc.write.in.offset >> PAGE_SHIFT; > > @@ -1773,7 +1775,7 @@ static bool fuse_writepage_in_flight(struct fuse_req *new_req, > > } > > } > > > > - if (old_req->num_pages == 1 && test_bit(FR_PENDING, &old_req->flags)) { > > + if (old_req->num_pages == 1 && old_req != first_req) { > > struct backing_dev_info *bdi = inode_to_bdi(page->mapping->host); > > > > copy_highpage(old_req->pages[0], page); > >
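Review bot: In the second hunk (at -1764), `first_req = old_req;` only matters if the loop that follows can reassign `old_req`, and that assignment is outside the visible context. Since `first_req` exists solely for the later pointer comparison, add a short comment at the assignment saying it records the head of the misc.write.next chain, so the check in the next hunk can be read without the changelog.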
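Review bot: In the last hunk (at -1773), the new condition `old_req->num_pages == 1 && old_req != first_req` drops the FR_PENDING test with no comment explaining why a non-head request is safe to overwrite. The changelog's reasoning (only the first request in the misc.write.next list may already be in userspace, and fc->lock does not exclude the reader taking fiq->waitq.lock) belongs next to the check. The changelog should also say that a single-page head request that is still pending is no longer updated in place, since that is a behaviour change beyond closing the race.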
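The interleaving from the quoted commit message, replayed single-threaded so the outcome is deterministic. This is an added illustration, not code from the patch or from the kernel: `struct req`, `dev_read`, `old_check`, `new_check` and `replay` are hypothetical names, and the model assumes, as the commit message argues, that only the first request in the list can have been handed to userspace.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct req {                 /* toy stand-in for struct fuse_req */
    bool pending;            /* models FR_PENDING */
    char page[8];            /* models pages[0] */
};
typedef bool (*check_fn)(const struct req *head, const struct req *target);

/* Reader side of the diagram: clear the flag, hand the page to userspace. */
static void dev_read(struct req *r, char *seen)
{
    r->pending = false;
    memcpy(seen, r->page, sizeof r->page);
}

/* Pre-patch test: trust the flag sampled before the copy. */
static bool old_check(const struct req *head, const struct req *target)
{
    return target->pending;
}

/* Post-patch test: never modify the list head in place. */
static bool new_check(const struct req *head, const struct req *target)
{
    return target != head;
}

/* Replay in the diagram's order: writer tests, reader runs, writer copies.
 * target_idx picks the request holding the page (0 = list head).
 * Returns true if "new" went into a page userspace had already consumed. */
static bool replay(check_fn check, int target_idx)
{
    struct req list[2] = { { true, "old" }, { true, "old" } };
    struct req *target = &list[target_idx];
    char seen[8];
    bool replace = check(&list[0], target);  /* test_bit() or pointer test */
    dev_read(&list[0], seen);                /* lands inside the window */
    if (replace)
        memcpy(target->page, "new", 4);      /* copy_highpage() */
    return replace && target == &list[0] && strcmp(seen, "new") != 0;
}

int main(void)
{
    printf("lost: old/head=%d new/head=%d new/chained=%d\n",
           replay(old_check, 0), replay(new_check, 0), replay(new_check, 1));
    return 0;
}
```

With the flag test the head request is overwritten after userspace has already taken its copy; with the pointer test the head is left alone, and only a chained request that has not been read yet is updated in place.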