From: Miklos Szeredi
Date: Wed, 24 Nov 2021 17:21:26 +0100
Subject: Re: [PATCH 4.4 109/162] fuse: fix page stealing
To: Greg Kroah-Hartman
Cc: lkml, stable, Frank Dinoff

On Wed, Nov 24, 2021 at 1:04 PM Greg Kroah-Hartman wrote:
>
> From: Miklos Szeredi
>
> commit 712a951025c0667ff00b25afc360f74e639dfabe upstream.
>
> It is possible to trigger a crash by splicing anon pipe bufs to the fuse
> device.
>
> The reason for this is that anon_pipe_buf_release() will reuse buf->page if
> the refcount is 1, but that page might have already been stolen and its
> flags modified (e.g. PG_lru added).
>
> This happens in the unlikely case of fuse_dev_splice_write() getting around
> to calling pipe_buf_release() after a page has been stolen, added to the
> page cache and removed from the page cache.
>
> Fix by calling pipe_buf_release() right after the page was inserted into
> the page cache. In this case the page has an elevated refcount so any
> release function will know that the page isn't reusable.
>
> Reported-by: Frank Dinoff
> Link: https://lore.kernel.org/r/CAAmZXrsGg2xsP1CK+cbuEMumtrqdvD-NKnWzhNcvn71RV3c1yw@mail.gmail.com/
> Fixes: dd3bb14f44a6 ("fuse: support splice() writing to fuse device")
> Cc: # v2.6.35
> Signed-off-by: Miklos Szeredi
> Signed-off-by: Greg Kroah-Hartman

Hi Greg,

This patch turned out to have a bug, so stable releases that didn't yet
have it released might be better off backing it out for now and releasing
only together with the fix to avoid regressions.

Thanks,
Miklos