fuse: launder page should wait for page writeback

Qian Cai reports that the WARNING in tree_insert() can be triggered by a fuzzer with the following call chain: invalidate_inode_pages2_range() fuse_launder_page() fuse_writepage_locked() tree_insert() The reason is that another write for the same page is already queued. The simplest fix is to wait until the pending write is completed and only after that queue the new write. Since this case is very rare, the additional wait should not be a problem. Reported-by: N Qian Cai <cai@redhat.com> Signed-off-by: N Miklos Szeredi <mszeredi@redhat.com>

fuse: launder page should wait for page writeback
Qian Cai reports that the WARNING in tree_insert() can be triggered by a fuzzer with the following call chain: invalidate_inode_pages2_range() fuse_launder_page() fuse_writepage_locked() tree_insert() The reason is that another write for the same page is already queued. The simplest fix is to wait until the pending write is completed and only after that queue the new write. Since this case is very rare, the additional wait should not be a problem. Reported-by: N Qian Cai <cai@redhat.com> Signed-off-by: N Miklos Szeredi <mszeredi@redhat.com>
3993382b · Miklos Szeredi · 3650b228 · 3993382b
隐藏空白更改
内联并排

Showing with 3 addition and 0 deletion

fs/fuse/file.c fs/fuse/file.c +3 -0

未找到文件。
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2281,6 +2281,9 @@ static int fuse_launder_page(struct page *page)
 	int err = 0;
 	if (clear_page_dirty_for_io(page)) {
 		struct inode *inode = page->mapping->host;
+
+		/* Serialize with pending writeback for the same page */
+		fuse_wait_on_page_writeback(inode, page->index);
 		err = fuse_writepage_locked(page);
 		if (!err)
 			fuse_wait_on_page_writeback(inode, page->index);