ANDROID: mm: page_pinner: use put_user_page at fuse_copy_finish

fuse could use get_user_pages_fast by iov_iter_get_pages at fuse_copy_fill so close the false positive by attributing it by put_user_page. Page pinned via pid 670, ts 4554195916 ns PFN 83125 Block 162 type Movable Flags 0xfffffc008001e(referenced|uptodate|dirty|lru|swapbacked) try_grab_compound_head+0x1e8/0x240 internal_get_user_pages_fast+0x66d/0xca0 iov_iter_get_pages+0xd4/0x3a0 fuse_copy_fill+0x197/0x200 fuse_copy_one+0x6e/0xf0 fuse_dev_do_read.constprop.0+0x435/0x7e0 fuse_dev_read+0x5d/0x90 new_sync_read+0x115/0x1a0 vfs_read+0xf4/0x180 ksys_read+0x5f/0xe0 do_syscall_64+0x33/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xae Bug: 183414571 Signed-off-by: Minchan Kim <minchan@kernel.org> Signed-off-by: Minchan Kim <minchan@google.com> Change-Id: Idc80d4a34b546f25e8f6dbc68313d39586e914d9
2021-03-18 09:32:48 -07:00 · 2021-03-18 09:32:48 -07:00 · 2de28a0bdd
commit 2de28a0bdd
parent f8d9ffe242
1 changed files with 5 additions and 1 deletions
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@ -684,7 +684,11 @@ static void fuse_copy_finish(struct fuse_copy_state *cs)
 			flush_dcache_page(cs->pg);
 			set_page_dirty_lock(cs->pg);
 		}
-		put_page(cs->pg);
+		/*
+		 * The page could be GUP page(see iov_iter_get_pages in
+		 * fuse_copy_fill) so use put_user_page to release it.
+		 */
+		put_user_page(cs->pg);
 	}
 	cs->pg = NULL;
 }