From: David Howells <dhowells@redhat.com>
Cc: dhowells@redhat.com, Jens Axboe <axboe@kernel.dk>,
Al Viro <viro@zeniv.linux.org.uk>,
Linus Torvalds <torvalds@linux-foundation.org>,
Christoph Hellwig <hch@lst.de>,
Christian Brauner <christian@brauner.io>,
David Laight <David.Laight@ACULAB.COM>,
Matthew Wilcox <willy@infradead.org>,
Jeff Layton <jlayton@kernel.org>,
linux-fsdevel@vger.kernel.org, linux-block@vger.kernel.org,
linux-mm@kvack.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH v7 08/12] iov_iter: Don't deal with iter->copy_mc in memcpy_from_iter_mc()
Date: Mon, 02 Oct 2023 10:25:51 +0100
Message-ID: <1809398.1696238751@warthog.procyon.org.uk>
In-Reply-To: <20230925120309.1731676-9-dhowells@redhat.com>
David Howells <dhowells@redhat.com> wrote:
> +static size_t __copy_from_iter_mc(void *addr, size_t bytes, struct iov_iter *i)
> {
> - struct iov_iter *iter = priv2;
> + size_t progress;
>
> - if (iov_iter_is_copy_mc(iter))
> - return copy_mc_to_kernel(to + progress, iter_from, len);
> - return memcpy_from_iter(iter_from, progress, len, to, priv2);
> + if (unlikely(i->count < bytes))
> + bytes = i->count;
> + if (unlikely(!bytes))
> + return 0;
> + progress = iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
> + i->count -= progress;
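Review bot: the final `i->count -= progress;` in __copy_from_iter_mc() charges the copied bytes a second time once iterate_bvec() adjusts i->count itself, which is the point the reply below makes; drop that line so the count is maintained in one place only, otherwise the iterator's count falls out of step with its position, which is the state in which the KASAN stack-out-of-bounds report in __copy_from_iter_mc() below was produced.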
i->count shouldn't be decreased here as iterate_bvec() now does that.
This causes the LTP abort01 test to log a warning under KASAN (see below).
I'll remove the line and repush the patches.
David
LTP: starting abort01
==================================================================
BUG: KASAN: stack-out-of-bounds in __copy_from_iter_mc+0x2e6/0x480
Read of size 4 at addr ffffc90004777594 by task abort01/708
CPU: 4 PID: 708 Comm: abort01 Not tainted 99.6.0-rc3-ged6251886a1d #46
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009)/Incus, BIOS unknown 2/2/2022
Call Trace:
<TASK>
dump_stack_lvl+0x3d/0x70
print_report+0xce/0x650
? lock_acquire+0x1b1/0x330
kasan_report+0xda/0x110
? __copy_from_iter_mc+0x2e6/0x480
? __copy_from_iter_mc+0x2e6/0x480
__copy_from_iter_mc+0x2e6/0x480
copy_page_from_iter_atomic+0x517/0x1350
? __pfx_copy_page_from_iter_atomic+0x10/0x10
? __filemap_get_folio+0x281/0x6c0
? folio_wait_writeback+0x53/0x1e0
? prepare_pages.constprop.0+0x40b/0x6c0
btrfs_copy_from_user+0xc6/0x290
btrfs_buffered_write+0x8c9/0x1190
? __pfx_btrfs_buffered_write+0x10/0x10
? _raw_spin_unlock+0x2d/0x50
? btrfs_file_llseek+0x100/0xf00
? follow_page_mask+0x69f/0x1e10
btrfs_do_write_iter+0x859/0xff0
? __pfx_btrfs_file_llseek+0x10/0x10
? find_held_lock+0x2d/0x110
? __pfx_btrfs_do_write_iter+0x10/0x10
? __up_read+0x211/0x790
? __pfx___get_user_pages+0x10/0x10
? __pfx___up_read+0x10/0x10
? __kernel_write_iter+0x3be/0x6d0
__kernel_write_iter+0x226/0x6d0
? __pfx___kernel_write_iter+0x10/0x10
dump_user_range+0x25d/0x650
? __pfx_dump_user_range+0x10/0x10
? __pfx_writenote+0x10/0x10
elf_core_dump+0x231f/0x2e90
? __pfx_elf_core_dump+0x10/0x10
? do_coredump+0x12a9/0x38c0
? kasan_set_track+0x25/0x30
? __kasan_kmalloc+0xaa/0xb0
? __kmalloc_node+0x6c/0x1b0
? do_coredump+0x12a9/0x38c0
? get_signal+0x1e7d/0x20f0
? 0xffffffffff600000
? mas_next_slot+0x328/0x1dd0
? lock_acquire+0x162/0x330
? do_coredump+0x2537/0x38c0
do_coredump+0x2537/0x38c0
? __pfx_do_coredump+0x10/0x10
? kmem_cache_free+0x114/0x520
? find_held_lock+0x2d/0x110
get_signal+0x1e7d/0x20f0
? __pfx_get_signal+0x10/0x10
? do_send_specific+0xf1/0x1c0
? __pfx_do_send_specific+0x10/0x10
arch_do_signal_or_restart+0x8b/0x4b0
? __pfx_arch_do_signal_or_restart+0x10/0x10
exit_to_user_mode_prepare+0xde/0x210
syscall_exit_to_user_mode+0x16/0x50
do_syscall_64+0x53/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
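To make the double-decrement concrete, here is an added, self-contained C model of the mistake; it is not kernel code and not part of this thread. `struct toy_iter`, `toy_iterate()` (a stand-in for an iterate helper that charges the copied bytes to `count` itself) and `toy_copy_from_iter()` (a caller shaped like the quoted __copy_from_iter_mc(), with a switch that re-adds the extra `i->count -= progress`) are all hypothetical names and simplifications. Run with the extra charge, a six-byte buffer drained in four-byte chunks leaves `count` wrapped below zero after the first call, so the `if (i->count < bytes)` clamp no longer limits the second copy and the model records a read past the end of the buffer; without the extra charge the same requests drain the buffer exactly.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical toy iterator over one contiguous buffer; a stand-in for an
 * iov_iter-style object, not the kernel's structure. */
struct toy_iter {
    const unsigned char *buf;  /* backing data */
    size_t buf_len;            /* bytes actually present in buf */
    size_t offset;             /* position of the next unread byte */
    size_t count;              /* bytes the iterator believes remain */
    size_t oob_bytes;          /* bytes a real copy would have read past buf */
};

/* Final state of one scenario, returned so a caller can inspect it. */
struct toy_result {
    size_t copied;      /* total bytes handed back to the caller */
    size_t count_left;  /* iterator count after the last copy */
    size_t oob_bytes;   /* bytes that would have been read out of bounds */
};

/* Stand-in for an iterate helper that copies, advances the position and
 * charges the copied bytes to count itself (hypothetical). */
static size_t toy_iterate(struct toy_iter *i, size_t bytes, unsigned char *dst)
{
    size_t avail = i->offset < i->buf_len ? i->buf_len - i->offset : 0;

    if (bytes > avail) {
        /* A real memcpy would read past the buffer here; a sanitizer such
         * as KASAN is what reports that read in the kernel. */
        i->oob_bytes += bytes - avail;
        bytes = avail;
    }
    memcpy(dst, i->buf + i->offset, bytes);
    i->offset += bytes;
    i->count -= bytes;
    return bytes;
}

/* Caller shaped like the quoted __copy_from_iter_mc(); double_charge re-adds
 * the "i->count -= progress" line that the message removes. */
static size_t toy_copy_from_iter(unsigned char *dst, size_t bytes,
                                 struct toy_iter *i, bool double_charge)
{
    size_t progress;

    if (i->count < bytes)
        bytes = i->count;
    if (!bytes)
        return 0;
    progress = toy_iterate(i, bytes, dst);
    if (double_charge)
        i->count -= progress;   /* the bug: toy_iterate() already did this */
    return progress;
}

/* Drains a constructed six-byte buffer with two four-byte requests. */
static struct toy_result run_scenario(bool double_charge)
{
    static const unsigned char data[6] = "abcdef";   /* constructed input */
    struct toy_iter it = { data, sizeof(data), 0, sizeof(data), 0 };
    struct toy_result r = { 0, 0, 0 };
    unsigned char dst[4];

    for (int k = 0; k < 2; k++)
        r.copied += toy_copy_from_iter(dst, sizeof(dst), &it, double_charge);
    r.count_left = it.count;
    r.oob_bytes = it.oob_bytes;
    return r;
}

int main(void)
{
    struct toy_result bad = run_scenario(true);
    struct toy_result good = run_scenario(false);

    printf("double charge: copied %zu, count left %zu, oob bytes %zu\n",
           bad.copied, bad.count_left, bad.oob_bytes);
    printf("single charge: copied %zu, count left %zu, oob bytes %zu\n",
           good.copied, good.count_left, good.oob_bytes);
    return 0;
}
```

The invariant worth checking in a review of any such helper is that exactly one layer decrements the remaining count per copy; once `count` is adjusted twice it can wrap, and a size-based clamp on it stops protecting the copy.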