* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
[not found] <6731d39c.050a0220.1fb99c.014e.GAE@google.com>
@ 2024-11-17 1:38 ` syzbot
2024-11-17 1:45 ` asmadeus
` (4 more replies)
0 siblings, 5 replies; 10+ messages in thread
From: syzbot @ 2024-11-17 1:38 UTC (permalink / raw)
To: akpm, asmadeus, ericvh, linux-kernel, linux-mm, linux_oss, lucho,
syzkaller-bugs, v9fs
syzbot has found a reproducer for the following issue on:
HEAD commit: e8bdb3c8be08 Merge tag 'riscv-for-linus-6.12-rc8' of git:/..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=136a52e8580000
kernel config: https://syzkaller.appspot.com/x/.config?x=327b6119dd928cbc
dashboard link: https://syzkaller.appspot.com/bug?extid=885c03ad650731743489
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1642d2c0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14547130580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-e8bdb3c8.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/3fca1f7d05f3/vmlinux-e8bdb3c8.xz
kernel image: https://storage.googleapis.com/syzbot-assets/51d966b1b453/bzImage-e8bdb3c8.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
BUG: TASK stack guard page was hit at ffffc90005abfff8 (stack is ffffc90005ac0000..ffffc90005ac8000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 UID: 0 PID: 6005 Comm: syz-executor698 Not tainted 6.12.0-rc7-syzkaller-00189-ge8bdb3c8be08 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mark_lock+0xb0/0xc60 kernel/locking/lockdep.c:4703
Code: fe 09 0f 87 e3 00 00 00 41 83 fe 08 49 89 fc 48 89 f3 0f 84 97 00 00 00 41 bd 01 00 00 00 44 89 f1 41 d3 e5 4d 63 ed 48 89 df <e8> cb 6b ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 60 48 89 f9
RSP: 0018:ffffc90005ac0000 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff888029b953b0 RCX: 0000000000000003
RDX: 0000000000000002 RSI: ffff888029b953b0 RDI: ffff888029b953b0
RBP: ffffc90005ac0138 R08: 0000000000000000 R09: 0000000000000006
R10: ffffffff96e2ed1f R11: 0000000000000002 R12: ffff888029b94880
R13: 0000000000000200 R14: 0000000000000009 R15: 1ffff92000b58006
FS: 00007f59e396f6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90005abfff8 CR3: 000000003c6a2000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<#DF>
</#DF>
<TASK>
mark_usage kernel/locking/lockdep.c:4646 [inline]
__lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
rcu_read_lock include/linux/rcupdate.h:849 [inline]
page_ext_get+0x3a/0x310 mm/page_ext.c:525
__set_page_owner+0x96/0x560 mm/page_owner.c:322
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
prep_new_page mm/page_alloc.c:1564 [inline]
get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
__alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
alloc_slab_page mm/slub.c:2412 [inline]
allocate_slab mm/slub.c:2578 [inline]
new_slab+0x2c9/0x410 mm/slub.c:2631
___slab_alloc+0xdac/0x1880 mm/slub.c:3818
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141
p9_tag_alloc+0x9c/0x870 net/9p/client.c:281
p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644
p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793
p9_client_read_once+0x443/0x820 net/9p/client.c:1570
p9_client_read+0x13f/0x1b0 net/9p/client.c:1534
v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74
netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline]
netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline]
netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline]
netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221
netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256
v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
__kernel_read+0x3f1/0xb50 fs/read_write.c:527
integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28
ima_calc_file_hash_tfm+0x2c9/0x3e0 security/integrity/ima/ima_crypto.c:480
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x1ba/0x490 security/integrity/ima/ima_crypto.c:568
ima_collect_measurement+0x89f/0xa40 security/integrity/ima/ima_api.c:293
process_measurement+0x1271/0x2370 security/integrity/ima/ima_main.c:372
ima_file_check+0xc1/0x110 security/integrity/ima/ima_main.c:572
security_file_post_open+0x8e/0x210 security/security.c:3129
do_open fs/namei.c:3776 [inline]
path_openat+0x1419/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_open fs/open.c:1438 [inline]
__se_sys_open fs/open.c:1434 [inline]
__x64_sys_open+0x154/0x1e0 fs/open.c:1434
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f59e39b43e9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f59e396f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f59e3a3e308 RCX: 00007f59e39b43e9
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
RBP: 00007f59e3a3e300 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f59e3a3e30c
R13: 00007f59e3a0b074 R14: 0030656c69662f2e R15: 00000000ffffff3c
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mark_lock+0xb0/0xc60 kernel/locking/lockdep.c:4703
Code: fe 09 0f 87 e3 00 00 00 41 83 fe 08 49 89 fc 48 89 f3 0f 84 97 00 00 00 41 bd 01 00 00 00 44 89 f1 41 d3 e5 4d 63 ed 48 89 df <e8> cb 6b ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 60 48 89 f9
RSP: 0018:ffffc90005ac0000 EFLAGS: 00010002
RAX: 0000000000000000 RBX: ffff888029b953b0 RCX: 0000000000000003
RDX: 0000000000000002 RSI: ffff888029b953b0 RDI: ffff888029b953b0
RBP: ffffc90005ac0138 R08: 0000000000000000 R09: 0000000000000006
R10: ffffffff96e2ed1f R11: 0000000000000002 R12: ffff888029b94880
R13: 0000000000000200 R14: 0000000000000009 R15: 1ffff92000b58006
FS: 00007f59e396f6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc90005abfff8 CR3: 000000003c6a2000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: fe 09 decb (%rcx)
2: 0f 87 e3 00 00 00 ja 0xeb
8: 41 83 fe 08 cmp $0x8,%r14d
c: 49 89 fc mov %rdi,%r12
f: 48 89 f3 mov %rsi,%rbx
12: 0f 84 97 00 00 00 je 0xaf
18: 41 bd 01 00 00 00 mov $0x1,%r13d
1e: 44 89 f1 mov %r14d,%ecx
21: 41 d3 e5 shl %cl,%r13d
24: 4d 63 ed movslq %r13d,%r13
27: 48 89 df mov %rbx,%rdi
* 2a: e8 cb 6b ff ff call 0xffff6bfa <-- trapping instruction
2f: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
36: fc ff df
39: 48 8d 78 60 lea 0x60(%rax),%rdi
3d: 48 89 f9 mov %rdi,%rcx
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
@ 2024-11-17 1:45 ` asmadeus
2024-11-18 16:23 ` David Howells
` (3 subsequent siblings)
4 siblings, 0 replies; 10+ messages in thread
From: asmadeus @ 2024-11-17 1:45 UTC (permalink / raw)
To: Lizhi Xu
Cc: syzbot, akpm, ericvh, linux-kernel, linux-mm, linux_oss, lucho,
syzkaller-bugs, v9fs, David Howells
Lizhi Xu,
now a reproducer was found it would be great if you could also test your
patch on this; it looks like the same problem as [1]
[1] https://lkml.kernel.org/r/672b7858.050a0220.350062.0256.GAE@google.com
Thanks,
(full quote for context, no other below)
syzbot wrote on Sat, Nov 16, 2024 at 05:38:22PM -0800:
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit: e8bdb3c8be08 Merge tag 'riscv-for-linus-6.12-rc8' of git:/..
> git tree: upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=136a52e8580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=327b6119dd928cbc
> dashboard link: https://syzkaller.appspot.com/bug?extid=885c03ad650731743489
> compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1642d2c0580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14547130580000
>
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-e8bdb3c8.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/3fca1f7d05f3/vmlinux-e8bdb3c8.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/51d966b1b453/bzImage-e8bdb3c8.xz
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
>
> BUG: TASK stack guard page was hit at ffffc90005abfff8 (stack is ffffc90005ac0000..ffffc90005ac8000)
> Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 0 UID: 0 PID: 6005 Comm: syz-executor698 Not tainted 6.12.0-rc7-syzkaller-00189-ge8bdb3c8be08 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:mark_lock+0xb0/0xc60 kernel/locking/lockdep.c:4703
> Code: fe 09 0f 87 e3 00 00 00 41 83 fe 08 49 89 fc 48 89 f3 0f 84 97 00 00 00 41 bd 01 00 00 00 44 89 f1 41 d3 e5 4d 63 ed 48 89 df <e8> cb 6b ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 60 48 89 f9
> RSP: 0018:ffffc90005ac0000 EFLAGS: 00010002
> RAX: 0000000000000000 RBX: ffff888029b953b0 RCX: 0000000000000003
> RDX: 0000000000000002 RSI: ffff888029b953b0 RDI: ffff888029b953b0
> RBP: ffffc90005ac0138 R08: 0000000000000000 R09: 0000000000000006
> R10: ffffffff96e2ed1f R11: 0000000000000002 R12: ffff888029b94880
> R13: 0000000000000200 R14: 0000000000000009 R15: 1ffff92000b58006
> FS: 00007f59e396f6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90005abfff8 CR3: 000000003c6a2000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <#DF>
> </#DF>
> <TASK>
> mark_usage kernel/locking/lockdep.c:4646 [inline]
> __lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156
> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
> rcu_lock_acquire include/linux/rcupdate.h:337 [inline]
> rcu_read_lock include/linux/rcupdate.h:849 [inline]
> page_ext_get+0x3a/0x310 mm/page_ext.c:525
> __set_page_owner+0x96/0x560 mm/page_owner.c:322
> set_page_owner include/linux/page_owner.h:32 [inline]
> post_alloc_hook+0x2d1/0x350 mm/page_alloc.c:1556
> prep_new_page mm/page_alloc.c:1564 [inline]
> get_page_from_freelist+0xfce/0x2f80 mm/page_alloc.c:3474
> __alloc_pages_noprof+0x223/0x25a0 mm/page_alloc.c:4750
> alloc_pages_mpol_noprof+0x2c9/0x610 mm/mempolicy.c:2265
> alloc_slab_page mm/slub.c:2412 [inline]
> allocate_slab mm/slub.c:2578 [inline]
> new_slab+0x2c9/0x410 mm/slub.c:2631
> ___slab_alloc+0xdac/0x1880 mm/slub.c:3818
> __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
> __slab_alloc_node mm/slub.c:3961 [inline]
> slab_alloc_node mm/slub.c:4122 [inline]
> kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141
> p9_tag_alloc+0x9c/0x870 net/9p/client.c:281
> p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644
> p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793
> p9_client_read_once+0x443/0x820 net/9p/client.c:1570
> p9_client_read+0x13f/0x1b0 net/9p/client.c:1534
> v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74
> netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline]
> netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline]
> netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline]
> netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221
> netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256
> v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
> __kernel_read+0x3f1/0xb50 fs/read_write.c:527
> integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28
> ima_calc_file_hash_tfm+0x2c9/0x3e0 security/integrity/ima/ima_crypto.c:480
> ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
> ima_calc_file_hash+0x1ba/0x490 security/integrity/ima/ima_crypto.c:568
> ima_collect_measurement+0x89f/0xa40 security/integrity/ima/ima_api.c:293
> process_measurement+0x1271/0x2370 security/integrity/ima/ima_main.c:372
> ima_file_check+0xc1/0x110 security/integrity/ima/ima_main.c:572
> security_file_post_open+0x8e/0x210 security/security.c:3129
> do_open fs/namei.c:3776 [inline]
> path_openat+0x1419/0x2d60 fs/namei.c:3933
> do_filp_open+0x1dc/0x430 fs/namei.c:3960
> do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
> do_sys_open fs/open.c:1430 [inline]
> __do_sys_open fs/open.c:1438 [inline]
> __se_sys_open fs/open.c:1434 [inline]
> __x64_sys_open+0x154/0x1e0 fs/open.c:1434
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7f59e39b43e9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f59e396f218 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
> RAX: ffffffffffffffda RBX: 00007f59e3a3e308 RCX: 00007f59e39b43e9
> RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
> RBP: 00007f59e3a3e300 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f59e3a3e30c
> R13: 00007f59e3a0b074 R14: 0030656c69662f2e R15: 00000000ffffff3c
> </TASK>
> Modules linked in:
> ---[ end trace 0000000000000000 ]---
> RIP: 0010:mark_lock+0xb0/0xc60 kernel/locking/lockdep.c:4703
> Code: fe 09 0f 87 e3 00 00 00 41 83 fe 08 49 89 fc 48 89 f3 0f 84 97 00 00 00 41 bd 01 00 00 00 44 89 f1 41 d3 e5 4d 63 ed 48 89 df <e8> cb 6b ff ff 48 ba 00 00 00 00 00 fc ff df 48 8d 78 60 48 89 f9
> RSP: 0018:ffffc90005ac0000 EFLAGS: 00010002
> RAX: 0000000000000000 RBX: ffff888029b953b0 RCX: 0000000000000003
> RDX: 0000000000000002 RSI: ffff888029b953b0 RDI: ffff888029b953b0
> RBP: ffffc90005ac0138 R08: 0000000000000000 R09: 0000000000000006
> R10: ffffffff96e2ed1f R11: 0000000000000002 R12: ffff888029b94880
> R13: 0000000000000200 R14: 0000000000000009 R15: 1ffff92000b58006
> FS: 00007f59e396f6c0(0000) GS:ffff88806a600000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc90005abfff8 CR3: 000000003c6a2000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
> 0: fe 09 decb (%rcx)
> 2: 0f 87 e3 00 00 00 ja 0xeb
> 8: 41 83 fe 08 cmp $0x8,%r14d
> c: 49 89 fc mov %rdi,%r12
> f: 48 89 f3 mov %rsi,%rbx
> 12: 0f 84 97 00 00 00 je 0xaf
> 18: 41 bd 01 00 00 00 mov $0x1,%r13d
> 1e: 44 89 f1 mov %r14d,%ecx
> 21: 41 d3 e5 shl %cl,%r13d
> 24: 4d 63 ed movslq %r13d,%r13
> 27: 48 89 df mov %rbx,%rdi
> * 2a: e8 cb 6b ff ff call 0xffff6bfa <-- trapping instruction
> 2f: 48 ba 00 00 00 00 00 movabs $0xdffffc0000000000,%rdx
> 36: fc ff df
> 39: 48 8d 78 60 lea 0x60(%rax),%rdi
> 3d: 48 89 f9 mov %rdi,%rcx
>
>
> ---
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
--
Dominique Martinet | Asmadeus
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
2024-11-17 1:45 ` asmadeus
@ 2024-11-18 16:23 ` David Howells
2024-11-18 16:36 ` syzbot
2024-11-18 17:23 ` David Howells
` (2 subsequent siblings)
4 siblings, 1 reply; 10+ messages in thread
From: David Howells @ 2024-11-18 16:23 UTC (permalink / raw)
To: syzbot
Cc: dhowells, akpm, asmadeus, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git netfs-writeback
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-18 16:23 ` David Howells
@ 2024-11-18 16:36 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2024-11-18 16:36 UTC (permalink / raw)
To: akpm, asmadeus, dhowells, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING in netfs_retry_reads
------------[ cut here ]------------
do not call blocking ops when !TASK_RUNNING; state=2 set at [<ffffffff81670f76>] prepare_to_wait+0xa6/0x380 kernel/sched/wait.c:237
WARNING: CPU: 2 PID: 6504 at kernel/sched/core.c:8576 __might_sleep+0x117/0x170 kernel/sched/core.c:8576
Modules linked in:
CPU: 2 UID: 0 PID: 6504 Comm: syz.0.19 Not tainted 6.12.0-rc6-syzkaller-gaf01434f267f #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:__might_sleep+0x117/0x170 kernel/sched/core.c:8576
Code: 49 8d bc 24 68 17 00 00 48 89 fa 48 c1 ea 03 80 3c 02 00 75 38 49 8b 94 24 68 17 00 00 48 c7 c7 40 49 6c 8b e8 ba 41 f2 ff 90 <0f> 0b 90 90 e9 70 ff ff ff e8 fb d9 92 00 e9 1e ff ff ff 89 34 24
RSP: 0018:ffffc90003a5eb48 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8b83c8e0 RCX: ffffffff814e6e79
RDX: ffff888023afc880 RSI: ffffffff814e6e86 RDI: 0000000000000001
RBP: 0000000000000049 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff888023afc880
R13: 0000000000000000 R14: 1ffff9200074bd83 R15: ffff88803ea60700
FS: 00007f803b8a96c0(0000) GS:ffff88806a800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005635a9d4bc60 CR3: 0000000031d88000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
wait_on_bit include/linux/wait_bit.h:73 [inline]
netfs_retry_reads+0xe4/0x1dc0 fs/netfs/read_retry.c:263
netfs_collect_read_results fs/netfs/read_collect.c:333 [inline]
netfs_read_collection+0x2990/0x3bb0 fs/netfs/read_collect.c:414
netfs_wait_for_read+0x1e6/0x440 fs/netfs/read_collect.c:629
netfs_unbuffered_read fs/netfs/direct_read.c:156 [inline]
netfs_unbuffered_read_iter_locked+0x1247/0x1860 fs/netfs/direct_read.c:231
netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:266
v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
__kernel_read+0x3f1/0xb50 fs/read_write.c:527
integrity_kernel_read+0x7f/0xb0 security/integrity/iint.c:28
ima_calc_file_hash_tfm+0x2c9/0x3e0 security/integrity/ima/ima_crypto.c:480
ima_calc_file_shash security/integrity/ima/ima_crypto.c:511 [inline]
ima_calc_file_hash+0x1ba/0x490 security/integrity/ima/ima_crypto.c:568
ima_collect_measurement+0x89f/0xa40 security/integrity/ima/ima_api.c:293
process_measurement+0x1271/0x2370 security/integrity/ima/ima_main.c:372
ima_file_check+0xc1/0x110 security/integrity/ima/ima_main.c:572
security_file_post_open+0x8e/0x210 security/security.c:3129
do_open fs/namei.c:3776 [inline]
path_openat+0x1419/0x2d60 fs/namei.c:3933
do_filp_open+0x1dc/0x430 fs/namei.c:3960
do_sys_openat2+0x17a/0x1e0 fs/open.c:1415
do_sys_open fs/open.c:1430 [inline]
__do_sys_open fs/open.c:1438 [inline]
__se_sys_open fs/open.c:1434 [inline]
__x64_sys_open+0x154/0x1e0 fs/open.c:1434
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f803ab7e719
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f803b8a9038 EFLAGS: 00000246 ORIG_RAX: 0000000000000002
RAX: ffffffffffffffda RBX: 00007f803ad35f80 RCX: 00007f803ab7e719
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000020000140
RBP: 00007f803abf175e R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f803ad35f80 R15: 00007fff5dc85c38
</TASK>
Tested on:
commit: af01434f rxrpc: Fix missing locking causing hanging ca..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git netfs-writeback
console output: https://syzkaller.appspot.com/x/log.txt?x=11796ac0580000
kernel config: https://syzkaller.appspot.com/x/.config?x=c0b2fb415081f288
dashboard link: https://syzkaller.appspot.com/bug?extid=885c03ad650731743489
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
2024-11-17 1:45 ` asmadeus
2024-11-18 16:23 ` David Howells
@ 2024-11-18 17:23 ` David Howells
2024-11-18 17:41 ` syzbot
2024-12-09 15:06 ` David Howells
2024-12-09 15:29 ` David Howells
4 siblings, 1 reply; 10+ messages in thread
From: David Howells @ 2024-11-18 17:23 UTC (permalink / raw)
To: syzbot
Cc: dhowells, akpm, asmadeus, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git 2aece382e1dadd03231e3133c17ddddd6c6f75bb
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-18 17:23 ` David Howells
@ 2024-11-18 17:41 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2024-11-18 17:41 UTC (permalink / raw)
To: akpm, asmadeus, dhowells, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
Tested-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
Tested on:
commit: 2aece382 netfs: Report on NULL folioq in netfs_writeba..
git tree: git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
console output: https://syzkaller.appspot.com/x/log.txt?x=12714930580000
kernel config: https://syzkaller.appspot.com/x/.config?x=55f8591b98dd132
dashboard link: https://syzkaller.appspot.com/bug?extid=885c03ad650731743489
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
Note: no patches were applied.
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
` (2 preceding siblings ...)
2024-11-18 17:23 ` David Howells
@ 2024-12-09 15:06 ` David Howells
2024-12-09 15:07 ` syzbot
2024-12-09 15:29 ` David Howells
4 siblings, 1 reply; 10+ messages in thread
From: David Howells @ 2024-12-09 15:06 UTC (permalink / raw)
To: syzbot
Cc: dhowells, akpm, asmadeus, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
commit 78513c0ee0d9a767b5c2568c6c220a941e73529c
Author: Lizhi Xu <lizhi.xu@windriver.com>
Date: Fri Nov 8 11:40:20 2024 +0800
netfs: If didn't read new data then abandon retry
syzkaller reported a three-level circle calls (netfs_rreq_assess,
netfs_retry_reads, netfs_rreq_terminated), during an unbuffered or direct
I/O read. [1]
netfs_rreq_terminated() only checks that subreq's transferred is greater
than consumed and then sets the retry flag. There is no limit on the number
of retries, and there is no judgment on whether the retry is effective in
reading new data. This hitting the stack guard page.
To avoid the issue, let's add retry read times and the length of the data
just read in struct netfs_io_subrequest, use them to assess the state of a
read request and decide what to do retry.
[1]
BUG: TASK stack guard page was hit at ffffc9000482ff48 (stack is ffffc90004830000..ffffc90004838000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6237 Comm: syz-executor663 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mark_lock+0x25/0xc60 kernel/locking/lockdep.c:4686
Code: 90 90 90 90 90 55 48 89 e5 41 57 41 56 41 89 d6 48 ba 00 00 00 00 00 fc ff df 41 55 41 54 53 48 83 e4 f0 48 81 ec 10 01 00 00 <48> c7 44 24 30 b3 8a b5 41 48 8d 44 24 30 48 c7 44 24 38 c0 4d 7a
RSP: 0018:ffffc9000482ff50 EFLAGS: 00010086
RAX: 000000000000000c RBX: ffff8880306c2fba RCX: 0000000000000002
RDX: dffffc0000000000 RSI: ffff8880306c2f98 RDI: ffff8880306c2440
RBP: ffffc90004830088 R08: 0000000000000000 R09: 0000000000000006
R10: ffffffff96e2dd27 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880306c2f98 R14: 0000000000000008 R15: ffff8880306c2440
FS: 00007fedf3b6e6c0(0000) GS:ffff88806a900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000482ff48 CR3: 000000002c910000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<#DF>
</#DF>
<TASK>
mark_usage kernel/locking/lockdep.c:4646 [inline]
__lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
___slab_alloc+0x123/0x1880 mm/slub.c:3695
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141
radix_tree_node_alloc.constprop.0+0x1e8/0x350 lib/radix-tree.c:253
idr_get_free+0x528/0xa40 lib/radix-tree.c:1506
idr_alloc_u32+0x191/0x2f0 lib/idr.c:46
idr_alloc+0xc1/0x130 lib/idr.c:87
p9_tag_alloc+0x394/0x870 net/9p/client.c:321
p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644
p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793
p9_client_read_once+0x443/0x820 net/9p/client.c:1570
p9_client_read+0x13f/0x1b0 net/9p/client.c:1534
v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74
netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline]
netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
...
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline]
netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline]
netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221
netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256
v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
do_iter_readv_writev+0x614/0x7f0 fs/read_write.c:832
vfs_readv+0x4cf/0x890 fs/read_write.c:1025
do_preadv fs/read_write.c:1142 [inline]
__do_sys_preadv fs/read_write.c:1192 [inline]
__se_sys_preadv fs/read_write.c:1187 [inline]
__x64_sys_preadv+0x22d/0x310 fs/read_write.c:1187
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fedf3bd4dd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fedf3b6e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fedf3c5e318 RCX: 00007fedf3bd4dd9
RDX: 0000000000000001 RSI: 00000000200015c0 RDI: 0000000000000003
RBP: 00007fedf3c5e310 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedf3c5e31c
R13: 000000000000000b R14: 00007fffe9d355b0 R15: 00007fffe9d35698
</TASK>
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Closes: https://syzkaller.appspot.com/bug?extid=1fc6f64c40a9d143cfb6
Signed-off-by: David Howells <dhowells@redhat.com>
Suggested-by: Lizhi Xu <lizhi.xu@windriver.com> [2]
cc: Dominique Martinet <asmadeus@codewreck.org>
cc: Jeff Layton <jlayton@kernel.org>
cc: v9fs@lists.linux.dev
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20241108034020.3695718-1-lizhi.xu@windriver.com/ [2]
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index 819c75233235..3bc9ce6c575e 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -57,6 +57,8 @@ static void v9fs_issue_write(struct netfs_io_subrequest *subreq)
int err, len;
len = p9_client_write(fid, subreq->start, &subreq->io_iter, &err);
+ if (len > 0)
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
netfs_write_subrequest_terminated(subreq, len ?: err, false);
}
@@ -80,8 +82,10 @@ static void v9fs_issue_read(struct netfs_io_subrequest *subreq)
if (pos + total >= i_size_read(rreq->inode))
__set_bit(NETFS_SREQ_HIT_EOF, &subreq->flags);
- if (!err)
+ if (!err) {
subreq->transferred += total;
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ }
netfs_read_subreq_terminated(subreq, err, false);
}
diff --git a/fs/afs/write.c b/fs/afs/write.c
index 34107b55f834..ccb6aa8027c5 100644
--- a/fs/afs/write.c
+++ b/fs/afs/write.c
@@ -122,7 +122,7 @@ static void afs_issue_write_worker(struct work_struct *work)
if (subreq->debug_index == 3)
return netfs_write_subrequest_terminated(subreq, -ENOANO, false);
- if (!test_bit(NETFS_SREQ_RETRYING, &subreq->flags)) {
+ if (!subreq->retry_count) {
set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
return netfs_write_subrequest_terminated(subreq, -EAGAIN, false);
}
@@ -149,6 +149,9 @@ static void afs_issue_write_worker(struct work_struct *work)
afs_wait_for_operation(op);
ret = afs_put_operation(op);
switch (ret) {
+ case 0:
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ break;
case -EACCES:
case -EPERM:
case -ENOKEY:
diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c
index 46ce3b7adf07..47ed3a5044e2 100644
--- a/fs/netfs/read_collect.c
+++ b/fs/netfs/read_collect.c
@@ -438,7 +438,7 @@ void netfs_read_subreq_progress(struct netfs_io_subrequest *subreq,
rreq->origin == NETFS_READPAGE ||
rreq->origin == NETFS_READ_FOR_WRITE)) {
netfs_consume_read_data(subreq, was_async);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
}
}
EXPORT_SYMBOL(netfs_read_subreq_progress);
@@ -497,7 +497,7 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
rreq->origin == NETFS_READPAGE ||
rreq->origin == NETFS_READ_FOR_WRITE)) {
netfs_consume_read_data(subreq, was_async);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
}
rreq->transferred += subreq->transferred;
}
@@ -511,10 +511,13 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
} else {
trace_netfs_sreq(subreq, netfs_sreq_trace_short);
if (subreq->transferred > subreq->consumed) {
- __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
- set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
- } else if (!__test_and_set_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags)) {
+ /* If we didn't read new data, abandon retry. */
+ if (subreq->retry_count &&
+ test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
+ __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
+ set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
+ }
+ } else if (test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
__set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
} else {
diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c
index 0350592ea804..0e72e9226fc8 100644
--- a/fs/netfs/read_retry.c
+++ b/fs/netfs/read_retry.c
@@ -56,6 +56,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
if (test_bit(NETFS_SREQ_FAILED, &subreq->flags))
break;
if (__test_and_clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags)) {
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ subreq->retry_count++;
netfs_reset_iter(subreq);
netfs_reissue_read(rreq, subreq);
}
@@ -137,7 +139,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
stream0->sreq_max_len = subreq->len;
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ subreq->retry_count++;
spin_lock_bh(&rreq->lock);
list_add_tail(&subreq->rreq_link, &rreq->subrequests);
@@ -213,7 +216,6 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
subreq->error = -ENOMEM;
__clear_bit(NETFS_SREQ_FAILED, &subreq->flags);
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __clear_bit(NETFS_SREQ_RETRYING, &subreq->flags);
}
spin_lock_bh(&rreq->lock);
list_splice_tail_init(&queue, &rreq->subrequests);
diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c
index 82290c92ba7a..ca3a11ed9b54 100644
--- a/fs/netfs/write_collect.c
+++ b/fs/netfs/write_collect.c
@@ -179,7 +179,6 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
struct iov_iter source = subreq->io_iter;
iov_iter_revert(&source, subreq->len - source.count);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
netfs_reissue_write(stream, subreq, &source);
}
@@ -234,7 +233,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
/* Renegotiate max_len (wsize) */
trace_netfs_sreq(subreq, netfs_sreq_trace_retry);
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ subreq->retry_count++;
stream->prepare_write(subreq);
part = min(len, stream->sreq_max_len);
@@ -279,7 +278,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
subreq->start = start;
subreq->debug_index = atomic_inc_return(&wreq->subreq_counter);
subreq->stream_nr = to->stream_nr;
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ subreq->retry_count = 1;
trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
refcount_read(&subreq->ref),
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index bf6d507578e5..ff0e82505a0b 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -244,6 +244,8 @@ void netfs_reissue_write(struct netfs_io_stream *stream,
iov_iter_advance(source, size);
iov_iter_truncate(&subreq->io_iter, size);
+ subreq->retry_count++;
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
netfs_do_issue_write(stream, subreq);
}
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index bd42a419458e..6cb1e81993f8 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -1319,14 +1319,16 @@ cifs_readv_callback(struct mid_q_entry *mid)
}
if (rdata->result == -ENODATA) {
- __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
} else {
size_t trans = rdata->subreq.transferred + rdata->got_bytes;
if (trans < rdata->subreq.len &&
rdata->subreq.start + trans == ictx->remote_i_size) {
- __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
+ } else if (rdata->got_bytes > 0) {
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
}
}
@@ -1670,10 +1672,13 @@ cifs_writev_callback(struct mid_q_entry *mid)
if (written > wdata->subreq.len)
written &= 0xFFFF;
- if (written < wdata->subreq.len)
+ if (written < wdata->subreq.len) {
result = -ENOSPC;
- else
+ } else {
result = written;
+ if (written > 0)
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
+ }
break;
case MID_REQUEST_SUBMITTED:
case MID_RETRY_NEEDED:
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 010eae9d6c47..458b53d1f9cb 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4615,6 +4615,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
__set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
}
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
}
trace_smb3_rw_credits(rreq_debug_id, subreq_debug_index, rdata->credits.value,
server->credits, server->in_flight,
@@ -4840,10 +4841,12 @@ smb2_writev_callback(struct mid_q_entry *mid)
if (written > wdata->subreq.len)
written &= 0xFFFF;
- if (written < wdata->subreq.len)
+ if (written < wdata->subreq.len) {
wdata->result = -ENOSPC;
- else
+ } else if (written > 0) {
wdata->subreq.len = written;
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
+ }
break;
case MID_REQUEST_SUBMITTED:
case MID_RETRY_NEEDED:
@@ -5012,7 +5015,7 @@ smb2_async_writev(struct cifs_io_subrequest *wdata)
}
#endif
- if (test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags))
+ if (wdata->subreq.retry_count > 0)
smb2_set_replay(server, &rqst);
cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n",
diff --git a/include/linux/netfs.h b/include/linux/netfs.h
index 5eaceef41e6c..4083d77e3f39 100644
--- a/include/linux/netfs.h
+++ b/include/linux/netfs.h
@@ -185,6 +185,7 @@ struct netfs_io_subrequest {
short error; /* 0 or error that occurred */
unsigned short debug_index; /* Index in list (for debugging output) */
unsigned int nr_segs; /* Number of segs in io_iter */
+ u8 retry_count; /* The number of retries (0 on initial pass) */
enum netfs_io_source source; /* Where to read from/write to */
unsigned char stream_nr; /* I/O stream this belongs to */
unsigned char curr_folioq_slot; /* Folio currently being read */
@@ -194,14 +195,13 @@ struct netfs_io_subrequest {
#define NETFS_SREQ_COPY_TO_CACHE 0 /* Set if should copy the data to the cache */
#define NETFS_SREQ_CLEAR_TAIL 1 /* Set if the rest of the read should be cleared */
#define NETFS_SREQ_SEEK_DATA_READ 3 /* Set if ->read() should SEEK_DATA first */
-#define NETFS_SREQ_NO_PROGRESS 4 /* Set if we didn't manage to read any data */
+#define NETFS_SREQ_MADE_PROGRESS 4 /* Set if we transferred at least some data */
#define NETFS_SREQ_ONDEMAND 5 /* Set if it's from on-demand read mode */
#define NETFS_SREQ_BOUNDARY 6 /* Set if ends on hard boundary (eg. ceph object) */
#define NETFS_SREQ_HIT_EOF 7 /* Set if short due to EOF */
#define NETFS_SREQ_IN_PROGRESS 8 /* Unlocked when the subrequest completes */
#define NETFS_SREQ_NEED_RETRY 9 /* Set if the filesystem requests a retry */
-#define NETFS_SREQ_RETRYING 10 /* Set if we're retrying */
-#define NETFS_SREQ_FAILED 11 /* Set if the subreq failed unretryably */
+#define NETFS_SREQ_FAILED 10 /* Set if the subreq failed unretryably */
};
enum netfs_io_origin {
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-12-09 15:06 ` David Howells
@ 2024-12-09 15:07 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2024-12-09 15:07 UTC (permalink / raw)
To: dhowells
Cc: akpm, asmadeus, dhowells, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
want either no args or 2 args (repo, branch), got 3
>
> commit 78513c0ee0d9a767b5c2568c6c220a941e73529c
> Author: Lizhi Xu <lizhi.xu@windriver.com>
> Date: Fri Nov 8 11:40:20 2024 +0800
>
> netfs: If didn't read new data then abandon retry
>
> syzkaller reported a three-level circle calls (netfs_rreq_assess,
> netfs_retry_reads, netfs_rreq_terminated), during an unbuffered or direct
> I/O read. [1]
>
> netfs_rreq_terminated() only checks that subreq's transferred is greater
> than consumed and then sets the retry flag. There is no limit on the number
> of retries, and there is no judgment on whether the retry is effective in
> reading new data. This hitting the stack guard page.
>
> To avoid the issue, let's add retry read times and the length of the data
> just read in struct netfs_io_subrequest, use them to assess the state of a
> read request and decide what to do retry.
>
> [1]
> BUG: TASK stack guard page was hit at ffffc9000482ff48 (stack is ffffc90004830000..ffffc90004838000)
> Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
> CPU: 3 UID: 0 PID: 6237 Comm: syz-executor663 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
> RIP: 0010:mark_lock+0x25/0xc60 kernel/locking/lockdep.c:4686
> Code: 90 90 90 90 90 55 48 89 e5 41 57 41 56 41 89 d6 48 ba 00 00 00 00 00 fc ff df 41 55 41 54 53 48 83 e4 f0 48 81 ec 10 01 00 00 <48> c7 44 24 30 b3 8a b5 41 48 8d 44 24 30 48 c7 44 24 38 c0 4d 7a
> RSP: 0018:ffffc9000482ff50 EFLAGS: 00010086
> RAX: 000000000000000c RBX: ffff8880306c2fba RCX: 0000000000000002
> RDX: dffffc0000000000 RSI: ffff8880306c2f98 RDI: ffff8880306c2440
> RBP: ffffc90004830088 R08: 0000000000000000 R09: 0000000000000006
> R10: ffffffff96e2dd27 R11: 0000000000000000 R12: dffffc0000000000
> R13: ffff8880306c2f98 R14: 0000000000000008 R15: ffff8880306c2440
> FS: 00007fedf3b6e6c0(0000) GS:ffff88806a900000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: ffffc9000482ff48 CR3: 000000002c910000 CR4: 0000000000352ef0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <#DF>
> </#DF>
> <TASK>
> mark_usage kernel/locking/lockdep.c:4646 [inline]
> __lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156
> lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
> local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
> ___slab_alloc+0x123/0x1880 mm/slub.c:3695
> __slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
> __slab_alloc_node mm/slub.c:3961 [inline]
> slab_alloc_node mm/slub.c:4122 [inline]
> kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141
> radix_tree_node_alloc.constprop.0+0x1e8/0x350 lib/radix-tree.c:253
> idr_get_free+0x528/0xa40 lib/radix-tree.c:1506
> idr_alloc_u32+0x191/0x2f0 lib/idr.c:46
> idr_alloc+0xc1/0x130 lib/idr.c:87
> p9_tag_alloc+0x394/0x870 net/9p/client.c:321
> p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644
> p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793
> p9_client_read_once+0x443/0x820 net/9p/client.c:1570
> p9_client_read+0x13f/0x1b0 net/9p/client.c:1534
> v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74
> netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline]
> netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> ...
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
> netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
> netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
> netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline]
> netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline]
> netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221
> netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256
> v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
> do_iter_readv_writev+0x614/0x7f0 fs/read_write.c:832
> vfs_readv+0x4cf/0x890 fs/read_write.c:1025
> do_preadv fs/read_write.c:1142 [inline]
> __do_sys_preadv fs/read_write.c:1192 [inline]
> __se_sys_preadv fs/read_write.c:1187 [inline]
> __x64_sys_preadv+0x22d/0x310 fs/read_write.c:1187
> do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
> entry_SYSCALL_64_after_hwframe+0x77/0x7f
> RIP: 0033:0x7fedf3bd4dd9
> Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007fedf3b6e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
> RAX: ffffffffffffffda RBX: 00007fedf3c5e318 RCX: 00007fedf3bd4dd9
> RDX: 0000000000000001 RSI: 00000000200015c0 RDI: 0000000000000003
> RBP: 00007fedf3c5e310 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedf3c5e31c
> R13: 000000000000000b R14: 00007fffe9d355b0 R15: 00007fffe9d35698
> </TASK>
>
> Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
> Closes: https://syzkaller.appspot.com/bug?extid=1fc6f64c40a9d143cfb6
> Signed-off-by: David Howells <dhowells@redhat.com>
> Suggested-by: Lizhi Xu <lizhi.xu@windriver.com> [2]
> cc: Dominique Martinet <asmadeus@codewreck.org>
> cc: Jeff Layton <jlayton@kernel.org>
> cc: v9fs@lists.linux.dev
> cc: netfs@lists.linux.dev
> cc: linux-fsdevel@vger.kernel.org
> Link: https://lore.kernel.org/r/20241108034020.3695718-1-lizhi.xu@windriver.com/ [2]
>
> diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
> index 819c75233235..3bc9ce6c575e 100644
> --- a/fs/9p/vfs_addr.c
> +++ b/fs/9p/vfs_addr.c
> @@ -57,6 +57,8 @@ static void v9fs_issue_write(struct netfs_io_subrequest *subreq)
> int err, len;
>
> len = p9_client_write(fid, subreq->start, &subreq->io_iter, &err);
> + if (len > 0)
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> netfs_write_subrequest_terminated(subreq, len ?: err, false);
> }
>
> @@ -80,8 +82,10 @@ static void v9fs_issue_read(struct netfs_io_subrequest *subreq)
> if (pos + total >= i_size_read(rreq->inode))
> __set_bit(NETFS_SREQ_HIT_EOF, &subreq->flags);
>
> - if (!err)
> + if (!err) {
> subreq->transferred += total;
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> + }
>
> netfs_read_subreq_terminated(subreq, err, false);
> }
> diff --git a/fs/afs/write.c b/fs/afs/write.c
> index 34107b55f834..ccb6aa8027c5 100644
> --- a/fs/afs/write.c
> +++ b/fs/afs/write.c
> @@ -122,7 +122,7 @@ static void afs_issue_write_worker(struct work_struct *work)
> if (subreq->debug_index == 3)
> return netfs_write_subrequest_terminated(subreq, -ENOANO, false);
>
> - if (!test_bit(NETFS_SREQ_RETRYING, &subreq->flags)) {
> + if (!subreq->retry_count) {
> set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> return netfs_write_subrequest_terminated(subreq, -EAGAIN, false);
> }
> @@ -149,6 +149,9 @@ static void afs_issue_write_worker(struct work_struct *work)
> afs_wait_for_operation(op);
> ret = afs_put_operation(op);
> switch (ret) {
> + case 0:
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> + break;
> case -EACCES:
> case -EPERM:
> case -ENOKEY:
> diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c
> index 46ce3b7adf07..47ed3a5044e2 100644
> --- a/fs/netfs/read_collect.c
> +++ b/fs/netfs/read_collect.c
> @@ -438,7 +438,7 @@ void netfs_read_subreq_progress(struct netfs_io_subrequest *subreq,
> rreq->origin == NETFS_READPAGE ||
> rreq->origin == NETFS_READ_FOR_WRITE)) {
> netfs_consume_read_data(subreq, was_async);
> - __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> }
> }
> EXPORT_SYMBOL(netfs_read_subreq_progress);
> @@ -497,7 +497,7 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
> rreq->origin == NETFS_READPAGE ||
> rreq->origin == NETFS_READ_FOR_WRITE)) {
> netfs_consume_read_data(subreq, was_async);
> - __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> }
> rreq->transferred += subreq->transferred;
> }
> @@ -511,10 +511,13 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
> } else {
> trace_netfs_sreq(subreq, netfs_sreq_trace_short);
> if (subreq->transferred > subreq->consumed) {
> - __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> - __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
> - set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
> - } else if (!__test_and_set_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags)) {
> + /* If we didn't read new data, abandon retry. */
> + if (subreq->retry_count &&
> + test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
> + __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> + set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
> + }
> + } else if (test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
> __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
> } else {
> diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c
> index 0350592ea804..0e72e9226fc8 100644
> --- a/fs/netfs/read_retry.c
> +++ b/fs/netfs/read_retry.c
> @@ -56,6 +56,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
> if (test_bit(NETFS_SREQ_FAILED, &subreq->flags))
> break;
> if (__test_and_clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags)) {
> + __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> + subreq->retry_count++;
> netfs_reset_iter(subreq);
> netfs_reissue_read(rreq, subreq);
> }
> @@ -137,7 +139,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
> stream0->sreq_max_len = subreq->len;
>
> __clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> - __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
> + __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> + subreq->retry_count++;
>
> spin_lock_bh(&rreq->lock);
> list_add_tail(&subreq->rreq_link, &rreq->subrequests);
> @@ -213,7 +216,6 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
> subreq->error = -ENOMEM;
> __clear_bit(NETFS_SREQ_FAILED, &subreq->flags);
> __clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> - __clear_bit(NETFS_SREQ_RETRYING, &subreq->flags);
> }
> spin_lock_bh(&rreq->lock);
> list_splice_tail_init(&queue, &rreq->subrequests);
> diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c
> index 82290c92ba7a..ca3a11ed9b54 100644
> --- a/fs/netfs/write_collect.c
> +++ b/fs/netfs/write_collect.c
> @@ -179,7 +179,6 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
> struct iov_iter source = subreq->io_iter;
>
> iov_iter_revert(&source, subreq->len - source.count);
> - __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
> netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
> netfs_reissue_write(stream, subreq, &source);
> }
> @@ -234,7 +233,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
> /* Renegotiate max_len (wsize) */
> trace_netfs_sreq(subreq, netfs_sreq_trace_retry);
> __clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
> - __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
> + subreq->retry_count++;
> stream->prepare_write(subreq);
>
> part = min(len, stream->sreq_max_len);
> @@ -279,7 +278,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
> subreq->start = start;
> subreq->debug_index = atomic_inc_return(&wreq->subreq_counter);
> subreq->stream_nr = to->stream_nr;
> - __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
> + subreq->retry_count = 1;
>
> trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
> refcount_read(&subreq->ref),
> diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
> index bf6d507578e5..ff0e82505a0b 100644
> --- a/fs/netfs/write_issue.c
> +++ b/fs/netfs/write_issue.c
> @@ -244,6 +244,8 @@ void netfs_reissue_write(struct netfs_io_stream *stream,
> iov_iter_advance(source, size);
> iov_iter_truncate(&subreq->io_iter, size);
>
> + subreq->retry_count++;
> + __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
> __set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
> netfs_do_issue_write(stream, subreq);
> }
> diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
> index bd42a419458e..6cb1e81993f8 100644
> --- a/fs/smb/client/cifssmb.c
> +++ b/fs/smb/client/cifssmb.c
> @@ -1319,14 +1319,16 @@ cifs_readv_callback(struct mid_q_entry *mid)
> }
>
> if (rdata->result == -ENODATA) {
> - __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
> rdata->result = 0;
> + __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
> } else {
> size_t trans = rdata->subreq.transferred + rdata->got_bytes;
> if (trans < rdata->subreq.len &&
> rdata->subreq.start + trans == ictx->remote_i_size) {
> - __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
> rdata->result = 0;
> + __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
> + } else if (rdata->got_bytes > 0) {
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
> }
> }
>
> @@ -1670,10 +1672,13 @@ cifs_writev_callback(struct mid_q_entry *mid)
> if (written > wdata->subreq.len)
> written &= 0xFFFF;
>
> - if (written < wdata->subreq.len)
> + if (written < wdata->subreq.len) {
> result = -ENOSPC;
> - else
> + } else {
> result = written;
> + if (written > 0)
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
> + }
> break;
> case MID_REQUEST_SUBMITTED:
> case MID_RETRY_NEEDED:
> diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
> index 010eae9d6c47..458b53d1f9cb 100644
> --- a/fs/smb/client/smb2pdu.c
> +++ b/fs/smb/client/smb2pdu.c
> @@ -4615,6 +4615,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
> __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
> rdata->result = 0;
> }
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
> }
> trace_smb3_rw_credits(rreq_debug_id, subreq_debug_index, rdata->credits.value,
> server->credits, server->in_flight,
> @@ -4840,10 +4841,12 @@ smb2_writev_callback(struct mid_q_entry *mid)
> if (written > wdata->subreq.len)
> written &= 0xFFFF;
>
> - if (written < wdata->subreq.len)
> + if (written < wdata->subreq.len) {
> wdata->result = -ENOSPC;
> - else
> + } else if (written > 0) {
> wdata->subreq.len = written;
> + __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
> + }
> break;
> case MID_REQUEST_SUBMITTED:
> case MID_RETRY_NEEDED:
> @@ -5012,7 +5015,7 @@ smb2_async_writev(struct cifs_io_subrequest *wdata)
> }
> #endif
>
> - if (test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags))
> + if (wdata->subreq.retry_count > 0)
> smb2_set_replay(server, &rqst);
>
> cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n",
> diff --git a/include/linux/netfs.h b/include/linux/netfs.h
> index 5eaceef41e6c..4083d77e3f39 100644
> --- a/include/linux/netfs.h
> +++ b/include/linux/netfs.h
> @@ -185,6 +185,7 @@ struct netfs_io_subrequest {
> short error; /* 0 or error that occurred */
> unsigned short debug_index; /* Index in list (for debugging output) */
> unsigned int nr_segs; /* Number of segs in io_iter */
> + u8 retry_count; /* The number of retries (0 on initial pass) */
> enum netfs_io_source source; /* Where to read from/write to */
> unsigned char stream_nr; /* I/O stream this belongs to */
> unsigned char curr_folioq_slot; /* Folio currently being read */
> @@ -194,14 +195,13 @@ struct netfs_io_subrequest {
> #define NETFS_SREQ_COPY_TO_CACHE 0 /* Set if should copy the data to the cache */
> #define NETFS_SREQ_CLEAR_TAIL 1 /* Set if the rest of the read should be cleared */
> #define NETFS_SREQ_SEEK_DATA_READ 3 /* Set if ->read() should SEEK_DATA first */
> -#define NETFS_SREQ_NO_PROGRESS 4 /* Set if we didn't manage to read any data */
> +#define NETFS_SREQ_MADE_PROGRESS 4 /* Set if we transferred at least some data */
> #define NETFS_SREQ_ONDEMAND 5 /* Set if it's from on-demand read mode */
> #define NETFS_SREQ_BOUNDARY 6 /* Set if ends on hard boundary (eg. ceph object) */
> #define NETFS_SREQ_HIT_EOF 7 /* Set if short due to EOF */
> #define NETFS_SREQ_IN_PROGRESS 8 /* Unlocked when the subrequest completes */
> #define NETFS_SREQ_NEED_RETRY 9 /* Set if the filesystem requests a retry */
> -#define NETFS_SREQ_RETRYING 10 /* Set if we're retrying */
> -#define NETFS_SREQ_FAILED 11 /* Set if the subreq failed unretryably */
> +#define NETFS_SREQ_FAILED 10 /* Set if the subreq failed unretryably */
> };
>
> enum netfs_io_origin {
>
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
` (3 preceding siblings ...)
2024-12-09 15:06 ` David Howells
@ 2024-12-09 15:29 ` David Howells
2024-12-09 15:48 ` syzbot
4 siblings, 1 reply; 10+ messages in thread
From: David Howells @ 2024-12-09 15:29 UTC (permalink / raw)
To: syzbot
Cc: dhowells, akpm, asmadeus, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master
commit 78513c0ee0d9a767b5c2568c6c220a941e73529c
Author: Lizhi Xu <lizhi.xu@windriver.com>
Date: Fri Nov 8 11:40:20 2024 +0800
netfs: If didn't read new data then abandon retry
syzkaller reported a three-level circle calls (netfs_rreq_assess,
netfs_retry_reads, netfs_rreq_terminated), during an unbuffered or direct
I/O read. [1]
netfs_rreq_terminated() only checks that subreq's transferred is greater
than consumed and then sets the retry flag. There is no limit on the number
of retries, and there is no judgment on whether the retry is effective in
reading new data. This hitting the stack guard page.
To avoid the issue, let's add retry read times and the length of the data
just read in struct netfs_io_subrequest, use them to assess the state of a
read request and decide what to do retry.
[1]
BUG: TASK stack guard page was hit at ffffc9000482ff48 (stack is ffffc90004830000..ffffc90004838000)
Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 3 UID: 0 PID: 6237 Comm: syz-executor663 Not tainted 6.12.0-rc6-syzkaller-00077-g2e1b3cc9d7f7 #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
RIP: 0010:mark_lock+0x25/0xc60 kernel/locking/lockdep.c:4686
Code: 90 90 90 90 90 55 48 89 e5 41 57 41 56 41 89 d6 48 ba 00 00 00 00 00 fc ff df 41 55 41 54 53 48 83 e4 f0 48 81 ec 10 01 00 00 <48> c7 44 24 30 b3 8a b5 41 48 8d 44 24 30 48 c7 44 24 38 c0 4d 7a
RSP: 0018:ffffc9000482ff50 EFLAGS: 00010086
RAX: 000000000000000c RBX: ffff8880306c2fba RCX: 0000000000000002
RDX: dffffc0000000000 RSI: ffff8880306c2f98 RDI: ffff8880306c2440
RBP: ffffc90004830088 R08: 0000000000000000 R09: 0000000000000006
R10: ffffffff96e2dd27 R11: 0000000000000000 R12: dffffc0000000000
R13: ffff8880306c2f98 R14: 0000000000000008 R15: ffff8880306c2440
FS: 00007fedf3b6e6c0(0000) GS:ffff88806a900000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffc9000482ff48 CR3: 000000002c910000 CR4: 0000000000352ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<#DF>
</#DF>
<TASK>
mark_usage kernel/locking/lockdep.c:4646 [inline]
__lock_acquire+0x906/0x3ce0 kernel/locking/lockdep.c:5156
lock_acquire.part.0+0x11b/0x380 kernel/locking/lockdep.c:5825
local_lock_acquire include/linux/local_lock_internal.h:29 [inline]
___slab_alloc+0x123/0x1880 mm/slub.c:3695
__slab_alloc.constprop.0+0x56/0xb0 mm/slub.c:3908
__slab_alloc_node mm/slub.c:3961 [inline]
slab_alloc_node mm/slub.c:4122 [inline]
kmem_cache_alloc_noprof+0x2a7/0x2f0 mm/slub.c:4141
radix_tree_node_alloc.constprop.0+0x1e8/0x350 lib/radix-tree.c:253
idr_get_free+0x528/0xa40 lib/radix-tree.c:1506
idr_alloc_u32+0x191/0x2f0 lib/idr.c:46
idr_alloc+0xc1/0x130 lib/idr.c:87
p9_tag_alloc+0x394/0x870 net/9p/client.c:321
p9_client_prepare_req+0x19f/0x4d0 net/9p/client.c:644
p9_client_zc_rpc.constprop.0+0x105/0x880 net/9p/client.c:793
p9_client_read_once+0x443/0x820 net/9p/client.c:1570
p9_client_read+0x13f/0x1b0 net/9p/client.c:1534
v9fs_issue_read+0x115/0x310 fs/9p/vfs_addr.c:74
netfs_retry_read_subrequests fs/netfs/read_retry.c:60 [inline]
netfs_retry_reads+0x153a/0x1d00 fs/netfs/read_retry.c:232
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
...
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_retry_reads+0x155e/0x1d00 fs/netfs/read_retry.c:235
netfs_rreq_assess+0x5d3/0x870 fs/netfs/read_collect.c:371
netfs_rreq_terminated+0xe5/0x110 fs/netfs/read_collect.c:407
netfs_dispatch_unbuffered_reads fs/netfs/direct_read.c:103 [inline]
netfs_unbuffered_read fs/netfs/direct_read.c:127 [inline]
netfs_unbuffered_read_iter_locked+0x12f6/0x19b0 fs/netfs/direct_read.c:221
netfs_unbuffered_read_iter+0xc5/0x100 fs/netfs/direct_read.c:256
v9fs_file_read_iter+0xbf/0x100 fs/9p/vfs_file.c:361
do_iter_readv_writev+0x614/0x7f0 fs/read_write.c:832
vfs_readv+0x4cf/0x890 fs/read_write.c:1025
do_preadv fs/read_write.c:1142 [inline]
__do_sys_preadv fs/read_write.c:1192 [inline]
__se_sys_preadv fs/read_write.c:1187 [inline]
__x64_sys_preadv+0x22d/0x310 fs/read_write.c:1187
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fedf3bd4dd9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 51 18 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fedf3b6e168 EFLAGS: 00000246 ORIG_RAX: 0000000000000127
RAX: ffffffffffffffda RBX: 00007fedf3c5e318 RCX: 00007fedf3bd4dd9
RDX: 0000000000000001 RSI: 00000000200015c0 RDI: 0000000000000003
RBP: 00007fedf3c5e310 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fedf3c5e31c
R13: 000000000000000b R14: 00007fffe9d355b0 R15: 00007fffe9d35698
</TASK>
Fixes: ee4cdf7ba857 ("netfs: Speed up buffered reading")
Closes: https://syzkaller.appspot.com/bug?extid=1fc6f64c40a9d143cfb6
Signed-off-by: David Howells <dhowells@redhat.com>
Suggested-by: Lizhi Xu <lizhi.xu@windriver.com> [2]
cc: Dominique Martinet <asmadeus@codewreck.org>
cc: Jeff Layton <jlayton@kernel.org>
cc: v9fs@lists.linux.dev
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Link: https://lore.kernel.org/r/20241108034020.3695718-1-lizhi.xu@windriver.com/ [2]
diff --git a/fs/9p/vfs_addr.c b/fs/9p/vfs_addr.c
index 819c75233235..3bc9ce6c575e 100644
--- a/fs/9p/vfs_addr.c
+++ b/fs/9p/vfs_addr.c
@@ -57,6 +57,8 @@ static void v9fs_issue_write(struct netfs_io_subrequest *subreq)
int err, len;
len = p9_client_write(fid, subreq->start, &subreq->io_iter, &err);
+ if (len > 0)
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
netfs_write_subrequest_terminated(subreq, len ?: err, false);
}
@@ -80,8 +82,10 @@ static void v9fs_issue_read(struct netfs_io_subrequest *subreq)
if (pos + total >= i_size_read(rreq->inode))
__set_bit(NETFS_SREQ_HIT_EOF, &subreq->flags);
- if (!err)
+ if (!err) {
subreq->transferred += total;
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ }
netfs_read_subreq_terminated(subreq, err, false);
}
diff --git a/fs/afs/write.c b/fs/afs/write.c
index 34107b55f834..ccb6aa8027c5 100644
--- a/fs/afs/write.c
+++ b/fs/afs/write.c
@@ -122,7 +122,7 @@ static void afs_issue_write_worker(struct work_struct *work)
if (subreq->debug_index == 3)
return netfs_write_subrequest_terminated(subreq, -ENOANO, false);
- if (!test_bit(NETFS_SREQ_RETRYING, &subreq->flags)) {
+ if (!subreq->retry_count) {
set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
return netfs_write_subrequest_terminated(subreq, -EAGAIN, false);
}
@@ -149,6 +149,9 @@ static void afs_issue_write_worker(struct work_struct *work)
afs_wait_for_operation(op);
ret = afs_put_operation(op);
switch (ret) {
+ case 0:
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ break;
case -EACCES:
case -EPERM:
case -ENOKEY:
diff --git a/fs/netfs/read_collect.c b/fs/netfs/read_collect.c
index 46ce3b7adf07..47ed3a5044e2 100644
--- a/fs/netfs/read_collect.c
+++ b/fs/netfs/read_collect.c
@@ -438,7 +438,7 @@ void netfs_read_subreq_progress(struct netfs_io_subrequest *subreq,
rreq->origin == NETFS_READPAGE ||
rreq->origin == NETFS_READ_FOR_WRITE)) {
netfs_consume_read_data(subreq, was_async);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
}
}
EXPORT_SYMBOL(netfs_read_subreq_progress);
@@ -497,7 +497,7 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
rreq->origin == NETFS_READPAGE ||
rreq->origin == NETFS_READ_FOR_WRITE)) {
netfs_consume_read_data(subreq, was_async);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
}
rreq->transferred += subreq->transferred;
}
@@ -511,10 +511,13 @@ void netfs_read_subreq_terminated(struct netfs_io_subrequest *subreq,
} else {
trace_netfs_sreq(subreq, netfs_sreq_trace_short);
if (subreq->transferred > subreq->consumed) {
- __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __clear_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags);
- set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
- } else if (!__test_and_set_bit(NETFS_SREQ_NO_PROGRESS, &subreq->flags)) {
+ /* If we didn't read new data, abandon retry. */
+ if (subreq->retry_count &&
+ test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
+ __set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
+ set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
+ }
+ } else if (test_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags)) {
__set_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
set_bit(NETFS_RREQ_NEED_RETRY, &rreq->flags);
} else {
diff --git a/fs/netfs/read_retry.c b/fs/netfs/read_retry.c
index 0350592ea804..0e72e9226fc8 100644
--- a/fs/netfs/read_retry.c
+++ b/fs/netfs/read_retry.c
@@ -56,6 +56,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
if (test_bit(NETFS_SREQ_FAILED, &subreq->flags))
break;
if (__test_and_clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags)) {
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ subreq->retry_count++;
netfs_reset_iter(subreq);
netfs_reissue_read(rreq, subreq);
}
@@ -137,7 +139,8 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
stream0->sreq_max_len = subreq->len;
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
+ subreq->retry_count++;
spin_lock_bh(&rreq->lock);
list_add_tail(&subreq->rreq_link, &rreq->subrequests);
@@ -213,7 +216,6 @@ static void netfs_retry_read_subrequests(struct netfs_io_request *rreq)
subreq->error = -ENOMEM;
__clear_bit(NETFS_SREQ_FAILED, &subreq->flags);
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __clear_bit(NETFS_SREQ_RETRYING, &subreq->flags);
}
spin_lock_bh(&rreq->lock);
list_splice_tail_init(&queue, &rreq->subrequests);
diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c
index 82290c92ba7a..ca3a11ed9b54 100644
--- a/fs/netfs/write_collect.c
+++ b/fs/netfs/write_collect.c
@@ -179,7 +179,6 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
struct iov_iter source = subreq->io_iter;
iov_iter_revert(&source, subreq->len - source.count);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
netfs_reissue_write(stream, subreq, &source);
}
@@ -234,7 +233,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
/* Renegotiate max_len (wsize) */
trace_netfs_sreq(subreq, netfs_sreq_trace_retry);
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ subreq->retry_count++;
stream->prepare_write(subreq);
part = min(len, stream->sreq_max_len);
@@ -279,7 +278,7 @@ static void netfs_retry_write_stream(struct netfs_io_request *wreq,
subreq->start = start;
subreq->debug_index = atomic_inc_return(&wreq->subreq_counter);
subreq->stream_nr = to->stream_nr;
- __set_bit(NETFS_SREQ_RETRYING, &subreq->flags);
+ subreq->retry_count = 1;
trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
refcount_read(&subreq->ref),
diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c
index bf6d507578e5..ff0e82505a0b 100644
--- a/fs/netfs/write_issue.c
+++ b/fs/netfs/write_issue.c
@@ -244,6 +244,8 @@ void netfs_reissue_write(struct netfs_io_stream *stream,
iov_iter_advance(source, size);
iov_iter_truncate(&subreq->io_iter, size);
+ subreq->retry_count++;
+ __clear_bit(NETFS_SREQ_MADE_PROGRESS, &subreq->flags);
__set_bit(NETFS_SREQ_IN_PROGRESS, &subreq->flags);
netfs_do_issue_write(stream, subreq);
}
diff --git a/fs/smb/client/cifssmb.c b/fs/smb/client/cifssmb.c
index bd42a419458e..6cb1e81993f8 100644
--- a/fs/smb/client/cifssmb.c
+++ b/fs/smb/client/cifssmb.c
@@ -1319,14 +1319,16 @@ cifs_readv_callback(struct mid_q_entry *mid)
}
if (rdata->result == -ENODATA) {
- __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
} else {
size_t trans = rdata->subreq.transferred + rdata->got_bytes;
if (trans < rdata->subreq.len &&
rdata->subreq.start + trans == ictx->remote_i_size) {
- __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
+ __set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
+ } else if (rdata->got_bytes > 0) {
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
}
}
@@ -1670,10 +1672,13 @@ cifs_writev_callback(struct mid_q_entry *mid)
if (written > wdata->subreq.len)
written &= 0xFFFF;
- if (written < wdata->subreq.len)
+ if (written < wdata->subreq.len) {
result = -ENOSPC;
- else
+ } else {
result = written;
+ if (written > 0)
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
+ }
break;
case MID_REQUEST_SUBMITTED:
case MID_RETRY_NEEDED:
diff --git a/fs/smb/client/smb2pdu.c b/fs/smb/client/smb2pdu.c
index 010eae9d6c47..458b53d1f9cb 100644
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4615,6 +4615,7 @@ smb2_readv_callback(struct mid_q_entry *mid)
__set_bit(NETFS_SREQ_HIT_EOF, &rdata->subreq.flags);
rdata->result = 0;
}
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &rdata->subreq.flags);
}
trace_smb3_rw_credits(rreq_debug_id, subreq_debug_index, rdata->credits.value,
server->credits, server->in_flight,
@@ -4840,10 +4841,12 @@ smb2_writev_callback(struct mid_q_entry *mid)
if (written > wdata->subreq.len)
written &= 0xFFFF;
- if (written < wdata->subreq.len)
+ if (written < wdata->subreq.len) {
wdata->result = -ENOSPC;
- else
+ } else if (written > 0) {
wdata->subreq.len = written;
+ __set_bit(NETFS_SREQ_MADE_PROGRESS, &wdata->subreq.flags);
+ }
break;
case MID_REQUEST_SUBMITTED:
case MID_RETRY_NEEDED:
@@ -5012,7 +5015,7 @@ smb2_async_writev(struct cifs_io_subrequest *wdata)
}
#endif
- if (test_bit(NETFS_SREQ_RETRYING, &wdata->subreq.flags))
+ if (wdata->subreq.retry_count > 0)
smb2_set_replay(server, &rqst);
cifs_dbg(FYI, "async write at %llu %u bytes iter=%zx\n",
diff --git a/include/linux/netfs.h b/include/linux/netfs.h
index 5eaceef41e6c..4083d77e3f39 100644
--- a/include/linux/netfs.h
+++ b/include/linux/netfs.h
@@ -185,6 +185,7 @@ struct netfs_io_subrequest {
short error; /* 0 or error that occurred */
unsigned short debug_index; /* Index in list (for debugging output) */
unsigned int nr_segs; /* Number of segs in io_iter */
+ u8 retry_count; /* The number of retries (0 on initial pass) */
enum netfs_io_source source; /* Where to read from/write to */
unsigned char stream_nr; /* I/O stream this belongs to */
unsigned char curr_folioq_slot; /* Folio currently being read */
@@ -194,14 +195,13 @@ struct netfs_io_subrequest {
#define NETFS_SREQ_COPY_TO_CACHE 0 /* Set if should copy the data to the cache */
#define NETFS_SREQ_CLEAR_TAIL 1 /* Set if the rest of the read should be cleared */
#define NETFS_SREQ_SEEK_DATA_READ 3 /* Set if ->read() should SEEK_DATA first */
-#define NETFS_SREQ_NO_PROGRESS 4 /* Set if we didn't manage to read any data */
+#define NETFS_SREQ_MADE_PROGRESS 4 /* Set if we transferred at least some data */
#define NETFS_SREQ_ONDEMAND 5 /* Set if it's from on-demand read mode */
#define NETFS_SREQ_BOUNDARY 6 /* Set if ends on hard boundary (eg. ceph object) */
#define NETFS_SREQ_HIT_EOF 7 /* Set if short due to EOF */
#define NETFS_SREQ_IN_PROGRESS 8 /* Unlocked when the subrequest completes */
#define NETFS_SREQ_NEED_RETRY 9 /* Set if the filesystem requests a retry */
-#define NETFS_SREQ_RETRYING 10 /* Set if we're retrying */
-#define NETFS_SREQ_FAILED 11 /* Set if the subreq failed unretryably */
+#define NETFS_SREQ_FAILED 10 /* Set if the subreq failed unretryably */
};
enum netfs_io_origin {
^ permalink raw reply [flat|nested] 10+ messages in thread
* Re: [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open
2024-12-09 15:29 ` David Howells
@ 2024-12-09 15:48 ` syzbot
0 siblings, 0 replies; 10+ messages in thread
From: syzbot @ 2024-12-09 15:48 UTC (permalink / raw)
To: akpm, asmadeus, dhowells, ericvh, linux-kernel, linux-mm,
linux_oss, lucho, syzkaller-bugs, v9fs
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
Tested-by: syzbot+885c03ad650731743489@syzkaller.appspotmail.com
Tested on:
commit: fac04efc Linux 6.13-rc2
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=13ee54df980000
kernel config: https://syzkaller.appspot.com/x/.config?x=b041310d53c18b96
dashboard link: https://syzkaller.appspot.com/bug?extid=885c03ad650731743489
compiler: gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch: https://syzkaller.appspot.com/x/patch.diff?x=14f654df980000
Note: testing is done by a robot and is best-effort only.
^ permalink raw reply [flat|nested] 10+ messages in thread
end of thread, other threads:[~2024-12-09 15:48 UTC | newest]
Thread overview: 10+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
[not found] <6731d39c.050a0220.1fb99c.014e.GAE@google.com>
2024-11-17 1:38 ` [syzbot] [mm?] [v9fs?] BUG: stack guard page was hit in sys_open syzbot
2024-11-17 1:45 ` asmadeus
2024-11-18 16:23 ` David Howells
2024-11-18 16:36 ` syzbot
2024-11-18 17:23 ` David Howells
2024-11-18 17:41 ` syzbot
2024-12-09 15:06 ` David Howells
2024-12-09 15:07 ` syzbot
2024-12-09 15:29 ` David Howells
2024-12-09 15:48 ` syzbot
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox