Date: Thu, 26 Sep 2024 10:20:44 +0800
From: Oliver Sang
To: David Howells
CC: Linux Memory Management List, Christian Brauner, Jeff Layton
Subject: Re: [linux-next:master] [netfs] a05b682d49: BUG:KASAN:slab-use-after-free_in_copy_from_iter
References: <202409131438.3f225fbf-oliver.sang@intel.com> <1191933.1727214450@warthog.procyon.org.uk>
In-Reply-To: <1191933.1727214450@warthog.procyon.org.uk>

hi, David,

On Tue, Sep 24, 2024 at 10:47:30PM +0100, David Howells wrote:
> Does the attached fix the problem?

yes, as I've replied in
https://lore.kernel.org/all/ZvTD2t5s8lwQyphN@xsang-OptiPlex-9020/

thanks!

>
> David
> ---
> netfs: Fix write oops in generic/346 (9p) and maybe generic/074 (cifs)
>
> In netfslib, a buffered writeback operation has a 'write queue' of folios
> that are being written, held in a linear sequence of folio_queue structs.
> The 'issuer' adds new folio_queues on the leading edge of the queue and
> populates each one progressively; the 'collector' pops them off the
> trailing edge and discards them and the folios they point to as they are
> consumed.
>
> The queue is required to always retain at least one folio_queue structure.
> This allows the queue to be accessed without locking and with just a bit of
> barriering.
>
> When a new subrequest is prepared, its ->io_iter iterator is pointed at the
> current end of the write queue and then the iterator is extended as more
> data is added to the queue until the subrequest is committed.
>
> Now, the problem is that the folio_queue at the leading edge of the write
> queue when a subrequest is prepared might have been entirely consumed - but
> not yet removed from the queue as it is the only remaining one and is
> preventing the queue from collapsing.
>
> So, what happens is that subreq->io_iter is pointed at the spent
> folio_queue, then a new folio_queue is added, and, at that point, the
> collector is entirely at liberty to immediately delete the spent
> folio_queue.
>
> This leaves the subreq->io_iter pointing at a freed object. If the system
> is lucky, iterate_folioq() sees ->io_iter, sees the as-yet uncorrupted
> freed object and advances to the next folio_queue in the queue.
>
> In the case seen, however, the freed object gets recycled and put back onto
> the queue at the tail and filled to the end. This confuses
> iterate_folioq() and it tries to step ->next, which may be NULL - resulting
> in an oops.
>
> Fix this by the following means:
>
>  (1) When preparing a write subrequest, make sure there's a folio_queue
>      struct with space in it at the leading edge of the queue. A function
>      to make space is split out of the function to append a folio so that
>      it can be called for this purpose.
>
>  (2) If the request struct iterator is pointing to a completely spent
>      folio_queue when we make space, then advance the iterator to the newly
>      allocated folio_queue. The subrequest's iterator will then be set
>      from this.
>
> Whilst we're at it, also split out the function to allocate a folio_queue,
> initialise it and do the accounting.
>
> The oops could be triggered using the generic/346 xfstest with a filesystem
> on 9P over TCP with cache=loose. The oops looked something like:
>
>  BUG: kernel NULL pointer dereference, address: 0000000000000008
>  #PF: supervisor read access in kernel mode
>  #PF: error_code(0x0000) - not-present page
>  ...
>  RIP: 0010:_copy_from_iter+0x2db/0x530
>  ...
>  Call Trace:
>
>  ...
>   p9pdu_vwritef+0x3d8/0x5d0
>   p9_client_prepare_req+0xa8/0x140
>   p9_client_rpc+0x81/0x280
>   p9_client_write+0xcf/0x1c0
>   v9fs_issue_write+0x87/0xc0
>   netfs_advance_write+0xa0/0xb0
>   netfs_write_folio.isra.0+0x42d/0x500
>   netfs_writepages+0x15a/0x1f0
>   do_writepages+0xd1/0x220
>   filemap_fdatawrite_wbc+0x5c/0x80
>   v9fs_mmap_vm_close+0x7d/0xb0
>   remove_vma+0x35/0x70
>   vms_complete_munmap_vmas+0x11a/0x170
>   do_vmi_align_munmap+0x17d/0x1c0
>   do_vmi_munmap+0x13e/0x150
>   __vm_munmap+0x92/0xd0
>   __x64_sys_munmap+0x17/0x20
>   do_syscall_64+0x80/0xe0
>   entry_SYSCALL_64_after_hwframe+0x71/0x79
>
> This may also fix a similar-looking issue with cifs and generic/074.
>
> | Reported-by: kernel test robot
> | Closes: https://lore.kernel.org/oe-lkp/202409180928.f20b5a08-oliver.sang@intel.com
>
> Signed-off-by: David Howells
> cc: Eric Van Hensbergen
> cc: Latchesar Ionkov
> cc: Dominique Martinet
> cc: Christian Schoenebeck
> cc: Steve French
> cc: Paulo Alcantara
> cc: Jeff Layton
> cc: v9fs@lists.linux.dev
> cc: linux-cifs@vger.kernel.org
> cc: netfs@lists.linux.dev
> cc: linux-fsdevel@vger.kernel.org
> ---
>  fs/netfs/internal.h    |  2 +
>  fs/netfs/misc.c        | 72 ++++++++++++++++++++++++++++++++++---------------
>  fs/netfs/objects.c     | 12 ++++++++
>  fs/netfs/write_issue.c | 12 +++++++-
>  4 files changed, 76 insertions(+), 22 deletions(-)
>
> diff --git a/fs/netfs/internal.h b/fs/netfs/internal.h > index c7f23dd3556a..79c0ad89affb 100644 > --- a/fs/netfs/internal.h > +++ b/fs/netfs/internal.h
> @@ -58,6 +58,7 @@ static inline void netfs_proc_del_rreq(struct netfs_io_request *rreq) {} > /* > * misc.c > */ > +struct folio_queue *netfs_buffer_make_space(struct netfs_io_request *rreq); > int netfs_buffer_append_folio(struct netfs_io_request *rreq, struct folio *folio, > bool needs_put); > struct folio_queue *netfs_delete_buffer_head(struct netfs_io_request *wreq); > @@ -76,6 +77,7 @@ void netfs_clear_subrequests(struct netfs_io_request *rreq, bool was_async); > void netfs_put_request(struct netfs_io_request *rreq, bool was_async, > enum netfs_rreq_ref_trace what); > struct netfs_io_subrequest *netfs_alloc_subrequest(struct netfs_io_request *rreq); > +struct folio_queue *netfs_folioq_alloc(struct netfs_io_request *rreq, gfp_t gfp); > > static inline void netfs_see_request(struct netfs_io_request *rreq, > enum netfs_rreq_ref_trace what) > diff --git a/fs/netfs/misc.c b/fs/netfs/misc.c > index 0ad0982ce0e2..a743e8963247 100644 > --- a/fs/netfs/misc.c > +++ b/fs/netfs/misc.c 
> @@ -9,34 +9,64 @@ > #include "internal.h" > > /* > - * Append a folio to the rolling queue. > + * Make sure there's space in the rolling queue. > */ > -int netfs_buffer_append_folio(struct netfs_io_request *rreq, struct folio *folio, > - bool needs_put) > +struct folio_queue *netfs_buffer_make_space(struct netfs_io_request *rreq) > { > - struct folio_queue *tail = rreq->buffer_tail; > - unsigned int slot, order = folio_order(folio); > + struct folio_queue *tail = rreq->buffer_tail, *prev; > + unsigned int prev_nr_slots = 0; > > if (WARN_ON_ONCE(!rreq->buffer && tail) || > WARN_ON_ONCE(rreq->buffer && !tail)) > - return -EIO; > - > - if (!tail || folioq_full(tail)) { > - tail = kmalloc(sizeof(*tail), GFP_NOFS); > - if (!tail) > - return -ENOMEM; > - netfs_stat(&netfs_n_folioq); > - folioq_init(tail); > - tail->prev = rreq->buffer_tail; > - if (tail->prev) > - tail->prev->next = tail; > - rreq->buffer_tail = tail; > - if (!rreq->buffer) { > - rreq->buffer = tail; > - iov_iter_folio_queue(&rreq->io_iter, ITER_SOURCE, tail, 0, 0, 0); > + return ERR_PTR(-EIO); > + > + prev = tail; > + if (prev) { > + if (!folioq_full(tail)) > + return tail; > + prev_nr_slots = folioq_nr_slots(tail); > + } > + > + tail = netfs_folioq_alloc(rreq, GFP_NOFS); > + if (!tail) > + return ERR_PTR(-ENOMEM); > + tail->prev = prev; > + if (prev) > + /* [!] NOTE: After we set prev->next, the consumer is entirely > + * at liberty to delete prev. > + */ > + WRITE_ONCE(prev->next, tail); > + > + rreq->buffer_tail = tail; > + if (!rreq->buffer) { > + rreq->buffer = tail; > + iov_iter_folio_queue(&rreq->io_iter, ITER_SOURCE, tail, 0, 0, 0); > + } else { > + /* Make sure we don't leave the master iterator pointing to a > + * block that might get immediately consumed. 
> + */ > + if (rreq->io_iter.folioq == prev && > + rreq->io_iter.folioq_slot == prev_nr_slots) { > + rreq->io_iter.folioq = tail; > + rreq->io_iter.folioq_slot = 0; > } > - rreq->buffer_tail_slot = 0; > } > + rreq->buffer_tail_slot = 0; > + return tail; > +} > + > +/* > + * Append a folio to the rolling queue. > + */ > +int netfs_buffer_append_folio(struct netfs_io_request *rreq, struct folio *folio, > + bool needs_put) > +{ > + struct folio_queue *tail; > + unsigned int slot, order = folio_order(folio); > + > + tail = netfs_buffer_make_space(rreq); > + if (IS_ERR(tail)) > + return PTR_ERR(tail); > > rreq->io_iter.count += PAGE_SIZE << order; > > diff --git a/fs/netfs/objects.c b/fs/netfs/objects.c > index d32964e8ca5d..dd8241bc996b 100644 > --- a/fs/netfs/objects.c > +++ b/fs/netfs/objects.c > @@ -250,3 +250,15 @@ void netfs_put_subrequest(struct netfs_io_subrequest *subreq, bool was_async, > if (dead) > netfs_free_subrequest(subreq, was_async); > } > + > +struct folio_queue *netfs_folioq_alloc(struct netfs_io_request *rreq, gfp_t gfp) > +{ > + struct folio_queue *fq; > + > + fq = kmalloc(sizeof(*fq), gfp); > + if (fq) { > + netfs_stat(&netfs_n_folioq); > + folioq_init(fq); > + } > + return fq; > +} > diff --git a/fs/netfs/write_issue.c b/fs/netfs/write_issue.c > index 04e66d587f77..0929d9fd4ce7 100644 > --- a/fs/netfs/write_issue.c > +++ b/fs/netfs/write_issue.c 
> @@ -153,12 +153,22 @@ static void netfs_prepare_write(struct netfs_io_request *wreq, > loff_t start) > { > struct netfs_io_subrequest *subreq; > + struct iov_iter *wreq_iter = &wreq->io_iter; > + > + /* Make sure we don't point the iterator at a used-up folio_queue > + * struct being used as a placeholder to prevent the queue from > + * collapsing. In such a case, extend the queue. > + */ > + if (iov_iter_is_folioq(wreq_iter) && > + wreq_iter->folioq_slot >= folioq_nr_slots(wreq_iter->folioq)) { > + netfs_buffer_make_space(wreq); > + } > > subreq = netfs_alloc_subrequest(wreq); > subreq->source = stream->source; > subreq->start = start; > subreq->stream_nr = stream->stream_nr; > - subreq->io_iter = wreq->io_iter; > + subreq->io_iter = *wreq_iter; > > _enter("R=%x[%x]", wreq->debug_id, subreq->debug_index); >
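
Review bot: in netfs_buffer_make_space() (fs/netfs/misc.c), the new tail is published with WRITE_ONCE(prev->next, tail), which by itself does not order the earlier stores that initialise the node (folioq_init() inside netfs_folioq_alloc() and tail->prev = prev). The comment directly above says the consumer may act as soon as prev->next is set, so unless a barrier exists outside the lines shown, a weakly ordered CPU could follow the pointer before those stores are visible; smp_store_release() here, paired with an acquire load on the collector side, would make the ordering explicit. The multi-line comment plus statement under "if (prev)" would also read better inside braces.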
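
Review bot: netfs_folioq_alloc() (fs/netfs/objects.c) never uses its rreq parameter in the body shown, and it carries no comment although the helper added to misc.c has one. Either drop the parameter or add a short comment saying why it is kept, and state there that failure is reported as NULL, whereas netfs_buffer_make_space() reports failure with ERR_PTR(); both conventions are now declared side by side in internal.h.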
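
Review bot: in netfs_prepare_write() (fs/netfs/write_issue.c), the return value of netfs_buffer_make_space(wreq) is discarded, although that function returns ERR_PTR(-ENOMEM) or ERR_PTR(-EIO) on failure. If the allocation fails, wreq_iter still points at the used-up folio_queue and "subreq->io_iter = *wreq_iter;" copies exactly the position this block is meant to avoid. Since the function returns void, consider checking IS_ERR() and failing the request instead of carrying on. The braces around the single-statement if body can also be dropped.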
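
The stale-iterator hazard described in the commit message above, as an added single-threaded user-space model; it is not part of the original mail and not kernel code. All names (struct fq, NR_SLOTS, make_space(), collect(), stale_after_race()) are assumptions for illustration, and deleted nodes are tombstoned rather than freed so that the check stays well defined.

```c
/* Constructed user-space model of the netfs write queue; not kernel code. */
#include <stdlib.h>
#define NR_SLOTS 4              /* hypothetical; stands in for folioq_nr_slots() */

struct fq {                     /* stand-in for struct folio_queue */
    struct fq *next;
    int filled;                 /* slots populated by the issuer */
    int dead;                   /* tombstone in place of kfree(), keeps the check defined */
};
struct iter { struct fq *fq; int slot; };       /* stand-in for a folioq iov_iter */
struct req { struct fq *head, *tail; struct iter io_iter; };

/* Issuer: guarantee a tail node with a free slot (steps 1 and 2 of the fix). */
static struct fq *make_space(struct req *r)
{
    struct fq *prev = r->tail, *n;
    if (prev && prev->filled < NR_SLOTS)
        return prev;
    if (!(n = calloc(1, sizeof(*n))))
        return NULL;
    if (prev)
        prev->next = n;         /* from here on the collector may delete prev */
    r->tail = n;
    if (!r->head || (r->io_iter.fq == prev && r->io_iter.slot == NR_SLOTS))
        r->io_iter = (struct iter){ n, 0 };     /* never rest on a spent node */
    if (!r->head)
        r->head = n;
    return n;
}

static void append_folio(struct req *r)
{
    struct fq *t = make_space(r);
    if (t)
        t->filled++;
}

/* Collector: treat filled slots as consumed; drop spent nodes, always keep one. */
static void collect(struct req *r)
{
    for (struct fq *h = r->head; h; h = r->head) {
        if (h->filled < NR_SLOTS || !h->next)
            break;
        h->dead = 1;
        r->head = h->next;
    }
}

/* Returns 1 if the subrequest iterator ends up on a deleted node, 0 if not. */
static int stale_after_race(int fixed)
{
    struct req r = { NULL, NULL, { NULL, 0 } };
    struct iter sub;
    for (int i = 0; i < NR_SLOTS; i++)
        append_folio(&r);
    if (!r.head)
        return -1;              /* allocation failed */
    r.io_iter.slot = NR_SLOTS;  /* everything issued ... */
    collect(&r);                /* ... and consumed; node stays as a placeholder */
    if (fixed && r.io_iter.slot >= NR_SLOTS)
        make_space(&r);         /* the check added to netfs_prepare_write() */
    sub = r.io_iter;            /* subreq->io_iter = wreq->io_iter */
    append_folio(&r);           /* issuer extends the queue */
    collect(&r);                /* collector deletes the spent node */
    return sub.fq->dead;        /* nodes are leaked on purpose in this demo */
}

int main(void) { return !(stale_after_race(0) == 1 && stale_after_race(1) == 0); }
```

Built with any C99 compiler, the program exits 0 when the unfixed ordering leaves the snapshot on a deleted node and the fixed ordering does not.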