linux-mm.kvack.org archive mirror
From: Tong Tiangen <tongtiangen@huawei.com>
To: Linus Torvalds <torvalds@linux-foundation.org>,
	Alexander Viro <viro@zeniv.linux.org.uk>
Cc: David Howells <dhowells@redhat.com>, Jens Axboe <axboe@kernel.dk>,
	Al Viro <viro@zeniv.linux.org.uk>, Christoph Hellwig <hch@lst.de>,
	Christian Brauner <christian@brauner.io>,
	David Laight <David.Laight@aculab.com>,
	Matthew Wilcox <willy@infradead.org>,
	Jeff Layton <jlayton@kernel.org>, <linux-fsdevel@vger.kernel.org>,
	<linux-block@vger.kernel.org>, <linux-mm@kvack.org>,
	<netdev@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	Kefeng Wang <wangkefeng.wang@huawei.com>
Subject: Re: [bug report] dead loop in generic_perform_write() //Re: [PATCH v7 07/12] iov_iter: Convert iterate*() to inline funcs
Date: Thu, 29 Feb 2024 16:13:18 +0800
Message-ID: <e985429e-5fc4-a175-0564-5bb4ca8f662c@huawei.com>
In-Reply-To: <CAHk-=wjSjuDrS9gc191PTEDDow7vHy6Kd3DKDaG+KVH0NQ3v=w@mail.gmail.com>



On 2024/2/29 6:57, Linus Torvalds wrote:
> On Wed, 28 Feb 2024 at 13:21, Linus Torvalds
> <torvalds@linux-foundation.org> wrote:
>>
>> Hmm. If the copy doesn't succeed and make any progress at all, then
>> the code in generic_perform_write() after the "goto again"
>>
>>                  //[4]
>>                  if (unlikely(fault_in_iov_iter_readable(i, bytes) ==
>>                                bytes)) {
>>
>> should break out of the loop.
> 
> Ahh. I see the problem. Or at least part of it.
> 
> The iter is an ITER_BVEC.
> 
> And fault_in_iov_iter_readable() "knows" that an ITER_BVEC cannot
> fail. Because obviously it's a kernel address, so no user page fault.
> 
> But for the machine check case, ITER_BVEC very much can fail.
> 
> This should never have worked in the first place.
> 
> What a crock.
> 
> Do we need to make iterate_bvec() always succeed fully, and make
> copy_mc_to_kernel() zero out the end?
> 
>                     Linus
> .

Hi Linus:

Looking at the logic before this patch, success (((void)(K),0)) is always
returned for three types: ITER_BVEC, ITER_KVEC and ITER_XARRAY.

-------------------------------------------------------------------
   -#define __iterate_and_advance(i, n, base, len, off, I, K) {	\
   -	if (unlikely(i->count < n))				\
   -		n = i->count;					\
   -	if (likely(n)) {					\
   -		if (likely(iter_is_ubuf(i))) {			\
   			[...]					\
   -			iterate_buf(i, n, base, len, off,	\
   -						i->ubuf, (I)) 	\
   -		} else if (likely(iter_is_iovec(i))) {		\
			[...]					\
   -			iterate_iovec(i, n, base, len, off,	\
   -						iov, (I))	\
   -			i->nr_segs -= iov - iter_iov(i);	\
   -			i->__iov = iov;				\
   -		} else if (iov_iter_is_bvec(i)) {		\
			[...]					\
   -			iterate_bvec(i, n, base, len, off,	\
   -						bvec, (K))	\
   -			i->nr_segs -= bvec - i->bvec;		\
   -			i->bvec = bvec;				\
   -		} else if (iov_iter_is_kvec(i)) {		\
			[...]					\
   -			iterate_iovec(i, n, base, len, off,	\
   -						kvec, (K))	\
			[...]					\
   -		} else if (iov_iter_is_xarray(i)) {		\
			[...]					\
   -			iterate_xarray(i, n, base, len, off,	\
   -							(K))	\
   -		}						\
   -		i->count -= n;					\
   -	}							\
   -}
   -#define iterate_and_advance(i, n, base, len, off, I, K) \
   -	__iterate_and_advance(i, n, base, len, off, I, ((void)(K),0))
-------------------------------------------------------------------

Maybe we should fix it back? As follows:
-------------------------------------------------------------------
   --- a/include/linux/iov_iter.h
   +++ b/include/linux/iov_iter.h
   @@ -246,11 +246,11 @@ size_t iterate_and_advance2(struct iov_iter 
*iter, size_t len, void *priv,
           if (likely(iter_is_iovec(iter)))
                   return iterate_iovec(iter, len, priv, priv2, ustep);
           if (iov_iter_is_bvec(iter))
   -               return iterate_bvec(iter, len, priv, priv2, step);
   +               return iterate_bvec(iter, len, priv, priv2, ((void 
*)step, 0));
           if (iov_iter_is_kvec(iter))
   -               return iterate_kvec(iter, len, priv, priv2, step);
   +               return iterate_kvec(iter, len, priv, priv2, ((void 
*)step, 0));
           if (iov_iter_is_xarray(iter))
   -               return iterate_xarray(iter, len, priv, priv2, step);
   +               return iterate_xarray(iter, len, priv, priv2, ((void 
*)step, 0));
           return iterate_discard(iter, len, priv, priv2, step);
    }
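
Review bot: In the three replaced calls, `((void *)step, 0)` is a comma expression whose value is the right-hand 0, so `iterate_bvec()`, `iterate_kvec()` and `iterate_xarray()` receive a zero in the argument slot where `step` used to be passed, not a callback that runs and then reports success. The old `((void)(K),0)` worked only because `K` was pasted into the macro as an expression and evaluated in place. To get the same effect with the inline functions, pass a small wrapper step function that calls `step` and returns 0. Doing this in `iterate_and_advance2()` also hides short copies from every caller that uses a bvec, kvec or xarray iterator, not only the write path in this report, so the change needs a comment saying why that is acceptable.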

   diff --git a/lib/iov_iter.c b/lib/iov_iter.c
   index e0aa6b440ca5..fabd5b1b97c7 100644
   --- a/lib/iov_iter.c
   +++ b/lib/iov_iter.c
   @@ -257,7 +257,7 @@ static size_t __copy_from_iter_mc(void *addr, 
size_t bytes, struct iov_iter *i)
                   bytes = i->count;
           if (unlikely(!bytes))
                   return 0;
   -       return iterate_bvec(i, bytes, addr, NULL, memcpy_from_iter_mc);
   +       return iterate_bvec(i, bytes, addr, NULL, ((void 
*)memcpy_from_iter_mc, 0));
    }

    static __always_inline
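
Review bot: In `__copy_from_iter_mc()`, forcing the result of `memcpy_from_iter_mc` to 0 makes every segment count as fully copied even when the machine-check-safe copy stopped early, and nothing in this hunk zeroes the part of `addr` that was not written, which is the question Linus raises in the quoted text about zeroing out the end. As written, `((void *)memcpy_from_iter_mc, 0)` also evaluates to 0, so no step function is passed at all. Either keep the short-copy return and let the caller handle zero progress, or use a wrapper step that zero-fills the remainder before returning 0.
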
-------------------------------------------------------------------

Hi, maintainer Alexander, what do you think? :)

Thanks,
Tong.
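
The retry behaviour described in the quoted text, as a user-space model added here (not code from this thread or from the kernel). All `model_*` names are hypothetical, and the loop shape is a simplification assumed from the quoted description: the fault-in check at [4] is the only exit on failure, and it reports a bvec as always readable, so a copy that makes no progress retries without end.

```c
/* User-space model (added illustration, not kernel code); names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

enum model_kind { MODEL_UBUF, MODEL_BVEC };

struct model_iter {
    enum model_kind kind;
    size_t count;          /* bytes still to write */
    bool src_unreadable;   /* constructed: every read of the source fails */
};

/* Returns bytes NOT faulted in; a bvec is assumed always readable. */
static size_t model_fault_in(const struct model_iter *i, size_t bytes)
{
    if (i->kind == MODEL_BVEC)
        return 0;
    return i->src_unreadable ? bytes : 0;
}

/* Returns bytes copied; an unreadable source makes no progress. */
static size_t model_copy(struct model_iter *i, size_t bytes)
{
    if (i->src_unreadable)
        return 0;
    i->count -= bytes;
    return bytes;
}

/* Returns passes used, or -1 when max_passes runs out (the dead loop). */
int model_write_loop(struct model_iter *i, size_t chunk, int max_passes)
{
    int passes = 0;

    while (i->count) {
        size_t bytes = i->count < chunk ? i->count : chunk;
again:
        if (++passes > max_passes)
            return -1;
        if (model_fault_in(i, bytes) == bytes)
            return passes;      /* the check at [4] breaks out */
        if (model_copy(i, bytes) == 0)
            goto again;         /* zero progress: retry the same range */
    }
    return passes;
}
```

The `max_passes` bound exists only so the model terminates; it stands in for a watchdog observing the hang.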


