From: Hillf Danton <hdanton@sina.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: syzbot <syzbot+8c7a4ca1cc31b7ce7070@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org, dan.j.williams@intel.com, hch@lst.de,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-mm@kvack.org, syzkaller-bugs@googlegroups.com,
	willy@infradead.org
Subject: Re: [syzbot] WARNING in iov_iter_revert (3)
Date: Tue, 29 Nov 2022 17:08:31 +0800
Message-ID: <20221129090831.6281-1-hdanton@sina.com>
In-Reply-To: <Y4WE08+n1sZvSt4M@ZenIV>

On 29 Nov 2022 04:04:35 +0000 Al Viro <viro@zeniv.linux.org.uk>
> On Mon, Nov 28, 2022 at 02:57:49PM -0800, syzbot wrote:
> > syzbot has found a reproducer for the following issue on:
> 
> [snip]
> 
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17219fbb880000
> 
> "syz_mount_image$ntfs3(" followed by arseloads of garbage.  And the thing
> conspicuously missing?  Why, any ntfs3 maintainers in Cc...  Or lists,
> for that matter...
> 
> >  generic_file_read_iter+0x3d4/0x540 mm/filemap.c:2804
> >  do_iter_read+0x6e3/0xc10 fs/read_write.c:796
> >  vfs_readv fs/read_write.c:916 [inline]
> >  do_preadv+0x1f4/0x330 fs/read_write.c:1008
> >  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> >  do_syscall_64+0x3d/0xb0 arch/x86/entry/common.c:80
> >  entry_SYSCALL_64_after_hwframe+0x63/0xcd
> 
> At a guess - something's screwed in ntfs3 ->direct_IO() (return value, most
> likely).

2798		retval = mapping->a_ops->direct_IO(iocb, iter);
2799		if (retval >= 0) {
2800		        iocb->ki_pos += retval;
2801		        count -= retval;
2802		}
2803		if (retval != -EIOCBQUEUED)
2804		        iov_iter_revert(iter, count - iov_iter_count(iter));
2805		
2806		/*
2807		 * Btrfs can have a short DIO read if we encounter
2808		 * compressed extents, so if there was an error, or if
2809		 * we've already read everything we wanted to, or if
2810		 * there was a short read because we hit EOF, go ahead
2811		 * and return.  Otherwise fallthrough to buffered io for
2812		 * the rest of the read.  Buffered reads will not work for
2813		 * DAX files, so don't bother trying.
2814		 */
2815		if (retval < 0 || !count || IS_DAX(inode))
2816		        return retval;
2817		if (iocb->ki_pos >= i_size_read(inode))
2818		        return retval;


If ntfs3 is supposed to do nothing wrong with retval set to 5, why is
iov_iter_revert() invoked? Is it correct to check -EIOCBQUEUED only if
the direct_IO callback returns error?

Hillf
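
Added example, not part of the original message or of the kernel source: a userspace C model of the arithmetic in the quoted lines 2798-2804, showing which combinations of ->direct_IO() return value and iterator consumption make the revert a no-op, a normal unroll, or a wrapped value that fails a bounds check. The `unroll > MAX_RW_COUNT` check inside iov_iter_revert(), the 4 KiB page size, and all sample values are assumptions here, since the message does not quote that function.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Assumptions (not quoted in the message): 4 KiB pages, and the kernel's
 * MAX_RW_COUNT = INT_MAX & PAGE_MASK bound checked by iov_iter_revert(). */
#define MODEL_PAGE_SIZE    4096UL
#define MODEL_MAX_RW_COUNT ((size_t)INT_MAX & ~(MODEL_PAGE_SIZE - 1))
#define MODEL_EIOCBQUEUED  529 /* kernel-internal errno, include/linux/errno.h */

enum revert_outcome { REVERT_SKIPPED, REVERT_NOOP, REVERT_OK, REVERT_WARN };

/* Model of quoted lines 2798-2804: count = bytes requested, retval = what
 * ->direct_IO() returned, iter_left = iov_iter_count() after it returned. */
static enum revert_outcome model_dio_revert(size_t count, ssize_t retval,
                                            size_t iter_left, size_t *unroll)
{
    if (retval >= 0)
        count -= (size_t)retval;
    if (retval == -MODEL_EIOCBQUEUED)
        return REVERT_SKIPPED;          /* async I/O still owns the iterator */
    *unroll = count - iter_left;        /* size_t: wraps if iter_left > count */
    if (*unroll == 0)
        return REVERT_NOOP;             /* iterator advanced exactly retval */
    if (*unroll > MODEL_MAX_RW_COUNT)
        return REVERT_WARN;             /* modelled WARN_ON() in the revert */
    return REVERT_OK;
}

int main(void)
{
    /* Constructed cases for a 4096-byte read; not taken from the syzbot log. */
    struct { ssize_t retval; size_t left; const char *what; } c[] = {
        {    5, 4091, "returns 5, iterator advanced by 5" },
        {   -5, 4000, "returns -EIO after consuming 96 bytes" },
        {    5, 4096, "returns 5, iterator not advanced" },
        { -MODEL_EIOCBQUEUED, 4096, "returns -EIOCBQUEUED" },
    };
    static const char *name[] = { "skipped", "no-op", "unroll", "WARN" };
    for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++) {
        size_t unroll = 0;
        enum revert_outcome o = model_dio_revert(4096, c[i].retval, c[i].left, &unroll);
        printf("%-40s -> %-7s (unroll=%zu)\n", c[i].what, name[o], unroll);
    }
    return 0;
}
```

In this model a non-negative return value only reaches the bounds check when the iterator has been advanced by less than the callback reported, because the unsigned subtraction then wraps.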

