All of lore.kernel.org
 help / color / mirror / Atom feed
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Cc: syzbot <syzbot+61acc40a49a3e46e25ea@syzkaller.appspotmail.com>,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: splice: infinite busy loop lockup bug
Date: Fri, 7 Aug 2020 19:35:08 +0900	[thread overview]
Message-ID: <29de15ff-15e9-5c52-cf87-e0ebdfa1a001@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <00000000000084b59f05abe928ee@google.com>

syzbot is reporting hung task at pipe_release() [1], for for_each_bvec() from
iterate_bvec() from iterate_all_kinds() from iov_iter_alignment() from
ext4_unaligned_io() from ext4_dio_write_iter() from ext4_file_write_iter() from
call_write_iter() from do_iter_readv_writev() from do_iter_write() from
vfs_iter_write() from iter_file_splice_write() falls into infinite busy loop
with pipe->mutex held.

The reason of falling into infinite busy loop is that iter_file_splice_write()
for some reason generates "struct bio_vec" entry with .bv_len=0 and .bv_offset=0
while for_each_bvec() cannot handle .bv_len == 0.

--- a/fs/splice.c
+++ b/fs/splice.c
@@ -747,6 +747,14 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
 		}
 
 		iov_iter_bvec(&from, WRITE, array, n, sd.total_len - left);
+		if (!strncmp(current->comm, "syz-executor", 12)) {
+			int i;
+			printk("Starting vfs_write_iter from.type=%d from.iov_offset=%zu from.count=%zu n=%u sd.total_len=%zu left=%zu\n",
+			       from.type, from.iov_offset, from.count, n, sd.total_len, left);
+			for (i = 0; i < n; i++)
+				printk("  array[%u]: bv_page=%px bv_len=%u bv_offset=%u\n",
+				       i, array[i].bv_page, array[i].bv_len, array[i].bv_offset);
+		}
 		ret = vfs_iter_write(out, &from, &sd.pos, 0);
 		if (ret <= 0)
 			break;

When splice() from pipe to file works.

[   31.704915][ T6552] Starting vfs_write_iter from.type=17 from.iov_offset=0 from.count=4096 n=1 sd.total_len=65504 left=61408
[   31.709098][ T6552]   array[0]: bv_page=ffffea000870a7c0 bv_len=4096 bv_offset=0

When splice() from pipe to file falls into infinite busy loop.

[   31.717178][ T6553] Starting vfs_write_iter from.type=17 from.iov_offset=0 from.count=4096 n=2 sd.total_len=65504 left=61408
[   31.720983][ T6553]   array[0]: bv_page=ffffea0008706680 bv_len=0 bv_offset=0
[   31.723565][ T6553]   array[1]: bv_page=ffffea00086f4e80 bv_len=4096 bv_offset=0

Is it normal behavior that an empty page is linked to pipe's array?
If yes, don't we need to skip empty pages when iter_file_splice_write() fills in "struct bio_vec *array" ?

[1] https://syzkaller.appspot.com/bug?id=2ccac875e85dc852911a0b5b788ada82dc0a081e


  reply	other threads:[~2020-08-07 10:35 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-02 18:26 INFO: task hung in pipe_release (2) syzbot
2020-08-07 10:35 ` Tetsuo Handa [this message]
2020-08-07 12:27   ` splice: infinite busy loop lockup bug Al Viro
2020-08-07 12:34     ` Tetsuo Handa
2020-09-01  0:51       ` Qian Cai
2020-09-01  1:09         ` Al Viro
2020-09-01  1:47           ` Qian Cai
2020-09-01  3:32           ` Qian Cai
2020-09-01  4:07             ` Al Viro
2020-09-01  1:10         ` Ming Lei
2020-09-01 14:22           ` Qian Cai
2020-08-07 12:38     ` Al Viro
2020-08-07 13:41       ` Ming Lei
2020-08-07 14:11         ` Matthew Wilcox
2020-08-07 15:11           ` Tetsuo Handa
2020-08-09  2:31           ` Ming Lei
2020-08-09  2:49             ` Ming Lei
2020-08-07 14:17         ` Tetsuo Handa
2020-08-13  3:57 ` INFO: task hung in pipe_release (2) syzbot
2020-08-13  3:57   ` syzbot
2020-08-13  3:57   ` syzbot
2020-08-13  3:57   ` syzbot

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=29de15ff-15e9-5c52-cf87-e0ebdfa1a001@I-love.SAKURA.ne.jp \
    --to=penguin-kernel@i-love.sakura.ne.jp \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=syzbot+61acc40a49a3e46e25ea@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.