Re: null_handle_cmd() doesn't initialize data when reading

From: Bart Van Assche <bvanassche@acm.org>
To: Alexander Potapenko <glider@google.com>
Cc: Chaitanya Kulkarni <Chaitanya.Kulkarni@wdc.com>,
	Damien Le Moal <damien.lemoal@wdc.com>,
	Jens Axboe <axboe@kernel.dk>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	Willem de Bruijn <willemb@google.com>,
	Dmitriy Vyukov <dvyukov@google.com>
Subject: Re: null_handle_cmd() doesn't initialize data when reading
Date: Mon, 11 May 2020 16:18:59 -0700	[thread overview]
Message-ID: <55674c05-37dc-0646-af78-db4c3b112683@acm.org> (raw)
In-Reply-To: <CAG_fn=WQXuTuGmC8oQ25f6DYJ4CiMSz7_S7Nkp+z6L1QL7Zokw@mail.gmail.com>

On 2020-05-11 05:58, Alexander Potapenko wrote:
> On Sun, May 10, 2020 at 6:20 PM Bart Van Assche <bvanassche@acm.org> wrote:
>>
>> On 2020-05-10 03:03, Alexander Potapenko wrote:
>>> Thanks for the explanation!
>>> The code has changed recently, and my patch does not apply anymore,
>>> yet the problem still persists.
>>> I ended up just calling null_handle_rq() at the end of
>>> null_process_cmd(), but we probably need a cleaner fix.
>>
>> Does this (totally untested) patch help? copy_to_nullb() guarantees that
>> it will write some data to the pages that it allocates but does not
>> guarantee yet that all data of the pages it allocates is initialized.
> 
> No, this does not help. Apparently null_insert_page() is never called
> in this scenario.
> If I modify __page_cache_alloc() to allocate zero-initialized pages,
> the reports go away.
> This means there's no other uninitialized buffer that's copied to the
> page cache, the nullb driver just forgets to write anything to the
> page cache.

Hi Alexander,

I had misread the email at the start of this thread. My patch only
affects the "memory backed" mode while the email at the start of this
thread explains that the KMSAN report refers to the memory_backed == 0
mode. Anyway, can you give the patch below a try?

Thanks,

Bart.

diff --git a/drivers/block/null_blk_main.c b/drivers/block/null_blk_main.c
index 06f5761fccb6..682b38ccef57 100644
--- a/drivers/block/null_blk_main.c
+++ b/drivers/block/null_blk_main.c
@@ -1250,8 +1250,36 @@ static inline blk_status_t
null_handle_memory_backed(struct nullb_cmd *cmd,
 	return errno_to_blk_status(err);
 }

+static void nullb_zero_data_buffer(const struct request *rq)
+{
+	struct req_iterator iter;
+	struct bio_vec bvec;
+	struct page *page;
+	void *kaddr;
+	u32 offset, left, len;
+
+	rq_for_each_bvec(bvec, rq, iter) {
+		page = bvec.bv_page;
+		offset = bvec.bv_offset;
+		left = bvec.bv_len;
+		while (left) {
+			kaddr = kmap_atomic(page);
+			len = min_t(u32, left, PAGE_SIZE - offset);
+			memset(kaddr + offset, 0, len);
+			kunmap_atomic(kaddr);
+			page++;
+			left -= len;
+			offset = 0;
+		}
+	}
+}
+
+/* Complete a request. Only called if dev->memory_backed == 0. */
 static inline void nullb_complete_cmd(struct nullb_cmd *cmd)
 {
+	if (req_op(cmd->rq) == REQ_OP_READ)
+		nullb_zero_data_buffer(cmd->rq);
+
 	/* Complete IO by inline, softirq or timer */
 	switch (cmd->nq->dev->irqmode) {
 	case NULL_IRQ_SOFTIRQ:
