From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Rasmus Villemoes <linux@rasmusvillemoes.dk>
Cc: syzbot <syzbot+3c01db6025f26530cf8d@syzkaller.appspotmail.com>,
	agruenba@redhat.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	viro@zeniv.linux.org.uk
Subject: Re: INFO: task hung in pipe_write (2)
Date: Thu, 19 Sep 2019 14:10:13 -0700
Message-ID: <20190919211013.GN5340@magnolia>
In-Reply-To: <d9a957b3-9f0a-20b5-588a-64ca4722d433@rasmusvillemoes.dk>

On Thu, Sep 19, 2019 at 10:55:44PM +0200, Rasmus Villemoes wrote:
> On 19/09/2019 19.19, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    288b9117 Add linux-next specific files for 20190918
> > git tree:       linux-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=17e86645600000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=f6126e51304ef1c3
> > dashboard link:
> > https://syzkaller.appspot.com/bug?extid=3c01db6025f26530cf8d
> > compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=11855769600000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=143580a1600000
> > 
> > The bug was bisected to:
> > 
> > commit cfb864757d8690631aadf1c4b80022c18ae865b3
> > Author: Darrick J. Wong <darrick.wong@oracle.com>
> > Date:   Tue Sep 17 16:05:22 2019 +0000
> > 
> >     splice: only read in as much information as there is pipe buffer space
> 
> The middle hunk (the one before splice_pipe_to_pipe()) accesses
> opipe->{buffers, nrbufs}, but opipe is not locked at that point. So
> maybe we end up passing len==0, which seems (once there's room in opipe)
> it would put a zero-length pipe_buffer in opipe - and that probably
> violates an invariant somewhere.
>
> But does the splice_pipe_to_pipe() case even need that extra logic?
> Doesn't it handle short writes correctly already?

Yep.  I missed the part where splice_pipe_to_pipe is already perfectly
capable of detecting insufficient space in opipe and kicking opipe's
readers to clear out the buffer.  So that hunk isn't needed, and now I'm
wondering how in the other clause we return 0 from wait_for_space yet
still don't have buffer space...

Oh well, back to the drawing board.  Good catch, though now it's become
painfully clear that xfstests lacks rigorous testing of splice()...

--D

> Rasmus

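A user-space probe of the pipe-to-pipe splice() behaviour the reply relies on, namely that splice_pipe_to_pipe() refuses (rather than queuing an empty buffer) when opipe has no free slot, and moves only as many buffers as fit, returning a short count. This is an added example, not code from the thread or from the patch under discussion; it assumes Linux pipe semantics as described above, calls the syscall through syscall(SYS_splice) so it builds without the GNU fcntl.h prototype, and constructs its own page-sized payload.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SPLICE_F_NONBLOCK
#define SPLICE_F_NONBLOCK 2   /* kernel ABI value, in case fcntl.h does not expose it */
#endif

/* Raw splice(2) call for the pipe-to-pipe case, where both offsets must be NULL. */
static long do_splice(int fd_in, int fd_out, size_t len, unsigned int flags)
{
    return syscall(SYS_splice, fd_in, (void *)0, fd_out, (void *)0, len, flags);
}

/* Build an input pipe holding page-sized pipe_buffers and an output pipe whose
 * slots are all full, then watch how pipe-to-pipe splice() behaves.
 * Returns 0 on success and sets:
 *   *err_full   errno from splicing into the full output pipe (expect EAGAIN);
 *   *n_one_slot bytes moved after exactly one slot was freed while two pages
 *               were requested (expect one page: the short write). */
int probe_pipe_splice(int *err_full, long *n_one_slot)
{
    long pgsz = sysconf(_SC_PAGESIZE);
    int in[2], out[2];
    char *page = calloc(2, pgsz);           /* constructed zero-filled payload */
    if (!page || pipe(in) || pipe(out)) return -1;
    if (fcntl(out[1], F_SETFL, O_NONBLOCK) || fcntl(in[1], F_SETFL, O_NONBLOCK))
        return -1;
    /* Page-sized writes each land in their own pipe_buffer; stop at EAGAIN. */
    while (write(out[1], page, pgsz) == pgsz) { }
    if (errno != EAGAIN) return -1;
    /* Two pages for the input side (one if the pipe's capacity is a single page). */
    if (write(in[1], page, 2 * pgsz) < pgsz) return -1;
    /* Case 1: no room in opipe and non-blocking -> splice() must refuse. */
    errno = 0;
    if (do_splice(in[0], out[1], 2 * pgsz, SPLICE_F_NONBLOCK) != -1) return -1;
    *err_full = errno;
    /* Case 2: drain one page from opipe, freeing exactly one slot, then ask for
     * two pages: splice_pipe_to_pipe() moves one buffer and returns short. */
    if (read(out[0], page, pgsz) != pgsz) return -1;
    *n_one_slot = do_splice(in[0], out[1], 2 * pgsz, SPLICE_F_NONBLOCK);
    free(page);
    close(in[0]); close(in[1]); close(out[0]); close(out[1]);
    return 0;
}
```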