linux-usb.vger.kernel.org archive mirror
From: David Howells <dhowells@redhat.com>
To: kernel test robot <lkp@intel.com>
Cc: dhowells@redhat.com, torvalds@linux-foundation.org,
	Rasmus Villemoes <linux@rasmusvillemoes.dk>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Peter Zijlstra <peterz@infradead.org>,
	nicolas.dichtel@6wind.com, raven@themaw.net,
	Christian Brauner <christian@brauner.io>,
	keyrings@vger.kernel.org, linux-usb@vger.kernel.org,
	linux-block@vger.kernel.org,
	linux-security-module@vger.kernel.org,
	linux-fsdevel@vger.kernel.org, linux-api@vger.kernel.org,
	linux-kernel@vger.kernel.org, lkp@lists.01.org
Subject: Re: [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address
Date: Fri, 15 Nov 2019 13:28:52 +0000
Message-ID: <9279.1573824532@warthog.procyon.org.uk>
In-Reply-To: <20191110031348.GE29418@shao2-debian>

kernel test robot <lkp@intel.com> wrote:

> [    9.423019] BUG: kernel NULL pointer dereference, address: 0000000000000008
> [    9.425646] #PF: supervisor read access in kernel mode
> [    9.427714] #PF: error_code(0x0000) - not-present page
> [    9.429851] PGD 80000001fb937067 P4D 80000001fb937067 PUD 1739e1067 PMD 0 
> [    9.432468] Oops: 0000 [#1] SMP PTI
> [    9.434064] CPU: 0 PID: 178 Comm: cat Not tainted 5.4.0-rc5-00353-gd60337eff18a3 #1
> [    9.437139] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
> [    9.440439] RIP: 0010:iov_iter_get_pages_alloc+0x2a8/0x400

Can you tell me if the following change fixes it for you?

--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -404,7 +404,7 @@ static size_t copy_page_to_iter_pipe(struct page *page, size_t offset, size_t by
 	buf->offset = offset;
 	buf->len = bytes;
 
-	pipe->head = i_head;
+	pipe->head = i_head + 1;
 	i->iov_offset = offset + bytes;
 	i->head = i_head;
 out:
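Review bot: the corrected line `pipe->head = i_head + 1;` sits two lines above `i->head = i_head;` and nothing in the hunk says why the two differ by one; since the reported oops comes from exactly that one-slot difference being dropped, a short comment at the assignment (for example `/* publish the slot just filled: pipe->head is one past it */`) would make the invariant obvious to the next reader. The snippet also carries no changelog or `Fixes:` line pointing at d60337eff1, which it should acquire before it is applied.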

Attached is a test program that can induce a bug in
copy_page_to_iter_pipe() where I forgot to increment the new head when
assigning it to pipe->head.

David
---
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
#include <sys/wait.h>

/* Read buffer for the child; 256KiB, aligned so it is usable as a DIO target. */
static char buf[256 * 1024] __attribute__((aligned(512)));
static char *filename;
static int pipe_wfd = -1;

/* Close the pipe's write end on exit so the child sees EOF and can finish. */
static void cleanup(void)
{
	if (pipe_wfd != -1)
		close(pipe_wfd);
}

/* Reap the child reader so it does not outlive the parent. */
static void cleanup_child(void)
{
	int w;
	wait(&w);
}

/* Child: drain the pipe until EOF.  This is the consumer of the ring slots
 * that splice() fills through copy_page_to_iter_pipe(). */
static int child(int fd)
{
	ssize_t r;

	do {
		r = read(fd, buf, sizeof(buf));
		if (r == -1)
			err(1, "read");
	} while (r != 0);

	if (close(fd) == -1)
		err(1, "close");

	return 0;
}

int main(int argc, char **argv)
{
	ssize_t n;
	loff_t offset;
	size_t len;
	pid_t pid;
	int fd, pfd[2];

	if (argc != 2) {
		/* argv[0] is the program name; argv[1] is absent when argc != 2 */
		fprintf(stderr, "Format: %s <file>\n", argv[0]);
		exit(2);
	}

	filename = argv[1];

	if (pipe(pfd) == -1)
		err(1, "pipe");
	pipe_wfd = pfd[1];

	pid = fork();
	switch (pid) {
	case -1:
		err(1, "fork");	/* err() does not return */
	case 0:
		close(pfd[1]);
		return child(pfd[0]);
	default:
		close(pfd[0]);
		atexit(cleanup_child);
		break;
	}

	fd = open(filename, O_RDONLY);
	if (fd == -1)
		err(1, "%s", filename);

	atexit(cleanup);

	/* Splice up to 256KiB from the file into the pipe.  Ask only for the
	 * bytes still outstanding and stop at EOF, so a short file can neither
	 * underflow len nor spin forever. */
	len = 256 * 1024;
	offset = 0;
	do {
		n = splice(fd, &offset, pfd[1], NULL, len, 0);
		if (n == -1)
			err(1, "splice");
		if (n == 0)
			break;	/* EOF before 256KiB */
	} while (len -= n, len > 0);

	if (close(pfd[1]) == -1)
		err(1, "close/p");
	pipe_wfd = -1;
	if (close(fd) == -1)
		err(1, "close/f");
	return 0;
}
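A user-space model of the ring invariant behind the one-line fix above, added here as an illustration rather than kernel code or anything posted in the thread; RING_SIZE, the masking scheme and the scenario's page contents are constructed assumptions:

```c
/* Added example, not kernel code: a user-space model of the pipe ring
 * (head = next free slot, tail = oldest filled slot) showing why the
 * producer must publish i_head + 1, not i_head, as the new pipe->head.
 * Assumption: a 16-slot power-of-two ring indexed by masking. */
#include <stdbool.h>
#include <stddef.h>

#define RING_SIZE 16
struct pipe_buffer { const char *page; size_t offset, len; };
struct pipe_ring { unsigned int head, tail; struct pipe_buffer bufs[RING_SIZE]; };

/* Model of copy_page_to_iter_pipe(): fill the slot at i_head and publish it.
 * With fixed == false the head is reassigned its old value, the defect the
 * thread's one-line patch corrects. */
static bool push_page(struct pipe_ring *p, const char *page,
		      size_t offset, size_t len, bool fixed)
{
	unsigned int i_head = p->head;
	struct pipe_buffer *buf = &p->bufs[i_head & (RING_SIZE - 1)];

	if (p->head - p->tail >= RING_SIZE)
		return false;			/* ring full */
	buf->page = page;
	buf->offset = offset;
	buf->len = len;
	p->head = fixed ? i_head + 1 : i_head;	/* the one-slot difference */
	return true;
}

/* Consumer: take the oldest buffer, or NULL if the ring looks empty
 * (head == tail), which is what a reader sees after the buggy push. */
static const struct pipe_buffer *pop_page(struct pipe_ring *p)
{
	if (p->head == p->tail)
		return NULL;
	return &p->bufs[p->tail++ & (RING_SIZE - 1)];
}

/* Push one constructed page, then read it back; returns the bytes a reader
 * sees (0 means the filled slot was never published). */
static size_t scenario(bool fixed)
{
	static const char page[] = "constructed page contents";
	struct pipe_ring ring = { 0 };
	const struct pipe_buffer *b;

	push_page(&ring, page, 0, sizeof(page) - 1, fixed);
	b = pop_page(&ring);
	return b ? b->len : 0;
}
```

With the buggy head update a second push lands in the same slot and overwrites the first, which is the producer-side view of the stale head the oops report reflects.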

Thread overview: 23+ messages
2019-11-01 17:34 [RFC PATCH 00/11] pipe: Notification queue preparation [ver #3] David Howells
2019-11-01 17:34 ` [RFC PATCH 01/11] pipe: Reduce #inclusion of pipe_fs_i.h " David Howells
2019-11-01 17:34 ` [RFC PATCH 02/11] Remove the nr_exclusive argument from __wake_up_sync_key() " David Howells
2019-11-01 17:34 ` [RFC PATCH 03/11] Add wake_up_interruptible_sync_poll_locked() " David Howells
2019-11-01 17:34 ` [RFC PATCH 04/11] pipe: Use head and tail pointers for the ring, not cursor and length " David Howells
2019-11-07  9:03   ` [pipe] d60337eff1: phoronix-test-suite.noise-level.0.activity_level 144.0% improvement lkp report check
2019-11-07 16:51     ` Linus Torvalds
2019-11-07 17:42     ` David Howells
2019-11-10  3:13   ` [pipe] d60337eff1: BUG:kernel_NULL_pointer_dereference,address kernel test robot
2019-11-15 13:28     ` David Howells [this message]
2019-11-15 16:22     ` David Howells
2019-11-18  7:53       ` [LKP] " kernel test robot
2019-11-01 17:34 ` [RFC PATCH 05/11] pipe: Allow pipes to have kernel-reserved slots [ver #3] David Howells
2019-11-01 17:34 ` [RFC PATCH 06/11] pipe: Advance tail pointer inside of wait spinlock in pipe_read() " David Howells
2019-11-01 17:35 ` [RFC PATCH 07/11] pipe: Conditionalise wakeup " David Howells
2019-11-01 17:35 ` [RFC PATCH 08/11] pipe: Rearrange sequence in pipe_write() to preallocate slot " David Howells
2019-11-01 17:35 ` [RFC PATCH 09/11] pipe: Remove redundant wakeup from pipe_write() " David Howells
2019-11-01 17:35 ` [RFC PATCH 10/11] pipe: Check for ring full inside of the spinlock in " David Howells
2019-11-01 17:35 ` [RFC PATCH 11/11] pipe: Increase the writer-wakeup threshold to reduce context-switch count " David Howells
2019-11-01 19:24 ` [RFC PATCH 00/11] pipe: Notification queue preparation " Linus Torvalds
2019-11-01 22:05 ` David Howells
2019-11-01 22:12   ` Linus Torvalds
2019-11-05 16:02 ` Details on the UAPI of implementing notifications on pipes David Howells
