From: Dave Jones <davej@codemonkey.org.uk>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Linux Kernel <linux-kernel@vger.kernel.org>
Subject: Re: iov_iter_pipe warning.
Date: Tue, 11 Apr 2017 16:53:36 -0400 [thread overview]
Message-ID: <20170411205336.uyz5vfw52twhh6ob@codemonkey.org.uk> (raw)
In-Reply-To: <20170411032839.GF29622@ZenIV.linux.org.uk>
On Tue, Apr 11, 2017 at 04:28:39AM +0100, Al Viro wrote:
> On Mon, Apr 10, 2017 at 11:05:32PM -0400, Dave Jones wrote:
> > On Tue, Apr 11, 2017 at 01:22:15AM +0100, Al Viro wrote:
> >
> > > * in do_splice_to(): WARN_ON(pipe->nrbufs == pipe->buffers)
> >
> > Hit this one.
>
> But not WARN_ON(pipe->nrbufs) in its caller *or* WARN_ON(!pipe->buffers)
> in do_splice_to() itself?
>
> How the devil can that be possible?
>
> Again, to make sure we are on the same page: in
> if (WARN_ON(pipe->nrbufs)) {
> printk(KERN_ERR "->splice_write = %p",
> sd->u.file->f_op->splice_write);
> }
> while (len) {
> size_t read_len;
> loff_t pos = sd->pos, prev_pos = pos;
>
> ret = do_splice_to(in, &pos, pipe, len, flags);
> ...
> ... (not a single continue in sight)
> ...
> if (WARN_ON(pipe->nrbufs)) {
> printk(KERN_ERR "->splice_write = %p",
> sd->u.file->f_op->splice_write);
> }
> }
Ah, missed adding this 2nd WARN_ON.
> neither of those WARN_ON() triggers. In do_splice_to()
> WARN_ON(pipe->nrbufs == pipe->buffers);
> does trigger, but
> WARN_ON(!pipe->buffers);
> does not. And pipe is equal to current->splice_pipe, so nobody else could
> see it, let alone be messing with it.
>
> How can that be possible? Non-triggering WARN_ON() in caller of do_splice_to()
> mean that pipe->nrbufs is zero. Triggering WARN_ON() in do_splice_to() means
> that it's equal to pipe->buffers, but WARN_ON(!pipe->buffers) manages to avoid
> being triggered? Can you confirm all that?
asides from above, yeah, same.
> Because if that's the case,
> the next possibility is random memory corruption and/or pipe_info dangling
> pointers/use-after-free/etc.
I've been tied up with other stuff today, so while I was preoccupied, I
did a run with KASAN to see if anything fell out. That seems to slow
things down enough that I don't trigger anything. Been running all day
without incident.
I'll turn it back off, and retry with the missing WARN from above added.
Dave
next prev parent reply other threads:[~2017-04-11 20:53 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-03-21 20:59 iov_iter_pipe warning Dave Jones
2017-04-05 22:02 ` Dave Jones
2017-04-10 19:28 ` Al Viro
2017-04-10 19:42 ` Dave Jones
2017-04-10 19:57 ` Al Viro
2017-04-10 23:48 ` Dave Jones
2017-04-11 0:22 ` Al Viro
2017-04-11 3:05 ` Dave Jones
2017-04-11 3:28 ` Al Viro
2017-04-11 20:53 ` Dave Jones [this message]
2017-04-11 21:12 ` Al Viro
2017-04-11 22:25 ` Dave Jones
2017-04-11 23:28 ` Al Viro
2017-04-11 23:34 ` Dave Jones
2017-04-11 23:48 ` Al Viro
2017-04-11 23:45 ` Dave Jones
2017-04-11 23:51 ` Al Viro
2017-04-11 23:56 ` Al Viro
2017-04-12 0:06 ` Dave Jones
2017-04-12 0:17 ` Al Viro
2017-04-12 0:58 ` Dave Jones
2017-04-12 1:15 ` Al Viro
2017-04-12 2:29 ` Dave Jones
2017-04-12 2:58 ` Al Viro
2017-04-12 14:35 ` Dave Jones
2017-04-12 15:26 ` Al Viro
2017-04-12 16:27 ` Dave Jones
2017-04-12 17:07 ` Al Viro
2017-04-12 19:03 ` Dave Jones
2017-04-21 17:54 ` Al Viro
2017-04-27 4:19 ` Dave Jones
2017-04-27 16:34 ` Dave Jones
2017-04-27 17:39 ` Al Viro
2017-04-28 15:29 ` Dave Jones
2017-04-28 16:43 ` Al Viro
2017-04-28 16:50 ` Dave Jones
2017-04-28 17:20 ` Al Viro
2017-04-28 18:25 ` Al Viro
2017-04-29 1:58 ` Dave Jones
2017-04-29 2:47 ` Al Viro
2017-04-29 15:51 ` Dave Jones
2017-04-29 20:46 ` [git pull] vfs.git fix (Re: iov_iter_pipe warning.) Al Viro
2017-08-07 20:18 ` iov_iter_pipe warning Dave Jones
2017-08-28 20:31 ` Dave Jones
2017-08-29 4:25 ` Darrick J. Wong
2017-08-30 17:05 ` Dave Jones
2017-08-30 17:13 ` Darrick J. Wong
2017-08-30 17:17 ` Dave Jones
2017-09-06 20:03 ` Dave Jones
2017-09-06 23:46 ` Dave Chinner
2017-09-07 3:48 ` Dave Jones
2017-09-07 4:33 ` Al Viro
2017-09-08 1:04 ` Al Viro
2017-09-10 1:07 ` Dave Jones
2017-09-10 2:57 ` Al Viro
2017-09-10 16:07 ` Dave Jones
2017-09-10 20:05 ` Al Viro
2017-09-10 20:07 ` Dave Jones
2017-09-10 20:33 ` Al Viro
2017-09-10 21:11 ` Dave Chinner
2017-09-10 21:19 ` Al Viro
2017-09-10 22:08 ` Dave Chinner
2017-09-10 23:07 ` Al Viro
2017-09-10 23:15 ` Al Viro
2017-09-11 0:31 ` Dave Chinner
2017-09-11 3:32 ` Al Viro
2017-09-11 6:44 ` Dave Chinner
2017-09-11 20:07 ` Al Viro
2017-09-11 20:17 ` Al Viro
2017-09-12 6:02 ` Dave Chinner
2017-09-12 11:13 ` Al Viro
2017-09-11 12:07 ` Christoph Hellwig
2017-09-11 12:51 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170411205336.uyz5vfw52twhh6ob@codemonkey.org.uk \
--to=davej@codemonkey.org.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=viro@ZenIV.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).