linux-kernel.vger.kernel.org archive mirror
From: Qian Cai <quic_qiancai@quicinc.com>
To: Al Viro <viro@zeniv.linux.org.uk>,
	Linus Torvalds <torvalds@linux-foundation.org>
Cc: <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>,
	David Sterba <dsterba@suse.com>,
	Miklos Szeredi <miklos@szeredi.hu>,
	Anton Altaparmakov <anton@tuxera.com>,
	David Howells <dhowells@redhat.com>,
	Matthew Wilcox <willy@infradead.org>,
	Pavel Begunkov <asml.silence@gmail.com>
Subject: Re: [RFC][PATCHSET] iov_iter work
Date: Thu, 10 Jun 2021 10:29:59 -0400	[thread overview]
Message-ID: <7433441f-b175-8484-240c-d1498c8c43f2@quicinc.com> (raw)
In-Reply-To: <YL0dCEVEiVL+NwG6@zeniv-ca.linux.org.uk>



On 6/6/2021 3:07 PM, Al Viro wrote:
> 	Large part of the problems with iov_iter comes from its history -
> it was not designed, it accreted over years.  Worse, its users sit on
> rather hot paths, so touching any of the primitives can come with
> considerable performance cost.

Al, a quick fuzzing on today's linux-next triggered this. I never saw this before, so I am wondering if this has anything to do with this series. I could try to narrow it down and bisect if necessary. Any thoughts?

[ 1904.633865][T14444] BUG: KASAN: stack-out-of-bounds in iov_iter_revert+0x65c/0x760
[ 1904.641445][T14444] Read of size 8 at addr ffff80002692faf8 by task trinity-c30/14444
[ 1904.649275][T14444]
[ 1904.651461][T14444] CPU: 28 PID: 14444 Comm: trinity-c30 Not tainted 5.13.0-rc5-next-20210610+ #24
[ 1904.660419][T14444] Hardware name: MiTAC RAPTOR EV-883832-X3-0001/RAPTOR, BIOS 1.6 06/28/2020
[ 1904.668944][T14444] Call trace:
[ 1904.672084][T14444]  dump_backtrace+0x0/0x3b8
[ 1904.676445][T14444]  show_stack+0x20/0x30
[ 1904.680454][T14444]  dump_stack_lvl+0x144/0x190
[ 1904.684987][T14444]  print_address_description.constprop.0+0xd0/0x3c8
[ 1904.691432][T14444]  kasan_report+0x1f0/0x208
[ 1904.695787][T14444]  __asan_report_load8_noabort+0x34/0x60
[ 1904.701274][T14444]  iov_iter_revert+0x65c/0x760
iov_iter_revert at /usr/src/linux-next/lib/iov_iter.c:1118
(inlined by) iov_iter_revert at /usr/src/linux-next/lib/iov_iter.c:1058
[ 1904.705891][T14444]  netlink_sendmsg+0x870/0xa18
netlink_sendmsg at /usr/src/linux-next/net/netlink/af_netlink.c:1913
[ 1904.710511][T14444]  sock_write_iter+0x208/0x358
sock_sendmsg_nosec at /usr/src/linux-next/net/socket.c:657
(inlined by) sock_sendmsg at /usr/src/linux-next/net/socket.c:674
(inlined by) sock_write_iter at /usr/src/linux-next/net/socket.c:1001
[ 1904.715128][T14444]  do_iter_readv_writev+0x2e8/0x598
[ 1904.720180][T14444]  do_iter_write+0x110/0x4d0
[ 1904.724622][T14444]  vfs_writev+0x120/0xa00
[ 1904.728805][T14444]  do_writev+0x1a0/0x1e8
[ 1904.732900][T14444]  __arm64_sys_writev+0x78/0xa8
[ 1904.737604][T14444]  invoke_syscall.constprop.0+0xdc/0x1d8
[ 1904.743091][T14444]  do_el0_svc+0xe4/0x298
[ 1904.747187][T14444]  el0_svc+0x20/0x30
[ 1904.750934][T14444]  el0t_64_sync_handler+0xb0/0xb8
[ 1904.755811][T14444]  el0t_64_sync+0x178/0x17c
[ 1904.760168][T14444]
[ 1904.762352][T14444]
[ 1904.764533][T14444] addr ffff80002692faf8 is located in stack of task trinity-c30/14444 at offset 152 in frame:
[ 1904.774617][T14444]  vfs_writev+0x8/0xa00
[ 1904.778629][T14444]
[ 1904.780810][T14444] this frame has 3 objects:
[ 1904.785164][T14444]  [48, 56) 'iov'
[ 1904.785171][T14444]  [80, 120) 'iter'
[ 1904.788656][T14444]  [160, 288) 'iovstack'
[ 1904.792315][T14444]
[ 1904.798582][T14444] Memory state around the buggy address:
[ 1904.804065][T14444]  ffff80002692f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1904.811979][T14444]  ffff80002692fa00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 1904.819892][T14444] >ffff80002692fa80: 00 00 00 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2
[ 1904.827806][T14444]                                                                 ^
[ 1904.835638][T14444]  ffff80002692fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1904.843554][T14444]  ffff80002692fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
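
Reading the shadow rows and the frame layout in a report like the one above by hand is error prone, and a fuzzer run produces many of them. The script below is an added example, not code from this thread or from the kernel tree: it parses the KASAN report quoted in this message, resolves the faulting address to its shadow byte, and says which frame object, or which redzone between objects, the reported frame offset lands in. The shadow byte meanings are the generic-KASAN values documented in Documentation/dev-tools/kasan.rst; the sample input is copied from the report above and the function names are the example's own.

```python
import re

SHADOW_GRANULE = 8  # one generic-KASAN shadow byte describes 8 bytes of memory

# Shadow byte values for generic KASAN, per Documentation/dev-tools/kasan.rst.
# 00 means fully accessible, 01..07 means only the first N bytes are accessible.
SHADOW_CODES = {
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf4: "stack partial redzone",
    0xf9: "global redzone",
    0xfb: "freed kmalloc object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone",
    0xff: "freed page",
}

PREFIX_RE = re.compile(r"^\[\s*[\d.]+\]\[T\d+\]\s?")      # "[ 1904.64][T14444] " dmesg prefix
ROW_RE = re.compile(r"^>?\s*([0-9a-f]{16}):\s*((?:[0-9a-f]{2}\s*){16})$")
OBJ_RE = re.compile(r"^\[(\d+), (\d+)\) '([^']+)'$")        # "[48, 56) 'iov'"
ACCESS_RE = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
OFFSET_RE = re.compile(r"at offset (\d+) in frame:")


def strip_prefix(line):
    return PREFIX_RE.sub("", line).strip()


def parse_report(lines):
    """Extract the access, frame offset, frame objects and shadow rows from a KASAN report."""
    info = {"objects": [], "rows": {}}
    for raw in lines:
        line = strip_prefix(raw)
        if m := ACCESS_RE.match(line):
            info["kind"], info["size"] = m.group(1), int(m.group(2))
            info["addr"] = int(m.group(3), 16)
        elif m := OFFSET_RE.search(line):
            info["offset"] = int(m.group(1))
        elif m := OBJ_RE.match(line):
            info["objects"].append((int(m.group(1)), int(m.group(2)), m.group(3)))
        elif m := ROW_RE.match(line):
            info["rows"][int(m.group(1), 16)] = [int(b, 16) for b in m.group(2).split()]
    return info


def shadow_byte(rows, addr):
    """Return the shadow byte covering addr, or None if no dumped row covers it."""
    for base, shadow in rows.items():
        if base <= addr < base + len(shadow) * SHADOW_GRANULE:
            return shadow[(addr - base) // SHADOW_GRANULE]
    return None


def describe_shadow(b):
    if b is None:
        return "address not covered by the dumped shadow rows"
    if b == 0:
        return "accessible"
    if 1 <= b <= 7:
        return f"first {b} of 8 bytes accessible"
    return SHADOW_CODES.get(b, f"unrecognised shadow value 0x{b:02x}")


def locate_in_frame(offset, size, objects):
    """Say which object, or which gap between objects, the access [offset, offset+size) hits."""
    objs = sorted(objects)
    for start, end, name in objs:
        if start <= offset < end:
            if offset + size <= end:
                return f"inside '{name}' [{start}, {end})"
            return f"starts inside '{name}' [{start}, {end}) and runs past its end"
    below = [o for o in objs if o[1] <= offset]   # objects ending at or before the access
    above = [o for o in objs if o[0] > offset]    # objects starting after the access
    prev = below[-1] if below else None
    nxt = above[0] if above else None
    if prev and nxt:
        return (f"in the redzone between '{prev[2]}' [{prev[0]}, {prev[1]}) "
                f"and '{nxt[2]}' [{nxt[0]}, {nxt[1]})")
    if nxt:
        return f"below the first object '{nxt[2]}' [{nxt[0]}, {nxt[1]})"
    if prev:
        return f"above the last object '{prev[2]}' [{prev[0]}, {prev[1]})"
    return "frame has no objects"


def triage(lines):
    info = parse_report(lines)
    return {
        "access": f"{info['kind']} of size {info['size']} at 0x{info['addr']:x}",
        "shadow": describe_shadow(shadow_byte(info["rows"], info["addr"])),
        "frame": locate_in_frame(info["offset"], info["size"], info["objects"]),
    }


# Sample input: the relevant lines copied from the report in this message.
SAMPLE_REPORT = """\
[ 1904.641445][T14444] Read of size 8 at addr ffff80002692faf8 by task trinity-c30/14444
[ 1904.764533][T14444] addr ffff80002692faf8 is located in stack of task trinity-c30/14444 at offset 152 in frame:
[ 1904.774617][T14444]  vfs_writev+0x8/0xa00
[ 1904.780810][T14444] this frame has 3 objects:
[ 1904.785164][T14444]  [48, 56) 'iov'
[ 1904.785171][T14444]  [80, 120) 'iter'
[ 1904.788656][T14444]  [160, 288) 'iovstack'
[ 1904.798582][T14444] Memory state around the buggy address:
[ 1904.804065][T14444]  ffff80002692f980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1904.811979][T14444]  ffff80002692fa00: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[ 1904.819892][T14444] >ffff80002692fa80: 00 00 00 f2 f2 f2 00 00 00 00 00 f2 f2 f2 f2 f2
[ 1904.835638][T14444]  ffff80002692fb00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1904.843554][T14444]  ffff80002692fb80: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
""".splitlines()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

For this report the script resolves the faulting address to a stack mid redzone shadow byte and the frame offset 152 to the 8 bytes between 'iter' and 'iovstack', which agrees with the caret in the dump; the point of scripting it is that the same check can be run over every report a fuzzing session produces, and an access that lands inside an object rather than in a redzone (the "runs past its end" case) is flagged as a different kind of bug.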


Thread overview: 57+ messages
2021-06-06 19:07 [RFC][PATCHSET] iov_iter work Al Viro
2021-06-06 19:10 ` [RFC PATCH 01/37] ntfs_copy_from_user_iter(): don't bother with copying iov_iter Al Viro
2021-06-06 19:10   ` [RFC PATCH 02/37] generic_perform_write()/iomap_write_actor(): saner logics for short copy Al Viro
2021-06-06 19:10   ` [RFC PATCH 03/37] fuse_fill_write_pages(): don't bother with iov_iter_single_seg_count() Al Viro
2021-06-06 19:10   ` [RFC PATCH 04/37] iov_iter: Remove iov_iter_for_each_range() Al Viro
2021-06-06 19:10   ` [RFC PATCH 05/37] teach copy_page_to_iter() to handle compound pages Al Viro
2021-06-06 19:10   ` [RFC PATCH 06/37] copy_page_to_iter(): fix ITER_DISCARD case Al Viro
2021-06-06 19:10   ` [RFC PATCH 07/37] [xarray] iov_iter_fault_in_readable() should do nothing in xarray case Al Viro
2021-06-06 19:10   ` [RFC PATCH 08/37] iov_iter_advance(): use consistent semantics for move past the end Al Viro
2021-06-06 19:10   ` [RFC PATCH 09/37] iov_iter: switch ..._full() variants of primitives to use of iov_iter_revert() Al Viro
2021-06-06 19:10   ` [RFC PATCH 10/37] iov_iter: reorder handling of flavours in primitives Al Viro
2021-06-06 19:10   ` [RFC PATCH 11/37] iov_iter_advance(): don't modify ->iov_offset for ITER_DISCARD Al Viro
2021-06-06 19:10   ` [RFC PATCH 12/37] iov_iter: separate direction from flavour Al Viro
2021-06-06 19:10   ` [RFC PATCH 13/37] iov_iter: optimize iov_iter_advance() for iovec and kvec Al Viro
2021-06-06 19:10   ` [RFC PATCH 14/37] sanitize iov_iter_fault_in_readable() Al Viro
2021-06-06 19:10   ` [RFC PATCH 15/37] iov_iter_alignment(): don't bother with iterate_all_kinds() Al Viro
2021-06-06 19:10   ` [RFC PATCH 16/37] iov_iter_gap_alignment(): get rid of iterate_all_kinds() Al Viro
2021-06-09 13:01     ` Qian Cai
2021-06-09 18:06       ` Al Viro
2021-06-06 19:10   ` [RFC PATCH 17/37] get rid of iterate_all_kinds() in iov_iter_get_pages()/iov_iter_get_pages_alloc() Al Viro
2021-06-06 19:10   ` [RFC PATCH 18/37] iov_iter_npages(): don't bother with iterate_all_kinds() Al Viro
2021-06-06 19:10   ` [RFC PATCH 19/37] [xarray] iov_iter_npages(): just use DIV_ROUND_UP() Al Viro
2021-06-06 19:10   ` [RFC PATCH 20/37] iov_iter: replace iov_iter_copy_from_user_atomic() with iterator-advancing variant Al Viro
2021-06-06 19:10   ` [RFC PATCH 21/37] csum_and_copy_to_iter(): massage into form closer to csum_and_copy_from_iter() Al Viro
2021-06-06 19:10   ` [RFC PATCH 22/37] iterate_and_advance(): get rid of magic in case when n is 0 Al Viro
2021-06-06 19:10   ` [RFC PATCH 23/37] iov_iter: massage iterate_iovec and iterate_kvec to logics similar to iterate_bvec Al Viro
2021-06-06 19:10   ` [RFC PATCH 24/37] iov_iter: unify iterate_iovec and iterate_kvec Al Viro
2021-06-06 19:10   ` [RFC PATCH 25/37] iterate_bvec(): expand bvec.h macro forest, massage a bit Al Viro
2021-06-06 19:10   ` [RFC PATCH 26/37] iov_iter: teach iterate_{bvec,xarray}() about possible short copies Al Viro
2021-06-06 19:10   ` [RFC PATCH 27/37] iov_iter: get rid of separate bvec and xarray callbacks Al Viro
2021-06-06 19:10   ` [RFC PATCH 28/37] iov_iter: make the amount already copied available to iterator callbacks Al Viro
2021-06-06 19:10   ` [RFC PATCH 29/37] iov_iter: make iterator callbacks use base and len instead of iovec Al Viro
2021-06-06 19:10   ` [RFC PATCH 30/37] pull handling of ->iov_offset into iterate_{iovec,bvec,xarray} Al Viro
2021-06-06 19:10   ` [RFC PATCH 31/37] iterate_xarray(): only of the first iteration we might get offset != 0 Al Viro
2021-06-06 19:10   ` [RFC PATCH 32/37] copy_page_to_iter(): don't bother with kmap_atomic() for bvec/kvec cases Al Viro
2021-06-06 19:10   ` [RFC PATCH 33/37] copy_page_from_iter(): don't need kmap_atomic() for kvec/bvec cases Al Viro
2021-06-06 19:10   ` [RFC PATCH 34/37] iov_iter: clean csum_and_copy_...() primitives up a bit Al Viro
2021-06-06 19:10   ` [RFC PATCH 35/37] pipe_zero(): we don't need no stinkin' kmap_atomic() Al Viro
2021-06-06 19:10   ` [RFC PATCH 36/37] clean up copy_mc_pipe_to_iter() Al Viro
2021-06-06 19:10   ` [RFC PATCH 37/37] csum_and_copy_to_pipe_iter(): leave handling of csum_state to caller Al Viro
2021-06-06 22:05 ` [RFC][PATCHSET] iov_iter work Linus Torvalds
2021-06-06 22:46   ` Linus Torvalds
2021-06-07  9:28     ` Christoph Hellwig
2021-06-07 14:43       ` Al Viro
2021-06-07 15:59         ` Christoph Hellwig
2021-06-07 21:07           ` Al Viro
2021-06-07 22:01             ` Linus Torvalds
2021-06-07 23:35               ` Linus Torvalds
2021-06-08  5:25                 ` Christoph Hellwig
2021-06-08 11:27                 ` Al Viro
2021-06-06 23:29   ` Al Viro
2021-06-07 10:38     ` Pavel Begunkov
2021-06-08 14:43 ` David Laight
2021-06-10 14:29 ` Qian Cai [this message]
2021-06-10 15:35   ` Al Viro
2021-06-10 15:48     ` Al Viro
2021-06-10 19:08     ` Qian Cai
