* WARNING in csum_and_copy_to_iter
@ 2018-11-24 19:40 syzbot
  2018-11-24 20:03 ` Al Viro
  2023-11-24 10:30 ` [syzbot] syzbot
  0 siblings, 2 replies; 7+ messages in thread
From: syzbot @ 2018-11-24 19:40 UTC (permalink / raw)
  To: davem, gregkh, kgraul, linux-kernel, netdev, stranche,
	syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
WARNING: CPU: 1 PID: 7440 at lib/iov_iter.c:1443 csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7440 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #345
kobject: 'loop0' (00000000da2348da): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  panic+0x2ad/0x55c kernel/panic.c:188
kobject: 'loop0' (00000000da2348da): fill_kobj_path: path = '/devices/virtual/block/loop0'
  __warn.cold.8+0x20/0x45 kernel/panic.c:540
  report_bug+0x254/0x2d0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:178 [inline]
  do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
  do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
WARNING: CPU: 0 PID: 7446 at lib/iov_iter.c:1443 csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Modules linked in:
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
CPU: 0 PID: 7446 Comm: syz-executor0 Not tainted 4.20.0-rc3+ #345
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
RSP: 0018:ffff8881bc80f368 EFLAGS: 00010293
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RAX: ffff8881c87ca080 RBX: 000000000000038a RCX: ffffffff839116c2
RSP: 0018:ffff8881bbabf368 EFLAGS: 00010293
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
RAX: ffff8881caf18080 RBX: 000000000000038a RCX: ffffffff839116c2
RBP: ffff8881bc80f4f8 R08: ffff8881c87ca080 R09: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
R10: 0000000000000000 R11: ffff8881c87ca080 R12: 0000000000000000
RBP: ffff8881bbabf4f8 R08: ffff8881caf18080 R09: 0000000000000006
R13: 0000000000000008 R14: ffff8881bc80fa50 R15: 000000000000038a
R10: 0000000000000000 R11: ffff8881caf18080 R12: 0000000000000000
R13: 0000000000000008 R14: ffff8881bbabfa50 R15: 000000000000038a
FS:  00007fed2599c700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004cce48 CR3: 00000001cf367000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
  skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
  skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
  udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
  skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
  udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
  inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
  inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
  sock_recvmsg_nosec net/socket.c:794 [inline]
  sock_recvmsg+0xd0/0x110 net/socket.c:801
  sock_read_iter+0x39b/0x570 net/socket.c:878
  call_read_iter include/linux/fs.h:1851 [inline]
  generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
  sock_recvmsg_nosec net/socket.c:794 [inline]
  sock_recvmsg+0xd0/0x110 net/socket.c:801
  sock_read_iter+0x39b/0x570 net/socket.c:878
  sock_splice_read+0xef/0x110 net/socket.c:856
  do_splice_to+0x12e/0x190 fs/splice.c:880
  call_read_iter include/linux/fs.h:1851 [inline]
  generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
  do_splice+0x1014/0x1430 fs/splice.c:1173
  sock_splice_read+0xef/0x110 net/socket.c:856
  __do_sys_splice fs/splice.c:1414 [inline]
  __se_sys_splice fs/splice.c:1394 [inline]
  __x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
  do_splice_to+0x12e/0x190 fs/splice.c:880
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  do_splice+0x1014/0x1430 fs/splice.c:1173
  __do_sys_splice fs/splice.c:1414 [inline]
  __se_sys_splice fs/splice.c:1394 [inline]
  __x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6517086c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
RIP: 0033:0x457569
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65170876d4
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
RSP: 002b:00007fed2599bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed2599c6d4
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
irq event stamp: 352
hardirqs last  enabled at (351): [<ffffffff814ad030>] __local_bh_enable_ip+0x160/0x260 kernel/softirq.c:194
hardirqs last disabled at (352): [<ffffffff81007ced>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last  enabled at (350): [<ffffffff86aef3ab>] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (350): [<ffffffff86aef3ab>] __skb_recv_udp+0x4ab/0xaf0 net/ipv4/udp.c:1611
softirqs last disabled at (348): [<ffffffff86aef190>] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (348): [<ffffffff86aef190>] __skb_recv_udp+0x290/0xaf0 net/ipv4/udp.c:1583
---[ end trace fcfb475d82d5a575 ]---
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: WARNING in csum_and_copy_to_iter
  2018-11-24 19:40 WARNING in csum_and_copy_to_iter syzbot
@ 2018-11-24 20:03 ` Al Viro
  2018-11-24 21:20   ` Slavomir Kaslev
  2023-11-24 10:30 ` [syzbot] syzbot
  1 sibling, 1 reply; 7+ messages in thread
From: Al Viro @ 2018-11-24 20:03 UTC (permalink / raw)
  To: syzbot
  Cc: davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs

On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> Hello,
> 
> syzbot found the following crash on:
> 
> HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com

Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
Author: Slavomir Kaslev <kaslevs@vmware.com>
Date:   Fri Nov 16 11:27:53 2018 +0200

    socket: do a generic_file_splice_read when proto_ops has no splice_read

exposing all ->recvmsg() instances to pipe-backed iov_iter as possible destination.
It's not all that hard to fix (I'll probably have a candidate patch by tonight,
it's just a matter of adding the only missing primitive), but... shouldn't that
patch have sat in -next for at least some testing first?  Because it's very
easy to reproduce - splice from e.g. UDP socket will step into it.  Sure, the
sky is not falling (unless you set panic-on-WARN, that is); the damn thing
would've failed anyway, but...


* Re: WARNING in csum_and_copy_to_iter
  2018-11-24 20:03 ` Al Viro
@ 2018-11-24 21:20   ` Slavomir Kaslev
  2018-11-24 21:44     ` Al Viro
  0 siblings, 1 reply; 7+ messages in thread
From: Slavomir Kaslev @ 2018-11-24 21:20 UTC (permalink / raw)
  To: Al Viro
  Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche,
	syzkaller-bugs

On Sat, Nov 24, 2018 at 08:03:57PM +0000, Al Viro wrote:
> On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> > Hello,
> > 
> > syzbot found the following crash on:
> > 
> > HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com
> 
> Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
> Author: Slavomir Kaslev <kaslevs@vmware.com>
> Date:   Fri Nov 16 11:27:53 2018 +0200
> 
>     socket: do a generic_file_splice_read when proto_ops has no splice_read
> 
> exposing all ->recvmsg() instances to pipe-backed iov_iter as possible destination.
> It's not all that hard to fix (I'll probably have a candidate patch by tonight,
> it's just a matter of adding the only missing primitive), but... shouldn't that
> patch have sat in -next for at least some testing first?  Because it's very
> easy to reproduce - splice from e.g. UDP socket will step into it.  Sure, the
> sky is not falling (unless you set panic-on-WARN, that is); the damn thing
> would've failed anyway, but...

My bad for not sending the patch tagged as net-next, feel free to revert it.


* Re: WARNING in csum_and_copy_to_iter
  2018-11-24 21:20   ` Slavomir Kaslev
@ 2018-11-24 21:44     ` Al Viro
  2018-11-25  1:51       ` Al Viro
  0 siblings, 1 reply; 7+ messages in thread
From: Al Viro @ 2018-11-24 21:44 UTC (permalink / raw)
  To: Slavomir Kaslev
  Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche,
	syzkaller-bugs

On Sat, Nov 24, 2018 at 11:20:14PM +0200, Slavomir Kaslev wrote:
> On Sat, Nov 24, 2018 at 08:03:57PM +0000, Al Viro wrote:
> > On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> > > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com
> > 
> > Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
> > Author: Slavomir Kaslev <kaslevs@vmware.com>
> > Date:   Fri Nov 16 11:27:53 2018 +0200
> > 
> >     socket: do a generic_file_splice_read when proto_ops has no splice_read
> > 
> > exposing all ->recvmsg() instances to pipe-backed iov_iter as possible destination.
> > It's not all that hard to fix (I'll probably have a candidate patch by tonight,
> > it's just a matter of adding the only missing primitive), but... shouldn't that
> > patch have sat in -next for at least some testing first?  Because it's very
> > easy to reproduce - splice from e.g. UDP socket will step into it.  Sure, the
> > sky is not falling (unless you set panic-on-WARN, that is); the damn thing
> > would've failed anyway, but...
> 
> My bad for not sending the patch tagged as net-next, feel free to revert it.

No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
disappear from reverting, obviously.  I'll post a fix later tonight...


* Re: WARNING in csum_and_copy_to_iter
  2018-11-24 21:44     ` Al Viro
@ 2018-11-25  1:51       ` Al Viro
  2018-11-26 11:46         ` Slavomir Kaslev
  0 siblings, 1 reply; 7+ messages in thread
From: Al Viro @ 2018-11-25  1:51 UTC (permalink / raw)
  To: Slavomir Kaslev
  Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche,
	syzkaller-bugs

On Sat, Nov 24, 2018 at 09:44:36PM +0000, Al Viro wrote:

> No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
> is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
> disappear from reverting, obviously.  I'll post a fix later tonight...

FWIW, I think the following ought to work; it's obviously a pair of commits
(introduction of convenience helper/switch to its use + csum_and_copy_to_iter()
for ITER_PIPE), as well as commit message, etc., but I would really appreciate
if folks gave it a look _and_ a beating.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 7ebccb5c1637..621984743268 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -560,6 +560,44 @@ static size_t copy_pipe_to_iter(const void *addr, size_t bytes,
 	return bytes;
 }
 
+static __wsum csum_and_memcpy(void *to, const void *from, size_t len,
+			      __wsum sum, size_t off)
+{
+	__wsum next = csum_partial_copy_nocheck(from, to, len, 0);
+	return csum_block_add(sum, next, off);
+}
+
+static size_t csum_and_copy_to_pipe_iter(const void *addr, size_t bytes,
+				__wsum *csum, struct iov_iter *i)
+{
+	struct pipe_inode_info *pipe = i->pipe;
+	size_t n, r;
+	size_t off = 0;
+	__wsum sum = *csum;
+	int idx;
+
+	if (!sanity(i))
+		return 0;
+
+	bytes = n = push_pipe(i, bytes, &idx, &r);
+	if (unlikely(!n))
+		return 0;
+	for ( ; n; idx = next_idx(idx, pipe), r = 0) {
+		size_t chunk = min_t(size_t, n, PAGE_SIZE - r);
+		char *p = kmap_atomic(pipe->bufs[idx].page);
+		sum = csum_and_memcpy(p + r, addr, chunk, sum, off);
+		kunmap_atomic(p);
+		i->idx = idx;
+		i->iov_offset = r + chunk;
+		n -= chunk;
+		off += chunk;
+		addr += chunk;
+	}
+	i->count -= bytes;
+	*csum = sum;
+	return bytes;
+}
+
 size_t _copy_to_iter(const void *addr, size_t bytes, struct iov_iter *i)
 {
 	const char *from = addr;
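
Review bot: csum_and_memcpy() takes (to, from) in memcpy order while the csum_partial_copy_nocheck() it wraps takes (src, dst), so every converted call site in the later hunks has its first two arguments swapped relative to the old call; that is correct here, but it is exactly the kind of flip that slips past review, and a one-line comment on the helper stating the argument order would be worth it. For csum_and_copy_to_pipe_iter(): it mirrors copy_pipe_to_iter() directly above (sanity(), push_pipe(), the next_idx() walk with `r` reset to 0 after the first page), and both early `return 0` paths leave *csum untouched, consistent with the existing `return 0` for the discard case.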
@@ -1368,17 +1406,15 @@ size_t csum_and_copy_from_iter(void *addr, size_t bytes, __wsum *csum,
 		err ? v.iov_len : 0;
 	}), ({
 		char *p = kmap_atomic(v.bv_page);
-		next = csum_partial_copy_nocheck(p + v.bv_offset,
-						 (to += v.bv_len) - v.bv_len,
-						 v.bv_len, 0);
+		sum = csum_and_memcpy((to += v.bv_len) - v.bv_len,
+				      p + v.bv_offset, v.bv_len,
+				      sum, off);
 		kunmap_atomic(p);
-		sum = csum_block_add(sum, next, off);
 		off += v.bv_len;
 	}),({
-		next = csum_partial_copy_nocheck(v.iov_base,
-						 (to += v.iov_len) - v.iov_len,
-						 v.iov_len, 0);
-		sum = csum_block_add(sum, next, off);
+		sum = csum_and_memcpy((to += v.iov_len) - v.iov_len,
+				      v.iov_base, v.iov_len,
+				      sum, off);
 		off += v.iov_len;
 	})
 	)
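
Review bot: in both the bvec and kvec branches the side-effecting `(to += v.bv_len) - v.bv_len` is now the first argument and `p + v.bv_offset` (or `v.iov_base`) the second; C leaves argument evaluation order unspecified, so this is only safe because the second argument never reads `to`, which holds here but is worth remembering if the helper's signature changes. This hunk and the next two are pure refactoring and belong in the first of the two commits described above (helper introduction), separate from the ITER_PIPE change.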
@@ -1412,17 +1448,15 @@ bool csum_and_copy_from_iter_full(void *addr, size_t bytes, __wsum *csum,
 		0;
 	}), ({
 		char *p = kmap_atomic(v.bv_page);
-		next = csum_partial_copy_nocheck(p + v.bv_offset,
-						 (to += v.bv_len) - v.bv_len,
-						 v.bv_len, 0);
+		sum = csum_and_memcpy((to += v.bv_len) - v.bv_len,
+				      p + v.bv_offset, v.bv_len,
+				      sum, off);
 		kunmap_atomic(p);
-		sum = csum_block_add(sum, next, off);
 		off += v.bv_len;
 	}),({
-		next = csum_partial_copy_nocheck(v.iov_base,
-						 (to += v.iov_len) - v.iov_len,
-						 v.iov_len, 0);
-		sum = csum_block_add(sum, next, off);
+		sum = csum_and_memcpy((to += v.iov_len) - v.iov_len,
+				      v.iov_base, v.iov_len,
+				      sum, off);
 		off += v.iov_len;
 	})
 	)
@@ -1438,8 +1472,12 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum,
 	const char *from = addr;
 	__wsum sum, next;
 	size_t off = 0;
+
+	if (unlikely(iov_iter_is_pipe(i)))
+		return csum_and_copy_to_pipe_iter(addr, bytes, csum, i);
+
 	sum = *csum;
-	if (unlikely(iov_iter_is_pipe(i) || iov_iter_is_discard(i))) {
+	if (unlikely(iov_iter_is_discard(i))) {
 		WARN_ON(1);	/* for now */
 		return 0;
 	}
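
Review bot: with the ITER_PIPE case returning before `sum = *csum`, and the bvec and kvec branches in the next hunk no longer assigning `next`, check whether `__wsum sum, next;` (context line at the top of this hunk) still has a user in the iovec branch; if not, drop `next` to avoid an unused-variable warning. The surviving `WARN_ON(1); /* for now */` now covers only ITER_DISCARD, which is the intent, but since the pipe case is what syzbot tripped, the comment could say that the discard case is the one still unhandled.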
@@ -1455,17 +1493,15 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum,
 		err ? v.iov_len : 0;
 	}), ({
 		char *p = kmap_atomic(v.bv_page);
-		next = csum_partial_copy_nocheck((from += v.bv_len) - v.bv_len,
-						 p + v.bv_offset,
-						 v.bv_len, 0);
+		sum = csum_and_memcpy(p + v.bv_offset,
+				      (from += v.bv_len) - v.bv_len,
+				      v.bv_len, sum, off);
 		kunmap_atomic(p);
-		sum = csum_block_add(sum, next, off);
 		off += v.bv_len;
 	}),({
-		next = csum_partial_copy_nocheck((from += v.iov_len) - v.iov_len,
-						 v.iov_base,
-						 v.iov_len, 0);
-		sum = csum_block_add(sum, next, off);
+		sum = csum_and_memcpy(v.iov_base,
+				     (from += v.iov_len) - v.iov_len,
+				     v.iov_len, sum, off);
 		off += v.iov_len;
 	})
 	)
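
Review bot: style nit in the kvec branch: the continuation lines `(from += v.iov_len) - v.iov_len,` and `v.iov_len, sum, off);` are aligned one column short of the opening parenthesis, unlike the bvec call just above; realign them. Note also that this direction passes the page (`p + v.bv_offset`, `v.iov_base`) as `to` and the advancing `from` as the source, the mirror image of the csum_and_copy_from_iter() hunks, which is expected for the to_iter direction but is the spot to double-check when the helper's argument order is the only thing that changed.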

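
The `off` that the new pipe loop threads through csum_and_memcpy() is the part of this patch that is easiest to lose when porting, so here is an added example (not the kernel's code and not part of Al Viro's patch): a user-space C model of csum_block_add() and the chunked copy, checking that a copy split at an odd page offset still folds to the same checksum as a one-shot pass, and what happens when `off` is ignored. The `*_model` helpers, `chunked_csum_copy`, `chunked_matches_oneshot` and the 4099-byte sample are constructed for this example; the byte swap in csum_block_add() here is the older form of the kernel's rotation and is equivalent for ones'-complement sums.

```c
/* Added example, not kernel code: a user-space model of the incremental
 * checksum csum_and_copy_to_pipe_iter() depends on.  The pipe loop copies
 * chunk = PAGE_SIZE - r bytes at a time (r may be odd) and folds each partial
 * sum in with csum_block_add(sum, next, off); a chunk starting at an odd
 * offset needs its partial sum byte-swapped.  Everything below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>
typedef uint32_t wsum;	/* stand-in for the kernel's __wsum */

/* 32-bit ones'-complement add with end-around carry (kernel csum_add()). */
static wsum csum_add(wsum a, wsum b)
{
	uint32_t r = a + b;
	return r + (r < a);
}

/* Sum of `len' bytes as little-endian 16-bit words starting at offset 0 of
 * `buf'; an odd trailing byte goes in the low half (kernel csum_partial()). */
static wsum csum_partial_model(const void *buf, size_t len)
{
	const uint8_t *p = buf;
	wsum sum = 0;
	for (; len >= 2; p += 2, len -= 2)
		sum = csum_add(sum, (wsum)p[0] | (wsum)p[1] << 8);
	return len ? csum_add(sum, p[0]) : sum;
}

/* Fold `next', the checksum of a chunk that began at byte offset `off', into
 * `sum'; an odd `off' pairs bytes the other way round, so swap both halves first. */
static wsum csum_block_add(wsum sum, wsum next, size_t off)
{
	if (off & 1)
		next = ((next & 0x00ff00ffu) << 8) | ((next >> 8) & 0x00ff00ffu);
	return csum_add(sum, next);
}

/* Fold to 16 bits and complement, as csum_fold() does. */
static uint16_t csum_fold(wsum sum)
{
	sum = (sum & 0xffff) + (sum >> 16);
	sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Same contract as the patch's csum_and_memcpy(): copy and checksum `len'
 * bytes, returning the running sum with this chunk folded in at `off'. */
static wsum csum_and_memcpy_model(void *to, const void *from, size_t len,
				  wsum sum, size_t off)
{
	wsum next = csum_partial_model(from, len);
	memcpy(to, from, len);
	return csum_block_add(sum, next, off);
}

/* The pipe loop in miniature: copy in pieces of at most `chunk' bytes, carrying
 * sum and off across them.  honour_offset == 0 models a port that drops `off'. */
static uint16_t chunked_csum_copy(uint8_t *to, const uint8_t *from, size_t len,
				  size_t chunk, int honour_offset)
{
	wsum sum = 0;
	size_t off = 0;
	while (len) {
		size_t n = len < chunk ? len : chunk;
		sum = csum_and_memcpy_model(to + off, from + off, n, sum,
					    honour_offset ? off : 0);
		off += n;
		len -= n;
	}
	return csum_fold(sum);
}

#define SAMPLE_LEN 4099	/* constructed: one 4096-byte page plus an odd tail */
/* 1 when copying the sample in `chunk'-byte pieces reproduces both the bytes
 * and the one-shot checksum of the whole message, else 0. */
static int chunked_matches_oneshot(size_t chunk, int honour_offset)
{
	static uint8_t from[SAMPLE_LEN], to[SAMPLE_LEN];
	for (size_t i = 0; i < SAMPLE_LEN; i++)
		from[i] = (uint8_t)(i * 37 + 11);	/* not byte-swap symmetric */
	uint16_t want = csum_fold(csum_partial_model(from, SAMPLE_LEN));
	uint16_t got = chunked_csum_copy(to, from, SAMPLE_LEN, chunk, honour_offset);
	return got == want && memcmp(to, from, SAMPLE_LEN) == 0;
}
```

With 4096-byte chunks the result is right whether or not `off` is honoured, because every chunk then starts at an even offset; a 4093-byte chunk (PAGE_SIZE - r with r = 3) is what separates a correct port from one that forgot the fix-up, which is also why an aligned test can miss the bug.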

* Re: WARNING in csum_and_copy_to_iter
  2018-11-25  1:51       ` Al Viro
@ 2018-11-26 11:46         ` Slavomir Kaslev
  0 siblings, 0 replies; 7+ messages in thread
From: Slavomir Kaslev @ 2018-11-26 11:46 UTC (permalink / raw)
  To: Al Viro
  Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche,
	syzkaller-bugs

On Sun, Nov 25, 2018 at 3:52 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Sat, Nov 24, 2018 at 09:44:36PM +0000, Al Viro wrote:
>
> > No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
> > is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
> > disappear from reverting, obviously.  I'll post a fix later tonight...
>
> FWIW, I think the following ought to work; it's obviously a pair of commits
> (introduction of convenience helper/switch to its use + csum_and_copy_to_iter()
> for ITER_PIPE), as well as commit message, etc., but I would really appreciate
> if folks gave it a look _and_ a beating.

Tested the patch in qemu, splice reading from udp and vsock sockets (with
https://github.com/skaslev/thru), and it seems to work great.

No warnings or suspicious messages in dmesg with kernel config similar to what
syzbot is using
https://github.com/google/syzkaller/blob/master/docs/linux/kernel_configs.md

> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 7ebccb5c1637..621984743268 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -560,6 +560,44 @@ static size_t copy_pipe_to_iter(const void *addr, size_t bytes,
>         return bytes;
>  }
>
> +static __wsum csum_and_memcpy(void *to, const void *from, size_t len,
> +                             __wsum sum, size_t off)
> +{
> +       __wsum next = csum_partial_copy_nocheck(from, to, len, 0);
> +       return csum_block_add(sum, next, off);
> +}
> +
> +static size_t csum_and_copy_to_pipe_iter(const void *addr, size_t bytes,
> +                               __wsum *csum, struct iov_iter *i)
> +{
> +       struct pipe_inode_info *pipe = i->pipe;
> +       size_t n, r;
> +       size_t off = 0;
> +       __wsum sum = *csum;
> +       int idx;
> +
> +       if (!sanity(i))
> +               return 0;
> +
> +       bytes = n = push_pipe(i, bytes, &idx, &r);
> +       if (unlikely(!n))
> +               return 0;
> +       for ( ; n; idx = next_idx(idx, pipe), r = 0) {
> +               size_t chunk = min_t(size_t, n, PAGE_SIZE - r);
> +               char *p = kmap_atomic(pipe->bufs[idx].page);
> +               sum = csum_and_memcpy(p + r, addr, chunk, sum, off);
> +               kunmap_atomic(p);
> +               i->idx = idx;
> +               i->iov_offset = r + chunk;
> +               n -= chunk;
> +               off += chunk;
> +               addr += chunk;
> +       }
> +       i->count -= bytes;
> +       *csum = sum;
> +       return bytes;
> +}
> +
>  size_t _copy_to_iter(const void *addr, size_t bytes, struct iov_iter *i)
>  {
>         const char *from = addr;
> @@ -1368,17 +1406,15 @@ size_t csum_and_copy_from_iter(void *addr, size_t bytes, __wsum *csum,
>                 err ? v.iov_len : 0;
>         }), ({
>                 char *p = kmap_atomic(v.bv_page);
> -               next = csum_partial_copy_nocheck(p + v.bv_offset,
> -                                                (to += v.bv_len) - v.bv_len,
> -                                                v.bv_len, 0);
> +               sum = csum_and_memcpy((to += v.bv_len) - v.bv_len,
> +                                     p + v.bv_offset, v.bv_len,
> +                                     sum, off);
>                 kunmap_atomic(p);
> -               sum = csum_block_add(sum, next, off);
>                 off += v.bv_len;
>         }),({
> -               next = csum_partial_copy_nocheck(v.iov_base,
> -                                                (to += v.iov_len) - v.iov_len,
> -                                                v.iov_len, 0);
> -               sum = csum_block_add(sum, next, off);
> +               sum = csum_and_memcpy((to += v.iov_len) - v.iov_len,
> +                                     v.iov_base, v.iov_len,
> +                                     sum, off);
>                 off += v.iov_len;
>         })
>         )
> @@ -1412,17 +1448,15 @@ bool csum_and_copy_from_iter_full(void *addr, size_t bytes, __wsum *csum,
>                 0;
>         }), ({
>                 char *p = kmap_atomic(v.bv_page);
> -               next = csum_partial_copy_nocheck(p + v.bv_offset,
> -                                                (to += v.bv_len) - v.bv_len,
> -                                                v.bv_len, 0);
> +               sum = csum_and_memcpy((to += v.bv_len) - v.bv_len,
> +                                     p + v.bv_offset, v.bv_len,
> +                                     sum, off);
>                 kunmap_atomic(p);
> -               sum = csum_block_add(sum, next, off);
>                 off += v.bv_len;
>         }),({
> -               next = csum_partial_copy_nocheck(v.iov_base,
> -                                                (to += v.iov_len) - v.iov_len,
> -                                                v.iov_len, 0);
> -               sum = csum_block_add(sum, next, off);
> +               sum = csum_and_memcpy((to += v.iov_len) - v.iov_len,
> +                                     v.iov_base, v.iov_len,
> +                                     sum, off);
>                 off += v.iov_len;
>         })
>         )
> @@ -1438,8 +1472,12 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum,
>         const char *from = addr;
>         __wsum sum, next;
>         size_t off = 0;
> +
> +       if (unlikely(iov_iter_is_pipe(i)))
> +               return csum_and_copy_to_pipe_iter(addr, bytes, csum, i);
> +
>         sum = *csum;
> -       if (unlikely(iov_iter_is_pipe(i) || iov_iter_is_discard(i))) {
> +       if (unlikely(iov_iter_is_discard(i))) {
>                 WARN_ON(1);     /* for now */
>                 return 0;
>         }
> @@ -1455,17 +1493,15 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum,
>                 err ? v.iov_len : 0;
>         }), ({
>                 char *p = kmap_atomic(v.bv_page);
> -               next = csum_partial_copy_nocheck((from += v.bv_len) - v.bv_len,
> -                                                p + v.bv_offset,
> -                                                v.bv_len, 0);
> +               sum = csum_and_memcpy(p + v.bv_offset,
> +                                     (from += v.bv_len) - v.bv_len,
> +                                     v.bv_len, sum, off);
>                 kunmap_atomic(p);
> -               sum = csum_block_add(sum, next, off);
>                 off += v.bv_len;
>         }),({
> -               next = csum_partial_copy_nocheck((from += v.iov_len) - v.iov_len,
> -                                                v.iov_base,
> -                                                v.iov_len, 0);
> -               sum = csum_block_add(sum, next, off);
> +               sum = csum_and_memcpy(v.iov_base,
> +                                    (from += v.iov_len) - v.iov_len,
> +                                    v.iov_len, sum, off);
>                 off += v.iov_len;
>         })
>         )


* Re: [syzbot]
  2018-11-24 19:40 WARNING in csum_and_copy_to_iter syzbot
  2018-11-24 20:03 ` Al Viro
@ 2023-11-24 10:30 ` syzbot
  1 sibling, 0 replies; 7+ messages in thread
From: syzbot @ 2023-11-24 10:30 UTC (permalink / raw)
  To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: 
Author: nogikh@google.com

The issue has not been happening for >1800 days.

#syz invalid

