From: Ming Lei <ming.lei@redhat.com>
To: Junichi Nomura <j-nomura@ce.jp.nec.com>
Cc: "linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	Jens Axboe <axboe@kernel.dk>, Christoph Hellwig <hch@lst.de>
Subject: Re: [PATCH] block: check bi_size overflow before merge
Date: Tue, 12 Nov 2019 16:46:17 +0800
Message-ID: <20191112084617.GA26804@ming.t460p>
In-Reply-To: <20191112071957.GA10061@jeru.linux.bs1.fc.nec.co.jp>

On Tue, Nov 12, 2019 at 07:19:58AM +0000, Junichi Nomura wrote:
> __bio_try_merge_page() may merge a page to bio without bio_full() check
> and cause bi_size overflow.
> 
> The overflow typically ends up with sd_init_command() warning on zero
> segment request with call trace like this:
> 
>     ------------[ cut here ]------------
>     WARNING: CPU: 2 PID: 1986 at drivers/scsi/scsi_lib.c:1025 scsi_init_io+0x156/0x180
>     CPU: 2 PID: 1986 Comm: kworker/2:1H Kdump: loaded Not tainted 5.4.0-rc7 #1
>     Workqueue: kblockd blk_mq_run_work_fn
>     RIP: 0010:scsi_init_io+0x156/0x180
>     RSP: 0018:ffffa11487663bf0 EFLAGS: 00010246
>     RAX: 00000000002be0a0 RBX: ffff8e6e9ff30118 RCX: 0000000000000000
>     RDX: 00000000ffffffe1 RSI: 0000000000000000 RDI: ffff8e6e9ff30118
>     RBP: ffffa11487663c18 R08: ffffa11487663d28 R09: ffff8e6e9ff30150
>     R10: 0000000000000001 R11: 0000000000000000 R12: ffff8e6e9ff30000
>     R13: 0000000000000001 R14: ffff8e74a1cf1800 R15: ffff8e6e9ff30000
>     FS:  0000000000000000(0000) GS:ffff8e6ea7680000(0000) knlGS:0000000000000000
>     CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>     CR2: 00007fff18cf0fe8 CR3: 0000000659f0a001 CR4: 00000000001606e0
>     Call Trace:
>      sd_init_command+0x326/0xb40 [sd_mod]
>      scsi_queue_rq+0x502/0xaa0
>      ? blk_mq_get_driver_tag+0xe7/0x120
>      blk_mq_dispatch_rq_list+0x256/0x5a0
>      ? elv_rb_del+0x24/0x30
>      ? deadline_remove_request+0x7b/0xc0
>      blk_mq_do_dispatch_sched+0xa3/0x140
>      blk_mq_sched_dispatch_requests+0xfb/0x170
>      __blk_mq_run_hw_queue+0x81/0x130
>      blk_mq_run_work_fn+0x1b/0x20
>      process_one_work+0x179/0x390
>      worker_thread+0x4f/0x3e0
>      kthread+0x105/0x140
>      ? max_active_store+0x80/0x80
>      ? kthread_bind+0x20/0x20
>      ret_from_fork+0x35/0x40
>     ---[ end trace f9036abf5af4a4d3 ]---
>     blk_update_request: I/O error, dev sdd, sector 2875552 op 0x1:(WRITE) flags 0x0 phys_seg 0 prio class 0
>     XFS (sdd1): writeback error on sector 2875552
> 
> __bio_try_merge_page() should check the overflow before actually doing
> merge.
> 
> Fixes: 07173c3ec276c ("block: enable multipage bvecs")
> Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
> Cc: Ming Lei <ming.lei@redhat.com>
> Cc: Jens Axboe <axboe@kernel.dk>
> 
> diff --git a/block/bio.c b/block/bio.c
> --- a/block/bio.c
> +++ b/block/bio.c
> @@ -751,7 +751,7 @@ bool __bio_try_merge_page(struct bio *bio, struct page *page,
>  	if (WARN_ON_ONCE(bio_flagged(bio, BIO_CLONED)))
>  		return false;
>  
> -	if (bio->bi_vcnt > 0) {
> +	if (bio->bi_vcnt > 0 && !bio_full(bio, len)) {
>  		struct bio_vec *bv = &bio->bi_io_vec[bio->bi_vcnt - 1];
>  
>  		if (page_is_mergeable(bv, page, len, off, same_page)) {
> 
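
Review bot: The new `!bio_full(bio, len)` term in the `if (bio->bi_vcnt > 0 ...)` condition carries the whole overflow guard, but nothing at the call site says so, and next to `bi_vcnt > 0` it reads like a check on the bvec count rather than on bi_size. A one-line comment above the condition stating that the merge is skipped when adding `len` would overflow bi_size would keep a later cleanup from dropping it. The lines after the `if` block are not visible in this hunk, so it is also worth confirming that the skipped-merge path returns false and that the callers then stop adding to this bio instead of retrying the same page against it.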

Looks fine:

Reviewed-by: Ming Lei <ming.lei@redhat.com>

-- 
Ming

