From: Benny Halevy <bhalevy@panasas.com>
To: Jens Axboe <jens.axboe@oracle.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Ingo Molnar <mingo@elte.hu>,
linux-kernel@vger.kernel.org,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [bug] block subsystem related crash with latest -git
Date: Thu, 18 Oct 2007 12:52:48 +0200
Message-ID: <47173B00.3070303@panasas.com>
In-Reply-To: <20071017182206.GS15552@kernel.dk>
On Oct. 17, 2007, 20:22 +0200, Jens Axboe <jens.axboe@oracle.com> wrote:
> On Wed, Oct 17 2007, Linus Torvalds wrote:
>>
>> On Wed, 17 Oct 2007, Jens Axboe wrote:
>>>> So avoiding the "sg_next()" on the last entry is pointless.
>>> Yeah, I didn't quite understand why if sg was valid, why dereferencing
>>> *(sg + 1)->page would crap out :/
>> Actually, I take that back. If 'sg' is the last entry in a *non*linked
>> scatter-gather list (ie we don't use the last entry as a link, we actually
>> use it as a real SG entry), then "sg_next(sg)" will indeed access past the
>> end of the whole allocated array, and will access one past the end.
>>
>> And with page-alloc debugging, that *will* blow up.
>>
>> So I think your change to use "sg_next()" only when you actually need a
>> next pointer is the correct one after all.
>
> Thanks, so I'm not totally crazy :-)
>
> Can you just pull:
>
> git://git.kernel.dk/data/git/linux-2.6-block.git for-linus
>
> then so we get those two pieces correct? Then the remaining issue seems
> to be a new one that is biting Ingo elsewhere, at least we'll all be on
> the same page then.
>
Jens, for_each_sg still calls sg_next on the last entry which will
dereference a possibly bogus sg->page (for the sg_is_chain(sg)
condition in sg_next) if the last entry is the last one on the page
of unchained entry and sg+1 falls over into an uninitialized page.
How about the following?
(Untested yet; sg.c is included here as an example of usage outside scatterlist.h.)
diff --git a/include/linux/scatterlist.h b/include/linux/scatterlist.h
index 2dc7464..3a27e03 100644
--- a/include/linux/scatterlist.h
+++ b/include/linux/scatterlist.h
@@ -30,7 +30,7 @@ static inline void sg_init_one(struct scatterlist *sg, const void *buf,
((struct scatterlist *) ((unsigned long) (sg)->page & ~0x01))
/**
- * sg_next - return the next scatterlist entry in a list
+ * sg_next_unsafe - return the next scatterlist entry in a list
* @sg: The current sg entry
*
* Usually the next entry will be @sg@ + 1, but if this sg element is part
@@ -41,7 +41,7 @@ static inline void sg_init_one(struct scatterlist *sg, const void *buf,
* the current entry, this function will NOT return NULL for an end-of-list.
*
*/
-static inline struct scatterlist *sg_next(struct scatterlist *sg)
+static inline struct scatterlist *sg_next_unsafe(struct scatterlist *sg)
{
sg++;
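Review bot: renaming the one-argument sg_next() to sg_next_unsafe() removes the signature every existing caller uses, and this patch converts only drivers/scsi/sg.c. Any other direct sg_next(sg) call in the tree (for_each_sg users are covered by the macro change, direct callers are not) will fail to compile until it is converted in the same series, or a one-argument compatibility wrapper is kept during the transition.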
@@ -51,11 +51,27 @@ static inline struct scatterlist *sg_next(struct scatterlist *sg)
return sg;
}
+/**
+ * sg_next - return the next scatterlist entry in a list
+ * @sg: The current sg entry
+ * @next: Index of next sg entry
+ * @nr: Number of sg entries in the list
+ *
+ * Note that the caller must ensure that there are further entries after
+ * the current entry, this function will NOT return NULL for an end-of-list.
+ *
+ */
+static inline struct scatterlist *sg_next(struct scatterlist *sg,
+ int next, int nr)
+{
+ return next < nr ? sg_next_unsafe(sg) : NULL;
+}
+
/*
* Loop over each sg element, following the pointer to a new list if necessary
*/
#define for_each_sg(sglist, sg, nr, __i) \
- for (__i = 0, sg = (sglist); __i < (nr); __i++, sg = sg_next(sg))
+ for (__i = 0, sg = (sglist); sg; sg = sg_next(sg, ++__i, nr))
/**
* sg_last - return the last scatterlist entry in a list
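Review bot: the kerneldoc for the new three-argument sg_next() is now wrong; it still says the function "will NOT return NULL for an end-of-list", but the body returns NULL exactly when `next >= nr`, which is the whole point of the change. Please reword it to say that NULL is returned once @next reaches @nr. Separately, the new for_each_sg loses the `__i < (nr)` test the old one had: with nr == 0 the body now runs once with sg == sglist (an entry that is not in use) before sg_next() gets a chance to return NULL. Something like `for (__i = 0, sg = (nr) ? (sglist) : NULL; sg; sg = sg_next(sg, ++__i, nr))` keeps the old zero-count behaviour.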
diff --git a/drivers/scsi/sg.c b/drivers/scsi/sg.c
index 7238b2d..57cc1dd 100644
--- a/drivers/scsi/sg.c
+++ b/drivers/scsi/sg.c
@@ -1165,7 +1165,7 @@ sg_vma_nopage(struct vm_area_struct *vma, unsigned long addr, int *type)
sg = rsv_schp->buffer;
sa = vma->vm_start;
for (k = 0; (k < rsv_schp->k_use_sg) && (sa < vma->vm_end);
- ++k, sg = sg_next(sg)) {
+ sg = sg_next(sg, ++k, rsv_schp->k_use_sg)) {
len = vma->vm_end - sa;
len = (len < sg->length) ? len : sg->length;
if (offset < len) {
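Review bot: moving `++k` into the sg_next() argument hides the loop increment inside the call; it is correct here because the condition `(k < rsv_schp->k_use_sg)` still bounds k, so the NULL that sg_next() returns on the last iteration is never dereferenced, but a reader has to check both the condition and the call to see that. The same pattern is used in sg_mmap() and sg_build_indirect() below; a short comment on the first one, or keeping `++k` as a visible step before the call, would make the invariant clearer.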
@@ -1209,7 +1209,7 @@ sg_mmap(struct file *filp, struct vm_area_struct *vma)
sa = vma->vm_start;
sg = rsv_schp->buffer;
for (k = 0; (k < rsv_schp->k_use_sg) && (sa < vma->vm_end);
- ++k, sg = sg_next(sg)) {
+ sg = sg_next(sg, ++k, rsv_schp->k_use_sg)) {
len = vma->vm_end - sa;
len = (len < sg->length) ? len : sg->length;
sa += len;
@@ -1840,7 +1840,7 @@ sg_build_indirect(Sg_scatter_hold * schp, Sg_fd * sfp, int buff_size)
}
for (k = 0, sg = schp->buffer, rem_sz = blk_size;
(rem_sz > 0) && (k < mx_sc_elems);
- ++k, rem_sz -= ret_sz, sg = sg_next(sg)) {
+ rem_sz -= ret_sz, sg = sg_next(sg, ++k, mx_sc_elems)) {
num = (rem_sz > scatter_elem_sz_prev) ?
scatter_elem_sz_prev : rem_sz;
@@ -1913,7 +1913,7 @@ sg_write_xfer(Sg_request * srp)
if (res)
return res;
- for (; p; sg = sg_next(sg), ksglen = sg->length,
+ for (; p; sg = sg_next_unsafe(sg), ksglen = sg->length,
p = page_address(sg->page)) {
if (usglen <= 0)
break;
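Review bot: this loop still has the access the cover letter describes. After the last real entry, `sg = sg_next_unsafe(sg)` steps to sg + 1, and the increment expression then reads `sg->length` and `page_address(sg->page)` from that entry before the `p` test can stop the loop. If sg + 1 is not inside the allocated array, that is an out-of-bounds read; renaming the helper to sg_next_unsafe() labels it but does not remove it. Bounding the loop by k_use_sg as the other hunks do, and only then reading length and page, would close it.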
@@ -1991,8 +1991,8 @@ sg_remove_scat(Sg_scatter_hold * schp)
} else {
int k;
- for (k = 0; (k < schp->k_use_sg) && sg->page;
- ++k, sg = sg_next(sg)) {
+ for (k = 0; sg && sg->page;
+ sg = sg_next(sg, ++k, schp->k_use_sg)) {
SCSI_LOG_TIMEOUT(5, printk(
"sg_remove_scat: k=%d, pg=0x%p, len=%d\n",
k, sg->page, sg->length));
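Review bot: replacing `(k < schp->k_use_sg)` with `sg` changes what happens when k_use_sg == 0: the old loop tested nothing, the new one evaluates `sg->page` on the first entry before any count is consulted. That is harmless only if schp->buffer is always initialised in that case; if it is, a comment saying so would help, otherwise keep the `k < schp->k_use_sg` term alongside `sg`.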
@@ -2045,7 +2045,7 @@ sg_read_xfer(Sg_request * srp)
if (res)
return res;
- for (; p; sg = sg_next(sg), ksglen = sg->length,
+ for (; p; sg = sg_next_unsafe(sg), ksglen = sg->length,
p = page_address(sg->page)) {
if (usglen <= 0)
break;
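Review bot: same issue as the sg_write_xfer() hunk: after the last entry this reads `sg->length` and `sg->page` from sg + 1 before `p` can terminate the loop, so the rename to sg_next_unsafe() does not remove the out-of-bounds read the patch is meant to fix; the loop needs a k_use_sg bound.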
@@ -2092,7 +2092,7 @@ sg_read_oxfer(Sg_request * srp, char __user *outp, int num_read_xfer)
if ((!outp) || (num_read_xfer <= 0))
return 0;
- for (k = 0; (k < schp->k_use_sg) && sg->page; ++k, sg = sg_next(sg)) {
+ for (k = 0; sg && sg->page; sg = sg_next(sg, ++k, schp->k_use_sg)) {
num = sg->length;
if (num > num_read_xfer) {
if (__copy_to_user(outp, page_address(sg->page),
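Review bot: as in sg_remove_scat(), dropping `(k < schp->k_use_sg)` in favour of `sg` means a zero k_use_sg now reads `sg->page` from the first entry instead of skipping the loop; please confirm that entry is always initialised in that case or keep both terms in the condition.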
@@ -2142,7 +2142,7 @@ sg_link_reserve(Sg_fd * sfp, Sg_request * srp, int size)
SCSI_LOG_TIMEOUT(4, printk("sg_link_reserve: size=%d\n", size));
rem = size;
- for (k = 0; k < rsv_schp->k_use_sg; ++k, sg = sg_next(sg)) {
+ for (k = 0; sg; sg = sg_next(sg, ++k, rsv_schp->k_use_sg)) {
num = sg->length;
if (rem <= num) {
sfp->save_scat_len = num;
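Review bot: this hunk drops the count check entirely: `for (k = 0; sg; ...)` enters the body with sg == rsv_schp->buffer even when rsv_schp->k_use_sg == 0, and then reads `sg->length` from an entry that is not in use; the old `k < rsv_schp->k_use_sg` test prevented that. Keep the count term, e.g. `for (k = 0; sg && k < rsv_schp->k_use_sg; sg = sg_next(sg, ++k, rsv_schp->k_use_sg))`.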
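As an added illustration (not part of this patch or of the kernel tree), a user-space model of the bounded sg_next()/for_each_sg() walk proposed above, run over a chained list whose second array has nothing after its last entry, so an unbounded walk would step past it. The nr == 0 guard in the macro is my addition, and both sample arrays are constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Modelled on the patch: the low bit of ->page marks a link entry. */
struct scatterlist { void *page; unsigned int length; };

#define sg_is_chain(sg)  ((uintptr_t)(sg)->page & 0x01)
#define sg_chain_ptr(sg) ((struct scatterlist *)((uintptr_t)(sg)->page & ~(uintptr_t)0x01))

/* Always reads sg + 1: must never be called on the last real entry. */
static inline struct scatterlist *sg_next_unsafe(struct scatterlist *sg)
{
	sg++;
	if (sg_is_chain(sg))
		sg = sg_chain_ptr(sg);
	return sg;
}

/* Bounded variant from the patch: NULL once index 'next' reaches nr. */
static inline struct scatterlist *sg_next(struct scatterlist *sg, int next, int nr)
{
	return next < nr ? sg_next_unsafe(sg) : NULL;
}
/* Patch's macro plus a guard (my addition) so nr == 0 visits nothing. */
#define for_each_sg(sglist, sg, nr, __i) \
	for (__i = 0, sg = (nr) > 0 ? (sglist) : NULL; sg; sg = sg_next(sg, ++__i, nr))

/* Sum the lengths of the nr real entries of a possibly chained list. */
unsigned long sg_total_len(struct scatterlist *sgl, int nr)
{
	struct scatterlist *sg;
	unsigned long total = 0;
	int i;
	for_each_sg(sgl, sg, nr, i)
		total += sg->length;
	return total;
}

/* Constructed sample: a 3-slot array whose last slot links to a 2-entry
 * array with nothing after it; only 4 real entries exist in total. */
unsigned long sample_walk(void)
{
	static char buf[4][16];
	static struct scatterlist second[2], first[3];
	first[0].page = buf[0];  first[0].length = 100;
	first[1].page = buf[1];  first[1].length = 200;
	first[2].page = (void *)((uintptr_t)second | 0x01);  /* link, not data */
	second[0].page = buf[2]; second[0].length = 300;
	second[1].page = buf[3]; second[1].length = 400;
	return sg_total_len(first, 4);
}
```

The walk never evaluates sg_next() on second[1], which is the access the cover letter is worried about.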