Subject: Re: [fuse-devel] [PATCH] fuse: break infinite loop in fuse_fill_write_pages()
From: Maxim Patlasov
To: Konstantin Khlebnikov
CC: Andrew Morton, Roman Gushchin, Linux Kernel Mailing List, Al Viro, Miklos Szeredi
Date: Mon, 5 Oct 2015 11:37:11 -0700
Message-ID: <5612C357.1050000@parallels.com>
References: <1442829773-14150-1-git-send-email-klamm@yandex-team.ru> <560EDAB1.5090605@parallels.com> <20151002150440.e691f6c81619794f8a947263@linux-foundation.org>
List-ID: linux-kernel@vger.kernel.org

On 10/02/2015 06:58 PM, Konstantin Khlebnikov wrote:
> On Sat, Oct 3, 2015 at 1:04 AM, Andrew Morton wrote:
>> On Fri, 2 Oct 2015 12:27:45 -0700 Maxim Patlasov wrote:
>>
>>> On 10/02/2015 04:21 AM, Konstantin Khlebnikov wrote:
>>>> Bump. Add more people in CC.
>>>>
>>>> On Mon, Sep 21, 2015 at 1:02 PM, Roman Gushchin wrote:
>>>>> I got a report about an unkillable task eating CPU. The further
>>>>> investigation shows that the problem is in the fuse_fill_write_pages()
>>>>> function. If the iov's first segment has zero length, we get an infinite
>>>>> loop, because we never reach the iov_iter_advance() call.
>>> iov_iter_copy_from_user_atomic() eventually calls iterate_iovec(). The
>>> latter silently consumes zero-length iov. So I don't think "iov's first
>>> segment has zero length" can cause an infinite loop.
>> I'm suspecting it got stuck because local variable `bytes' is zero, so
>> the code does `goto again' repeatedly.
>>
>> Or maybe not. A more complete description of the bug would help.
> I suspect it is the same scenario as in 124d3b7041f:
> a zero-length segment is followed by a segment with an invalid address:
> iov_iter_fault_in_readable() checks only the first segment (zero-length),
> iov_iter_copy_from_user_atomic() skips it, fails at the second and
> returns zero -> goto again without skipping the zero-length segment.
>
> Patch calls iov_iter_advance() before goto again: we'll skip the zero-length
> segment at the second iteration and iov_iter_fault_in_readable() will detect
> the invalid address.

Makes sense to me. The patch looks fine.

Thanks,
Maxim
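As an added illustration of the scenario Konstantin describes, and not part of the thread, the kernel's code or the submitted patch, the following constructed user-space model in C replays both the original retry loop and the loop with iov_iter_advance() called before the retry. The helper names mirror the kernel functions they stand in for, but their bodies are assumptions that keep only the properties the thread relies on (fault-in probes one segment, the copy skips empty segments, advance drops a consumed segment).

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed user-space model of the retry loop discussed above; not the
 * kernel's code nor the patch. A NULL base stands for a faulting user address. */
struct seg { const char *base; size_t len; };
struct iter { const struct seg *v; size_t n; size_t off; }; /* v[0]: current */
/* iov_iter_fault_in_readable() model: probes only the current segment. */
static bool fault_in_readable(const struct iter *it)
{
	return it->n == 0 || it->v[0].len == it->off || it->v[0].base != NULL;
}
/* iov_iter_copy_from_user_atomic() model: silently skips zero-length
 * segments; returns bytes copied from the first non-empty one, 0 on fault. */
static size_t copy_from_user_atomic(const struct iter *it, size_t bytes)
{
	for (size_t i = 0; i < it->n; i++) {
		size_t left = it->v[i].len - (i == 0 ? it->off : 0);
		if (left == 0) continue;
		if (it->v[i].base == NULL) return 0;
		return bytes < left ? bytes : left;
	}
	return 0;
}
/* iov_iter_advance() model: drops a fully consumed segment, even a zero-length one when n == 0. */
static void advance(struct iter *it, size_t n)
{
	while (it->n) {
		size_t left = it->v[0].len - it->off;
		if (n < left) { it->off += n; return; }
		n -= left; it->v++; it->n--; it->off = 0;
		if (n == 0) return;
	}
}
/* One page of the fill loop: 1 = copied, -1 = the kernel's -EFAULT,
 * 0 = the retry never terminates (the reported unkillable spin). */
static int fill_write_page(struct iter *it, size_t bytes, bool fixed)
{
	int spins = 0;
again:
	if (!fault_in_readable(it)) return -1;
	size_t tmp = copy_from_user_atomic(it, bytes);
	if (fixed) advance(it, tmp);       /* the patch: advance before goto again */
	if (!tmp) {
		if (++spins > 1000) return 0;
		goto again;
	}
	if (!fixed) advance(it, tmp);      /* original: advanced only on success */
	return 1;
}
```

With a zero-length segment followed by a faulting one, the original ordering spins forever while the reordered loop returns the fault on its second pass; a zero-length segment followed by a valid one copies correctly in both.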