From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jens Axboe Subject: Re: [PATCH 11/19] block: implement bio helper to add iter bvec pages to bio Date: Mon, 25 Feb 2019 21:34:36 -0700 Message-ID: References: <20190211190049.7888-1-axboe@kernel.dk> <20190211190049.7888-13-axboe@kernel.dk> <20190220225856.GB28313@ming.t460p> <20190226034613.GA676@sol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20190226034613.GA676@sol.localdomain> Content-Language: en-US Sender: owner-linux-aio@kvack.org To: Eric Biggers Cc: Ming Lei , linux-aio@kvack.org, linux-block@vger.kernel.org, linux-api@vger.kernel.org, hch@lst.de, jmoyer@redhat.com, avi@scylladb.com, jannh@google.com, viro@zeniv.linux.org.uk List-Id: linux-api@vger.kernel.org On 2/25/19 8:46 PM, Eric Biggers wrote: > Hi Jens, > > On Thu, Feb 21, 2019 at 10:45:27AM -0700, Jens Axboe wrote: >> On 2/20/19 3:58 PM, Ming Lei wrote: >>> On Mon, Feb 11, 2019 at 12:00:41PM -0700, Jens Axboe wrote: >>>> For an ITER_BVEC, we can just iterate the iov and add the pages >>>> to the bio directly. This requires that the caller doesn't releases >>>> the pages on IO completion, we add a BIO_NO_PAGE_REF flag for that. >>>> >>>> The current two callers of bio_iov_iter_get_pages() are updated to >>>> check if they need to release pages on completion. This makes them >>>> work with bvecs that contain kernel mapped pages already. >>>> >>>> Reviewed-by: Hannes Reinecke >>>> Reviewed-by: Christoph Hellwig >>>> Signed-off-by: Jens Axboe >>>> --- >>>> block/bio.c | 59 ++++++++++++++++++++++++++++++++------- >>>> fs/block_dev.c | 5 ++-- >>>> fs/iomap.c | 5 ++-- >>>> include/linux/blk_types.h | 1 + >>>> 4 files changed, 56 insertions(+), 14 deletions(-) >>>> >>>> diff --git a/block/bio.c b/block/bio.c >>>> index 4db1008309ed..330df572cfb8 100644 >>>> --- a/block/bio.c >>>> +++ b/block/bio.c >>>> @@ -828,6 +828,23 @@ int bio_add_page(struct bio *bio, struct page *page, >>>> } >>>> EXPORT_SYMBOL(bio_add_page); >>>> >>>> +static int __bio_iov_bvec_add_pages(struct bio *bio, struct iov_iter *iter) >>>> +{ >>>> + const struct bio_vec *bv = iter->bvec; >>>> + unsigned int len; >>>> + size_t size; >>>> + >>>> + len = min_t(size_t, bv->bv_len, iter->count); >>>> + size = bio_add_page(bio, bv->bv_page, len, >>>> + bv->bv_offset + iter->iov_offset); >>> >>> iter->iov_offset needs to be subtracted from 'len', looks >>> the following delta change[1] is required, otherwise memory corruption >>> can be observed when running xfstests over loop/dio. >> >> Thanks, I folded this in. >> >> -- >> Jens Axboe >> > > syzkaller started hitting a crash on linux-next starting with this commit, and > it still occurs even with your latest version that has Ming's fix folded in. > Specifically, commit a566653ab5ab80a from your io_uring branch with commit date > Sun Feb 24 08:20:53 2019 -0700. > > Reproducer: > > #define _GNU_SOURCE > #include > #include > #include > #include > #include > #include > > int main(void) > { > int memfd, loopfd; > > memfd = syscall(__NR_memfd_create, "foo", 0); > > pwrite(memfd, "\xa8", 1, 4096); > > loopfd = open("/dev/loop0", O_RDWR|O_DIRECT); > > ioctl(loopfd, LOOP_SET_FD, memfd); > > sendfile(loopfd, loopfd, NULL, 1000000); > } > > > Crash: > > page:ffffea0001a6aab8 count:0 mapcount:0 mapping:0000000000000000 index:0x0 > flags: 0x100000000000000() > raw: 0100000000000000 ffffea0001ad2c50 ffff88807fca49d0 0000000000000000 > raw: 0000000000000000 0000000000000000 00000000ffffffff > page dumped because: VM_BUG_ON_PAGE(page_ref_count(page) == 0) I see what this is, I'll cut a fix for this tomorrow. -- Jens Axboe -- To unsubscribe, send a message with 'unsubscribe linux-aio' in the body to majordomo@kvack.org. For more info on Linux AIO, see: http://www.kvack.org/aio/ Don't email: aart@kvack.org