* Re: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
2024-09-30 18:55 [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages() Omar Sandoval
@ 2024-09-30 19:27 ` Eduard Zingerman
2024-09-30 20:10 ` David Howells
` (2 subsequent siblings)
3 siblings, 0 replies; 6+ messages in thread
From: Eduard Zingerman @ 2024-09-30 19:27 UTC (permalink / raw)
To: Omar Sandoval, linux-fsdevel, Al Viro, Christian Brauner
Cc: kernel-team, v9fs, David Howells, Manu Bretelle, Leon Romanovsky
On Mon, 2024-09-30 at 11:55 -0700, Omar Sandoval wrote:
> From: Omar Sandoval <osandov@fb.com>
>
> iter_folioq_get_pages() decides to advance to the next folioq slot when
> it has reached the end of the current folio. However, it is checking
> offset, which is the beginning of the current part, instead of
> iov_offset, which is adjusted to the end of the current part, so it
> doesn't advance the slot when it's supposed to. As a result, on the next
> iteration, we'll use the same folio with an out-of-bounds offset and
> return an unrelated page.
>
> This manifested as various crashes and other failures in 9pfs in drgn's
> VM testing setup and BPF CI.
>
> Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
> Link: https://lore.kernel.org/linux-fsdevel/20240923183432.1876750-1-chantr4@gmail.com/
> Tested-by: Manu Bretelle <chantr4@gmail.com>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
> ---
Tried this on top of the following commit from net-fs-fixes branch:
e1b0d67c7ae0 ("9p: Don't revert the I/O iterator after reading")
The boot issue is gone, thank you!
Tested-by: Eduard Zingerman <eddyz87@gmail.com>
[...]
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
2024-09-30 18:55 [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages() Omar Sandoval
2024-09-30 19:27 ` Eduard Zingerman
@ 2024-09-30 20:10 ` David Howells
2024-10-01 5:52 ` Leon Romanovsky
2024-10-01 9:47 ` Joey Gouly
2024-10-01 9:50 ` Christian Brauner
3 siblings, 1 reply; 6+ messages in thread
From: David Howells @ 2024-09-30 20:10 UTC (permalink / raw)
To: Omar Sandoval, Christian Brauner
Cc: dhowells, linux-fsdevel, Al Viro, kernel-team, v9fs,
Manu Bretelle, Eduard Zingerman, Leon Romanovsky
Omar Sandoval <osandov@osandov.com> wrote:
> From: Omar Sandoval <osandov@fb.com>
>
> iter_folioq_get_pages() decides to advance to the next folioq slot when
> it has reached the end of the current folio. However, it is checking
> offset, which is the beginning of the current part, instead of
> iov_offset, which is adjusted to the end of the current part, so it
> doesn't advance the slot when it's supposed to. As a result, on the next
> iteration, we'll use the same folio with an out-of-bounds offset and
> return an unrelated page.
>
> This manifested as various crashes and other failures in 9pfs in drgn's
> VM testing setup and BPF CI.
>
> Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
> Link: https://lore.kernel.org/linux-fsdevel/20240923183432.1876750-1-chantr4@gmail.com/
> Tested-by: Manu Bretelle <chantr4@gmail.com>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
Thanks for finding that! That would explain why I didn't see it with afs or
cifs - both of those pass the iterator directly to the socket rather than
pulling the pages out of it. I'm not sure how I managed to do things like run
xfstests to completion and git clone and build a kernel without encountering
the bug.
Christian: Can you add this to vfs.fixes and tag it:
Acked-by: David Howells <dhowells@redhat.com>
Tested-by: Eduard Zingerman <eddyz87@gmail.com>
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
2024-09-30 20:10 ` David Howells
@ 2024-10-01 5:52 ` Leon Romanovsky
0 siblings, 0 replies; 6+ messages in thread
From: Leon Romanovsky @ 2024-10-01 5:52 UTC (permalink / raw)
To: David Howells, Christian Brauner
Cc: Omar Sandoval, linux-fsdevel, Al Viro, kernel-team, v9fs,
Manu Bretelle, Eduard Zingerman
On Mon, Sep 30, 2024 at 09:10:02PM +0100, David Howells wrote:
> Omar Sandoval <osandov@osandov.com> wrote:
>
> > From: Omar Sandoval <osandov@fb.com>
> >
> > iter_folioq_get_pages() decides to advance to the next folioq slot when
> > it has reached the end of the current folio. However, it is checking
> > offset, which is the beginning of the current part, instead of
> > iov_offset, which is adjusted to the end of the current part, so it
> > doesn't advance the slot when it's supposed to. As a result, on the next
> > iteration, we'll use the same folio with an out-of-bounds offset and
> > return an unrelated page.
> >
> > This manifested as various crashes and other failures in 9pfs in drgn's
> > VM testing setup and BPF CI.
> >
> > Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
> > Link: https://lore.kernel.org/linux-fsdevel/20240923183432.1876750-1-chantr4@gmail.com/
> > Tested-by: Manu Bretelle <chantr4@gmail.com>
> > Signed-off-by: Omar Sandoval <osandov@fb.com>
>
> Thanks for finding that! That would explain why I didn't see it with afs or
> cifs - both of those pass the iterator directly to the socket rather than
> pulling the pages out of it. I'm not sure how I managed to do things like run
> xfstests to completion and git clone and build a kernel without encountering
> the bug.
>
> Christian: Can you add this to vfs.fixes and tag it:
>
> Acked-by: David Howells <dhowells@redhat.com>
> Tested-by: Eduard Zingerman <eddyz87@gmail.com>
It worked for me too.
Tested-by: Leon Romanovsky <leon@kernel.org>
Thanks
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
2024-09-30 18:55 [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages() Omar Sandoval
2024-09-30 19:27 ` Eduard Zingerman
2024-09-30 20:10 ` David Howells
@ 2024-10-01 9:47 ` Joey Gouly
2024-10-01 9:50 ` Christian Brauner
3 siblings, 0 replies; 6+ messages in thread
From: Joey Gouly @ 2024-10-01 9:47 UTC (permalink / raw)
To: Omar Sandoval
Cc: linux-fsdevel, Al Viro, Christian Brauner, kernel-team, v9fs,
David Howells, Manu Bretelle, Eduard Zingerman, Leon Romanovsky
On Mon, Sep 30, 2024 at 11:55:00AM -0700, Omar Sandoval wrote:
> From: Omar Sandoval <osandov@fb.com>
>
> iter_folioq_get_pages() decides to advance to the next folioq slot when
> it has reached the end of the current folio. However, it is checking
> offset, which is the beginning of the current part, instead of
> iov_offset, which is adjusted to the end of the current part, so it
> doesn't advance the slot when it's supposed to. As a result, on the next
> iteration, we'll use the same folio with an out-of-bounds offset and
> return an unrelated page.
>
> This manifested as various crashes and other failures in 9pfs in drgn's
> VM testing setup and BPF CI.
>
> Fixes: db0aa2e9566f ("mm: Define struct folio_queue and ITER_FOLIOQ to handle a sequence of folios")
> Link: https://lore.kernel.org/linux-fsdevel/20240923183432.1876750-1-chantr4@gmail.com/
> Tested-by: Manu Bretelle <chantr4@gmail.com>
> Signed-off-by: Omar Sandoval <osandov@fb.com>
> ---
> lib/iov_iter.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 97003155bfac..1abb32c0da50 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -1033,7 +1033,7 @@ static ssize_t iter_folioq_get_pages(struct iov_iter *iter,
> if (maxpages == 0 || extracted >= maxsize)
> break;
>
> - if (offset >= fsize) {
> + if (iov_offset >= fsize) {
> iov_offset = 0;
> slot++;
> if (slot == folioq_nr_slots(folioq) && folioq->next) {
This fixes booting for me with my 9pfs rootfs. Tested on next-20241001+this patch.
Tested-by: Joey Gouly <joey.gouly@arm.com>
Thanks!
^ permalink raw reply [flat|nested] 6+ messages in thread* Re: [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages()
2024-09-30 18:55 [PATCH] iov_iter: fix advancing slot in iter_folioq_get_pages() Omar Sandoval
` (2 preceding siblings ...)
2024-10-01 9:47 ` Joey Gouly
@ 2024-10-01 9:50 ` Christian Brauner
3 siblings, 0 replies; 6+ messages in thread
From: Christian Brauner @ 2024-10-01 9:50 UTC (permalink / raw)
To: Omar Sandoval
Cc: Christian Brauner, kernel-team, v9fs, David Howells,
Manu Bretelle, Eduard Zingerman, Leon Romanovsky, linux-fsdevel,
Al Viro
On Mon, 30 Sep 2024 11:55:00 -0700, Omar Sandoval wrote:
> iter_folioq_get_pages() decides to advance to the next folioq slot when
> it has reached the end of the current folio. However, it is checking
> offset, which is the beginning of the current part, instead of
> iov_offset, which is adjusted to the end of the current part, so it
> doesn't advance the slot when it's supposed to. As a result, on the next
> iteration, we'll use the same folio with an out-of-bounds offset and
> return an unrelated page.
>
> [...]
Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes
[1/1] iov_iter: fix advancing slot in iter_folioq_get_pages()
https://git.kernel.org/vfs/vfs/c/0d24852bd71e
^ permalink raw reply [flat|nested] 6+ messages in thread