* [PATCH] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
From: Deepanshu Kartikey @ 2026-03-07 9:00 UTC
To: dhowells, pc
Cc: jlayton, netfs, linux-fsdevel, linux-kernel, Deepanshu Kartikey,
syzbot+9c058f0d63475adc97fd, Deepanshu Kartikey
When a process crashes and the kernel writes a core dump to a 9P
filesystem, __kernel_write() creates an ITER_KVEC iterator. This
iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
hitting the BUG() for any other type.
Fix this by adding netfs_limit_kvec() following the same pattern as
netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
with pointer and length fields. Dispatch it from netfs_limit_iter() when
the iterator type is ITER_KVEC.
Fixes: cae932d3aee5 ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
fs/netfs/iterator.c | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c
index 72a435e5fc6d..154a14bb2d7f 100644
--- a/fs/netfs/iterator.c
+++ b/fs/netfs/iterator.c
@@ -142,6 +142,47 @@ static size_t netfs_limit_bvec(const struct iov_iter *iter, size_t start_offset,
return min(span, max_size);
}
+/*
+ * Select the span of a kvec iterator we're going to use. Limit it by both
+ * maximum size and maximum number of segments. Returns the size of the span
+ * in bytes.
+ */
+static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset,
+ size_t max_size, size_t max_segs)
+{
+ const struct kvec *kvecs = iter->kvec;
+ unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0;
+ size_t len, span = 0, n = iter->count;
+ size_t skip = iter->iov_offset + start_offset;
+
+ if (WARN_ON(!iov_iter_is_kvec(iter)) ||
+ WARN_ON(start_offset > n) ||
+ n == 0)
+ return 0;
+
+ while (n && ix < nkv && skip) {
+ len = kvecs[ix].iov_len;
+ if (skip < len)
+ break;
+ skip -= len;
+ n -= len;
+ ix++;
+ }
+
+ while (n && ix < nkv) {
+ len = min3(n, kvecs[ix].iov_len - skip, max_size);
+ span += len;
+ nsegs++;
+ ix++;
+ if (span >= max_size || nsegs >= max_segs)
+ break;
+ skip = 0;
+ n -= len;
+ }
+
+ return min(span, max_size);
+}
+
/*
* Select the span of an xarray iterator we're going to use. Limit it by both
* maximum size and maximum number of segments. It is assumed that segments
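Review bot: In the skip loop of netfs_limit_kvec(), "n -= len" subtracts a whole segment length from n, yet n starts as iter->count while skip starts as iter->iov_offset + start_offset. If iter->count covers only the bytes remaining after iov_offset, skipping past the first segment removes more from n than that segment contributed, and because n is a size_t it can wrap to a very large value; the later min3(n, ...) then no longer bounds the span by what is left in the iterator. Suggest subtracting only the bytes actually consumed from the first segment (or clamping with min(n, len)), and stating in the header comment how start_offset and iov_offset relate to iter->count. The commit message says this follows netfs_limit_bvec(), so the same question may apply there.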
@@ -245,6 +286,8 @@ size_t netfs_limit_iter(const struct iov_iter *iter, size_t start_offset,
return netfs_limit_bvec(iter, start_offset, max_size, max_segs);
if (iov_iter_is_xarray(iter))
return netfs_limit_xarray(iter, start_offset, max_size, max_segs);
+ if (iov_iter_is_kvec(iter))
+ return netfs_limit_kvec(iter, start_offset, max_size, max_segs);
BUG();
}
EXPORT_SYMBOL(netfs_limit_iter);
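Review bot: The BUG() at the end of netfs_limit_iter() stays reachable for every iterator type not tested above it, so the next unhandled type will bring the kernel down the same way ITER_KVEC did. Since this patch fixes exactly that failure, consider replacing the fallthrough with WARN_ON_ONCE(1) plus a return value the callers can treat as an error, or at least listing the supported iterator types in the function's comment so the remaining BUG() is a documented contract.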
--
2.43.0
* Re: [PATCH] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
From: David Howells @ 2026-03-07 13:51 UTC
To: Deepanshu Kartikey
Cc: dhowells, pc, jlayton, netfs, linux-fsdevel, linux-kernel,
syzbot+9c058f0d63475adc97fd
Thanks very much for these two patches :-)
David
* Re: [PATCH] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
From: Christian Brauner @ 2026-03-09 9:17 UTC
To: dhowells, pc, Deepanshu Kartikey
Cc: Christian Brauner, jlayton, netfs, linux-fsdevel, linux-kernel,
syzbot+9c058f0d63475adc97fd, Deepanshu Kartikey
On Sat, 07 Mar 2026 14:30:41 +0530, Deepanshu Kartikey wrote:
> When a process crashes and the kernel writes a core dump to a 9P
> filesystem, __kernel_write() creates an ITER_KVEC iterator. This
> iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
> only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
> hitting the BUG() for any other type.
>
> Fix this by adding netfs_limit_kvec() following the same pattern as
> netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
> with pointer and length fields. Dispatch it from netfs_limit_iter() when
> the iterator type is ITER_KVEC.
>
> [...]
Applied to the vfs.fixes branch of the vfs/vfs.git tree.
Patches in the vfs.fixes branch should appear in linux-next soon.
Please report any outstanding bugs that were missed during review in a
new review to the original patch series allowing us to drop it.
It's encouraged to provide Acked-bys and Reviewed-bys even though the
patch has now been applied. If possible patch trailers will be updated.
Note that commit hashes shown below are subject to change due to rebase,
trailer updates or similar. If in doubt, please check the listed branch.
tree: https://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs.git
branch: vfs.fixes
[1/1] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
https://git.kernel.org/vfs/vfs/c/67e467a11f62
* Re: [PATCH] netfs: Fix kernel BUG in netfs_limit_iter() for ITER_KVEC iterators
From: Vitaly Chikunov @ 2026-03-13 15:14 UTC
To: Deepanshu Kartikey
Cc: dhowells, pc, jlayton, netfs, linux-fsdevel, linux-kernel,
syzbot+9c058f0d63475adc97fd
Deepanshu, David,
On Sat, Mar 07, 2026 at 02:30:41PM +0530, Deepanshu Kartikey wrote:
> When a process crashes and the kernel writes a core dump to a 9P
> filesystem, __kernel_write() creates an ITER_KVEC iterator. This
> iterator reaches netfs_limit_iter() via netfs_unbuffered_write(), which
> only handles ITER_FOLIOQ, ITER_BVEC and ITER_XARRAY iterator types,
> hitting the BUG() for any other type.
>
> Fix this by adding netfs_limit_kvec() following the same pattern as
> netfs_limit_bvec(), since both kvec and bvec are simple segment arrays
> with pointer and length fields. Dispatch it from netfs_limit_iter() when
> the iterator type is ITER_KVEC.
[ 1.901035] kernel BUG at fs/netfs/iterator.c:248!
We hit the issue in v6.18.17 and the patch resolved it.
Tested-by: Vitaly Chikunov <vt@altlinux.org>
Thanks,
>
> Fixes: cae932d3aee5 ("netfs: Add func to calculate pagecount/size-limited span of an iterator")
> Reported-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=9c058f0d63475adc97fd
> Tested-by: syzbot+9c058f0d63475adc97fd@syzkaller.appspotmail.com
> Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
> ---
> fs/netfs/iterator.c | 43 +++++++++++++++++++++++++++++++++++++++++++
> 1 file changed, 43 insertions(+)
>
> diff --git a/fs/netfs/iterator.c b/fs/netfs/iterator.c
> index 72a435e5fc6d..154a14bb2d7f 100644
> --- a/fs/netfs/iterator.c
> +++ b/fs/netfs/iterator.c
> @@ -142,6 +142,47 @@ static size_t netfs_limit_bvec(const struct iov_iter *iter, size_t start_offset,
> return min(span, max_size);
> }
>
> +/*
> + * Select the span of a kvec iterator we're going to use. Limit it by both
> + * maximum size and maximum number of segments. Returns the size of the span
> + * in bytes.
> + */
> +static size_t netfs_limit_kvec(const struct iov_iter *iter, size_t start_offset,
> + size_t max_size, size_t max_segs)
> +{
> + const struct kvec *kvecs = iter->kvec;
> + unsigned int nkv = iter->nr_segs, ix = 0, nsegs = 0;
> + size_t len, span = 0, n = iter->count;
> + size_t skip = iter->iov_offset + start_offset;
> +
> + if (WARN_ON(!iov_iter_is_kvec(iter)) ||
> + WARN_ON(start_offset > n) ||
> + n == 0)
> + return 0;
> +
> + while (n && ix < nkv && skip) {
> + len = kvecs[ix].iov_len;
> + if (skip < len)
> + break;
> + skip -= len;
> + n -= len;
> + ix++;
> + }
> +
> + while (n && ix < nkv) {
> + len = min3(n, kvecs[ix].iov_len - skip, max_size);
> + span += len;
> + nsegs++;
> + ix++;
> + if (span >= max_size || nsegs >= max_segs)
> + break;
> + skip = 0;
> + n -= len;
> + }
> +
> + return min(span, max_size);
> +}
> +
> /*
> * Select the span of an xarray iterator we're going to use. Limit it by both
> * maximum size and maximum number of segments. It is assumed that segments
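Review bot: In the second loop of netfs_limit_kvec(), the "nsegs >= max_segs" test runs only after the current segment has been added to span, so a caller passing max_segs == 0 still gets one segment's worth of bytes back rather than 0. A zero-length kvec also increments nsegs while adding nothing to span, so empty segments use up the segment budget. If either case can occur, test max_segs before entering the loop and skip empty segments; otherwise say in the header comment that max_segs must be at least 1.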
> @@ -245,6 +286,8 @@ size_t netfs_limit_iter(const struct iov_iter *iter, size_t start_offset,
> return netfs_limit_bvec(iter, start_offset, max_size, max_segs);
> if (iov_iter_is_xarray(iter))
> return netfs_limit_xarray(iter, start_offset, max_size, max_segs);
> + if (iov_iter_is_kvec(iter))
> + return netfs_limit_kvec(iter, start_offset, max_size, max_segs);
> BUG();
> }
> EXPORT_SYMBOL(netfs_limit_iter);
> --
> 2.43.0
>