From: Dave Chinner <david@fromorbit.com>
To: Christoph Hellwig <hch@infradead.org>
Cc: Brian Foster <bfoster@redhat.com>, linux-xfs@vger.kernel.org
Subject: Re: [PATCH 3/3] xfs: alignment check bio buffers
Date: Thu, 22 Aug 2019 10:44:57 +1000 [thread overview]
Message-ID: <20190822004457.GT1119@dread.disaster.area> (raw)
In-Reply-To: <20190821233041.GD24904@infradead.org>
On Wed, Aug 21, 2019 at 04:30:41PM -0700, Christoph Hellwig wrote:
> On Wed, Aug 21, 2019 at 09:39:04AM -0400, Brian Foster wrote:
> > > @@ -36,9 +57,12 @@ xfs_rw_bdev(
> > > unsigned int off = offset_in_page(data);
> > > unsigned int len = min_t(unsigned, left, PAGE_SIZE - off);
> > >
> > > - while (bio_add_page(bio, page, len, off) != len) {
> > > + while ((ret = xfs_bio_add_page(bio, page, len, off)) != len) {
> > > struct bio *prev = bio;
> > >
> > > + if (ret < 0)
> > > + goto submit;
> > > +
> >
> > Hmm.. is submitting the bio really the right thing to do if we get here
> > and have failed to add any pages to the bio? If we're already seeing
> > weird behavior for bios with unaligned data memory, this seems like a
> > recipe for similar weirdness. We'd also end up doing a partial write in
> > scenarios where we already know we're returning an error. Perhaps we
> > should create an error path or use a check similar to what is already in
> > xfs_buf_ioapply_map() (though I'm not a fan of submitting a partial I/O
> > when we already know we're going to return an error) to call bio_endio()
> > to undo any chaining.
>
> It is not the right thing to do. Calling bio_endio after setting
> an error is the right thing to do (modulo any other cleanup needed).
bio_endio() doesn't wait for completion or all the IO in progress.
In fact, if we have chained bios still in progress, it does
absolutely nothing:
void bio_endio(struct bio *bio)
{
again:
>>>>> if (!bio_remaining_done(bio))
return;
and so we return still with the memory we've put into the buffers in
active use by the chained bios under IO. On error, we'll free the
allocated buffer immediately, and that means we've got a
use-after-free as the bios in progress still have references to it.
If it's heap memory we are using here, then that's a memory
corruption (read) or kernel memory leak (write) vector.
So we have to wait for IO completion before we return from this
function, and AFAICT, the only way to do that is to call
submit_bio_wait() on the parent of the bio chain to wait for all
child bios to drop their references and call bio_endio() on the
parent of the chain....
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2019-08-22 0:46 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-21 8:38 [PATCH 0/3] xfs: avoid IO issues unaligned memory allocation Dave Chinner
2019-08-21 8:38 ` [PATCH 1/3] xfs: add kmem allocation trace points Dave Chinner
2019-08-21 13:34 ` Brian Foster
2019-08-21 23:20 ` Christoph Hellwig
2019-08-21 8:38 ` [PATCH 2/3] xfs: add kmem_alloc_io() Dave Chinner
2019-08-21 13:35 ` Brian Foster
2019-08-21 15:08 ` Darrick J. Wong
2019-08-21 21:24 ` Dave Chinner
2019-08-21 15:23 ` Eric Sandeen
2019-08-21 21:14 ` Dave Chinner
2019-08-22 13:40 ` Brian Foster
2019-08-22 22:39 ` Dave Chinner
2019-08-23 12:10 ` Brian Foster
2019-08-21 23:24 ` Christoph Hellwig
2019-08-22 0:31 ` Dave Chinner
2019-08-22 7:59 ` Christoph Hellwig
2019-08-22 8:51 ` Peter Zijlstra
2019-08-22 9:10 ` Peter Zijlstra
2019-08-22 10:14 ` Dave Chinner
2019-08-22 11:14 ` Vlastimil Babka
2019-08-22 12:07 ` Dave Chinner
2019-08-22 12:19 ` Vlastimil Babka
2019-08-22 13:17 ` Dave Chinner
2019-08-22 14:26 ` Vlastimil Babka
2019-08-26 12:21 ` Michal Hocko
2019-08-21 8:38 ` [PATCH 3/3] xfs: alignment check bio buffers Dave Chinner
2019-08-21 13:39 ` Brian Foster
2019-08-21 21:39 ` Dave Chinner
2019-08-22 13:47 ` Brian Foster
2019-08-22 23:03 ` Dave Chinner
2019-08-23 12:33 ` Brian Foster
2019-08-21 23:30 ` Christoph Hellwig
2019-08-22 0:44 ` Dave Chinner [this message]
2019-08-21 23:29 ` Christoph Hellwig
2019-08-22 0:37 ` Dave Chinner
2019-08-22 8:03 ` Christoph Hellwig
2019-08-22 10:17 ` Dave Chinner
2019-08-22 2:50 ` Ming Lei
2019-08-22 4:49 ` Dave Chinner
2019-08-22 7:23 ` Ming Lei
2019-08-22 8:08 ` Christoph Hellwig
2019-08-22 10:20 ` Ming Lei
2019-08-23 0:14 ` Christoph Hellwig
2019-08-23 1:19 ` Ming Lei
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190822004457.GT1119@dread.disaster.area \
--to=david@fromorbit.com \
--cc=bfoster@redhat.com \
--cc=hch@infradead.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox