From: Al Viro <viro@ZenIV.linux.org.uk>
To: "Alan J. Wylie" <alan@wylie.me.uk>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
Thorsten Leemhuis <regressions@leemhuis.info>,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: 4.9.0 regression in pipe-backed iov_iter with systemd-nspawn
Date: Fri, 13 Jan 2017 11:18:42 +0000 [thread overview]
Message-ID: <20170113111842.GL1555@ZenIV.linux.org.uk> (raw)
In-Reply-To: <20170113102019.GK1555@ZenIV.linux.org.uk>
On Fri, Jan 13, 2017 at 10:20:19AM +0000, Al Viro wrote:
> OK, so it is iov_iter_advance() failing to free the shit allocated, either
> due to some breakage in pipe_advance() or buggered 'copied'... Let's
> see which one; could you apply the following and run your reproducer? The
> only difference from the previous is that it collects and prints a bit more,
> so it should be just as reproducible...
Actually, I think I understand what's going on. It's
if (pipe->nrbufs) {
int unused = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
/* [curbuf,unused) is in use. Free [idx,unused) */
while (idx != unused) {
pipe_buf_release(pipe, &pipe->bufs[idx]);
idx = next_idx(idx, pipe);
pipe->nrbufs--;
}
}
in case when pipe->nrbufs == pipe->buffers and idx == pipe->curbuf. IOW,
we have a full pipe and want to empty it entirely; the fun question is,
of course, telling that case from having nothing to free with the same
full pipe...
OK, so we have either
* off != 0 => something's being left in the pipe, i->idx points
to the last in-use buffer after that, idx points to the first buffer unused
after that. In that case the current logics is correct.
* off == 0 => we are emptying the damn thing. i->idx and idx point
to the first buffer unused after that (== pipe->curbuf + pipe->nrbufs at the
time we'd set the iov_iter up). The current logics is correct unless
pipe->nrbufs was originally 0 and now has become pipe->buffers. IOW,
we screw up when off == 0, idx == unused, pipe->nrbufs == pipe->buffers...
OK, we really ought to make sure that iov_iter_pipe() is never
done on a full pipe. AFAICS, we do, and if so the following should
suffice. WARNING: it's completely untested and it's a result of debugging
a fencepost bug in handling of cyclic buffers done at 6 in the morning,
on _way_ too long uptime. Treat as very dangerous; it's not entirely
impossible that I hadn't fucked up, but don't consider it anything other
than "let's try and see if it immediately explodes" until I've got
a chance to reread it after getting some sleep.
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 25f572303801..7bc0b99d3c83 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -759,11 +759,12 @@ static void pipe_advance(struct iov_iter *i, size_t size)
idx = next_idx(idx, pipe);
if (pipe->nrbufs) {
int unused = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
- /* [curbuf,unused) is in use. Free [idx,unused) */
- while (idx != unused) {
- pipe_buf_release(pipe, &pipe->bufs[idx]);
- idx = next_idx(idx, pipe);
- pipe->nrbufs--;
+ if (idx != unused || unlikely(idx == pipe->curbuf && !off)) {
+ do {
+ pipe_buf_release(pipe, &pipe->bufs[idx]);
+ idx = next_idx(idx, pipe);
+ pipe->nrbufs--;
+ } while (idx != unused);
}
}
i->count -= orig_sz;
@@ -826,6 +827,7 @@ void iov_iter_pipe(struct iov_iter *i, int direction,
size_t count)
{
BUG_ON(direction != ITER_PIPE);
+ WARN_ON(pipe->nrbufs == pipe->buffers);
i->type = direction;
i->pipe = pipe;
i->idx = (pipe->curbuf + pipe->nrbufs) & (pipe->buffers - 1);
next prev parent reply other threads:[~2017-01-13 11:18 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-12 20:26 4.9.0 regression in pipe-backed iov_iter with systemd-nspawn Alan J. Wylie
2017-01-12 20:31 ` Al Viro
2017-01-12 20:38 ` Alan J. Wylie
2017-01-12 22:26 ` Linus Torvalds
2017-01-12 22:37 ` Al Viro
2017-01-12 22:46 ` Al Viro
2017-01-12 23:02 ` Linus Torvalds
2017-01-12 23:14 ` Al Viro
2017-01-12 23:14 ` Linus Torvalds
2017-01-12 23:27 ` Al Viro
2017-01-12 22:46 ` Alan J. Wylie
2017-01-12 22:58 ` Al Viro
2017-01-12 23:28 ` Linus Torvalds
2017-01-13 4:00 ` Al Viro
2017-01-13 7:38 ` Alan J. Wylie
2017-01-13 7:23 ` Alan J. Wylie
2017-01-13 9:33 ` Al Viro
2017-01-13 9:54 ` Alan J. Wylie
2017-01-13 10:20 ` Al Viro
2017-01-13 10:32 ` Alan J. Wylie
2017-01-13 11:25 ` Al Viro
2017-01-13 11:18 ` Al Viro [this message]
2017-01-13 19:33 ` Linus Torvalds
2017-01-13 20:08 ` Al Viro
2017-01-13 20:11 ` Al Viro
2017-01-13 20:32 ` Linus Torvalds
2017-01-13 20:47 ` Al Viro
2017-01-13 21:55 ` Al Viro
2017-01-13 21:59 ` Al Viro
2017-01-13 22:13 ` Al Viro
2017-01-13 22:50 ` Al Viro
2017-01-14 0:59 ` Linus Torvalds
2017-01-14 1:24 ` Al Viro
2017-01-14 1:43 ` Al Viro
2017-01-14 1:46 ` Linus Torvalds
2017-01-14 1:57 ` Al Viro
2017-01-15 0:53 ` Al Viro
2017-01-14 13:16 ` Alan J. Wylie
2017-01-14 16:29 ` Alan J. Wylie
2017-01-14 17:57 ` Linus Torvalds
2017-01-13 20:08 ` Linus Torvalds
2017-01-13 20:16 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170113111842.GL1555@ZenIV.linux.org.uk \
--to=viro@zeniv.linux.org.uk \
--cc=alan@wylie.me.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=regressions@leemhuis.info \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox