Subject: WARNING in csum_and_copy_to_iter
From: syzbot @ 2018-11-24 19:40 UTC
To: davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs, viro

Hello,

syzbot found the following crash on:

HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
WARNING: CPU: 1 PID: 7440 at lib/iov_iter.c:1443 csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Kernel panic - not syncing: panic_on_warn set ...
CPU: 1 PID: 7440 Comm: syz-executor2 Not tainted 4.20.0-rc3+ #345
kobject: 'loop0' (00000000da2348da): kobject_uevent_env
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x244/0x39d lib/dump_stack.c:113
 panic+0x2ad/0x55c kernel/panic.c:188
kobject: 'loop0' (00000000da2348da): fill_kobj_path: path = '/devices/virtual/block/loop0'
 __warn.cold.8+0x20/0x45 kernel/panic.c:540
 report_bug+0x254/0x2d0 lib/bug.c:186
 fixup_bug arch/x86/kernel/traps.c:178 [inline]
 do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
 do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
WARNING: CPU: 0 PID: 7446 at lib/iov_iter.c:1443 csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Modules linked in:
 invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:969
CPU: 0 PID: 7446 Comm: syz-executor0 Not tainted 4.20.0-rc3+ #345
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RIP: 0010:csum_and_copy_to_iter+0x73a/0x14f0 lib/iov_iter.c:1443
RSP: 0018:ffff8881bc80f368 EFLAGS: 00010293
Code: ee fd 48 83 bd b0 fe ff ff 00 0f 84 48 fc ff ff e9 91 fe ff ff e8 e6 6d ee fd 49 83 c4 10 31 db e9 70 fc ff ff e8 d6 6d ee fd <0f> 0b 48 c7 85 e8 fe ff ff 00 00 00 00 e9 70 fd ff ff 4c 89 f7 e8
RAX: ffff8881c87ca080 RBX: 000000000000038a RCX: ffffffff839116c2
RSP: 0018:ffff8881bbabf368 EFLAGS: 00010293
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
RAX: ffff8881caf18080 RBX: 000000000000038a RCX: ffffffff839116c2
RBP: ffff8881bc80f4f8 R08: ffff8881c87ca080 R09: 0000000000000006
RDX: 0000000000000000 RSI: ffffffff83911d1a RDI: 0000000000000005
R10: 0000000000000000 R11: ffff8881c87ca080 R12: 0000000000000000
RBP: ffff8881bbabf4f8 R08: ffff8881caf18080 R09: 0000000000000006
R13: 0000000000000008 R14: ffff8881bc80fa50 R15: 000000000000038a
R10: 0000000000000000 R11: ffff8881caf18080 R12: 0000000000000000
R13: 0000000000000008 R14: ffff8881bbabfa50 R15: 000000000000038a
FS:  00007fed2599c700(0000) GS:ffff8881dae00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004cce48 CR3: 00000001cf367000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
 skb_copy_and_csum_datagram+0x1ab/0xae0 net/core/datagram.c:662
 skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
 udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
 skb_copy_and_csum_datagram_msg+0x246/0x420 net/core/datagram.c:802
 udpv6_recvmsg+0xd62/0x1d80 net/ipv6/udp.c:376
 inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
 inet_recvmsg+0x181/0x6d0 net/ipv4/af_inet.c:830
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0xd0/0x110 net/socket.c:801
 sock_read_iter+0x39b/0x570 net/socket.c:878
 call_read_iter include/linux/fs.h:1851 [inline]
 generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
 sock_recvmsg_nosec net/socket.c:794 [inline]
 sock_recvmsg+0xd0/0x110 net/socket.c:801
 sock_read_iter+0x39b/0x570 net/socket.c:878
 sock_splice_read+0xef/0x110 net/socket.c:856
 do_splice_to+0x12e/0x190 fs/splice.c:880
 call_read_iter include/linux/fs.h:1851 [inline]
 generic_file_splice_read+0x5a2/0x9a0 fs/splice.c:308
 do_splice+0x1014/0x1430 fs/splice.c:1173
 sock_splice_read+0xef/0x110 net/socket.c:856
 __do_sys_splice fs/splice.c:1414 [inline]
 __se_sys_splice fs/splice.c:1394 [inline]
 __x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
 do_splice_to+0x12e/0x190 fs/splice.c:880
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 do_splice+0x1014/0x1430 fs/splice.c:1173
 __do_sys_splice fs/splice.c:1414 [inline]
 __se_sys_splice fs/splice.c:1394 [inline]
 __x64_sys_splice+0x2c1/0x330 fs/splice.c:1394
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6517086c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
RIP: 0033:0x457569
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f65170876d4
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
RSP: 002b:00007fed2599bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000006 RCX: 0000000000457569
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 000000000072bfa0 R08: 0000000010000200 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fed2599c6d4
R13: 00000000004c5719 R14: 00000000004d8c08 R15: 00000000ffffffff
irq event stamp: 352
hardirqs last  enabled at (351): [<ffffffff814ad030>] __local_bh_enable_ip+0x160/0x260 kernel/softirq.c:194
hardirqs last disabled at (352): [<ffffffff81007ced>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last  enabled at (350): [<ffffffff86aef3ab>] spin_unlock_bh include/linux/spinlock.h:374 [inline]
softirqs last  enabled at (350): [<ffffffff86aef3ab>] __skb_recv_udp+0x4ab/0xaf0 net/ipv4/udp.c:1611
softirqs last disabled at (348): [<ffffffff86aef190>] spin_lock_bh include/linux/spinlock.h:334 [inline]
softirqs last disabled at (348): [<ffffffff86aef190>] __skb_recv_udp+0x290/0xaf0 net/ipv4/udp.c:1583
---[ end trace fcfb475d82d5a575 ]---
Kernel Offset: disabled
Rebooting in 86400 seconds..

---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Subject: Re: WARNING in csum_and_copy_to_iter
From: Al Viro @ 2018-11-24 20:03 UTC
To: syzbot
Cc: davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs

On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com

Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
Author: Slavomir Kaslev <kaslevs@vmware.com>
Date:   Fri Nov 16 11:27:53 2018 +0200

    socket: do a generic_file_splice_read when proto_ops has no splice_read

exposing all ->recvmsg() instances to pipe-backed iov_iter as possible
destination. It's not all that hard to fix (I'll probably have a candidate
patch by tonight, it's just a matter of adding the only missing primitive),
but... shouldn't that patch have sat in -next for at least some testing
first? Because it's very easy to reproduce - splice from e.g. UDP socket
will step into it. Sure, the sky is not falling (unless you set
panic-on-WARN, that is); the damn thing would've failed anyway, but...
Subject: Re: WARNING in csum_and_copy_to_iter
From: Slavomir Kaslev @ 2018-11-24 21:20 UTC
To: Al Viro
Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs

On Sat, Nov 24, 2018 at 08:03:57PM +0000, Al Viro wrote:
> On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> > dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com
>
> Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
> Author: Slavomir Kaslev <kaslevs@vmware.com>
> Date:   Fri Nov 16 11:27:53 2018 +0200
>
>     socket: do a generic_file_splice_read when proto_ops has no splice_read
>
> exposing all ->recvmsg() instances to pipe-backed iov_iter as possible destination.
> It's not all that hard to fix (I'll probably have a candidate patch by tonight,
> it's just a matter of adding the only missing primitive), but... shouldn't that
> patch have sat in -next for at least some testing first? Because it's very
> easy to reproduce - splice from e.g. UDP socket will step into it. Sure, the
> sky is not falling (unless you set panic-on-WARN, that is); the damn thing
> would've failed anyway, but...

My bad for not sending the patch tagged as net-next, feel free to revert it.
Subject: Re: WARNING in csum_and_copy_to_iter
From: Al Viro @ 2018-11-24 21:44 UTC
To: Slavomir Kaslev
Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs

On Sat, Nov 24, 2018 at 11:20:14PM +0200, Slavomir Kaslev wrote:
> On Sat, Nov 24, 2018 at 08:03:57PM +0000, Al Viro wrote:
> > On Sat, Nov 24, 2018 at 11:40:03AM -0800, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following crash on:
> > >
> > > HEAD commit:    edeca3a769ad Merge tag 'sound-4.20-rc4' of git://git.kerne..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12bee26d400000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=73e2bc0cb6463446
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=ce18da013d76d837144d
> > > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15ccd1f5400000
> > >
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+ce18da013d76d837144d@syzkaller.appspotmail.com
> >
> > Caused by commit 95506588d2c1d72ca29adef8ae9bf771bcfb4ced
> > Author: Slavomir Kaslev <kaslevs@vmware.com>
> > Date:   Fri Nov 16 11:27:53 2018 +0200
> >
> >     socket: do a generic_file_splice_read when proto_ops has no splice_read
> >
> > exposing all ->recvmsg() instances to pipe-backed iov_iter as possible destination.
> > It's not all that hard to fix (I'll probably have a candidate patch by tonight,
> > it's just a matter of adding the only missing primitive), but... shouldn't that
> > patch have sat in -next for at least some testing first? Because it's very
> > easy to reproduce - splice from e.g. UDP socket will step into it. Sure, the
> > sky is not falling (unless you set panic-on-WARN, that is); the damn thing
> > would've failed anyway, but...
>
> My bad for not sending the patch tagged as net-next, feel free to revert it.

No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
disappear from reverting, obviously. I'll post a fix later tonight...
Subject: Re: WARNING in csum_and_copy_to_iter
From: Al Viro @ 2018-11-25 1:51 UTC
To: Slavomir Kaslev
Cc: syzbot, davem, gregkh, kgraul, linux-kernel, netdev, stranche, syzkaller-bugs

On Sat, Nov 24, 2018 at 09:44:36PM +0000, Al Viro wrote:
> No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
> is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
> disappear from reverting, obviously. I'll post a fix later tonight...

FWIW, I think the following ought to work; it's obviously a pair of commits
(introduction of convenience helper/switch to its use + csum_and_copy_to_iter()
for ITER_PIPE), as well as commit message, etc., but I would really appreciate
if folks gave it a look _and_ a beating.

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
---
diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index 7ebccb5c1637..621984743268 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -560,6 +560,44 @@ static size_t copy_pipe_to_iter(const void *addr, size_t bytes, return bytes; } +static __wsum csum_and_memcpy(void *to, const void *from, size_t len, + __wsum sum, size_t off) +{ + __wsum next = csum_partial_copy_nocheck(from, to, len, 0); + return csum_block_add(sum, next, off); +} + +static size_t csum_and_copy_to_pipe_iter(const void *addr, size_t bytes, + __wsum *csum, struct iov_iter *i) +{ + struct pipe_inode_info *pipe = i->pipe; + size_t n, r; + size_t off = 0; + __wsum sum = *csum; + int idx; + + if (!sanity(i)) + return 0; + + bytes = n = push_pipe(i, bytes, &idx, &r); + if (unlikely(!n)) + return 0; + for ( ; n; idx = next_idx(idx, pipe), r = 0) { + size_t chunk = min_t(size_t, n, PAGE_SIZE - r); + char *p = kmap_atomic(pipe->bufs[idx].page); + sum = csum_and_memcpy(p + r, addr, chunk, sum, off); + kunmap_atomic(p); + i->idx = idx; + i->iov_offset = r + chunk; + n -= chunk; + off += chunk; + addr += chunk; + } + i->count -= bytes; + *csum = sum; + return bytes; +} + size_t _copy_to_iter(const void *addr, size_t bytes, struct iov_iter *i) { const char *from = addr; @@ -1368,17 +1406,15 @@ size_t csum_and_copy_from_iter(void *addr, size_t bytes, __wsum *csum, err ? v.iov_len : 0; }), ({ char *p = kmap_atomic(v.bv_page); - next = csum_partial_copy_nocheck(p + v.bv_offset, - (to += v.bv_len) - v.bv_len, - v.bv_len, 0); + sum = csum_and_memcpy((to += v.bv_len) - v.bv_len, + p + v.bv_offset, v.bv_len, + sum, off); kunmap_atomic(p); - sum = csum_block_add(sum, next, off); off += v.bv_len; }),({ - next = csum_partial_copy_nocheck(v.iov_base, - (to += v.iov_len) - v.iov_len, - v.iov_len, 0); - sum = csum_block_add(sum, next, off); + sum = csum_and_memcpy((to += v.iov_len) - v.iov_len, + v.iov_base, v.iov_len, + sum, off); off += v.iov_len; }) ) 
@@ -1412,17 +1448,15 @@ bool csum_and_copy_from_iter_full(void *addr, size_t bytes, __wsum *csum, 0; }), ({ char *p = kmap_atomic(v.bv_page); - next = csum_partial_copy_nocheck(p + v.bv_offset, - (to += v.bv_len) - v.bv_len, - v.bv_len, 0); + sum = csum_and_memcpy((to += v.bv_len) - v.bv_len, + p + v.bv_offset, v.bv_len, + sum, off); kunmap_atomic(p); - sum = csum_block_add(sum, next, off); off += v.bv_len; }),({ - next = csum_partial_copy_nocheck(v.iov_base, - (to += v.iov_len) - v.iov_len, - v.iov_len, 0); - sum = csum_block_add(sum, next, off); + sum = csum_and_memcpy((to += v.iov_len) - v.iov_len, + v.iov_base, v.iov_len, + sum, off); off += v.iov_len; }) ) @@ -1438,8 +1472,12 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum, const char *from = addr; __wsum sum, next; size_t off = 0; + + if (unlikely(iov_iter_is_pipe(i))) + return csum_and_copy_to_pipe_iter(addr, bytes, csum, i); + sum = *csum; - if (unlikely(iov_iter_is_pipe(i) || iov_iter_is_discard(i))) { + if (unlikely(iov_iter_is_discard(i))) { WARN_ON(1); /* for now */ return 0; } @@ -1455,17 +1493,15 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum, err ? v.iov_len : 0; }), ({ char *p = kmap_atomic(v.bv_page); - next = csum_partial_copy_nocheck((from += v.bv_len) - v.bv_len, - p + v.bv_offset, - v.bv_len, 0); + sum = csum_and_memcpy(p + v.bv_offset, + (from += v.bv_len) - v.bv_len, + v.bv_len, sum, off); kunmap_atomic(p); - sum = csum_block_add(sum, next, off); off += v.bv_len; }),({ - next = csum_partial_copy_nocheck((from += v.iov_len) - v.iov_len, - v.iov_base, - v.iov_len, 0); - sum = csum_block_add(sum, next, off); + sum = csum_and_memcpy(v.iov_base, + (from += v.iov_len) - v.iov_len, + v.iov_len, sum, off); off += v.iov_len; }) ) ^ permalink raw reply related [flat|nested] 7+ messages in thread
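Review bot: csum_and_memcpy() in the hunk at @@ -560 takes (to, from) in memcpy() order, the reverse of the csum_partial_copy_nocheck(from, to, ...) it wraps, and every converted call site (the hunks at 1406, 1448 and 1493) swaps the first two arguments of the old call accordingly; a one-line comment on the helper stating that order would spare the next reader re-deriving it from the call sites. In the same hunk, csum_and_copy_to_pipe_iter() returns the shorter count when push_pipe() cannot provide the whole request and leaves *csum covering only the bytes actually copied (`bytes = n = push_pipe(i, bytes, &idx, &r);` ... `*csum = sum;` `return bytes;`), which is the behaviour callers should be told about in the second commit's message.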
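Review bot: the hunks at @@ -1368 and @@ -1412 apply the same transformation to csum_and_copy_from_iter() and csum_and_copy_from_iter_full(), and in both the bvec and kvec branches stop assigning `next`; please confirm that `next` is still assigned in the user-copy branch of each function (only its tail `err ? v.iov_len : 0;` is visible here), otherwise the declaration becomes an unused variable that newer compilers will flag.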
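Review bot: in the hunk at @@ -1438, the new early return for iov_iter_is_pipe() sits before `sum = *csum;`, which is correct only because csum_and_copy_to_pipe_iter() reads *csum itself; a short comment there would make that dependency explicit. The leftover `WARN_ON(1); /* for now */` on the now pipe-free discard branch no longer says which case is still pending; something like `/* ITER_DISCARD not supported yet */` keeps the comment meaningful once the change is split into two commits.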
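A user-space model of the checksum bookkeeping in the patch above, added here as an example and not part of the thread or of the kernel: it reimplements csum_partial(), csum_block_add() and csum_fold() with the one's-complement semantics assumed from lib/checksum.c and include/net/checksum.h, mirrors the chunked loop of csum_and_copy_to_pipe_iter() over tiny 4-byte "pipe pages", and shows that the folded checksum only matches a single pass when each chunk's `off` is passed to csum_block_add(), which is the reason the helper carries that argument.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define PAGE_SZ 4	/* tiny "pipe page" so that chunk boundaries show up */

/* csum_partial(): one's-complement sum of 16-bit LE words, 32-bit unfolded. */
static uint32_t csum_partial(const void *buff, size_t len, uint32_t wsum)
{
	const uint8_t *p = buff;
	uint64_t acc = wsum;
	for (; len >= 2; p += 2, len -= 2)
		acc += (uint32_t)p[0] | ((uint32_t)p[1] << 8);
	if (len) acc += p[0];			/* trailing byte is a low byte */
	while (acc >> 32)			/* end-around carry into 32 bits */
		acc = (acc & 0xffffffffu) + (acc >> 32);
	return (uint32_t)acc;
}

/* csum_block_add(): a block at an odd offset has its bytes in the other half
 * of every word, so its sum is rotated by 8 bits before it is added. */
static uint32_t csum_block_add(uint32_t csum, uint32_t csum2, size_t off)
{
	if (off & 1)
		csum2 = (csum2 >> 8) | (csum2 << 24);	/* ror32(csum2, 8) */
	csum += csum2;
	return csum + (csum < csum2);		/* csum_add(): end-around carry */
}

static uint16_t csum_fold(uint32_t sum)
{
	sum = (sum & 0xffff) + (sum >> 16);
	sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* The patch's csum_and_memcpy(): copy, checksum, fold into the running sum. */
static uint32_t csum_and_memcpy(void *to, const void *from, size_t len,
				uint32_t sum, size_t off)
{
	memcpy(to, from, len);
	return csum_block_add(sum, csum_partial(from, len, 0), off);
}

/* Mirror of the loop in csum_and_copy_to_pipe_iter(): copy into consecutive
 * pipe pages starting at offset r of the first; track_off == 0 drops `off`. */
static uint32_t chunked_csum_copy(uint8_t pages[][PAGE_SZ], size_t r,
				  const uint8_t *addr, size_t bytes,
				  uint32_t sum, int track_off)
{
	size_t off = 0, n = bytes, idx = 0;
	for (; n; idx++, r = 0) {
		size_t chunk = n < PAGE_SZ - r ? n : PAGE_SZ - r;
		sum = csum_and_memcpy(pages[idx] + r, addr, chunk, sum,
				      track_off ? off : 0);
		n -= chunk;
		off += chunk;
		addr += chunk;
	}
	return sum;
}

/* 1 if the chunked copy from page offset r reproduces data and folded csum. */
static int chunked_matches_single_pass(size_t r, int track_off)
{
	static const uint8_t msg[] = "UDP payload";	/* constructed sample */
	const size_t len = sizeof msg - 1;
	uint8_t pages[8][PAGE_SZ] = {{0}}, gathered[sizeof msg];
	uint32_t chunked = chunked_csum_copy(pages, r, msg, len, 0, track_off);
	size_t i;
	for (i = 0; i < len; i++)
		gathered[i] = pages[(r + i) / PAGE_SZ][(r + i) % PAGE_SZ];
	return memcmp(gathered, msg, len) == 0 &&
	       csum_fold(chunked) == csum_fold(csum_partial(msg, len, 0));
}
```

Starting the copy at page offset 3 puts every chunk boundary on an odd byte, which is exactly where a missing rotation shows up; at even offsets the naive and the correct versions agree, so a test that only uses page-aligned writes would never catch the omission.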
Subject: Re: WARNING in csum_and_copy_to_iter
From: Slavomir Kaslev @ 2018-11-26 11:46 UTC
To: Al Viro
Cc: syzbot, davem@davemloft.net, gregkh@linuxfoundation.org, kgraul@linux.ibm.com, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, stranche@codeaurora.org, syzkaller-bugs@googlegroups.com

On Sun, Nov 25, 2018 at 3:52 AM Al Viro <viro@zeniv.linux.org.uk> wrote:
>
> On Sat, Nov 24, 2018 at 09:44:36PM +0000, Al Viro wrote:
>
> > No point, IMO - the fix isn't hard and bisect hazard created by the whole thing
> > is both mild (spurious WARN() in case that used to fail anyway) _and_ won't
> > disappear from reverting, obviously. I'll post a fix later tonight...
>
> FWIW, I think the following ought to work; it's obviously a pair of commits
> (introduction of convenience helper/switch to its use + csum_and_copy_to_iter()
> for ITER_PIPE), as well as commit message, etc., but I would really appreciate
> if folks gave it a look _and_ a beating.

Tested the patch in qemu, splice reading from udp and vsock sockets (with
https://github.com/skaslev/thru), and it seems to work great. No warnings or
suspicious messages in dmesg with kernel config similar to what syzbot is
using https://github.com/google/syzkaller/blob/master/docs/linux/kernel_configs.md

> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
> ---
> diff --git a/lib/iov_iter.c b/lib/iov_iter.c
> index 7ebccb5c1637..621984743268 100644
> --- a/lib/iov_iter.c
> +++ b/lib/iov_iter.c
> @@ -560,6 +560,44 @@ static size_t copy_pipe_to_iter(const void *addr, size_t bytes, > return bytes; > } > > +static __wsum csum_and_memcpy(void *to, const void *from, size_t len, > + __wsum sum, size_t off) > +{ > + __wsum next = csum_partial_copy_nocheck(from, to, len, 0); > + return csum_block_add(sum, next, off); > +} > + > +static size_t csum_and_copy_to_pipe_iter(const void *addr, size_t bytes, > + __wsum *csum, struct iov_iter *i) > +{ > + struct pipe_inode_info *pipe = i->pipe; > + size_t n, r; > + size_t off = 0; > + __wsum sum = *csum; > + int idx; > + > + if (!sanity(i)) > + return 0; > + > + bytes = n = push_pipe(i, bytes, &idx, &r); > + if (unlikely(!n)) > + return 0; > + for ( ; n; idx = next_idx(idx, pipe), r = 0) { > + size_t chunk = min_t(size_t, n, PAGE_SIZE - r); > + char *p = kmap_atomic(pipe->bufs[idx].page); > + sum = csum_and_memcpy(p + r, addr, chunk, sum, off); > + kunmap_atomic(p); > + i->idx = idx; > + i->iov_offset = r + chunk; > + n -= chunk; > + off += chunk; > + addr += chunk; > + } > + i->count -= bytes; > + *csum = sum; > + return bytes; > +} > + > size_t _copy_to_iter(const void *addr, size_t bytes, struct iov_iter *i) > { > const char *from = addr; > @@ -1368,17 +1406,15 @@ size_t csum_and_copy_from_iter(void *addr, size_t bytes, __wsum *csum, > err ? v.iov_len : 0; > }), ({ > char *p = kmap_atomic(v.bv_page); > - next = csum_partial_copy_nocheck(p + v.bv_offset, > - (to += v.bv_len) - v.bv_len, > - v.bv_len, 0); > + sum = csum_and_memcpy((to += v.bv_len) - v.bv_len, > + p + v.bv_offset, v.bv_len, > + sum, off); > kunmap_atomic(p); > - sum = csum_block_add(sum, next, off); > off += v.bv_len; > }),({ > - next = csum_partial_copy_nocheck(v.iov_base, > - (to += v.iov_len) - v.iov_len, > - v.iov_len, 0); > - sum = csum_block_add(sum, next, off); > + sum = csum_and_memcpy((to += v.iov_len) - v.iov_len, > + v.iov_base, v.iov_len, > + sum, off); > off += v.iov_len; > }) > ) 
> @@ -1412,17 +1448,15 @@ bool csum_and_copy_from_iter_full(void *addr, size_t bytes, __wsum *csum, > 0; > }), ({ > char *p = kmap_atomic(v.bv_page); > - next = csum_partial_copy_nocheck(p + v.bv_offset, > - (to += v.bv_len) - v.bv_len, > - v.bv_len, 0); > + sum = csum_and_memcpy((to += v.bv_len) - v.bv_len, > + p + v.bv_offset, v.bv_len, > + sum, off); > kunmap_atomic(p); > - sum = csum_block_add(sum, next, off); > off += v.bv_len; > }),({ > - next = csum_partial_copy_nocheck(v.iov_base, > - (to += v.iov_len) - v.iov_len, > - v.iov_len, 0); > - sum = csum_block_add(sum, next, off); > + sum = csum_and_memcpy((to += v.iov_len) - v.iov_len, > + v.iov_base, v.iov_len, > + sum, off); > off += v.iov_len; > }) > ) > @@ -1438,8 +1472,12 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum, > const char *from = addr; > __wsum sum, next; > size_t off = 0; > + > + if (unlikely(iov_iter_is_pipe(i))) > + return csum_and_copy_to_pipe_iter(addr, bytes, csum, i); > + > sum = *csum; > - if (unlikely(iov_iter_is_pipe(i) || iov_iter_is_discard(i))) { > + if (unlikely(iov_iter_is_discard(i))) { > WARN_ON(1); /* for now */ > return 0; > } > @@ -1455,17 +1493,15 @@ size_t csum_and_copy_to_iter(const void *addr, size_t bytes, __wsum *csum, > err ? v.iov_len : 0; > }), ({ > char *p = kmap_atomic(v.bv_page); > - next = csum_partial_copy_nocheck((from += v.bv_len) - v.bv_len, > - p + v.bv_offset, > - v.bv_len, 0); > + sum = csum_and_memcpy(p + v.bv_offset, > + (from += v.bv_len) - v.bv_len, > + v.bv_len, sum, off); > kunmap_atomic(p); > - sum = csum_block_add(sum, next, off); > off += v.bv_len; > }),({ > - next = csum_partial_copy_nocheck((from += v.iov_len) - v.iov_len, > - v.iov_base, > - v.iov_len, 0); > - sum = csum_block_add(sum, next, off); > + sum = csum_and_memcpy(v.iov_base, > + (from += v.iov_len) - v.iov_len, > + v.iov_len, sum, off); > off += v.iov_len; > }) > ) ^ permalink raw reply [flat|nested] 7+ messages in thread
Subject: Re: [syzbot]
From: syzbot @ 2023-11-24 10:30 UTC
To: linux-kernel, syzkaller-bugs

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject:
Author: nogikh@google.com

The issue has not been happening for >1800 days.

#syz invalid