public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>,
	"Darrick J . Wong" <djwong@kernel.org>,
	Brian Foster <bfoster@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	axboe@kernel.dk, linux-block@vger.kernel.org
Subject: [PATCH AUTOSEL 5.17 20/21] block: Do not call folio_next() on an unreferenced folio
Date: Tue, 10 May 2022 11:43:39 -0400
Message-ID: <20220510154340.153400-20-sashal@kernel.org>
In-Reply-To: <20220510154340.153400-1-sashal@kernel.org>

From: "Matthew Wilcox (Oracle)" <willy@infradead.org>

[ Upstream commit 170f37d6aa6ad4582eefd7459015de79e244536e ]

It is unsafe to call folio_next() on a folio unless you hold a reference
on it that prevents it from being split or freed.  After returning
from the iterator, iomap calls folio_end_writeback() which may drop
the last reference to the page, or allow the page to be split.  If that
happens, the iterator will not advance far enough through the bio_vec,
leading to assertion failures like the BUG() in folio_end_writeback()
that checks we're not trying to end writeback on a page not currently
under writeback.  Other assertion failures were also seen, but they're
all explained by this one bug.

Fix the bug by remembering where the next folio starts before returning
from the iterator.  There are other ways of fixing this bug, but this
seems the simplest.

Reported-by: Darrick J. Wong <djwong@kernel.org>
Tested-by: Darrick J. Wong <djwong@kernel.org>
Reported-by: Brian Foster <bfoster@redhat.com>
Tested-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/bio.h | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/linux/bio.h b/include/linux/bio.h
index 117d7f248ac9..2ca54c084d5a 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -272,6 +272,7 @@ struct folio_iter {
 	size_t offset;
 	size_t length;
 	/* private: for use by the iterator */
+	struct folio *_next;
 	size_t _seg_count;
 	int _i;
 };
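Review bot: the new `struct folio *_next;` member in struct folio_iter carries no comment explaining why it exists, although it is the entire fix. Per the commit message, the caller may drop the last reference to fi->folio once the iterator returns, so folio_next() has to be evaluated before that point. A one-line comment beside the field saying it is cached while the current folio is still referenced would keep a later cleanup from turning it back into folio_next(fi->folio).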
@@ -286,6 +287,7 @@ static inline void bio_first_folio(struct folio_iter *fi, struct bio *bio,
 			PAGE_SIZE * (bvec->bv_page - &fi->folio->page);
 	fi->_seg_count = bvec->bv_len;
 	fi->length = min(folio_size(fi->folio) - fi->offset, fi->_seg_count);
+	fi->_next = folio_next(fi->folio);
 	fi->_i = i;
 }
 
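Review bot: in bio_first_folio(), `fi->_next = folio_next(fi->folio);` runs unconditionally, including when fi->length equals fi->_seg_count and the segment ends inside this folio. bio_next_folio() reads _next only under `if (fi->_seg_count)`, so in that case the cached value is never consumed. A short comment that _next is meaningful only while bytes of the segment remain would make clear it must not be dereferenced otherwise.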
@@ -293,9 +295,10 @@ static inline void bio_next_folio(struct folio_iter *fi, struct bio *bio)
 {
 	fi->_seg_count -= fi->length;
 	if (fi->_seg_count) {
-		fi->folio = folio_next(fi->folio);
+		fi->folio = fi->_next;
 		fi->offset = 0;
 		fi->length = min(folio_size(fi->folio), fi->_seg_count);
+		fi->_next = folio_next(fi->folio);
 	} else if (fi->_i + 1 < bio->bi_vcnt) {
 		bio_first_folio(fi, bio, fi->_i + 1);
 	} else {
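Review bot: in bio_next_folio(), both `fi->length = min(folio_size(fi->folio), fi->_seg_count);` and the refreshed `fi->_next = folio_next(fi->folio);` touch the folio just loaded from _next, with no reference taken in this hunk. Going by the commit message, that is safe only because the caller ends writeback on a folio after the iterator has returned it, so this folio has not been handed out yet. Please say so in a comment here, since correctness now depends on _next being computed before the return rather than at the start of the next call.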
-- 
2.35.1

