From patchwork Thu Nov 3 21:33:28 2022
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 15216
Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903
Subject: [PATCH] netfs: Fix missing xas_retry() calls in xarray iteration
From: David Howells
To: willy@infradead.org
Cc: George Law, Jeff Layton, linux-cachefs@redhat.com, linux-fsdevel@vger.kernel.org, dhowells@redhat.com, linux-kernel@vger.kernel.org
Date: Thu, 03 Nov 2022 21:33:28 +0000
Message-ID: <166751120808.117671.15797010154703575921.stgit@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

netfslib has a number of places in which it performs iteration of an xarray
whilst being under the RCU read lock. It *should* call xas_retry() as the
first thing inside of the loop and do "continue" if it returns true in case
the xarray walker passed out a special value indicating that the walk needs
to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and
    suchlike, but I'm told that's not a simple change to effect.

This can cause an oops like that below. Note the faulting address - this is
an internal value (|0x2) returned from xarray.

BUG: kernel NULL pointer dereference, address: 0000000000000402
...
RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
...
Call Trace:
 netfs_rreq_assess+0xa6/0x240 [netfs]
 netfs_readpage+0x173/0x3b0 [netfs]
 ? init_wait_var_entry+0x50/0x50
 filemap_read_page+0x33/0xf0
 filemap_get_pages+0x2f2/0x3f0
 filemap_read+0xaa/0x320
 ? do_filp_open+0xb2/0x150
 ? rmqueue+0x3be/0xe10
 ceph_read_iter+0x1fe/0x680 [ceph]
 ? new_sync_read+0x115/0x1a0
 new_sync_read+0x115/0x1a0
 vfs_read+0xf3/0x180
 ksys_read+0x5f/0xe0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Fixes: 3d3c95046742 ("netfs: Provide readahead and readpage netfs helpers")
Reported-by: George Law
Signed-off-by: David Howells
Reviewed-by: Jeff Layton
cc: Matthew Wilcox
cc: linux-cachefs@redhat.com
cc: linux-fsdevel@vger.kernel.org
---
 fs/netfs/buffered_read.c | 9 +++++++--
 fs/netfs/io.c | 3 +++
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/netfs/buffered_read.c b/fs/netfs/buffered_read.c index 0ce535852151..baf668fb4315 100644 --- a/fs/netfs/buffered_read.c +++ b/fs/netfs/buffered_read.c @@ -46,10 +46,15 @@ void netfs_rreq_unlock_folios(struct netfs_io_request *rreq) rcu_read_lock(); xas_for_each(&xas, folio, last_page) { - unsigned int pgpos = (folio_index(folio) - start_page) * PAGE_SIZE; - unsigned int pgend = pgpos + folio_size(folio); + unsigned int pgpos, pgend; bool pg_failed = false; + if (xas_retry(&xas, folio)) + continue; + + pgpos = (folio_index(folio) - start_page) * PAGE_SIZE; + pgend = pgpos + folio_size(folio); + for (;;) { if (!subreq) { pg_failed = true; diff --git a/fs/netfs/io.c b/fs/netfs/io.c index 428925899282..e374767d1b68 100644 --- a/fs/netfs/io.c +++ b/fs/netfs/io.c @@ -121,6 +121,9 @@ static void netfs_rreq_unmark_after_write(struct netfs_io_request *rreq, XA_STATE(xas, &rreq->mapping->i_pages, subreq->start / PAGE_SIZE); xas_for_each(&xas, folio, (subreq->start + subreq->len - 1) / PAGE_SIZE) { + if (xas_retry(&xas, folio)) + continue; + /* We might have multiple writes from the same huge * folio, but we mustn't unlock a folio more than once. */
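
Review bot: in the fs/netfs/buffered_read.c hunk, the xas_retry() check at the top of the xas_for_each() body in netfs_rreq_unlock_folios() has no comment saying that nothing may use folio before it. Before this change the declarations of pgpos and pgend called folio_index(folio) and folio_size(folio) directly, and a later tidy-up could fold the assignments back into the declarations; a one-line comment above the check would keep the required ordering visible. Separately, the quoted oops names netfs_rreq_unlock while this hunk patches netfs_rreq_unlock_folios, so stating which kernel version the trace came from would help anyone backporting against the Fixes: commit.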
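
Review bot: the fs/netfs/io.c hunk does not show where netfs_rreq_unmark_after_write() takes the RCU read lock around its xas_for_each() loop; the context lines show only XA_STATE() and the loop itself. The commit message describes these walks as running under the RCU read lock, so please confirm that holds here as it visibly does in the buffered_read.c hunk, where rcu_read_lock() precedes the loop. The message also says netfslib has "a number of places" with this pattern while the diff touches two loops; a sentence saying whether these are all of them would make the scope of the audit clear.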
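
The faulting address 0000000000000402 in the oops quoted in the commit message can be decoded with the xarray internal-entry encoding. The following is an added example, not part of the patch or of the kernel sources: a userspace model whose constants are assumed to mirror include/linux/xarray.h, with all function names local to the example and the slot values constructed.

```c
/* Added example: userspace model of the xarray internal-entry encoding.
 * Constants are assumed to mirror include/linux/xarray.h; names are local. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum entry_kind { ENTRY_POINTER, ENTRY_RETRY, ENTRY_ZERO, ENTRY_NODE, ENTRY_OTHER_INTERNAL };

/* Internal entries carry the value in the upper bits and 0b10 in the low two. */
unsigned long mk_internal(unsigned long v) { return (v << 2) | 2; }
bool is_internal(unsigned long e) { return (e & 3) == 2; }

#define RETRY_ENTRY mk_internal(256)  /* assumed value of XA_RETRY_ENTRY */
#define ZERO_ENTRY  mk_internal(257)  /* assumed value of XA_ZERO_ENTRY */

/* Triage helper: what kind of xarray value does a fault address look like? */
enum entry_kind classify_entry(unsigned long e)
{
    if (e == RETRY_ENTRY) return ENTRY_RETRY;
    if (e == ZERO_ENTRY)  return ENTRY_ZERO;
    if (is_internal(e))   return e > 4096 ? ENTRY_NODE : ENTRY_OTHER_INTERNAL;
    return ENTRY_POINTER;
}

/* Model of a loop body over the slots a walker hands out.  Returns how many
 * internal entries would be used as if they were folio pointers.  The real
 * xas_retry() also resets the walk state for a retry entry; this model only
 * shows the skip. */
size_t internal_entries_dereferenced(const unsigned long *slots, size_t n,
                                     bool check_retry)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        enum entry_kind k = classify_entry(slots[i]);
        if (check_retry && (k == ENTRY_RETRY || k == ENTRY_ZERO))
            continue;           /* "if (xas_retry(&xas, folio)) continue;" */
        if (k != ENTRY_POINTER)
            bad++;              /* would be dereferenced as a struct folio */
    }
    return bad;
}

/* Constructed sample: two made-up folio addresses around a retry entry. */
const unsigned long sample_slots[] = { 0x80001000UL, 0x402UL, 0x80002000UL };

int main(void)
{
    printf("0x402 is retry entry: %d\n", classify_entry(0x402UL) == ENTRY_RETRY);
    printf("unchecked loop: %zu bad\n", internal_entries_dereferenced(sample_slots, 3, false));
    printf("checked loop:   %zu bad\n", internal_entries_dereferenced(sample_slots, 3, true));
    return 0;
}
```

An oops address with the low two bits equal to 0b10 and a small magnitude is a hint that an unchecked xarray walk handed an internal entry to code expecting a pointer.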