Linux-Fsdevel Archive on lore.kernel.org
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
To: syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Cc: syzbot <syzbot+61acc40a49a3e46e25ea@syzkaller.appspotmail.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: splice: infinite busy loop lockup bug
Date: Fri, 7 Aug 2020 19:35:08 +0900 [thread overview]
Message-ID: <29de15ff-15e9-5c52-cf87-e0ebdfa1a001@I-love.SAKURA.ne.jp> (raw)
In-Reply-To: <00000000000084b59f05abe928ee@google.com>
syzbot is reporting a hung task at pipe_release() [1], because for_each_bvec() called from
iterate_bvec() from iterate_all_kinds() from iov_iter_alignment() from
ext4_unaligned_io() from ext4_dio_write_iter() from ext4_file_write_iter() from
call_write_iter() from do_iter_readv_writev() from do_iter_write() from
vfs_iter_write() from iter_file_splice_write() falls into an infinite busy loop
with pipe->mutex held.
The reason for falling into the infinite busy loop is that iter_file_splice_write()
for some reason generates a "struct bio_vec" entry with .bv_len=0 and .bv_offset=0,
while for_each_bvec() cannot handle .bv_len == 0.
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -747,6 +747,14 @@ iter_file_splice_write(struct pipe_inode_info *pipe, struct file *out,
}
iov_iter_bvec(&from, WRITE, array, n, sd.total_len - left);
+ if (!strncmp(current->comm, "syz-executor", 12)) {
+ int i;
+ printk("Starting vfs_write_iter from.type=%d from.iov_offset=%zu from.count=%zu n=%u sd.total_len=%zu left=%zu\n",
+ from.type, from.iov_offset, from.count, n, sd.total_len, left);
+ for (i = 0; i < n; i++)
+ printk(" array[%u]: bv_page=%px bv_len=%u bv_offset=%u\n",
+ i, array[i].bv_page, array[i].bv_len, array[i].bv_offset);
+ }
ret = vfs_iter_write(out, &from, &sd.pos, 0);
if (ret <= 0)
break;
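Review bot: the two printk() calls in the added block carry no KERN_ level and print raw struct page pointers with %px, so this is reproducer-scoped debug instrumentation (the strncmp on current->comm limits it to "syz-executor") and should not be merged as-is. If the trace is kept for the report, bv_len and bv_offset already carry the finding, so dropping bv_page (or using pr_debug() with %p) avoids writing kernel addresses to dmesg; `int i` compared against the unsigned `n` should also be `unsigned int i`.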
When splice() from pipe to file works:
[ 31.704915][ T6552] Starting vfs_write_iter from.type=17 from.iov_offset=0 from.count=4096 n=1 sd.total_len=65504 left=61408
[ 31.709098][ T6552] array[0]: bv_page=ffffea000870a7c0 bv_len=4096 bv_offset=0
When splice() from pipe to file falls into the infinite busy loop:
[ 31.717178][ T6553] Starting vfs_write_iter from.type=17 from.iov_offset=0 from.count=4096 n=2 sd.total_len=65504 left=61408
[ 31.720983][ T6553] array[0]: bv_page=ffffea0008706680 bv_len=0 bv_offset=0
[ 31.723565][ T6553] array[1]: bv_page=ffffea00086f4e80 bv_len=4096 bv_offset=0
Is it normal behavior that an empty page is linked to the pipe's array?
If yes, don't we need to skip empty pages when iter_file_splice_write() fills in "struct bio_vec *array"?
[1] https://syzkaller.appspot.com/bug?id=2ccac875e85dc852911a0b5b788ada82dc0a081e
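A user-space model of the iteration described in this report, added here as an illustration (it is not kernel code and not part of the thread): it replays the two bio_vec arrays from the traces above through a bvec-style iterator, shows that a zero-length entry makes the walk stall, and tries one defensive variant that steps over empty entries. Struct fields, helper names and the stall detection are assumptions of the model.

```c
#include <stdbool.h>

/* Stand-ins for the kernel's bio_vec/bvec_iter (assumed fields; not kernel code). */
struct bio_vec { unsigned int bv_len, bv_offset; };
struct bvec_iter { unsigned int bi_size, bi_idx, bi_bvec_done; };

/* Constructed from the two traces in the report (from.count was 4096 in both). */
static const struct bio_vec good_array[] = { { 4096, 0 } };
static const struct bio_vec bad_array[] = { { 0, 0 }, { 4096, 0 } };

/* Bytes left in the current entry, capped by bytes left in the whole walk. */
static unsigned int iter_len(const struct bio_vec *bv, const struct bvec_iter *it)
{
	unsigned int rem = bv[it->bi_idx].bv_len - it->bi_bvec_done;
	return it->bi_size < rem ? it->bi_size : rem;
}

/* One step of @bytes (here always the current segment length). As in a bvec
 * iterator's advance loop, a zero-byte step changes nothing at all. */
static void iter_advance(const struct bio_vec *bv, struct bvec_iter *it, unsigned int bytes)
{
	if (!bytes)
		return;
	it->bi_size -= bytes;
	it->bi_bvec_done += bytes;
	if (it->bi_bvec_done == bv[it->bi_idx].bv_len) {
		it->bi_bvec_done = 0;
		it->bi_idx++;
	}
}

/* Walk @nr entries covering @total bytes: returns segments visited, or -1 when a
 * step makes no progress (where the kernel would spin holding pipe->mutex).
 * With @skip_zero, empty entries are stepped over: one option for the question asked. */
static int walk_bvecs(const struct bio_vec *bv, unsigned int nr, unsigned int total, bool skip_zero)
{
	struct bvec_iter it = { .bi_size = total };
	int steps = 0;

	while (it.bi_size && it.bi_idx < nr) {
		struct bvec_iter before = it;
		unsigned int len = iter_len(bv, &it);

		if (len == 0 && skip_zero) { it.bi_bvec_done = 0; it.bi_idx++; } /* skip empty entry */
		else iter_advance(bv, &it, len);
		if (it.bi_idx == before.bi_idx && it.bi_bvec_done == before.bi_bvec_done)
			return -1;	/* no progress: this is the busy loop */
		steps++;
	}
	return steps;
}
```

walk_bvecs(good_array, 1, 4096, false) visits one segment, walk_bvecs(bad_array, 2, 4096, false) reports the stall, and walk_bvecs(bad_array, 2, 4096, true) visits both entries.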