LKML Archive on lore.kernel.org
From: Nick Piggin <nickpiggin@yahoo.com.au>
To: Alexey Dobriyan <adobriyan@gmail.com>,
	"Kevin Coffman" <kwc@citi.umich.edu>
Cc: Andrew Morton <akpm@linux-foundation.org>, linux-kernel@vger.kernel.org
Subject: Re: 2.6.24-sha1: RIP  [<ffffffff802596c8>] iov_iter_advance+0x38/0x70
Date: Tue, 26 Feb 2008 14:46:56 +1100
Message-ID: <200802261446.57109.nickpiggin@yahoo.com.au>
In-Reply-To: <20080219220106.GB1756@martell.zuzino.mipt.ru>

[-- Attachment #1: Type: text/plain, Size: 759 bytes --]

On Wednesday 20 February 2008 09:01, Alexey Dobriyan wrote:
> On Tue, Feb 19, 2008 at 11:47:11PM +0300,  wrote:

> > > Are you reproducing it simply by running the
> > > ftest03 binary directly from the shell? How many times between oopses?
> > > It is multi-process but no threads, so races should be minimal down
> > > this path -- can you get an strace of the failing process?
>
> Speaking of multi-processness, changing MAXCHILD to 1, nchild to 1,
> AFAICS, generates one child which oopses the very same way (in parallel
> with generic LTP). But, lowering MAXIOVCNT to 8 generates no oops.

Thanks, I was able to reproduce quite easily with these settings.
I think I have the correct patch now (at least it isn't triggerable
any more here).

Thanks,
Nick

[-- Attachment #2: iov-iter-fix.patch --]
[-- Type: text/x-diff, Size: 780 bytes --]

diff --git a/mm/filemap.c b/mm/filemap.c
index 5c74b68..2650073 100644
--- a/mm/filemap.c
+++ b/mm/filemap.c
@@ -1750,14 +1750,18 @@ static void __iov_iter_advance_iov(struct iov_iter *i, size_t bytes)
 	} else {
 		const struct iovec *iov = i->iov;
 		size_t base = i->iov_offset;
+		size_t copied = 0;
 
 		/*
 		 * The !iov->iov_len check ensures we skip over unlikely
-		 * zero-length segments.
+		 * zero-length segments (without overruning the iovec).
 		 */
-		while (bytes || !iov->iov_len) {
-			int copy = min(bytes, iov->iov_len - base);
+		while (copied < bytes ||
+				unlikely(!iov->iov_len && copied < i->count)) {
+			int copy;
 
+			copy = min(bytes, iov->iov_len - base);
+			copied += copy;
 			bytes -= copy;
 			base += copy;
 			if (iov->iov_len == base) {
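
Review bot: In the new loop condition, `copied < bytes` is tested against a `bytes` that the body still decrements (`bytes -= copy`), so the two values converge and the loop can stop with part of the advance still pending. With two 60-byte segments and bytes = 100, the first pass leaves copied = 60 and bytes = 40, the test 60 < 40 fails, and the remaining 40 bytes are not consumed unless the next segment happens to be zero-length. Either keep `bytes` as the loop counter and bound only the zero-length skip, for example `while (bytes || unlikely(!iov->iov_len && copied < i->count))`, or stop modifying `bytes` in the body and take the minimum against `bytes - copied`. Separately, `copy` is declared `int` but receives a `min()` of `size_t` values, and the updated comment misspells "overrunning".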
