Date: Fri, 7 Aug 2020 13:27:27 +0100
From: Al Viro
To: Tetsuo Handa
Cc: syzkaller-bugs@googlegroups.com, syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Ming Lei
Subject: Re: splice: infinite busy loop lockup bug
Message-ID: <20200807122727.GR1236603@ZenIV.linux.org.uk>

On Fri, Aug 07, 2020 at 07:35:08PM +0900, Tetsuo Handa wrote:
> syzbot is reporting hung task at pipe_release() [1], for for_each_bvec() from
> iterate_bvec() from iterate_all_kinds() from iov_iter_alignment() from
> ext4_unaligned_io() from ext4_dio_write_iter() from ext4_file_write_iter() from
> call_write_iter() from do_iter_readv_writev() from do_iter_write() from
> vfs_iter_write() from iter_file_splice_write() falls into infinite busy loop
> with pipe->mutex held.
>
> The reason of falling into infinite busy loop is that iter_file_splice_write()
> for some reason generates "struct bio_vec" entry with .bv_len=0 and .bv_offset=0
> while for_each_bvec() cannot handle .bv_len == 0.

broken in 1bdc76aea115 "iov_iter: use bvec iterator to implement iterate_bvec()",
unless I'm misreading it...

Zero-length segments are not disallowed; it's not all that hard to filter them
out in iter_file_splice_write(), but the intent had always been to have
iterate_all_kinds() et al. able to cope with those.

How are these pipe_buffers with ->len == 0 generated in that reproducer, BTW?
There might be something else fishy going on...
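
An added illustration, not part of the original message and not kernel code: a userspace C model of the stall discussed above, where an iterator that only moves to the next segment after consuming bytes never gets past a zero-length entry. `struct seg`, `struct seg_iter`, `advance_naive`, `advance_tolerant` and `walk` are hypothetical names, the step budget stands in for the busy loop, and the segment lists are constructed.

```c
#include <stdio.h>

/* Hypothetical stand-ins for a segment vector and its iterator (model only). */
struct seg { unsigned len; };
struct seg_iter { unsigned size, idx, done; };  /* bytes left, segment index, bytes used in segment */

/* Advance by `bytes`; the index moves on only while consumed bytes cover a segment. */
static void advance_naive(const struct seg *v, struct seg_iter *it, unsigned bytes)
{
    it->size -= bytes;
    bytes += it->done;
    while (bytes && bytes >= v[it->idx].len) {
        bytes -= v[it->idx].len;
        it->idx++;
    }
    it->done = bytes;
}

/* Same walk, but a zero-length segment is stepped over explicitly. */
static void advance_tolerant(const struct seg *v, struct seg_iter *it, unsigned bytes)
{
    if (v[it->idx].len == 0) {
        it->idx++;
        it->done = 0;
        return;
    }
    advance_naive(v, it, bytes);
}

/* Walk `total` bytes one segment chunk at a time. Returns the number of
 * steps taken, or -1 when the step budget runs out (no forward progress). */
static int walk(const struct seg *v, unsigned total, int tolerant, int max_steps)
{
    struct seg_iter it = { total, 0, 0 };
    int steps = 0;
    while (it.size) {
        unsigned avail = v[it.idx].len - it.done;
        unsigned chunk = avail < it.size ? avail : it.size;  /* 0 on an empty segment */
        if (steps++ >= max_steps)
            return -1;
        (tolerant ? advance_tolerant : advance_naive)(v, &it, chunk);
    }
    return steps;
}

/* Constructed samples: 4608 payload bytes, with and without an empty segment. */
static const struct seg sample[] = { {4096}, {0}, {512} };
static const struct seg clean[]  = { {4096}, {512} };

int main(void)
{
    printf("naive=%d tolerant=%d clean=%d\n", walk(sample, 4608, 0, 1000),
           walk(sample, 4608, 1, 1000), walk(clean, 4608, 0, 1000));
    return 0;
}
```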