Received: by 2002:a05:6a10:22f:0:0:0:0 with SMTP id 15csp1444705pxk; Mon, 31 Aug 2020 21:10:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyidfGp57+m11oGxJy5lerkEVSWCd40/u9yth1uBup6Cee8HCMXKBRkQAtM0MZPY86Srv4N X-Received: by 2002:a17:906:e087:: with SMTP id gh7mr3710097ejb.322.1598933400153; Mon, 31 Aug 2020 21:10:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598933400; cv=none; d=google.com; s=arc-20160816; b=O9sx/NNcJYQ1ZZuaRUqlkQwa5rOa6cXy1ab03FBM8pRf/z8oMJtWKVdIFmbNSW+RnV X10n+d1T7cICEUtHyXntfzLVlfIWw7o5H9cgN8fiCBfOM+2KXgwSki2NWlXHL/gPbSru ARVLGFNDdEU64sZJFqMxDf3lK/0+mKeexvd2o2vq0j3rOS8hMe7iz4898iBPmO0pd0AV jVkssJiK+Miy/UYm7YAMA7a5oo92343SA+2/g+2JwZpabmMgVoink50Rz6lTxQ+56Msz eZm0fcgZ73uQ4h7AUt+KRtZRm8h/4gycy5RrhirTluwg/UpdmVdjf61dfn9NN2yfqjK5 S+1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=D85pWgNEe2I8r7t2I7j68h6FJKqaNaXJODyUbHvX94w=; b=l9iZHBQgmOAAs4lcjE4TOcobs5SZ+1weFY0swv3R5w5+ry6pAeN6KkCop66h1rL8qK dfJAHC/Znn4v2x0QC4CpfiAW7RvIqX25NeQJ67Klqj1T72dpUKsHBS+YIva57B4kCHtp 2HwUzJF/ucF0ma3QQLlj6rK3t7nzKZzF4POxb6Rzq7KXr622GY40hgWqMyqwHetOngog jFwuxY+l0btfNe2MSFK4i7iyjTPXoQn6P7OW8bNzl7bJxedJIREnn1mHYYR3xF/p+kTI WQ2hMHBODe2EmNpRU7IWUV/PC3CWI8aPGOgIF4enHa5xEUwB18AY7QeLFSnMj+xfqlXH apPg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id 40si6130948edr.35.2020.08.31.21.09.36; Mon, 31 Aug 2020 21:10:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726105AbgIAEIt (ORCPT + 99 others); Tue, 1 Sep 2020 00:08:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33620 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725930AbgIAEIC (ORCPT ); Tue, 1 Sep 2020 00:08:02 -0400 Received: from ZenIV.linux.org.uk (zeniv.linux.org.uk [IPv6:2002:c35c:fd02::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E29A5C0612FE; Mon, 31 Aug 2020 21:08:01 -0700 (PDT) Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92.3 #3 (Red Hat Linux)) id 1kCxaL-008SmC-D3; Tue, 01 Sep 2020 04:07:53 +0000 Date: Tue, 1 Sep 2020 05:07:53 +0100 From: Al Viro To: Qian Cai Cc: Tetsuo Handa , syzkaller-bugs@googlegroups.com, syzbot , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, tom.leiming@gmail.com, paulmck@kernel.org Subject: Re: splice: infinite busy loop lockup bug Message-ID: <20200901040753.GF1236603@ZenIV.linux.org.uk> References: <00000000000084b59f05abe928ee@google.com> <29de15ff-15e9-5c52-cf87-e0ebdfa1a001@I-love.SAKURA.ne.jp> <20200807122727.GR1236603@ZenIV.linux.org.uk> <20200901005131.GA3300@lca.pw> <20200901010928.GC1236603@ZenIV.linux.org.uk> <20200901033227.GA10262@lca.pw> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200901033227.GA10262@lca.pw> Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, Aug 31, 2020 at 11:32:28PM -0400, Qian Cai wrote: > I used a new debug patch but not sure how to capture without > printk_ratelimited() because the call sites are large, if (!strcmp(current->comm, "bugger")) printk(KERN_ERR.... and call the binary you are running ./bugger... And I'd slap such printk into the beginning of iterate_iovec() as well, if not into the entry of iov_iter_copy_from_user_atomic(). That BS value of n must've come from somewhere; it should expand to 'bytes'. What we have in the beginning is const struct iovec *iov; struct iovec v; size_t skip = i->iov_offset; size_t left; size_t wanted = bytes; iov = i->iov; __v.iov_len = min(bytes, iov->iov_len - skip); if (likely(__v.iov_len)) { __v.iov_base = iov->iov_base + skip; left = copyin((p += v.iov_len) - v.iov_len, v.iov_base, v.iov_len); __v.iov_len -= left; skip += __v.iov_len; bytes -= __v.iov_len; } else { left = 0; } and something leaves you with bytes bumped to 22476968. What was in that first iovec? Incidentally, what's in 'wanted'? And... Timestamps don't look like that crap has come from generic_perform_write() - it's about 4 seconds later. While we are at it, there are other users of iterate_all_kinds(), and some of them can very well get large sizes; they are not copying anything (iov_iter_advance(), for starters). There that kind of values would be just fine; are you sure those printks came from iov_iter_copy_from_user_atomic()?