Date: Sat, 21 Aug 2021 22:25:20 +0000
From: Al Viro
To: Pavel Begunkov
Cc: Jens Axboe, io-uring@vger.kernel.org, linux-fsdevel, Palash Oswal, Sudip Mukherjee, linux-kernel@vger.kernel.org, syzbot+9671693590ef5aad8953@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 0/2] iter revert problems
In-Reply-To: <3eaf5365-586d-700b-0277-e0889bfeb05d@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Sat, Aug 21, 2021 at 03:24:28PM +0100, Pavel Begunkov wrote:
> On 8/12/21 9:40 PM, Pavel Begunkov wrote:
> > For the bug description see 2/2. As mentioned there the current problem
> > is because of generic_write_checks(), but there was also a similar case
> > fixed in 5.12, which should have been triggerable by normal
> > write(2)/read(2) and others.
> >
> > It may be better to enforce reexpands as a long term solution, but for
> > now this patchset is quicker and easier to backport.
>
> We need to do something with this, hopefully soon.

I still don't like that approach ;-/ If anything, I would rather do
something like this, and to hell with one extra word on stack in
several functions; at least that way the semantics is easy to describe.

Signed-off-by: Al Viro
---
diff --git a/fs/io_uring.c b/fs/io_uring.c index d94fb5835a20..5501f8b3af3b 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -3420,6 +3420,7 @@ static int io_write(struct io_kiocb *req, unsigned int issue_flags) } else { copy_iov: /* some cases will consume bytes even on error returns */ + iov_iter_reexpand(iter, iter->count + iter->truncated); iov_iter_revert(iter, io_size - iov_iter_count(iter)); ret = io_setup_async_rw(req, iovec, inline_vecs, iter, false); return ret ?: -EAGAIN; diff --git a/include/linux/uio.h b/include/linux/uio.h index 82c3c3e819e0..5265024e8b90 100644 --- a/include/linux/uio.h +++ b/include/linux/uio.h 
@@ -47,6 +47,7 @@ struct iov_iter { }; loff_t xarray_start; }; + size_t truncated; }; static inline enum iter_type iov_iter_type(const struct iov_iter *i) @@ -254,8 +255,10 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count) * conversion in assignement is by definition greater than all * values of size_t, including old i->count. */ - if (i->count > count) + if (i->count > count) { + i->truncated += i->count - count; i->count = count; + } } /* @@ -264,6 +267,7 @@ static inline void iov_iter_truncate(struct iov_iter *i, u64 count) */ static inline void iov_iter_reexpand(struct iov_iter *i, size_t count) { + i->truncated -= count - i->count; i->count = count; }
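
Review bot: in the fs/io_uring.c hunk, the added iov_iter_reexpand() call is only correct because it runs before iov_iter_revert(), whose argument io_size - iov_iter_count(iter) has to see the re-expanded count, and the existing comment at copy_iov says nothing about that ordering. Extend the comment to say that truncation is undone first, and consider putting iter->count + iter->truncated behind a small helper in include/linux/uio.h so that callers do not read the new field directly.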
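
Review bot: in the struct iov_iter hunk of include/linux/uio.h, the new size_t truncated member has no comment and nothing in this diff initializes it. Document it as the number of bytes removed by iov_iter_truncate() and not yet given back by iov_iter_reexpand(), and confirm that every path that sets up an iov_iter leaves it zero, since io_write() now adds it to iter->count.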
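
Review bot: in the iov_iter_reexpand() hunk, i->truncated -= count - i->count is unchecked size_t arithmetic: a caller passing a count that exceeds i->count by more than i->truncated wraps the field, and the next iter->count + iter->truncated in io_write() then yields a bogus length. Add a WARN_ON_ONCE() or a clamp for that case, and update the comment above the function to state that count may not exceed i->count + i->truncated.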