Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp2371050pxb; Sat, 28 Aug 2021 12:37:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJw4pcQWkmaJcmPDpkyKIhFzNsxqOcH3Dt8xUbIAnQI6sCrmFVLSmppTwYwANHs115UQHovk X-Received: by 2002:a17:906:9be1:: with SMTP id de33mr16674561ejc.180.1630179434253; Sat, 28 Aug 2021 12:37:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1630179434; cv=none; d=google.com; s=arc-20160816; b=nqv05l/gIr7xFQoOWS5htYG3O2xREv6eqFaX4yeaq89YOuWtc57rwRS0tkjJCa7vnd wV5mFW822s2lNOypIVzpxxTvjk/PbI3jxNrYY/tjzmQTwx+Psc3ZKzzxcFAl9kcElp6/ bGeQvkHhTVzuAUqE2tL4hHOUyfOtXdw2MDg6lwmwei00JCKFs67cE9StyJrdv+q/gFFA 4k49XKsln7hJ5z4oyRkWaIcQjTcCotM7TDtKv9rFDGoZ1GSJWyynHHHxyDZvuQoxJlrS ALhu85GOtMTeA5bRfYTgkXHmoEeTIT9waGbUYNC5LXrDygVo2u5gz9DBXj8r4lpb42zV aN1g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=BufyFRhkRaK070TVpXaKxMse1rnxiqLd8zSCxFsPCQQ=; b=SwkDllDHp73EhTTieINvrHgWvIMWQpxEzq8jpczg0xunqT6Ecm6SUBDui+nYtm5kVK wgU2cbcQ0/JiEEvtWSvkDmRgea/McSFlRWx8EgfiTJU7arxFBc8p/5VFGxFsfzDVT9kI 83W7f+XXB7uGWgA7RAOpFoI8y/Sb5Vf8S2VcwCPTuDltUbP5OGuHii20KeujOzurMiT7 ROhpPsMMEawdYaQVcGDA+40W2B8g1KIuZZTgAMdFZWlPhYDcYv4tjrbcISZ8aJG9Goim IqVDyu0vg3trqktmuT4VAvdH+cR/j9H/iYyyPCrWWRPaDY3ymiXpoQpHP+PoJ9cVkj+I sAqA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h22si9885129edt.53.2021.08.28.12.36.49; Sat, 28 Aug 2021 12:37:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231789AbhH1Tdg (ORCPT + 99 others); Sat, 28 Aug 2021 15:33:36 -0400 Received: from zeniv-ca.linux.org.uk ([142.44.231.140]:33570 "EHLO zeniv-ca.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231258AbhH1Tdf (ORCPT ); Sat, 28 Aug 2021 15:33:35 -0400 Received: from viro by zeniv-ca.linux.org.uk with local (Exim 4.94.2 #2 (Red Hat Linux)) id 1mK401-00GsRY-Fl; Sat, 28 Aug 2021 19:28:17 +0000 Date: Sat, 28 Aug 2021 19:28:17 +0000 From: Al Viro To: Linus Torvalds Cc: Andreas Gruenbacher , Christoph Hellwig , "Darrick J. Wong" , Jan Kara , Matthew Wilcox , cluster-devel , linux-fsdevel , Linux Kernel Mailing List , ocfs2-devel@oss.oracle.com, Josef Bacik , Catalin Marinas , Will Deacon Subject: [RFC][arm64] possible infinite loop in btrfs search_ioctl() Message-ID: References: <20210827164926.1726765-1-agruenba@redhat.com> <20210827164926.1726765-6-agruenba@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org AFAICS, a48b73eca4ce "btrfs: fix potential deadlock in the search ioctl" has introduced a bug at least on arm64. Relevant bits: in search_ioctl() we have while (1) { ret = fault_in_pages_writeable(ubuf + sk_offset, *buf_size - sk_offset); if (ret) break; ret = btrfs_search_forward(root, &key, path, sk->min_transid); if (ret != 0) { if (ret > 0) ret = 0; goto err; } ret = copy_to_sk(path, &key, sk, buf_size, ubuf, &sk_offset, &num_found); btrfs_release_path(path); if (ret) break; } and in copy_to_sk() - sh.objectid = key->objectid; sh.offset = key->offset; sh.type = key->type; sh.len = item_len; sh.transid = found_transid; /* * Copy search result header. If we fault then loop again so we * can fault in the pages and -EFAULT there if there's a * problem. Otherwise we'll fault and then copy the buffer in * properly this next time through */ if (copy_to_user_nofault(ubuf + *sk_offset, &sh, sizeof(sh))) { ret = 0; goto out; } with sk_offset left unchanged if the very first copy_to_user_nofault() fails. Now, consider a situation on arm64 where ubuf points to the beginning of page, ubuf[0] can be accessed, but ubuf[16] can not (possible with MTE, AFAICS). We do fault_in_pages_writeable(), which succeeds. When we get to copy_to_user_nofault() we fail as soon as it gets past the first 16 bytes. And we repeat everything from scratch, with no progress made, since short copies are treated as "discard and repeat" here. Am I misreading what's going on there?