Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp806166rwb; Tue, 29 Nov 2022 05:43:36 -0800 (PST) X-Google-Smtp-Source: AA0mqf4AEQrKYS85irvi8wVxTmC1W2UXb9DlHzmpfR7ZLi2+QFzRt5FG1SuToub+a05fV3FkfZ2e X-Received: by 2002:a05:6402:5517:b0:461:c563:defa with SMTP id fi23-20020a056402551700b00461c563defamr51101693edb.72.1669729416336; Tue, 29 Nov 2022 05:43:36 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669729416; cv=none; d=google.com; s=arc-20160816; b=Tv3QSdv+uybmF2C6/IPQLOMHoAU+HNaU6yLfbb8jsjGn132DIe+IZawuuh1kKIngdu xW32YjxPevtrpPDCWmaKd1qGaKW5NTjhOSX1CNyP3ICYW7FCUnz0+YX3CAcdb68oD1ZP vlwZa68wYu4WDO6Sj388RbhzY1wBtCG5J+hiO/+HISGah6PXDEhwnk+zin/alYd77FQy vgqkReHRyHT2unkdkZ17tLpGXeD8SuiH/arXWFJZImLWUlQaeZfkK2AokK2RbWcLPsfp mhsUWm6hXZxhFy2fsv1Z8BEQWiTEgpLYhdvdElLFDvUqf/s0JAjTC027Ie3LXd9WTKcj 8z1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=ovEN2R1RcoyCmUvaJNV3bgGf54R1/0A9UQvs6JwGjy0=; b=cr1p+vu6l9JYY4hsa8hYoDjimkDb17WPqt6o2L3B9Gfv0IM/BE6TKdavvvDNacLR3g 7UT9jKlv1gTr3h5SxNY8LUr77Y386JwkAgeEZ3UY8vP7QP0ElgAwTP6EaVKWKO2ouzWc 1cUmn2Iv+ecCuBkCCL8Um4rVR8S6x4+7LeZgP/kKmBQH7Fa18N16Y9CE5FL8DfDugvj+ qDxNLtEOfjun27c3ten1T5qeFqPGU27+b+AmpwXOA1Q3O82hzuOeS8Ul42wvjHMsLZAm CxxJbVAS5hg9gDT+QK+6UIr9Yok8SZgRrBJvZ35vzKvNDLB4SPXJnNxSstykcIXTa4o6 mzXA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=VCDjRvvI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id t3-20020aa7db03000000b0046b1f708941si4950156eds.556.2022.11.29.05.43.15; Tue, 29 Nov 2022 05:43:36 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.org.uk header.s=zeniv-20220401 header.b=VCDjRvvI; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=zeniv.linux.org.uk Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233706AbiK2NRj (ORCPT + 84 others); Tue, 29 Nov 2022 08:17:39 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58418 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229773AbiK2NRN (ORCPT ); Tue, 29 Nov 2022 08:17:13 -0500 Received: from zeniv.linux.org.uk (zeniv.linux.org.uk [IPv6:2a03:a000:7:0:5054:ff:fe1c:15ff]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3DA6D61740; Tue, 29 Nov 2022 05:16:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=linux.org.uk; s=zeniv-20220401; h=Sender:In-Reply-To:Content-Type: MIME-Version:References:Message-ID:Subject:Cc:To:From:Date:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description; bh=ovEN2R1RcoyCmUvaJNV3bgGf54R1/0A9UQvs6JwGjy0=; b=VCDjRvvIL7hZ+3BDLMLNcVcDOc Q/TG09qk+hX2Yc7iYpjtjKWpMAg6QuT66/lUBVoOgG1SJddV/G3hF7s1W3QcWtNWasGbt2RHhhpoB 2dyBRVPwMKFCZomSisy7eREG1MqGSg9E5wAaNvorozi/v7wJuurqY5oAp+kcCiZvLzKgXyODWVMOE Paf9Dp++B5UFZoPw2Lj5us3iPTL7KTVYS6Nf1ORGgDX2ZHkGnIehszlSxGGBNSGJ7DcrEBcC+K3IO DnL/vPlipbptC4Ti4ZCqKulpGHMOshczri78Z0Ozt/hpiLeITr8taocWAF8cNJDgO6DmR45cLA1LJ 0LJ14MBg==; Received: from viro by zeniv.linux.org.uk with local (Exim 4.96 #2 (Red Hat Linux)) id 1p00TM-007fjC-25; Tue, 29 Nov 2022 13:16:28 +0000 Date: Tue, 29 Nov 2022 13:16:28 +0000 From: Al Viro To: Hillf Danton Cc: syzbot , akpm@linux-foundation.org, dan.j.williams@intel.com, hch@lst.de, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, willy@infradead.org Subject: Re: [syzbot] WARNING in iov_iter_revert (3) Message-ID: References: <000000000000519d0205ee4ba094@google.com> <000000000000f5ecad05ee8fccf0@google.com> <20221129090831.6281-1-hdanton@sina.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Sender: Al Viro X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_EF,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, Nov 29, 2022 at 12:20:39PM +0000, Al Viro wrote: > ->direct_IO() should return the amount of data actually copied to userland; > if that's how much it has consumed from iterator - great, iov_iter_revert(i, 0) > is a no-op. If it has consumed more, the caller will take care of that. > If it has consumed say 4Kb of data from iterator, but claims that it has > managed to store 12Kb into that, it's broken and should be fixed. > > If it wants to do revert on its own, for whatever reason, it is welcome - nothing > will break, as long as you do *not* return the value greater than the amount you > ended up taking from iterator. However, I don't understand the reason why ntfs3 > wants to bother (and appears to get it wrong, at that); the current rules are > such that caller will take care of revert. Looking at ntfs3, WTF does it bother with zeroing on short reads (?) in the first place? Anyway, immediate bug there is the assumption that blockdev_direct_IO() won't consume more than its return value; it bloody well might. *IF* you want that logics on reads (again, I'm not at all sure what is it doing there), you want this: } else if (vbo < valid && valid < end) { size_t consumed = iter_count - iov_iter_count(iter); size_t valid_bytes = valid - vbo; iov_iter_revert(iter, consumed - valid_bytes); iov_iter_zero(ret - valid_bytes, iter); } This iov_iter_zero() would better not be an attempt to overwrite some data that shouldn't have been copied to userland; if that's what it is, it's an infoleak - another thread might have observed the data copied there before that zeroing. Oh, and if (end > valid && !S_ISBLK(inode->i_mode)) { several lines above is obvious bollocks - if inode is a block device, we won't be going anywhere near any NTFS address_space_operations or ntfs_direct_IO(). Seriously, what's going on with zeroing there?