Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp32528667rwd; Fri, 7 Jul 2023 15:57:28 -0700 (PDT) X-Google-Smtp-Source: APBJJlE5yYA71eqQkYxDKyNaCwCBAmufnQUSUiI0LfgVBJ6f5Ku4ACthAVwbSUleo9LlohTifZ7a X-Received: by 2002:a92:cd02:0:b0:341:e2aa:3552 with SMTP id z2-20020a92cd02000000b00341e2aa3552mr5833454iln.4.1688770647895; Fri, 07 Jul 2023 15:57:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1688770647; cv=none; d=google.com; s=arc-20160816; b=lp869zTAAz1hDfclI83kcsi25YZHrSyAhwJFTQE2SzB1o/cK4CkxMHPJ9z3L0pIQ/Z aVcayCFJp3+q5VFQ8LB8Ns1NR0UQoFWEAfOsKoQKM4JxMcYcp91AX19KdZYD7yUhuiT8 h48zc67h/SiB77ZipjbrI39ZjbYT7RjUrrBCOIT/lr1crqVO0O2f/utBRridYDXevxBI +FXfggwwayG8jHeSid9WFhahsFl0vrhaFapYJrMgfms6LTMweHiB9GOL2ylXfnt/bRGD tY+tktmRJQjEYubXkU7g6B4in6SCrdMaehSghZ6N0bricLR/MZyOz6bDxpg2l6+1lgkx r/5g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=izLe8qwE6x7arPHj7fvYd48QI08baWmkxU0wU/Sbges=; fh=KdABePaQFJCLB5j7q6a1t6FguMq3bIzCL1VaDUjgeTI=; b=Z9AicQsu22HIUzLna+iMub1R12NCZ4OVUNChd99OetvOveEybBsM+2NOyqLPGAAG0W jLJNtL0jHykqNoGMRRNlv2io0DG6BPZxatJ0mue/eJuKxqfG9oQR9Y2hs2hf3SeuAdR0 oh6UCu+5/1EwbZx3KYf2UwRsX0clsZuKgjnZVv2A/EP4fl0pbsmqTJdGAav7u8Qo66b2 GgE7fFg5OuU9InRjZw8NwXqvA6jzzmYnYuTwe4gl8GlukBgNypPLxJ8LXp+oBBnmKgYN JOObAHqXqisHtpS6aaiiFBdw6G+hxmEJvS8QXqCTLht1YFWTrFdg83i2wkwxCGpN9xnk 9Wlw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nabijaczleweli.xyz header.s=202305 header.b=o3aiF2y+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nabijaczleweli.xyz Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u31-20020a63471f000000b0055337508370si4486412pga.889.2023.07.07.15.57.16; Fri, 07 Jul 2023 15:57:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@nabijaczleweli.xyz header.s=202305 header.b=o3aiF2y+; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nabijaczleweli.xyz Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231953AbjGGWlb (ORCPT + 99 others); Fri, 7 Jul 2023 18:41:31 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55434 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231150AbjGGWlZ (ORCPT ); Fri, 7 Jul 2023 18:41:25 -0400 Received: from tarta.nabijaczleweli.xyz (unknown [139.28.40.42]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id C03BA2125; Fri, 7 Jul 2023 15:41:22 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nabijaczleweli.xyz; s=202305; t=1688769679; bh=66EhCKrke0Iq+SSG8cBd23leIIdYLwkKIKEa7Istidg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=o3aiF2y+Yl6hlfV/jPFar6UUEqQgWGw/iRe+ArZwJ6vtaFSUKwCxBDdwaFl6kLbyl 3mNX4/6CkWHZavdr5g/znKItp0AzTuedDP7ttPemunAzy9+Uv+f12r+nRNVAXTCLZN kKqQgb0m1pbMq8OG6nUQdSOw/Hx/vjxg/oVckApRo3+Tkr9XacGirc9T5SyDlXI6cF uYTiYRzTDeZ9juNfr5+sntqzCod9Mtx3oWzVoxmhJ6rGaex7sI99sahVBR5oJeWiM2 Id05lpKHrsnHffzfrkiTI2v3dlubdzmuATLOmviXlxgVugSgG4+lOaOS0qo9d+zPPR 2dGaccIx5ooSg== Received: from tarta.nabijaczleweli.xyz (unknown [192.168.1.250]) by tarta.nabijaczleweli.xyz (Postfix) with ESMTPSA id 9B0DA207E; Sat, 8 Jul 2023 00:41:19 +0200 (CEST) Date: Sat, 8 Jul 2023 00:41:18 +0200 From: Ahelenia =?utf-8?Q?Ziemia=C5=84ska?= To: Linus Torvalds Cc: Christian Brauner , Jens Axboe , David Howells , Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: Pending splice(file -> FIFO) excludes all other FIFO operations forever (was: ... always blocks read(FIFO), regardless of O_NONBLOCK on read side?) Message-ID: References: <20230626-vorverlegen-setzen-c7f96e10df34@brauner> <4sdy3yn462gdvubecjp4u7wj7hl5aah4kgsxslxlyqfnv67i72@euauz57cr3ex> <20230626-fazit-campen-d54e428aa4d6@brauner> <20230707-konsens-ruckartig-211a4fb24e27@brauner> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="rwikc4e2rdpqmnxf" Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20230517 X-Spam-Status: No, score=-1.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,PDS_RDNS_DYNAMIC_FP, RDNS_DYNAMIC,SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,URIBL_BLOCKED autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --rwikc4e2rdpqmnxf Content-Type: multipart/mixed; boundary="3mjbekeuyt4r3h3w" Content-Disposition: inline --3mjbekeuyt4r3h3w Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jul 07, 2023 at 12:10:36PM -0700, Linus Torvalds wrote: > On Fri, 7 Jul 2023 at 10:21, Christian Brauner wrote: > > Forgot to say, fwiw, I've been running this through the LTP splice, > > pipe, and ipc tests without issues. A hanging reader can be signaled > > away cleanly with this. > NOTE! NOTE! NOTE! Once more, this "feels right to me", and I'd argue > that the basic approach is fairly straightfoward. The patch is also > not horrendous. It all makes a fair amount of sense. BUT! I haven't > tested this, and like the previous patch, I really would want people > to think about this a lot. >=20 > Comments? Jens? I applied the patch upthread + this diff to 4f6b6c2b2f86b7878a770736bf478d8= a263ff0bc; during test setup I got a null deref (building defconfig minus graphics). Reproducible, full BUG dump attached; trace of [ 149.878931] [ 149.879533] ? __die+0x1e/0x60 [ 149.880309] ? page_fault_oops+0x17c/0x470 [ 149.881313] ? search_module_extables+0x14/0x50 [ 149.882422] ? exc_page_fault+0x67/0x150 [ 149.883397] ? asm_exc_page_fault+0x26/0x30 [ 149.884426] ? __pfx_pipe_to_null+0x10/0x10 [ 149.885451] ? splice_from_pipe_next+0x129/0x150 [ 149.886580] __splice_from_pipe+0x39/0x1c0 [ 149.887594] ? __pfx_pipe_to_null+0x10/0x10 [ 149.888615] ? __pfx_pipe_to_null+0x10/0x10 [ 149.889635] splice_from_pipe+0x5c/0x90 [ 149.890579] do_splice+0x35c/0x840 [ 149.891407] __do_splice+0x1eb/0x210 [ 149.892176] __x64_sys_splice+0xad/0x120 [ 149.893019] do_syscall_64+0x3e/0x90 [ 149.893798] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 $ scripts/faddr2line vmlinux splice_from_pipe_next+0x129 splice_from_pipe_next+0x129/0x150: pipe_buf_release at include/linux/pipe_fs_i.h:221 (inlined by) eat_empty_buffer at fs/splice.c:594 (inlined by) splice_from_pipe_next at fs/splice.c:640 I gamed this down to=20 echo c | grep c >/dev/null where grep is ii grep 3.8-5 amd64 GNU grep, egrep and fgrep and strace of the same invocation (on the host) ends with newfstatat(1, "", {st_mode=3DS_IFCHR|0666, st_rdev=3Dmakedev(0x1, 0x3), .= =2E.}, AT_EMPTY_PATH) =3D 0 newfstatat(AT_FDCWD, "/dev/null", {st_mode=3DS_IFCHR|0666, st_rdev=3Dmake= dev(0x1, 0x3), ...}, 0) =3D 0 newfstatat(0, "", {st_mode=3DS_IFIFO|0600, st_size=3D0, ...}, AT_EMPTY_PA= TH) =3D 0 lseek(0, 0, SEEK_CUR) =3D -1 ESPIPE (Illegal seek) read(0, "c\n", 98304) =3D 2 splice(0, NULL, 1, NULL, 98304, SPLICE_F_MOVE) =3D 0 close(1) =3D 0 close(2) =3D 0 exit_group(0) =3D ? +++ exited with 0 +++ And can also reproduce it with echo | { read -r _; exec ./wr; } > /dev/null (where ./wr is "while (splice(0, 0, 1, 0, 128 * 1024 * 1024, 0) > 0) {}"). However: echo | ./wr > /dev/null does NOT crash. Besides that, this doesn't solve the original issue, inasmuch as ./v > fifo & head fifo & echo zupa > fifo (where ./v splices from an empty pty to stdout; v.c attached) echo still sleeps until ./v dies, though it also succumbs to ^C now. "OTOH, on 4f6b6c2b2f86b7878a770736bf478d8a263ff0bc, "timeout 10 ./v > fifo &" (then lines 2 and 3 as above) does kill ./v -> unblock echo -> head copies "zupa", i.e. life resumes as normal after the splicer went away. With the patches, echo zupa is stuck forever (until you signal it)! This is kinda worse. --3mjbekeuyt4r3h3w Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename=BUG [ 149.843966] BUG: kernel NULL pointer dereference, address: 0000000000000008 [ 149.845820] #PF: supervisor read access in kernel mode [ 149.847190] #PF: error_code(0x0000) - not-present page [ 149.848540] PGD 0 P4D 0 [ 149.849231] Oops: 0000 [#1] PREEMPT SMP PTI [ 149.850345] CPU: 0 PID: 230 Comm: grep Not tainted 6.4.0-12317-gabf530ed3e36-dirty #3 [ 149.852411] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014 [ 149.854900] RIP: 0010:splice_from_pipe_next+0x129/0x150 [ 149.856328] Code: ff c6 45 38 00 eb af 5b b8 00 fe ff ff 5d 41 5c 41 5d c3 cc cc cc cc 48 8b 46 10 41 83 c5 01 48 89 df 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 ce a5 9a [ 149.861118] RSP: 0018:ffffb2ed40347d70 EFLAGS: 00010202 [ 149.862488] RAX: 0000000000000000 RBX: ffff8c06c1d9a0c0 RCX: 0000000000000000 [ 149.864357] RDX: 0000000000000005 RSI: ffff8c06c8c98028 RDI: ffff8c06c1d9a0c0 [ 149.866217] RBP: ffffb2ed40347de0 R08: 0000000000000001 R09: ffffffffaa428db0 [ 149.868088] R10: 0000000000018000 R11: 0000000000000000 R12: ffff8c06c2625580 [ 149.869950] R13: 0000000000000002 R14: ffff8c06c1d9a0c0 R15: ffffb2ed40347de0 [ 149.871828] FS: 00007fa5a6b3e740(0000) GS:ffff8c06dd800000(0000) knlGS:0000000000000000 [ 149.873937] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.875459] CR2: 0000000000000008 CR3: 000000000269a000 CR4: 00000000000006f0 [ 149.877327] Call Trace: [ 149.878931] [ 149.879533] ? __die+0x1e/0x60 [ 149.880309] ? page_fault_oops+0x17c/0x470 [ 149.881313] ? search_module_extables+0x14/0x50 [ 149.882422] ? exc_page_fault+0x67/0x150 [ 149.883397] ? asm_exc_page_fault+0x26/0x30 [ 149.884426] ? __pfx_pipe_to_null+0x10/0x10 [ 149.885451] ? splice_from_pipe_next+0x129/0x150 [ 149.886580] __splice_from_pipe+0x39/0x1c0 [ 149.887594] ? __pfx_pipe_to_null+0x10/0x10 [ 149.888615] ? __pfx_pipe_to_null+0x10/0x10 [ 149.889635] splice_from_pipe+0x5c/0x90 [ 149.890579] do_splice+0x35c/0x840 [ 149.891407] __do_splice+0x1eb/0x210 [ 149.892176] __x64_sys_splice+0xad/0x120 [ 149.893019] do_syscall_64+0x3e/0x90 [ 149.893798] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 149.894881] RIP: 0033:0x7fa5a6c49dd3 [ 149.895682] Code: 64 89 02 48 c7 c0 ff ff ff ff eb b9 66 2e 0f 1f 84 00 00 00 00 00 90 80 3d 11 18 0d 00 00 49 89 ca 74 14 b8 13 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 74 [ 149.899538] RSP: 002b:00007ffc83d77768 EFLAGS: 00000202 ORIG_RAX: 0000000000000113 [ 149.901116] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fa5a6c49dd3 [ 149.902602] RDX: 0000000000000001 RSI: 0000000000000000 RDI: 0000000000000000 [ 149.904048] RBP: 0000564d8aaeb000 R08: 0000000000018000 R09: 0000000000000001 [ 149.905439] R10: 0000000000000000 R11: 0000000000000202 R12: 000000000000000a [ 149.906832] R13: 0000564d8aaeb010 R14: 0000564d8aaeb000 R15: 0000000000000000 [ 149.908239] [ 149.908692] Modules linked in: [ 149.909326] CR2: 0000000000000008 [ 149.910050] ---[ end trace 0000000000000000 ]--- [ 149.910986] RIP: 0010:splice_from_pipe_next+0x129/0x150 [ 149.912063] Code: ff c6 45 38 00 eb af 5b b8 00 fe ff ff 5d 41 5c 41 5d c3 cc cc cc cc 48 8b 46 10 41 83 c5 01 48 89 df 48 c7 46 10 00 00 00 00 <48> 8b 40 08 e8 ce a5 9a [ 149.915639] RSP: 0018:ffffb2ed40347d70 EFLAGS: 00010202 [ 149.916589] RAX: 0000000000000000 RBX: ffff8c06c1d9a0c0 RCX: 0000000000000000 [ 149.917877] RDX: 0000000000000005 RSI: ffff8c06c8c98028 RDI: ffff8c06c1d9a0c0 [ 149.919172] RBP: ffffb2ed40347de0 R08: 0000000000000001 R09: ffffffffaa428db0 [ 149.920457] R10: 0000000000018000 R11: 0000000000000000 R12: ffff8c06c2625580 [ 149.921737] R13: 0000000000000002 R14: ffff8c06c1d9a0c0 R15: ffffb2ed40347de0 [ 149.923021] FS: 00007fa5a6b3e740(0000) GS:ffff8c06dd800000(0000) knlGS:0000000000000000 [ 149.924481] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 149.925529] CR2: 0000000000000008 CR3: 000000000269a000 CR4: 00000000000006f0 --3mjbekeuyt4r3h3w Content-Type: text/x-csrc; charset=us-ascii Content-Disposition: attachment; filename="v.c" #define _GNU_SOURCE #include #include #include int main() { int pt = posix_openpt(O_RDWR); grantpt(pt); unlockpt(pt); int cl = open(ptsname(pt), O_RDONLY); for(;;) splice(cl, 0, 1, 0, 128 * 1024 * 1024, 0); // sendfile(1, 0, 0, 128 * 1024 * 1024); } --3mjbekeuyt4r3h3w-- --rwikc4e2rdpqmnxf Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEEfWlHToQCjFzAxEFjvP0LAY0mWPEFAmSolIsACgkQvP0LAY0m WPFR2xAAutKJ8LrQOMyNIQvL/bVuVfel3GVUngaZO3QgZpJ8oriEHS4fVgSNwZA2 +HE3JUrJWJoJs/36pJFGOSZWl4t51DWlKdgcpOK6I8qmmjxv8prVZLO7GIwybmLW Wn6Tr0tiWYnz1C1qs1ub6kENccWnkxMg0v8zhzoGz2lcGXYGBWqdlOV+hdO4Mmte pMs8XIrValG8/u3sIvTToniKNaq9yz8w+ZuxkFPvIYxr9sWSF1O+D/4IGFWxHWbk 2LkGc0Q/U7nVA/Zhbnbh3LEao63+tlUcDIiaXcAuMKa9cMhILrJ1XB6hcKQWNd40 cJ+sjwRfCGHDO7FhRULETd0Du45faun0nlEdgCDVIcMwfimkHzfcJLUev+k1E5QE fC7QzwGHE9L1megok4N7e7oxQhHtE7zPFim+6/uYsT8TeGCIz34ujKAKfQyB4yj9 n7c3xe3V8rH9Gse91g9jcm4PWlp7cNIkhVHsl+lQj5aLrTsQUm+wyq/hfkCrBnt7 f2b/85afkFOVtb6O9GZcESz+FFN6A6bk/jCLYW3xBqiQxSHGCf4Vm6TqemFVWa2G FQZNua3R8alqRwfGFMCG4yGMrVQOvWozD41UTsgbXxp8hCYrRB6HGBAw7mCzmhp9 zlUZRgfexQUSUF8u0Em+5I8p+9oh1/dfxbLQozGdJ/1GSfGF4aU= =7vhL -----END PGP SIGNATURE----- --rwikc4e2rdpqmnxf--