mirror of
https://github.com/torvalds/linux.git
synced 2026-05-05 23:05:25 -04:00
4481f7f2b3
Fix the resetting of the subrequest iterator in netfs_retry_write_stream()
to use the iterator-reset function as the iterator may have been shortened
by a previous retry. In such a case, the amount of data to be written by
the subrequest is not "subreq->len" but "subreq->len -
subreq->transferred".
Without this, KASAN may see an error in iov_iter_revert():
BUG: KASAN: slab-out-of-bounds in iov_iter_revert lib/iov_iter.c:633 [inline]
BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611
Read of size 4 at addr ffff88802912a0b8 by task kworker/u32:7/1147
CPU: 1 UID: 0 PID: 1147 Comm: kworker/u32:7 Not tainted 6.15.0-rc6-syzkaller-00052-g9f35e33144ae #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014
Workqueue: events_unbound netfs_write_collection_worker
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:408 [inline]
print_report+0xc3/0x670 mm/kasan/report.c:521
kasan_report+0xe0/0x110 mm/kasan/report.c:634
iov_iter_revert lib/iov_iter.c:633 [inline]
iov_iter_revert+0x443/0x5a0 lib/iov_iter.c:611
netfs_retry_write_stream fs/netfs/write_retry.c:44 [inline]
netfs_retry_writes+0x166d/0x1a50 fs/netfs/write_retry.c:231
netfs_collect_write_results fs/netfs/write_collect.c:352 [inline]
netfs_write_collection_worker+0x23fd/0x3830 fs/netfs/write_collect.c:374
process_one_work+0x9cf/0x1b70 kernel/workqueue.c:3238
process_scheduled_works kernel/workqueue.c:3319 [inline]
worker_thread+0x6c8/0xf10 kernel/workqueue.c:3400
kthread+0x3c2/0x780 kernel/kthread.c:464
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:153
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
</TASK>
Fixes: cd0277ed0c ("netfs: Use new folio_queue data type and iterator instead of xarray iter")
Reported-by: syzbot+25b83a6f2c702075fcbc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=25b83a6f2c702075fcbc
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/20250519090707.2848510-2-dhowells@redhat.com
Tested-by: syzbot+25b83a6f2c702075fcbc@syzkaller.appspotmail.com
cc: Paulo Alcantara <pc@manguebit.com>
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
236 lines
6.4 KiB
C
236 lines
6.4 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/* Network filesystem write retrying.
|
|
*
|
|
* Copyright (C) 2024 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/mm.h>
|
|
#include <linux/pagemap.h>
|
|
#include <linux/slab.h>
|
|
#include "internal.h"
|
|
|
|
/*
|
|
* Perform retries on the streams that need it.
|
|
*/
|
|
static void netfs_retry_write_stream(struct netfs_io_request *wreq,
|
|
struct netfs_io_stream *stream)
|
|
{
|
|
struct list_head *next;
|
|
|
|
_enter("R=%x[%x:]", wreq->debug_id, stream->stream_nr);
|
|
|
|
if (list_empty(&stream->subrequests))
|
|
return;
|
|
|
|
if (stream->source == NETFS_UPLOAD_TO_SERVER &&
|
|
wreq->netfs_ops->retry_request)
|
|
wreq->netfs_ops->retry_request(wreq, stream);
|
|
|
|
if (unlikely(stream->failed))
|
|
return;
|
|
|
|
/* If there's no renegotiation to do, just resend each failed subreq. */
|
|
if (!stream->prepare_write) {
|
|
struct netfs_io_subrequest *subreq;
|
|
|
|
list_for_each_entry(subreq, &stream->subrequests, rreq_link) {
|
|
if (test_bit(NETFS_SREQ_FAILED, &subreq->flags))
|
|
break;
|
|
if (__test_and_clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags)) {
|
|
struct iov_iter source;
|
|
|
|
netfs_reset_iter(subreq);
|
|
source = subreq->io_iter;
|
|
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
|
|
netfs_reissue_write(stream, subreq, &source);
|
|
}
|
|
}
|
|
return;
|
|
}
|
|
|
|
next = stream->subrequests.next;
|
|
|
|
do {
|
|
struct netfs_io_subrequest *subreq = NULL, *from, *to, *tmp;
|
|
struct iov_iter source;
|
|
unsigned long long start, len;
|
|
size_t part;
|
|
bool boundary = false;
|
|
|
|
/* Go through the stream and find the next span of contiguous
|
|
* data that we then rejig (cifs, for example, needs the wsize
|
|
* renegotiating) and reissue.
|
|
*/
|
|
from = list_entry(next, struct netfs_io_subrequest, rreq_link);
|
|
to = from;
|
|
start = from->start + from->transferred;
|
|
len = from->len - from->transferred;
|
|
|
|
if (test_bit(NETFS_SREQ_FAILED, &from->flags) ||
|
|
!test_bit(NETFS_SREQ_NEED_RETRY, &from->flags))
|
|
return;
|
|
|
|
list_for_each_continue(next, &stream->subrequests) {
|
|
subreq = list_entry(next, struct netfs_io_subrequest, rreq_link);
|
|
if (subreq->start + subreq->transferred != start + len ||
|
|
test_bit(NETFS_SREQ_BOUNDARY, &subreq->flags) ||
|
|
!test_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags))
|
|
break;
|
|
to = subreq;
|
|
len += to->len;
|
|
}
|
|
|
|
/* Determine the set of buffers we're going to use. Each
|
|
* subreq gets a subset of a single overall contiguous buffer.
|
|
*/
|
|
netfs_reset_iter(from);
|
|
source = from->io_iter;
|
|
source.count = len;
|
|
|
|
/* Work through the sublist. */
|
|
subreq = from;
|
|
list_for_each_entry_from(subreq, &stream->subrequests, rreq_link) {
|
|
if (!len)
|
|
break;
|
|
|
|
subreq->start = start;
|
|
subreq->len = len;
|
|
__clear_bit(NETFS_SREQ_NEED_RETRY, &subreq->flags);
|
|
subreq->retry_count++;
|
|
trace_netfs_sreq(subreq, netfs_sreq_trace_retry);
|
|
|
|
/* Renegotiate max_len (wsize) */
|
|
stream->sreq_max_len = len;
|
|
stream->prepare_write(subreq);
|
|
|
|
part = umin(len, stream->sreq_max_len);
|
|
if (unlikely(stream->sreq_max_segs))
|
|
part = netfs_limit_iter(&source, 0, part, stream->sreq_max_segs);
|
|
subreq->len = part;
|
|
subreq->transferred = 0;
|
|
len -= part;
|
|
start += part;
|
|
if (len && subreq == to &&
|
|
__test_and_clear_bit(NETFS_SREQ_BOUNDARY, &to->flags))
|
|
boundary = true;
|
|
|
|
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
|
|
netfs_reissue_write(stream, subreq, &source);
|
|
if (subreq == to)
|
|
break;
|
|
}
|
|
|
|
/* If we managed to use fewer subreqs, we can discard the
|
|
* excess; if we used the same number, then we're done.
|
|
*/
|
|
if (!len) {
|
|
if (subreq == to)
|
|
continue;
|
|
list_for_each_entry_safe_from(subreq, tmp,
|
|
&stream->subrequests, rreq_link) {
|
|
trace_netfs_sreq(subreq, netfs_sreq_trace_discard);
|
|
list_del(&subreq->rreq_link);
|
|
netfs_put_subrequest(subreq, false, netfs_sreq_trace_put_done);
|
|
if (subreq == to)
|
|
break;
|
|
}
|
|
continue;
|
|
}
|
|
|
|
/* We ran out of subrequests, so we need to allocate some more
|
|
* and insert them after.
|
|
*/
|
|
do {
|
|
subreq = netfs_alloc_subrequest(wreq);
|
|
subreq->source = to->source;
|
|
subreq->start = start;
|
|
subreq->debug_index = atomic_inc_return(&wreq->subreq_counter);
|
|
subreq->stream_nr = to->stream_nr;
|
|
subreq->retry_count = 1;
|
|
|
|
trace_netfs_sreq_ref(wreq->debug_id, subreq->debug_index,
|
|
refcount_read(&subreq->ref),
|
|
netfs_sreq_trace_new);
|
|
netfs_get_subrequest(subreq, netfs_sreq_trace_get_resubmit);
|
|
|
|
list_add(&subreq->rreq_link, &to->rreq_link);
|
|
to = list_next_entry(to, rreq_link);
|
|
trace_netfs_sreq(subreq, netfs_sreq_trace_retry);
|
|
|
|
stream->sreq_max_len = len;
|
|
stream->sreq_max_segs = INT_MAX;
|
|
switch (stream->source) {
|
|
case NETFS_UPLOAD_TO_SERVER:
|
|
netfs_stat(&netfs_n_wh_upload);
|
|
stream->sreq_max_len = umin(len, wreq->wsize);
|
|
break;
|
|
case NETFS_WRITE_TO_CACHE:
|
|
netfs_stat(&netfs_n_wh_write);
|
|
break;
|
|
default:
|
|
WARN_ON_ONCE(1);
|
|
}
|
|
|
|
stream->prepare_write(subreq);
|
|
|
|
part = umin(len, stream->sreq_max_len);
|
|
subreq->len = subreq->transferred + part;
|
|
len -= part;
|
|
start += part;
|
|
if (!len && boundary) {
|
|
__set_bit(NETFS_SREQ_BOUNDARY, &to->flags);
|
|
boundary = false;
|
|
}
|
|
|
|
netfs_reissue_write(stream, subreq, &source);
|
|
if (!len)
|
|
break;
|
|
|
|
} while (len);
|
|
|
|
} while (!list_is_head(next, &stream->subrequests));
|
|
}
|
|
|
|
/*
|
|
* Perform retries on the streams that need it. If we're doing content
|
|
* encryption and the server copy changed due to a third-party write, we may
|
|
* need to do an RMW cycle and also rewrite the data to the cache.
|
|
*/
|
|
void netfs_retry_writes(struct netfs_io_request *wreq)
|
|
{
|
|
struct netfs_io_subrequest *subreq;
|
|
struct netfs_io_stream *stream;
|
|
int s;
|
|
|
|
netfs_stat(&netfs_n_wh_retry_write_req);
|
|
|
|
/* Wait for all outstanding I/O to quiesce before performing retries as
|
|
* we may need to renegotiate the I/O sizes.
|
|
*/
|
|
for (s = 0; s < NR_IO_STREAMS; s++) {
|
|
stream = &wreq->io_streams[s];
|
|
if (!stream->active)
|
|
continue;
|
|
|
|
list_for_each_entry(subreq, &stream->subrequests, rreq_link) {
|
|
wait_on_bit(&subreq->flags, NETFS_SREQ_IN_PROGRESS,
|
|
TASK_UNINTERRUPTIBLE);
|
|
}
|
|
}
|
|
|
|
// TODO: Enc: Fetch changed partial pages
|
|
// TODO: Enc: Reencrypt content if needed.
|
|
// TODO: Enc: Wind back transferred point.
|
|
// TODO: Enc: Mark cache pages for retry.
|
|
|
|
for (s = 0; s < NR_IO_STREAMS; s++) {
|
|
stream = &wreq->io_streams[s];
|
|
if (stream->need_retry) {
|
|
stream->need_retry = false;
|
|
netfs_retry_write_stream(wreq, stream);
|
|
}
|
|
}
|
|
}
|