From patchwork Wed Oct  5 16:07:21 2016
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Al Viro <viro@ZenIV.linux.org.uk>
X-Patchwork-Id: 9485661
X-Mozilla-Keys: nonjunk
Return-Path: <linux-xfs-owner@vger.kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on sandeen.net
X-Spam-Level: 
X-Spam-Status: No, score=-7.0 required=5.0 tests=BAYES_00,
	HEADER_FROM_DIFFERENT_DOMAINS, RCVD_IN_DNSWL_HI,
	RP_MATCHES_RCVD autolearn=ham autolearn_force=no version=3.4.0
X-Spam-HP: BAYES_00=-1.9,HEADER_FROM_DIFFERENT_DOMAINS=0.001,
	RCVD_IN_DNSWL_HI=-5,RP_MATCHES_RCVD=-0.1
X-Original-To: sandeen@sandeen.net
Delivered-To: sandeen@sandeen.net
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by sandeen.net (Postfix) with ESMTP id 100451738C8
	for <sandeen@sandeen.net>; Wed,  5 Oct 2016 11:06:48 -0500 (CDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1753975AbcJEQH0 (ORCPT <rfc822;sandeen@sandeen.net>);
	Wed, 5 Oct 2016 12:07:26 -0400
Received: from zeniv.linux.org.uk ([195.92.253.2]:40194 "EHLO
	ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1753290AbcJEQHZ (ORCPT
	<rfc822;linux-xfs@vger.kernel.org>); Wed, 5 Oct 2016 12:07:25 -0400
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.86_2 #1 (Red
	Hat Linux)) id 1broj3-0001ne-3Q; Wed, 05 Oct 2016 16:07:21 +0000
Date: Wed, 5 Oct 2016 17:07:21 +0100
From: Al Viro <viro@ZenIV.linux.org.uk>
To: CAI Qian <caiqian@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>,
	Dave Chinner <david@fromorbit.com>,
	linux-xfs <linux-xfs@vger.kernel.org>,
	Jens Axboe <axboe@kernel.dk>, Nick Piggin <npiggin@gmail.com>,
	linux-fsdevel@vger.kernel.org
Subject: Re: [RFC][CFT] splice_read reworked
Message-ID: <20161005160720.GD19539@ZenIV.linux.org.uk>
References: 
 <CA+55aFxrqCng2Qxasc9pyMrKUGFjo==fEaFT1vkH9Lncte3RgQ@mail.gmail.com>
	<19064316.41568.1475503587628.JavaMail.zimbra@redhat.com>
	<37510012.118174.1475526739119.JavaMail.zimbra@redhat.com>
	<20161003203539.GW19539@ZenIV.linux.org.uk>
	<1209071853.342152.1475587775353.JavaMail.zimbra@redhat.com>
	<20161004142805.GX19539@ZenIV.linux.org.uk>
	<307867218.381779.1475598088901.JavaMail.zimbra@redhat.com>
	<20161004201232.GA19539@ZenIV.linux.org.uk>
	<2021832942.615635.1475677846489.JavaMail.zimbra@redhat.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <2021832942.615635.1475677846489.JavaMail.zimbra@redhat.com>
User-Agent: Mutt/1.7.0 (2016-08-17)
Sender: linux-xfs-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-xfs.vger.kernel.org>
X-Mailing-List: linux-xfs@vger.kernel.org

On Wed, Oct 05, 2016 at 10:30:46AM -0400, CAI Qian wrote:

> [  856.537452] idx = 0, offset = 12
> [  856.541066] curbuf = 0, nrbufs = 1, buffers = 1
					^^^^^^^^^^^^

Lovely - that's pretty much guaranteed to make sanity() spew false
positives.
        int delta = (pipe->curbuf + pipe->nrbufs - idx) & (pipe->buffers - 1);
        if (i->iov_offset) {
                struct pipe_buffer *p;
                if (unlikely(delta != 1) || unlikely(!pipe->nrbufs))
                        goto Bad;       // must be at the last buffer...
and at the last buffer it is - idx == (curbuf + nrbufs - 1) % pipe->buffers.
The test would've done the right thing if pipe->buffers had been at least 2,
but...  OK, the patch below ought to fix those; could you check if anything
remains with it?
---
To unsubscribe from this list: send the line "unsubscribe linux-xfs" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/lib/iov_iter.c b/lib/iov_iter.c
index c97d661..0ce3411 100644
--- a/lib/iov_iter.c
+++ b/lib/iov_iter.c
@@ -298,21 +298,32 @@ static bool sanity(const struct iov_iter *i)
 {
 	struct pipe_inode_info *pipe = i->pipe;
 	int idx = i->idx;
-	int delta = (pipe->curbuf + pipe->nrbufs - idx) & (pipe->buffers - 1);
+	int next = pipe->curbuf + pipe->nrbufs;
 	if (i->iov_offset) {
 		struct pipe_buffer *p;
-		if (unlikely(delta != 1) || unlikely(!pipe->nrbufs))
+		if (unlikely(!pipe->nrbufs))
+			goto Bad;	// pipe must be non-empty
+		if (unlikely(idx != ((next - 1) & (pipe->buffers - 1))))
 			goto Bad;	// must be at the last buffer...
 
 		p = &pipe->bufs[idx];
 		if (unlikely(p->offset + p->len != i->iov_offset))
 			goto Bad;	// ... at the end of segment
 	} else {
-		if (delta)
+		if (idx != (next & (pipe->buffers - 1)))
 			goto Bad;	// must be right after the last buffer
 	}
 	return true;
 Bad:
+	printk(KERN_ERR "idx = %d, offset = %zd\n", i->idx, i->iov_offset);
+	printk(KERN_ERR "curbuf = %d, nrbufs = %d, buffers = %d\n",
+			pipe->curbuf, pipe->nrbufs, pipe->buffers);
+	for (idx = 0; idx < pipe->buffers; idx++)
+		printk(KERN_ERR "[%p %p %d %d]\n",
+			pipe->bufs[idx].ops,
+			pipe->bufs[idx].page,
+			pipe->bufs[idx].offset,
+			pipe->bufs[idx].len);
 	WARN_ON(1);
 	return false;
 }