linux/fs/cifs
David Howells 71562809e4 cifs: Fix memory leak in direct I/O
When __cifs_readv() and __cifs_writev() extract pages from a user-backed
iterator into a BVEC-type iterator, they set ->bv_need_unpin to note
whether they need to unpin the pages later.  However, in both cases they
examine the BVEC-type iterator and not the source iterator - and so
bv_need_unpin doesn't get set and the pages are leaked.

I think this may be responsible for the generic/208 xfstest failing
occasionally with:

	WARNING: CPU: 0 PID: 3064 at mm/gup.c:218 try_grab_page+0x65/0x100
	RIP: 0010:try_grab_page+0x65/0x100
	follow_page_pte+0x1a7/0x570
	__get_user_pages+0x1a2/0x650
	__gup_longterm_locked+0xdc/0xb50
	internal_get_user_pages_fast+0x17f/0x310
	pin_user_pages_fast+0x46/0x60
	iov_iter_extract_pages+0xc9/0x510
	? __kmalloc_large_node+0xb1/0x120
	? __kmalloc_node+0xbe/0x130
	netfs_extract_user_iter+0xbf/0x200 [netfs]
	__cifs_writev+0x150/0x330 [cifs]
	vfs_write+0x2a8/0x3c0
	ksys_pwrite64+0x65/0xa0

with the page refcount going negative.  This is less unlikely than it seems
because the page is being pinned, not simply got, and so the refcount
increased by 1024 each time, and so only needs to be called around ~2097152
for the refcount to go negative.

Further, the test program (aio-dio-invalidate-failure) uses a 32MiB static
buffer and all the PTEs covering it refer to the same page because it's
never written to.

The warning in try_grab_page():

	if (WARN_ON_ONCE(folio_ref_count(folio) <= 0))
		return -ENOMEM;

then trips and prevents us ever using the page again for DIO at least.

Fixes: d08089f649 ("cifs: Change the I/O paths to use an iterator rather than a page list")
Reported-by: Murphy Zhou <jencce.kernel@gmail.com>
Link: https://lore.kernel.org/r/CAH2r5mvaTsJ---n=265a4zqRA7pP+o4MJ36WCQUS6oPrOij8cw@mail.gmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Paulo Alcantara (SUSE) <pc@manguebit.com>
cc: Shyam Prasad N <nspmangalore@gmail.com>
cc: Rohith Surabattula <rohiths.msft@gmail.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: linux-cifs@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
2023-03-01 18:18:25 -06:00
asn1.c
cached_dir.c cifs: return a single-use cfid if we did not get a lease 2023-02-20 11:48:48 -06:00
cached_dir.h cifs: drop the lease for cached directories on rmdir or rename 2022-10-19 17:57:41 -05:00
cifs_debug.c cifs: print last update time for interface list 2023-02-20 11:48:47 -06:00
cifs_debug.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_dfs_ref.c cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
cifs_fs_sb.h
cifs_ioctl.h cifs: minor cleanup of some headers 2022-12-12 13:08:06 -06:00
cifs_spnego_negtokeninit.asn1
cifs_spnego.c cred: Do not default to init_cred in prepare_kernel_cred() 2022-11-01 10:04:52 -07:00
cifs_spnego.h cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
cifs_swn.c smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
cifs_swn.h
cifs_unicode.c
cifs_unicode.h
cifs_uniupr.h
cifsacl.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsacl.h
cifsencrypt.c cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
cifsfs.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsfs.h 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifsglob.h 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
cifspdu.h cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
cifsproto.h cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
cifsroot.c cifs: move from strlcpy with unused retval to strscpy 2022-08-19 11:02:26 -05:00
cifssmb.c cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
connect.c cifs: reuse cifs_match_ipaddr for comparison of dstaddr too 2023-03-01 18:18:24 -06:00
dfs_cache.c cifs: remove unused function 2023-01-18 14:49:51 -06:00
dfs_cache.h cifs: remove unused function 2023-01-18 14:49:51 -06:00
dfs.c cifs: protect access of TCP_Server_Info::{dstaddr,hostname} 2023-01-04 09:06:53 -06:00
dfs.h cifs: use origin fullpath for automounts 2022-12-19 08:03:12 -06:00
dir.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
dns_resolve.c cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
dns_resolve.h cifs: set resolved ip in sockaddr 2022-12-19 08:03:11 -06:00
export.c
file.c cifs: Fix memory leak in direct I/O 2023-03-01 18:18:25 -06:00
fs_context.c cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
fs_context.h cifs: share dfs connections and supers 2022-12-19 08:03:12 -06:00
fscache.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
fscache.h cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
inode.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
ioctl.c cifs: Fix wrong return value checking when GETFLAGS 2022-11-16 00:21:04 -06:00
Kconfig cifs: Change the I/O paths to use an iterator rather than a page list 2023-02-20 18:36:02 -06:00
link.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
Makefile cifs: get rid of mount options string parsing 2022-12-19 08:03:11 -06:00
misc.c cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
netlink.c genetlink: start to validate reserved header bytes 2022-08-29 12:47:15 +01:00
netlink.h
netmisc.c cifs: remove unused server parameter from calc_smb_size() 2022-08-17 18:07:13 -05:00
nterr.c
nterr.h
ntlmssp.h cifs: Replace zero-length arrays with flexible-array members 2023-02-20 11:48:47 -06:00
readdir.c cifs: Replace remaining 1-element arrays 2023-02-20 11:48:48 -06:00
rfc1002pdu.h
sess.c cifs: get rid of dns resolve worker 2023-02-20 17:25:43 -06:00
smb1ops.c cifs: Fix uninitialized memory reads for oparms.mode 2023-02-20 11:48:48 -06:00
smb2file.c 46 fs/cifs (smb3 client) changesets, 37 in fs/cifs and 9 for related helper functions and cleanup outside from Dave Howells and Willy 2023-02-22 17:12:44 -08:00
smb2glob.h smb3: move defines for ioctl protocol header and SMB2 sizes to smbfs_common 2022-03-26 23:09:20 -05:00
smb2inode.c cifs: improve checking of DFS links over STATUS_OBJECT_NAME_INVALID 2023-03-01 18:18:25 -06:00
smb2maperror.c
smb2misc.c smb3: Replace smb2pdu 1-element arrays with flex-arrays 2023-02-20 17:25:43 -06:00
smb2ops.c cifs: improve checking of DFS links over STATUS_OBJECT_NAME_INVALID 2023-03-01 18:18:25 -06:00
smb2pdu.c cifs: prevent data race in cifs_reconnect_tcon() 2023-03-01 18:18:25 -06:00
smb2pdu.h smb3: Replace smb2pdu 1-element arrays with flex-arrays 2023-02-20 17:25:43 -06:00
smb2proto.h cifs: Parse owner/group for stat in smb311 posix extensions 2022-12-08 09:51:53 -06:00
smb2status.h
smb2transport.c cifs: avoid unnecessary iteration of tcp sessions 2022-11-04 23:34:40 -05:00
smbdirect.c cifs: Fix an uninitialised variable 2023-03-01 18:17:36 -06:00
smbdirect.h cifs: Build the RDMA SGE list directly from an iterator 2023-02-20 18:36:02 -06:00
smbencrypt.c
smberr.h
trace.c
trace.h smb3: add dynamic trace points for tree disconnect 2022-10-05 01:31:18 -05:00
transport.c cifs: use the least loaded channel for sending requests 2023-02-21 01:24:48 -06:00
unc.c
winucase.c
xattr.c fs: port xattr to mnt_idmap 2023-01-19 09:24:28 +01:00