[SRU][J:azure][PATCH 1/1] netfs: Fix missing xas_retry() calls in xarray iteration

Fri Feb 14 22:38:22 UTC 2025

From: David Howells <dhowells at redhat.com>

BugLink: https://bugs.launchpad.net/bugs/2098534

netfslib has a number of places in which it performs iteration of an xarray
whilst being under the RCU read lock.  It *should* call xas_retry() as the
first thing inside of the loop and do "continue" if it returns true in case
the xarray walker passed out a special value indicating that the walk needs
to be redone from the root[*].

Fix this by adding the missing retry checks.

[*] I wonder if this should be done inside xas_find(), xas_next_node() and
    suchlike, but I'm told that's not an simple change to effect.

This can cause an oops like that below.  Note the faulting address - this
is an internal value (|0x2) returned from xarray.

BUG: kernel NULL pointer dereference, address: 0000000000000402
...
RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
...
Call Trace:
 netfs_rreq_assess+0xa6/0x240 [netfs]
 netfs_readpage+0x173/0x3b0 [netfs]
 ? init_wait_var_entry+0x50/0x50
 filemap_read_page+0x33/0xf0
 filemap_get_pages+0x2f2/0x3f0
 filemap_read+0xaa/0x320
 ? do_filp_open+0xb2/0x150
 ? rmqueue+0x3be/0xe10
 ceph_read_iter+0x1fe/0x680 [ceph]
 ? new_sync_read+0x115/0x1a0
 new_sync_read+0x115/0x1a0
 vfs_read+0xf3/0x180
 ksys_read+0x5f/0xe0
 do_syscall_64+0x38/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Changes:
========
ver #2)
 - Changed an unsigned int to a size_t to reduce the likelihood of an
   overflow as per Willy's suggestion.
 - Added an additional patch to fix the maths.

Fixes: 3d3c95046742 ("netfs: Provide readahead and readpage netfs helpers")
Reported-by: George Law <glaw at redhat.com>
Signed-off-by: David Howells <dhowells at redhat.com>
Reviewed-by: Jeff Layton <jlayton at kernel.org>
Reviewed-by: Jingbo Xu <jefflexu at linux.alibaba.com>
cc: Matthew Wilcox <willy at infradead.org>
cc: linux-cachefs at redhat.com
cc: linux-fsdevel at vger.kernel.org
Link: https://lore.kernel.org/r/166749229733.107206.17482609105741691452.stgit@warthog.procyon.org.uk/ # v1
Link: https://lore.kernel.org/r/166757987929.950645.12595273010425381286.stgit@warthog.procyon.org.uk/ # v2
(backported from commit 7e043a80b5dae5c2d2cf84031501de7827fd6c00)
[vpeixoto: a manual backport was necessary, as commit 16211268fcb3
("netfs: Split fs/netfs/read_helper.c") is not present in the J:azure
tree, and because 78525c74d9e7 ("netfs, 9p, afs, ceph: Use folios"),
also missing, introduced the usage of folios in netfs. I made the
adjustment from folios->pages and applied the fix to the relevant,
pre-split functions in read_helper.c]
Signed-off-by: Vinicius Peixoto <vinicius.peixoto at canonical.com>
---
 fs/netfs/read_helper.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/fs/netfs/read_helper.c b/fs/netfs/read_helper.c
index 242f8bcb34a4..fd0b6618e8bb 100644
--- a/fs/netfs/read_helper.c
+++ b/fs/netfs/read_helper.c
@@ -248,6 +248,9 @@ static void netfs_rreq_unmark_after_write(struct netfs_read_request *rreq,
 		XA_STATE(xas, &rreq->mapping->i_pages, subreq->start / PAGE_SIZE);
 
 		xas_for_each(&xas, page, (subreq->start + subreq->len - 1) / PAGE_SIZE) {
+			if (xas_retry(&xas, page))
+				continue;
+
 			/* We might have multiple writes from the same huge
 			 * page, but we mustn't unlock a page more than once.
 			 */
@@ -399,10 +402,15 @@ static void netfs_rreq_unlock(struct netfs_read_request *rreq)
 
 	rcu_read_lock();
 	xas_for_each(&xas, page, last_page) {
-		unsigned int pgpos = (page->index - start_page) * PAGE_SIZE;
-		unsigned int pgend = pgpos + thp_size(page);
+		unsigned int pgpos, pgend;
 		bool pg_failed = false;
 
+		if (xas_retry(&xas, page))
+			continue;
+
+		pgpos = (page->index - start_page) * PAGE_SIZE;
+		pgend = pgpos + thp_size(page);
+
 		for (;;) {
 			if (!subreq) {
 				pg_failed = true;
-- 
2.43.0


