Message-ID: <13d5ecd9-3e9f-4593-b300-9141941a29cb@suse.cz>
Date: Mon, 9 Jun 2025 20:28:56 +0200
Subject: Re: [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL pointer dereference in rcu_core (3)
From: Vlastimil Babka
To: Uladzislau Rezki, Kent Overstreet, "Paul E. McKenney"
Cc: syzbot, akpm@linux-foundation.org, josh@joshtriplett.org, linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, rcu@vger.kernel.org, syzkaller-bugs@googlegroups.com
References: <67a2b20a.050a0220.50516.0003.GAE@google.com> <9694d40a-072e-47c2-a950-3b258bbe04f5@paulmck-laptop>

On 6/8/25 20:23, Uladzislau Rezki wrote:
> On Sun, Jun 08, 2025 at 11:26:28AM -0400, Kent Overstreet wrote:
>>
>> I don't think it's that - syzbot's .config already has that enabled.
>> KASAN, too.
>>
>> And the only place we do call_rcu() is from rcu_pending.c, where we've
>> got a rearming rcu callback - but we track whether it's outstanding, and
>> we do all relevant operations with a lock held.
>>
>> And we only use rcu_pending.c with SRCU, not regular RCU.
>>
>> We do use kfree_rcu() in a few places (all boring, I expect), but that
>> doesn't (generally?) use the rcu callback list.
>>
> Right, kvfree_rcu() does not intersect with regular callbacks, it has
> its own path.

You mean due to the batching? Maybe the batching should be disabled with
CONFIG_DEBUG_OBJECTS_RCU_HEAD=y if it prevents it from detecting issues?
Otherwise we now have kvfree_rcu_cb() so the special handling of
kvfree_rcu() is gone in the non-batching case.

> It looks like the problem is here:
>
>
> f = rhp->func;
> debug_rcu_head_callback(rhp);
> WRITE_ONCE(rhp->func, (rcu_callback_t)0L);
> f(rhp);
>
>
> we do not check if callback, "f", is a NULL. If it is, the kernel bug
> is triggered right away. For example:
>
> call_rcu(&rh, NULL);
>
> @Paul, do you think it makes sense to narrow callers which apparently
> pass NULL as a callback? To me it seems the case of this bug. But we
> do not know the source.
>
> It would give at least a stack-trace of caller which passes a NULL.

Right, AFAIU this kind of check is now possible, previously NULL was being
interpreted as a valid __is_kvfree_rcu_offset() (i.e. rcu_head at offset 0).

> --
> Uladzislau Rezki
>
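A user-space model of the callback path discussed in this thread, added here as an illustration and not code from the thread or from the kernel: the names mirror call_rcu(), rcu_do_batch() and __is_kvfree_rcu_offset(), but the callback list, the caller attribution and the demo() function are toy constructions that stand in for the kernel's machinery. It shows why a NULL func used to be indistinguishable from a kvfree_rcu() offset of zero, and how rejecting NULL at enqueue time points at the caller instead of crashing later in the batch loop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct rcu_head { struct rcu_head *next; void (*func)(struct rcu_head *); };
typedef void (*rcu_callback_t)(struct rcu_head *);

/* Old scheme (mirrors __is_kvfree_rcu_offset()): a func below 4096 meant
 * "kvfree_rcu(), rcu_head sits at this offset in the object", so the value
 * 0 was legal and a NULL func could not be rejected at enqueue time. */
#define OLD_IS_KVFREE_OFFSET(f) ((unsigned long)(f) < 4096)

static struct rcu_head *cblist;           /* pending callbacks, toy LIFO */
static const char *last_rejected_caller;  /* who tried to enqueue NULL */

/* New scheme: kvfree_rcu() goes through kvfree_rcu_cb(), so every func is
 * a real function; NULL is refused here and attributed to the caller
 * (stands in for the WARN + stack trace proposed in the thread). */
static bool call_rcu_checked(struct rcu_head *rhp, rcu_callback_t func,
                             const char *caller)
{
    if (!func) {
        last_rejected_caller = caller;
        return false;
    }
    rhp->func = func;
    rhp->next = cblist;
    cblist = rhp;
    return true;
}
#define call_rcu(rhp, func) call_rcu_checked((rhp), (func), __func__)

/* Toy rcu_do_batch(): run queued callbacks and return how many ran. Without
 * the enqueue check a NULL func is dereferenced here, far from its caller. */
static int rcu_do_batch(void)
{
    int n = 0;
    while (cblist) {
        struct rcu_head *rhp = cblist;
        rcu_callback_t f = rhp->func;
        cblist = rhp->next;
        rhp->func = NULL;   /* mirrors WRITE_ONCE(rhp->func, (rcu_callback_t)0L) */
        f(rhp);
        n++;
    }
    return n;
}

static int freed;
static void free_cb(struct rcu_head *rhp) { (void)rhp; freed++; }

/* Queue one valid callback and one with a NULL func; only the former runs. */
static int demo(void)
{
    static struct rcu_head good, bad;
    call_rcu(&good, free_cb);
    call_rcu(&bad, NULL);   /* rejected and attributed to "demo" */
    return rcu_do_batch();
}
```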