From: Jan Kara
To: Christoph Hellwig
Cc: syzbot, akpm@linux-foundation.org, jack@suse.com, jack@suse.cz, linkinjeon@gmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, willy@infradead.org
Subject: Re: [syzbot] [udf?] BUG: unable to handle kernel NULL pointer dereference in __writepage
Date: Mon, 23 Jan 2023 18:18:10 +0100
Message-ID: <20230123171810.mgzdqaeqjdjmvb3y@quack3>
In-Reply-To: <20230123073609.GA31134@lst.de>
References: <0000000000003198a505f0076823@google.com> <0000000000009cfc1705f2a07641@google.com> <20230123073609.GA31134@lst.de>

On Mon 23-01-23 08:36:09, Christoph Hellwig wrote:
> I looked into this and got really confused. We should never end
> up in generic_writepages if ->writepages is set, which this patch
> obviously does.
>
> Then I took a closer look at udf, and it seems to switch a_ops around
> at run time, and it seems like we're hitting just that case, and the
> patch just seems to narrow down that window.
>
> I suspect the right fix is to remove this runtime switching of aops,
> and just do conditionals inside the methods.
Interestingly for me it crashes like:

[ 338.085616] general protection fault, probably for non-canonical address 0x4000000000002068: 0000 [#1] PREEMPT SMP PTI
[ 338.086959] CPU: 4 PID: 31292 Comm: syz-repro11 Not tainted 6.1.0-xen+ #705
[ 338.087941] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a-rebuilt.opensuse.org 04/01/2014
[ 338.089470] RIP: 0010:bio_associate_blkg_from_css+0x31d/0x860
[ 338.092626] RSP: 0018:ffffc90003bb7958 EFLAGS: 00010202
[ 338.093274] RAX: 0000000000000001 RBX: 4000000000002030 RCX: 000000005d6692ad
[ 338.094149] RDX: 0000000092c5763f RSI: ffffffff81eb2e65 RDI: ffffffff81ec3d71
[ 338.095023] RBP: ffff888100c98cc0 R08: 0000000000000001 R09: 0000000000020022
[ 338.095953] R10: 0000000000000000 R11: ffff888108da2fe8 R12: ffffffff831db0e0
[ 338.096884] R13: ffff888100c98cc0 R14: ffffea0004692380 R15: ffffffff831da338
[ 338.097760] FS:  00007f9c59cc0700(0000) GS:ffff888fffd00000(0000) knlGS:0000000000000000
[ 338.098755] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 338.102194] Call Trace:
[ 338.102496]
[ 338.102757]  ? bio_associate_blkg_from_css+0x2d2/0x860
[ 338.103390]  bio_associate_blkg+0x68/0x130
[ 338.103955]  ? bio_associate_blkg+0x9/0x130
[ 338.104538]  bio_init+0x7f/0xd0
[ 338.104926]  bio_alloc_bioset+0x1f5/0x320
[ 338.106364]  __mpage_writepage+0x4dc/0x780
[ 338.110045]  write_cache_pages+0x113/0x470
[ 338.111635]  mpage_writepages+0x5b/0xb0
[ 338.112854]  do_writepages+0xd3/0x1a0
[ 338.113782]  filemap_fdatawrite_wbc+0x84/0xb0
[ 338.114793]  __filemap_fdatawrite_range+0x58/0x80
[ 338.115374]  udf_expand_file_adinicb+0xfa/0x420 [udf]
[ 338.116109]  udf_file_write_iter+0x1a9/0x1d0 [udf]

which is actually inside:

bio_associate_blkg_from_css+0x31d/0x860:
__ref_is_percpu at include/linux/percpu-refcount.h:174
(inlined by) percpu_ref_get_many at include/linux/percpu-refcount.h:204
(inlined by) percpu_ref_get at include/linux/percpu-refcount.h:222
(inlined by) blkg_get at block/blk-cgroup.h:322
(inlined by) bio_associate_blkg_from_css at block/blk-cgroup.c:1938

so bdev_get_queue(bio->bi_bdev)->root_blkg is bogus (0x4000000000002030).
Likely the request_queue is already dead. Not sure how this could be caused
by any problem in UDF. Anyway, I tend to agree with you that switching aops
is hairy and we should probably get rid of it in UDF. But this particular
crash seems to be related to something else...

								Honza
-- 
Jan Kara
SUSE Labs, CR
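The GPF line in the report says "probably for non-canonical address", and the reply reads the bogus pointer off RBX. The following is an added example, not part of the thread and not kernel code, that makes both steps mechanical: it checks x86-64 canonical form for an address and searches the saved registers from the oops above for the base pointer the faulting address was derived from. The register values are copied from the report; the assumptions are that the kernel runs with 48-bit virtual addresses (4-level paging, no LA57) and that the fault is a "base register + small field offset" load. The result, RBX + 0x38, is consistent with reading a field of the `root_blkg` that the reply calls bogus; which field sits at 0x38 in `struct blkcg_gq` for that build is for the reader to check against the kernel's struct layout (for example with pahole), not something this code asserts.

```c
/* Added example (not from the mail thread): classify the faulting address
 * of an x86-64 oops and find which saved register it was derived from.
 * The register values are the ones printed in the report above; the
 * "base register + field offset" reading of the fault is our assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 canonical form: bits [va_bits-1 .. 63] must all be 0 or all be 1.
 * va_bits is 48 with 4-level paging and 57 with LA57 (5-level paging). */
static int is_canonical(uint64_t addr, unsigned va_bits)
{
    unsigned nbits = 64 - va_bits + 1;          /* number of sign bits */
    uint64_t high = addr >> (va_bits - 1);
    uint64_t all_ones = (1ULL << nbits) - 1;
    return high == 0 || high == all_ones;
}

struct reg { const char *name; uint64_t val; };

/* Saved general-purpose registers exactly as printed in the oops. */
static const struct reg oops_regs[] = {
    { "RAX", 0x0000000000000001ULL }, { "RBX", 0x4000000000002030ULL },
    { "RCX", 0x000000005d6692adULL }, { "RDX", 0x0000000092c5763fULL },
    { "RSI", 0xffffffff81eb2e65ULL }, { "RDI", 0xffffffff81ec3d71ULL },
    { "RBP", 0xffff888100c98cc0ULL }, { "R08", 0x0000000000000001ULL },
    { "R09", 0x0000000000020022ULL }, { "R10", 0x0000000000000000ULL },
    { "R11", 0xffff888108da2fe8ULL }, { "R12", 0xffffffff831db0e0ULL },
    { "R13", 0xffff888100c98cc0ULL }, { "R14", 0xffffea0004692380ULL },
    { "R15", 0xffffffff831da338ULL },
};
#define NREGS (sizeof(oops_regs) / sizeof(oops_regs[0]))

/* Find the register closest at or below fault_addr within max_off bytes,
 * i.e. the likely base pointer of a "base + field offset" access.
 * Returns the index into regs, or -1 if no register qualifies; *off
 * receives fault_addr - regs[i].val for the chosen register. */
static int base_register(uint64_t fault_addr, const struct reg *regs,
                         size_t n, uint64_t max_off, uint64_t *off)
{
    int best = -1;
    uint64_t best_off = max_off + 1;

    for (size_t i = 0; i < n; i++) {
        if (regs[i].val > fault_addr)
            continue;                       /* register is above the fault */
        uint64_t d = fault_addr - regs[i].val;
        if (d <= max_off && d < best_off) {
            best = (int)i;
            best_off = d;
        }
    }
    if (best >= 0 && off)
        *off = best_off;
    return best;
}

int main(void)
{
    const uint64_t fault = 0x4000000000002068ULL;   /* from the GPF line */
    uint64_t off = 0;
    int i;

    printf("%#llx canonical (48-bit VA): %s\n", (unsigned long long)fault,
           is_canonical(fault, 48) ? "yes" : "no");
    i = base_register(fault, oops_regs, NREGS, 4096, &off);
    if (i >= 0)
        printf("fault address = %s + %#llx\n", oops_regs[i].name,
               (unsigned long long)off);
    else
        printf("no saved register within 4 KiB below the fault address\n");
    return 0;
}
```

The 4096-byte window is deliberately small: a field read through a struct pointer lands within a page of the base, while an indexed array access or a pointer that was itself loaded from the bogus object would not, and should not be attributed to a register by accident. The same check with va_bits 57 still reports the address as non-canonical, so the conclusion does not depend on the LA57 assumption.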