From: Kairui Song
Date: Wed, 19 Feb 2025 01:47:15 +0800
Subject: Re: [syzbot] [mm?] [bcachefs?] WARNING in lock_list_lru_of_memcg
To: Alan Huang
Cc: Andrew Morton, kent.overstreet@linux.dev, syzbot, linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com

On Tue, Feb 18, 2025 at 8:17 PM Alan Huang wrote:
>
> On Feb 18, 2025, at 19:40, Kairui Song wrote:
> >
> > On Tue, Feb 18, 2025 at 2:09 AM Alan Huang wrote:
> >>
> >> On Feb 18, 2025, at 01:12, Kairui Song wrote:
> >>>
> >>> On Mon, Feb 17, 2025 at 12:13 AM Kairui Song wrote:
> >>>>
> >>>> On Sat, Feb 15, 2025 at 7:24 AM Andrew Morton wrote:
> >>>>>
> >>>>> On Fri, 14 Feb 2025 10:11:19 -0800 syzbot wrote:
> >>>>>
> >>>>>> syzbot has found a reproducer for the following issue on:
> >>>>>
> >>>>> Thanks. I doubt if bcachefs is implicated in this?
> >>>>>
> >>>>>> HEAD commit: 128c8f96eb86 Merge tag 'drm-fixes-2025-02-14' of https://g..
> >>>>>> git tree: upstream
> >>>>>> console output: https://syzkaller.appspot.com/x/log.txt?x=148019a4580000
> >>>>>> kernel config: https://syzkaller.appspot.com/x/.config?x=c776e555cfbdb82d
> >>>>>> dashboard link: https://syzkaller.appspot.com/bug?extid=38a0cbd267eff2d286ff
> >>>>>> compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
> >>>>>> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=12328bf8580000
> >>>>>>
> >>>>>> Downloadable assets:
> >>>>>> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7feb34a89c2a/non_bootable_disk-128c8f96.raw.xz
> >>>>>> vmlinux: https://storage.googleapis.com/syzbot-assets/a97f78ac821e/vmlinux-128c8f96.xz
> >>>>>> kernel image: https://storage.googleapis.com/syzbot-assets/f451cf16fc9f/bzImage-128c8f96.xz
> >>>>>> mounted in repro: https://storage.googleapis.com/syzbot-assets/a7da783f97cf/mount_3.gz
> >>>>>>
> >>>>>> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> >>>>>> Reported-by: syzbot+38a0cbd267eff2d286ff@syzkaller.appspotmail.com
> >>>>>>
> >>>>>> ------------[ cut here ]------------
> >>>>>> WARNING: CPU: 0 PID: 5459 at mm/list_lru.c:96 lock_list_lru_of_memcg+0x39e/0x4d0 mm/list_lru.c:96
> >>>>>
> >>>>> VM_WARN_ON(!css_is_dying(&memcg->css));
> >>>>
> >>>> I'm checking this. The last time this was triggered, it was caused by
> >>>> a list_lru user that did not initialize the memcg list_lru properly before
> >>>> list_lru reclaim started, and was fixed by:
> >>>> https://lore.kernel.org/all/20241222122936.67501-1-ryncsn@gmail.com/T/
> >>>>
> >>>> This shouldn't be a big issue, maybe there are leaks that will be
> >>>> fixed upon reparenting, and this newly added sanity check might be too
> >>>> lenient, I'm not 100% sure though.
> >>>>
> >>>> Unfortunately I couldn't reproduce the issue locally with the
> >>>> reproducer yet. I will keep the test running and see if it can hit this
> >>>> WARN_ON.
> >>>
> >>> So far I am still unable to trigger this VM_WARN_ON using the
> >>> reproducer, and I'm seeing many other random crashes.
> >>>
> >>> But after I changed the .config a bit, adding more debug configs
> >>> (SLAB_FREELIST_HARDENED, DEBUG_PAGEALLOC), the following crash showed up
> >>> and is triggered immediately after I start the test:
> >>>
> >>> [ T1242] BUG: unable to handle page fault for address: ffff888054c60000
> >>> [ T1242] #PF: supervisor read access in kernel mode
> >>> [ T1242] #PF: error_code(0x0000) - not-present page
> >>> [ T1242] PGD 19e01067 P4D 19e01067 PUD 19e04067 PMD 7fc5c067 PTE 800fffffab39f060
> >>> [ T1242] Oops: Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC KASAN PTI
> >>> [ T1242] CPU: 1 UID: 0 PID: 1242 Comm: kworker/1:1H Not tainted 6.14.0-rc2-00185-g128c8f96eb86 #2
> >>> [ T1242] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-4.module+el8.8.0+664+0a3d6c83 04/01/2014
> >>> [ T1242] Workqueue: bcachefs_btree_read_complete btree_node_read_work
> >>> [ T1242] RIP: 0010:validate_bset_keys+0xae3/0x14f0
> >>> [ T6058] bcachefs (loop2): empty btree root xattrs
> >>> [ T1242] Code: 49 39 df 0f 87 fc 09 00 00 e8 79 54 a8 fd 41 0f b7 c6 48 8b 4c 24 68 48 8d 04 c1 4c 29 f8 48 c1 e8 03 89 c1 48 89 de 4c 89 ff 48 a5 48 8b bc 24 c8 00 00 08
> >>> [ T1242] RSP: 0018:ffffc900070a72c0 EFLAGS: 00010206
> >>> [ T1242] RAX: 000000000000ec0f RBX: ffff888054c20110 RCX: 0000000000006c31
> >>> [ T1242] RDX: 0000000000000000 RSI: ffff888054c60000 RDI: ffff888054c5ff90
> >>> [ T1242] RBP: ffffc900070a7570 R08: ffff888065e001af R09: 1ffff1100cbc0035
> >>> [ T1242] R10: dffffc0000000000 R11: ffffed100cbc0036 R12: ffff888054c2009e
> >>> [ T1242] R13: dffffc0000000000 R14: 000000000000ec0f R15: ffff888054c200a0
> >>> [ T1242] FS: 0000000000000000(0000) GS:ffff88807ea00000(0000) knlGS:0000000000000000
> >>> [ T1242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>> [ T1242] CR2: ffff888054c60000 CR3: 000000006cea6000 CR4: 00000000000006f0
> >>> [ T1242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >>> [ T1242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >>> [ T1242] Call Trace:
> >>> [ T1242]
> >>> [ T1242] bch2_btree_node_read_done+0x1d20/0x53a0
> >>> [ T1242] btree_node_read_work+0x54d/0xdc0
> >>> [ T1242] process_scheduled_works+0xaf8/0x17f0
> >>> [ T1242] worker_thread+0x89d/0xd60
> >>> [ T1242] kthread+0x722/0x890
> >>> [ T1242] ret_from_fork+0x4e/0x80
> >>> [ T1242] ret_from_fork_asm+0x1a/0x30
> >>> [ T1242]
> >>> [ T1242] Modules linked in:
> >>> [ T1242] ---[ end trace 0000000000000000 ]---
> >>> [ T1242] RIP: 0010:validate_bset_keys+0xae3/0x14f0
> >>> [ T1242] Code: 49 39 df 0f 87 fc 09 00 00 e8 79 54 a8 fd 41 0f b7 c6 48 8b 4c 24 68 48 8d 04 c1 4c 29 f8 48 c1 e8 03 89 c1 48 89 de 4c 89 ff 48 a5 48 8b bc 24 c8 00 00 08
> >>> [ T1242] RSP: 0018:ffffc900070a72c0 EFLAGS: 00010206
> >>> [ T1242] RAX: 000000000000ec0f RBX: ffff888054c20110 RCX: 0000000000006c31
> >>> [ T1242] RDX: 0000000000000000 RSI: ffff888054c60000 RDI: ffff888054c5ff90
> >>> [ T1242] RBP: ffffc900070a7570 R08: ffff888065e001af R09: 1ffff1100cbc0035
> >>> [ T1242] R10: dffffc0000000000 R11: ffffed100cbc0036 R12: ffff888054c2009e
> >>> [ T1242] R13: dffffc0000000000 R14: 000000000000ec0f R15: ffff888054c200a0
> >>> [ T1242] FS: 0000000000000000(0000) GS:ffff88807ea00000(0000) knlGS:0000000000000000
> >>> [ T1242] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> >>> [ T1242] CR2: ffff888054c60000 CR3: 000000006cea6000 CR4: 00000000000006f0
> >>> [ T1242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> >>> [ T1242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> >>> [ T1242] Kernel panic - not syncing: Fatal exception
> >>> [ T1242] Kernel Offset: disabled
> >>> [ T1242] Rebooting in 86400 seconds..
> >>>
> >>> It's caused by the memmove_u64s_down in validate_bset_keys of
> >>> fs/bcachefs/btree_io.c:
> >>> -> memmove_u64s_down(k, bkey_p_next(k), (u64 *) vstruct_end(i) - (u64 *) k);
> >>
> >>
> >> Might need this.
> >>
> >> diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c
> >> index e71b278672b6..fb53174cb735 100644
> >> --- a/fs/bcachefs/btree_io.c
> >> +++ b/fs/bcachefs/btree_io.c
> >> @@ -997,7 +997,7 @@ static int validate_bset_keys(struct bch_fs *c, struct btree *b,
> >>                 }
> >>  got_good_key:
> >>                 le16_add_cpu(&i->u64s, -next_good_key);
> >> -               memmove_u64s_down(k, bkey_p_next(k), (u64 *) vstruct_end(i) - (u64 *) k);
> >> +               memmove_u64s_down(k, bkey_p_next(k), (u64 *) vstruct_end(i) - (u64 *) bkey_p_next(k));
> >>                 set_btree_node_need_rewrite(b);
> >>         }
> >>  fsck_err:
> >>
> >
> > Thanks, but this didn't fix everything. I think the problem is more
> > complex, syzbot seems to be trying to mount damaged bcachefs (on
> > purpose I think), so the vstruct_end(i) is already returning an offset
> > that is out of border.
>
> Could you try this (I need to go out now):
>
> diff --git a/fs/bcachefs/btree_io.c b/fs/bcachefs/btree_io.c
> index e71b278672b6..80a0094be356 100644
> --- a/fs/bcachefs/btree_io.c
> +++ b/fs/bcachefs/btree_io.c
> @@ -997,7 +997,7 @@ static int validate_bset_keys(struct bch_fs *c, struct btree *b,
>                 }
>  got_good_key:
>                 le16_add_cpu(&i->u64s, -next_good_key);
> -               memmove_u64s_down(k, bkey_p_next(k), (u64 *) vstruct_end(i) - (u64 *) k);
> +               memmove_u64s_down(k, (u64 *) k + next_good_key, (u64 *) vstruct_end(i) - (u64 *) k);
>                 set_btree_node_need_rewrite(b);
>         }
>  fsck_err:
>
> >
> > I retriggered it and printed some more debug info: i->_data is
> > ffff88806d5c00a0, i->u64s is 60928, and the faulting address is
> > ffff88806d600000.
>

Hi Alan

This didn't help either. If I'm not very wrong about this, the problem
is that the content of the `struct bset` is corrupted (not exactly sure
how this happens, but it should be related to the damaged bcachefs image
from syzbot), so calculations based on that won't be helpful.

If I add a print before the memmove_u64s_down, like this:

/* debug prints only; the casts keep the format specifiers and arguments matched */
pr_err("DEBUG: k: 0x%lx - 0x%lx, len %ld", (unsigned long)k, (unsigned long)bkey_p_next(k), (long)(bkey_p_next(k) - k));
pr_err("DEBUG: i: 0x%lx - 0x%lx, len %ld", (unsigned long)i->start, (unsigned long)vstruct_end(i), (long)le16_to_cpu(i->u64s));
pr_err("DEBUG: next_good_key * 8: %ld, k + next_good_key: 0x%lx", (long)(next_good_key * sizeof(u64)), (unsigned long)((u64 *) k + next_good_key));
le16_add_cpu(&i->u64s, -next_good_key);
pr_err("DEBUG: copying 0x%lx from 0x%lx, len %ld", (unsigned long)k, (unsigned long)((u64 *) k + next_good_key), (long)((u64 *) vstruct_end(i) - (u64 *) k));
memmove_u64s_down(k, (u64 *) k + next_good_key, (u64 *) vstruct_end(i) - (u64 *) k);

Then I got:

[ 57.100623][ T1222] bcachefs: validate_bset_keys() DEBUG: k: 0xffff88806f2200a0 - 0xffff88806f220110, len 2
[ 57.101323][ T1222] bcachefs: validate_bset_keys() DEBUG: i: 0xffff88806f2200a0 - 0xffff88806f2970a0, len 60928
[ 57.101990][ T1222] bcachefs: validate_bset_keys() DEBUG: next_good_key * 8: 3976, k + next_good_key: 0xffff88806f221028
[ 57.102712][ T1222] bcachefs: validate_bset_keys() DEBUG: copying 0xffff88806f2200a0 from 0xffff88806f221028, len 60431
[ 57.103437][ T1222] BUG: unable to handle page fault for address: ffff88806f260000

`struct bset i` spans an invalid area.
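Review bot: in Alan's first hunk (the one that changes the length to `(u64 *) vstruct_end(i) - (u64 *) bkey_p_next(k)`), the length is short by k->u64s words: the `le16_add_cpu(&i->u64s, -next_good_key);` context line directly above has already shrunk vstruct_end(i) by next_good_key, so subtracting bkey_p_next(k) instead of k drops the last key(s) of the bset from the move and leaves them stale. The hunk also keeps bkey_p_next(k) as the source, which is only correct when next_good_key equals k->u64s. Neither value is checked against the node the bset lives in, which is the failure the rest of the thread shows.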
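Review bot: Kairui's hunk (source `(u64 *) k + next_good_key`, length `(u64 *) vstruct_end(i) - (u64 *) k` after the u64s shrink) makes the move arithmetic self-consistent, but both ends are still derived from i->u64s, and the debug output in the same message shows that field reading 60928 with a copy length of 60431 u64s ending in a page fault at ffff88806f260000. Before this loop runs, i->u64s needs to be validated against the size of the node buffer the bset was read into, and the bset rejected rather than repaired in place when vstruct_end(i) falls outside it.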
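As an added illustration (not code from this thread or from bcachefs), here is a user-space model of the key-dropping memmove in validate_bset_keys with the check the debug output above points at: the bset's extent comes from the on-disk u64s field, so it must be validated against the node buffer before any pointer arithmetic or memmove uses it. The struct layout, the 256 KiB node size and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a bcachefs-style bset: an on-disk u64s count followed by that many u64 words. */
struct bset {
    uint16_t u64s;   /* number of u64 words that follow; comes straight from disk */
    uint64_t data[];
};

/* Does the bset, as sized by its on-disk u64s field, lie entirely inside the node buffer? */
bool bset_in_bounds(const uint8_t *node, size_t node_bytes, const struct bset *i)
{
    uintptr_t lo = (uintptr_t)node, hi = lo + node_bytes, start = (uintptr_t)i;
    if (start < lo || start > hi - sizeof(*i))
        return false;
    /* done in integer space, so a huge u64s cannot become a wild pointer */
    return start + sizeof(*i) + (size_t)i->u64s * sizeof(uint64_t) <= hi;
}

/* Same arithmetic as the thread's second patch (shrink u64s, move the words after
 * next_good_key down onto k), but only after the bounds check; -1 means untouched. */
int drop_bad_keys(uint8_t *node, size_t node_bytes, struct bset *i,
                  size_t k_idx, uint16_t next_good_key)
{
    uint64_t *k = i->data + k_idx;
    if (!bset_in_bounds(node, node_bytes, i) || k_idx + next_good_key > i->u64s)
        return -1;
    i->u64s -= next_good_key;
    memmove(k, k + next_good_key, (size_t)(i->data + i->u64s - k) * sizeof(uint64_t));
    return 0;
}

/* Constructed scenario: assumed 256 KiB node, bset placed so its key data starts at
 * byte 0xa0, the same offset as in the thread's debug output. */
#define NODE_BYTES (256 * 1024)
static uint64_t node_words[NODE_BYTES / sizeof(uint64_t)];
static struct bset *demo_bset(void) { return (struct bset *)((uint8_t *)node_words + 0x98); }

int try_drop(uint16_t u64s, size_t k_idx, uint16_t next_good_key)
{
    struct bset *i = demo_bset();
    memset(node_words, 0, sizeof node_words);
    i->u64s = u64s;
    for (size_t n = 0; n < u64s && n < 4096; n++)
        i->data[n] = n + 1;   /* recognisable key words, only as many as fit safely */
    return drop_bad_keys((uint8_t *)node_words, NODE_BYTES, i, k_idx, next_good_key);
}
uint16_t u64s_after(void)       { return demo_bset()->u64s; }
uint64_t word_after(size_t idx) { return demo_bset()->data[idx]; }
```

With the thread's values (u64s 60928, next_good_key 497) the bset ends 0x770a0 bytes past its start, far beyond the assumed node, so the move is refused instead of reading off the end of the allocation.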