From: Uladzislau Rezki
Date: Tue, 10 Jun 2025 14:33:19 +0200
To: Vlastimil Babka
Cc: Uladzislau Rezki, Kent Overstreet, "Paul E. McKenney", syzbot, akpm@linux-foundation.org, josh@joshtriplett.org, linux-bcachefs@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, rcu@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [rcu?] [bcachefs?] BUG: unable to handle kernel NULL pointer dereference in rcu_core (3)
Message-ID:
References: <67a2b20a.050a0220.50516.0003.GAE@google.com> <9694d40a-072e-47c2-a950-3b258bbe04f5@paulmck-laptop> <13d5ecd9-3e9f-4593-b300-9141941a29cb@suse.cz>
In-Reply-To: <13d5ecd9-3e9f-4593-b300-9141941a29cb@suse.cz>

On Mon, Jun 09, 2025 at 08:28:56PM +0200, Vlastimil Babka wrote:
> On 6/8/25 20:23, Uladzislau Rezki wrote:
> > On Sun, Jun 08, 2025 at 11:26:28AM -0400, Kent Overstreet wrote:
> >>
> >> I don't think it's that - syzbot's .config already has that enabled.
> >> KASAN, too.
> >>
> >> And the only place we do call_rcu() is from rcu_pending.c, where we've
> >> got a rearming rcu callback - but we track whether it's outstanding, and
> >> we do all relevant operations with a lock held.
> >>
> >> And we only use rcu_pending.c with SRCU, not regular RCU.
> >>
> >> We do use kfree_rcu() in a few places (all boring, I expect), but that
> >> doesn't (generally?) use the rcu callback list.
> >>
> > Right, kvfree_rcu() does not intersect with regular callbacks, it has
> > its own path.
>
> You mean due to the batching? Maybe the batching should be disabled with
> CONFIG_DEBUG_OBJECTS_RCU_HEAD=y if it prevents it from detecting issues?
> Otherwise we now have kvfree_rcu_cb() so the special handling of
> kvfree_rcu() is gone in the non-batching case.
>
Not really. I meant that in the call_rcu() API there is no check whether the
passed callback, which is executed after a GP, is NULL. If it is, we get the
bug about dereferencing a NULL pointer. Since it is invoked from the rcu_core()
context, we can not identify the caller in order to blame someone :)

As for batching, we have support for CONFIG_DEBUG_OBJECTS_RCU_HEAD. It helps
to identify double-freeing and probably leaking.

> > It looks like the problem is here:
> >
> >
> > f = rhp->func;
> > debug_rcu_head_callback(rhp);
> > WRITE_ONCE(rhp->func, (rcu_callback_t)0L);
> > f(rhp);
> >
> >
> > we do not check if the callback, "f", is NULL. If it is, the kernel bug
> > is triggered right away. For example:
> >
> > call_rcu(&rh, NULL);
> >
> > @Paul, do you think it makes sense to narrow callers which apparently
> > pass NULL as a callback? To me it seems the case of this bug. But we
> > do not know the source.
> >
> > It would give at least a stack-trace of the caller which passes a NULL.
>
> Right, AFAIU this kind of check is now possible, previously NULL was being
> interpreted as a valid __is_kvfree_rcu_offset() (i.e. rcu_head at offset 0).
>
> > --
> > Uladzislau Rezki
> >
>
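A user-space model of the path discussed in this thread, added here as an illustration and not code from the thread or from the kernel: it keeps the read/clear/call order of the quoted rcu_do_batch() lines and moves the NULL check to enqueue time, where the caller is still known. The struct, the list, call_rcu_checked() and the 4096 threshold (modelled on __is_kvfree_rcu_offset()) are assumptions of this model, not kernel definitions.

```c
#include <stdio.h>
/* Minimal user-space model of an RCU callback list; not kernel code. */
struct rcu_head {
	struct rcu_head *next;
	void (*func)(struct rcu_head *);
};

static struct rcu_head *cblist;   /* pending callbacks (LIFO, for brevity) */
/* Old kvfree_rcu() convention: a small "func" value is the rcu_head's byte
 * offset inside the object (threshold modelled on __is_kvfree_rcu_offset()).
 * NULL (0) passes this test, which is why it could not be rejected before. */
static int looks_like_kvfree_offset(unsigned long func)
{
	return func < 4096;
}

/* Enqueue-time check: reject NULL here, where the caller is still known,
 * instead of faulting later inside the batch. Returns 0 on success. */
__attribute__((noinline))
static int call_rcu_checked(struct rcu_head *rhp, void (*func)(struct rcu_head *))
{
	if (!func) {   /* the kernel would WARN here and print the caller's stack */
		fprintf(stderr, "call_rcu: NULL callback from %p\n",
			__builtin_return_address(0));
		return -1;
	}
	rhp->func = func;
	rhp->next = cblist;
	cblist = rhp;
	return 0;
}

/* Same read / clear / call sequence as the rcu_do_batch() lines quoted above.
 * A NULL f faults on f(rhp), in rcu_core() context, with no trace of who
 * enqueued it. Returns the number of callbacks run. */
static int rcu_do_batch_model(void)
{
	int n = 0;
	while (cblist) {
		struct rcu_head *rhp = cblist;
		void (*f)(struct rcu_head *) = rhp->func;
		cblist = rhp->next;
		rhp->func = NULL;   /* WRITE_ONCE(rhp->func, (rcu_callback_t)0L) */
		f(rhp);
		n++;
	}
	return n;
}

static void noop_cb(struct rcu_head *rhp) { (void)rhp; }
```

With the check at enqueue time the NULL caller is reported by return address instead of surfacing as a fault in the batch; a valid callback still runs exactly once.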