Syzbot reported a general protection fault in the function
blk_mq_clear_rq_mapping() in the file block/blk-mq.c.
The issue is that the variable drv_tags is NULL, and this
originates from the struct blk_mq_tag_set. The dashboard link for this
issue is:
syzkaller.appspot.com/bug?id=c3ce4caa4fc58c156d4903984131cdfa38eee354
This patch fixes the above bug, but there is another syzbot bug which is
related to this and getting triggered after the call to
blk_mq_clear_rq_mapping(). As a result, I cannot determine if the issue
is really solved. The link to the other issue:
syzkaller.appspot.com/bug?id=7643cea70f1d0ce15f5f4bc39488918837ad4233
Please provide feedback/suggestions on the same.
Signed-off-by: Gautam Menghani <[email protected]>
---
block/blk-mq.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/block/blk-mq.c b/block/blk-mq.c
index 93d9d60980fb..c1dd1b78b95c 100644
--- a/block/blk-mq.c
+++ b/block/blk-mq.c
@@ -3092,7 +3092,8 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
}
}
- blk_mq_clear_rq_mapping(drv_tags, tags);
+ if (drv_tags)
+ blk_mq_clear_rq_mapping(drv_tags, tags);
while (!list_empty(&tags->page_list)) {
page = list_first_entry(&tags->page_list, struct page, lru);
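Review bot: the added `if (drv_tags)` guard skips blk_mq_clear_rq_mapping() without establishing why drv_tags, which the commit message says comes from struct blk_mq_tag_set, can be NULL at this point in blk_mq_free_rqs(), and the message itself states the fix cannot be confirmed. If a NULL entry is a legitimate state here (tags for this hctx never allocated, or already torn down), say so in a comment above the check and in the commit message; if it is not, the NULL is the symptom of an ordering or race problem in the caller and silently skipping the call hides it while the loop over tags->page_list that follows still runs, so the rq mapping for those pages is never cleared. Until the root cause is understood, a `WARN_ON_ONCE(!drv_tags)` alongside the guard would keep the report visible instead of masking it.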
--
2.34.1
On 7/17/22 03:22, Gautam Menghani wrote:
> Syzbot reported a general protection fault in the function
> blk_mq_clear_rq_mapping() in the file block/blk-mq.c.
> The issue is that the variable drv_tags is NULL, and this
> originates from the struct blk_mq_tag_set. The dashboard link for this
> issue is:
> syzkaller.appspot.com/bug?id=c3ce4caa4fc58c156d4903984131cdfa38eee354
>
> This patch fixes the above bug, but there is another syzbot bug which is
> related to this and getting triggered after the call to
> blk_mq_clear_rq_mapping(). As a result, I cannot determine if the issue
> is really solved. The link to the other issue:
> syzkaller.appspot.com/bug?id=7643cea70f1d0ce15f5f4bc39488918837ad4233
>
> Please provide feedback/suggestions on the same.
>
> Signed-off-by: Gautam Menghani <[email protected]>
> ---
> block/blk-mq.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/block/blk-mq.c b/block/blk-mq.c
> index 93d9d60980fb..c1dd1b78b95c 100644
> --- a/block/blk-mq.c
> +++ b/block/blk-mq.c
> @@ -3092,7 +3092,8 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> }
> }
>
> - blk_mq_clear_rq_mapping(drv_tags, tags);
> + if (drv_tags)
> + blk_mq_clear_rq_mapping(drv_tags, tags);
>
> while (!list_empty(&tags->page_list)) {
> page = list_first_entry(&tags->page_list, struct page, lru);
I don't see how drv_tags could be NULL without triggering a race
condition. Please take a look at the nbd driver to see whether the root
cause is perhaps in that driver instead of in the block layer core.
Thanks,
Bart.
On Sun, Jul 17, 2022 at 07:49:12AM -0700, Bart Van Assche wrote:
> On 7/17/22 03:22, Gautam Menghani wrote:
> > Syzbot reported a general protection fault in the function
> > blk_mq_clear_rq_mapping() in the file block/blk-mq.c.
> > The issue is that the variable drv_tags is NULL, and this
> > originates from the struct blk_mq_tag_set. The dashboard link for this
> > issue is:
> > syzkaller.appspot.com/bug?id=c3ce4caa4fc58c156d4903984131cdfa38eee354
> >
> > This patch fixes the above bug, but there is another syzbot bug which is
> > related to this and getting triggered after the call to
> > blk_mq_clear_rq_mapping(). As a result, I cannot determine if the issue
> > is really solved. The link to the other issue:
> > syzkaller.appspot.com/bug?id=7643cea70f1d0ce15f5f4bc39488918837ad4233
> >
> > Please provide feedback/suggestions on the same.
> >
> > Signed-off-by: Gautam Menghani <[email protected]>
> > ---
> > block/blk-mq.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/block/blk-mq.c b/block/blk-mq.c
> > index 93d9d60980fb..c1dd1b78b95c 100644
> > --- a/block/blk-mq.c
> > +++ b/block/blk-mq.c
> > @@ -3092,7 +3092,8 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags,
> > }
> > }
> > - blk_mq_clear_rq_mapping(drv_tags, tags);
> > + if (drv_tags)
> > + blk_mq_clear_rq_mapping(drv_tags, tags);
> > while (!list_empty(&tags->page_list)) {
> > page = list_first_entry(&tags->page_list, struct page, lru);
>
> I don't see how drv_tags could be NULL without triggering a race condition.
> Please take a look at the nbd driver to see whether the root cause is
> perhaps in that driver instead of in the block layer core.
Yes, this might very well be the case. Thank you for the feedback.
>
> Thanks,
>
> Bart.
Thanks,
Gautam