Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp1093607imm;
        Fri, 8 Jun 2018 09:54:43 -0700 (PDT)
X-Google-Smtp-Source: ADUXVKKkips+7/BMpRBROI1iJDsYpfot7lcHKhjzh1mvt9q7QCjg8IrwnG6467PCFrEHbpYsc22s
X-Received: by 2002:a65:504d:: with SMTP id k13-v6mr5872926pgo.38.1528476883749;
        Fri, 08 Jun 2018 09:54:43 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1528476883; cv=none;
        d=google.com; s=arc-20160816;
        b=J++45Ma471hpgkEnUzCrQ2MadC2Hk7Yfv+4QBk9ZgiRHu8ZTXziVq6l5P60yy8yvHb
         yZKuRwecGp3DfIhjL7Maq0CO6dSSRWuHowDTlxYo4yJ0Nz6nL/v/WVvE3iRB9U8kienL
         +qJ96jTQG4DuZgNzTauaGi6Re3vrFVflrGwyqRY4h7g4f99r/INeqM+4MB7iTySDDyZr
         sGiEcT/Ppqw9Abok98YG3Yoi8Bvn7B5pkm6Lyb06A/q2MvOf+TTB9DxOB0mmKYh+hXbu
         w0bkjg2+2tK7lF2unPQ+/PnsEhXQayav064c8Hlway2GTahD8KsvMIRdji+URzBXZqBj
         opDg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature
         :arc-authentication-results;
        bh=blZ+U1B8o54hRbPDbq8BTxqJ9y6gWINQElWz38jY2QU=;
        b=fAiD9k/7X6Pir47pFA7M2LvdhkfLbmUhs4ex3OjT904fmySnLVTuRzX7YA0ly/c3vR
         lzCCZZLMJdSBDqk+HudNGn1qds0wkc6Y/0dGl3ydRM+P8z1UL+HziWzzebC8d66BblxC
         Y8rISzuvX6t8y7Oeza514Zb6++xhI4ZHtyCDflz4os8khajfPgmWka5+TOTseJiZU9Ta
         XdKpsARSZZ7ffmIPzB8Xi1pWJYJbKoJjx1uZLZHwS1VQPz1Fz6uljq1ce23OyLVIrFR8
         DQKGnkrQRLr6hL91BCwaeD/xip0F/q5Uw/UkrTNrRYIXXwES8QIZavftuY6+sGT4Mfsu
         1Y7w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ItF0NdQO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p7-v6si23322539pgf.58.2018.06.08.09.54.29;
        Fri, 08 Jun 2018 09:54:43 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@google.com header.s=20161025 header.b=ItF0NdQO;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1752775AbeFHQyC (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Fri, 8 Jun 2018 12:54:02 -0400
Received: from mail-pl0-f68.google.com ([209.85.160.68]:35674 "EHLO
        mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752428AbeFHQx7 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 8 Jun 2018 12:53:59 -0400
Received: by mail-pl0-f68.google.com with SMTP id k1-v6so226965plt.2
        for <linux-kernel@vger.kernel.org>; Fri, 08 Jun 2018 09:53:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20161025;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=blZ+U1B8o54hRbPDbq8BTxqJ9y6gWINQElWz38jY2QU=;
        b=ItF0NdQOseQGADZXh13s8RM4nKjYqaRES/+ReCCFE7px4F+5++tn29lqkQZC5zH7Qe
         Eg/5n6q2vwWuwav+cy2iTqPpVamdVWQ7oOwYaJpkWYIgQg8kzy1dtD1zym7tgq6N31kV
         bxdUS/uTx1JmycXIhvFYgMyr5nMI8rA0Bl+doiyVPmzlvJL11nuI7fmfmbQ18pzJaakU
         4oTICxRvikEpSvjB55YyMUL+e6o9vWWBLbUdNAFj2Je8zRnT4EufBWhQHd5AdHADCPqU
         VNyjl2EHvOO+pofDPRno6SZoWPLmrh0nwueIHuGEzb1WAWKrkSxTeTcRBCcZsR5DGsdl
         9NFw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=blZ+U1B8o54hRbPDbq8BTxqJ9y6gWINQElWz38jY2QU=;
        b=WTJprco8eEbs2x/ZLx1oiVxvgUKn1Ft3ErAgetX3gKq7so+ykzfzQHUq7x8tvSouHl
         wZ32FcT9x796SNN/54tepjO0Xm62mne6O3CjJC50vP7Y7G7exbv54h7netQ5MZbS++wO
         lfGLwX7PQwdKbqJrnwTZwiHXs3DDVDBDiytdVNJHHHSKyUKOhcPgOxfG9iKm2aHdjBuS
         SGtbOcKmFRCyCUgTiH0OVeFwXjMbx+gM9Ya7c5wFJbDfXiXbPiLvg5ym5jseveTgVnJF
         fYHaN2NIa5rXmb+DQvmhziT5H9BbqGVpbgBQq4jR3AInWVysbUenAZ9y0KHJba2F6UAH
         LmLA==
X-Gm-Message-State: APt69E0cXPDx7/wQpya2mtCEFP4Xgz3op1F4+I0icj5NSaqhqFjTPFd/
        FvHhhoxdQH7oACxedz72y0LZltBw1+5pU5+uAJNfAQ==
X-Received: by 2002:a17:902:bb81:: with SMTP id m1-v6mr7430483pls.117.1528476839086;
 Fri, 08 Jun 2018 09:53:59 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a17:90a:d42:0:0:0:0 with HTTP; Fri, 8 Jun 2018 09:53:38
 -0700 (PDT)
In-Reply-To: <CACT4Y+bBfwpcP2h0URpqwiNMQ5SFJdPDHThUu2xetmrxgC+3BQ@mail.gmail.com>
References: <95865cab-e12f-d45b-b6e3-465b624862ba@i-love.sakura.ne.jp>
 <CACT4Y+byRRtCA9B9bPG9mjrf3UY3OsGeBsoh8dZ0T+V6tKpTHg@mail.gmail.com>
 <201806080231.w582VIRn021009@www262.sakura.ne.jp> <CACT4Y+Y7Mj1JngLst1aRHDhURXQMn-eTjyPFjDdGAT0ZV-dHrw@mail.gmail.com>
 <CACT4Y+bBfwpcP2h0URpqwiNMQ5SFJdPDHThUu2xetmrxgC+3BQ@mail.gmail.com>
From:   Dmitry Vyukov <dvyukov@google.com>
Date:   Fri, 8 Jun 2018 18:53:38 +0200
Message-ID: <CACT4Y+bHDWDapwOonO1EpR6TiRa=qf9nSDtHArq75yCGuHf=gg@mail.gmail.com>
Subject: Re: general protection fault in wb_workfn (2)
To:     Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc:     Jens Axboe <axboe@kernel.dk>, Jan Kara <jack@suse.cz>,
        syzbot <syzbot+4a7438e774b21ddd8eca@syzkaller.appspotmail.com>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        linux-fsdevel <linux-fsdevel@vger.kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Al Viro <viro@zeniv.linux.org.uk>, Tejun Heo <tj@kernel.org>,
        Dave Chinner <david@fromorbit.com>,
        linux-block@vger.kernel.org,
        Linus Torvalds <torvalds@linux-foundation.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Jun 8, 2018 at 5:16 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>> On Fri, Jun 8, 2018 at 4:31 AM, Tetsuo Handa
>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>> Dmitry Vyukov wrote:
>>>> On Tue, Jun 5, 2018 at 3:45 PM, Tetsuo Handa
>>>> <penguin-kernel@i-love.sakura.ne.jp> wrote:
>>>> > Dmitry, can you assign VM resources for a git tree for this bug? This bug wants to fight
>>>> > against https://github.com/google/syzkaller/blob/master/docs/syzbot.md#no-custom-patches ...
>>>>
>>>> Hi Tetsuo,
>>>>
>>>> Most of the reasons for not doing it still stand. A syzkaller instance
>>>> will produce not just this bug, it will produce hundreds of different
>>>> bugs. Then the question is: what to do with these bugs? Report all to
>>>> mailing lists?
>>>
>>> Is it possible to add linux-next.git tree as a target for fuzzing? If yes,
>>> we can try debug patches easily, in addition to find bugs earlier than now.
>>
>> syzbot tested linux-next and mmotm initially, but they were removed at
>> the request of kernel developers. See:
>> https://groups.google.com/d/msg/syzkaller/0H0LHW_ayR8/dsK5qGB_AQAJ
>> and:
>> https://groups.google.com/d/msg/syzkaller-bugs/FeAgni6Atlk/U0JGoR0AAwAJ
>> Indeed, linux-next produces around 50 assorted one-off unexplainable
>> bug reports.
>>
>>
>>>> I think the solution here is just to run syzkaller instance locally.
>>>> It's just a program anybody can run it on any kernel with any custom
>>>> patches. Moreover for local instance it's also possible to limit set
>>>> of tested syscalls to increase probability of hitting this bug and at
>>>> the same time filter out most of other bugs.
>>>
>>> If this bug is reproducible with VM resources individual developer can afford...
>>>
>>> Since my Linux development environment is VMware guests on a Windows PC, I can't
>>> run VM instance which needs KVM acceleration. Also, due to security policy, I can't
>>> utilize external VM resources available on the Internet, as well as I can't use ssh
>>> and git protocols. Speak of this bug, even with a lot of VM instances, syzbot can
>>> reproduce this bug only once or twice per a day. Thus, the question for me boils
>>> down to, whether I can reproduce this bug using one VMware guest instance with 4GB
>>> of memory. Effectively, I don't have access to environments for running syzkaller
>>> instance...
>>
>> Well, I don't know what to say, it does require some resources.
>>
>>>> Do we have any idea about the guilty subsystem? You mentioned
>>>> bdi_unregister, why? What would be the set of syscalls to concentrate
>>>> on?
>>>> I will do a custom run when I get around to it, if nobody else beats me to it.
>>>
>>> Because bdi_unregister() does "bdi->dev = NULL;" which wb_workfn() is hitting
>>> NULL pointer dereference.
>>
>> Right, wb_workfn is not a generic function, it's fs-specific function.
>>
>> Trying to reproduce this locally now.
>
>
> No luck so far.
>
> Trying to look from a different angle: is it possible that bdi->dev is
> not set yet, rather then already reset?


I was able to reproduce this once locally running syz-crush utility
replaying one of the crash logs. Now running with Tetsuo's patch.

I can say we hunting a very subtle race condition with short
inconsistency window, perhaps few instructions.