Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp885879ybi;
        Wed, 19 Jun 2019 09:29:54 -0700 (PDT)
X-Google-Smtp-Source: APXvYqz9lcUoxgvubZKwAgtSmV+wP9b8NfsdfbAZhncUt+IL3XiWnGFeX1kLWxhNRg3ug97y4mN9
X-Received: by 2002:a17:90a:21d0:: with SMTP id q74mr12244888pjc.12.1560961793908;
        Wed, 19 Jun 2019 09:29:53 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560961793; cv=none;
        d=google.com; s=arc-20160816;
        b=gt/mgefMmhvSxIzaWfCVrieKWqhTSpzgiGwezYVC5KtT6AN9G1xzLTubkgHYxojHlH
         eksU4yUF5Axr1crqkH6jJN/BjvALZfE/aTWv7Pf05ux2muGf+7XJPNLWsZV6y8BasM2I
         k0/cAsta0r6xxcrJUq3j2tZh0aN9Mrgy/z/zKwwl4xX72hka25h+EjwbKnZer1PTF7U5
         j00PKeU3WhLUZVjFfzJ3KxeVxvNeF1H44ZX7h0EqCRs8oiefqWEfTu+D5K9FUplC2rqo
         Tj8AIafL+h8vlOoVGWLor9mRXXUcs+6MUvNF9iT0nYyVyxMuc+1tYlzpcpkRL3BS/0nD
         HAVg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:user-agent:in-reply-to
         :content-disposition:mime-version:references:message-id:subject:cc
         :to:from:date;
        bh=W34uJKCnQIbQqefQA6BnNGo57jPceBZ3PT9l6HY92gU=;
        b=OFMtKwC5nLPakkDFCF391aclywPtG7yrGFSBVm7fxqYnnHZQ3fLseoIXECpRvdtbOp
         k92AVM1bFPoHy5NlH/cPZLTXd3LHwlmLhsczOX+xiTWLWbynvJy6YOdpbbZsKKxX1eUI
         dNn4J3gfNYosOrilSCvbpJE8XwayiC08Koaw4LPYTcGAal443pApAxhZ2nhrlZpADmWC
         9BQW//8r973URx3z6IqED+HbhHvZ+aqDTVcflFDNd8K+nHMOcnUnqU+1nK4Pp/hLN6wd
         7LfX2EKVhvLEdNeE7xlY+DhRyhGMA5dAYb8/Ta30945BytnfmfwHqXeJWh8e+QKEedld
         J9aQ==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f32si1767202pje.70.2019.06.19.09.29.38;
        Wed, 19 Jun 2019 09:29:53 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730056AbfFSQ2F (ORCPT <rfc822;radocaj.bane@gmail.com>
        + 99 others); Wed, 19 Jun 2019 12:28:05 -0400
Received: from zeniv.linux.org.uk ([195.92.253.2]:38566 "EHLO
        ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726251AbfFSQ2F (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 19 Jun 2019 12:28:05 -0400
Received: from viro by ZenIV.linux.org.uk with local (Exim 4.92 #3 (Red Hat Linux))
        id 1hddRK-0005y4-90; Wed, 19 Jun 2019 16:28:02 +0000
Date:   Wed, 19 Jun 2019 17:28:02 +0100
From:   Al Viro <viro@zeniv.linux.org.uk>
To:     Vicente Bergas <vicencb@gmail.com>
Cc:     linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
        Catalin Marinas <catalin.marinas@arm.com>,
        Will Deacon <will.deacon@arm.com>
Subject: Re: d_lookup: Unable to handle kernel paging request
Message-ID: <20190619162802.GF17978@ZenIV.linux.org.uk>
References: <23950bcb-81b0-4e07-8dc8-8740eb53d7fd@gmail.com>
 <20190522135331.GM17978@ZenIV.linux.org.uk>
 <bdc8b245-afca-4662-99e2-a082f25fc927@gmail.com>
 <20190522162945.GN17978@ZenIV.linux.org.uk>
 <10192e43-c21d-44e4-915d-bf77a50c22c4@gmail.com>
 <20190618183548.GB17978@ZenIV.linux.org.uk>
 <bf2b3aa6-bda1-43f1-9a01-e4ad3df81c0b@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <bf2b3aa6-bda1-43f1-9a01-e4ad3df81c0b@gmail.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

[arm64 maintainers Cc'd; I'm not adding a Cc to moderated list,
sorry]

On Wed, Jun 19, 2019 at 02:42:16PM +0200, Vicente Bergas wrote:

> Hi Al,
> i have been running the distro-provided kernel the last few weeks
> and had no issues at all.
> https://archlinuxarm.org/packages/aarch64/linux-aarch64
> It is from the v5.1 branch and is compiled with gcc 8.3.
> 
> IIRC, i also tested
> https://archlinuxarm.org/packages/aarch64/linux-aarch64-rc
> v5.2-rc1 and v5.2-rc2 (which at that time where compiled with
> gcc 8.2) with no issues.
> 
> This week tested v5.2-rc4 and v5.2-rc5 from archlinuxarm but
> there are regressions unrelated to d_lookup.
> 
> At this point i was convinced it was a gcc 9.1 issue and had
> nothing to do with the kernel, but anyways i gave your patch a try.
> The tested kernel is v5.2-rc5-224-gbed3c0d84e7e and
> it has been compiled with gcc 8.3.
> The sentinel you put there has triggered!
> So, it is not a gcc 9.1 issue.
> 
> In any case, i have no idea if those addresses are arm64-specific
> in any way.

Cute...  So *all* of those are in dentry_hashtable itself.  IOW, we have
these two values (1<<24 and (1<<24)|(0x88L<<40)) cropping up in
dentry_hashtable[...].first on that config.

That, at least, removes the possibility of corrupted forward pointer in
the middle of a chain, with several pointers traversed before we run
into something unmapped - the crap is in the very beginning.

I don't get it.  The only things modifying these pointers should be:

static void ___d_drop(struct dentry *dentry)
{
        struct hlist_bl_head *b;
        /*
         * Hashed dentries are normally on the dentry hashtable,
         * with the exception of those newly allocated by
         * d_obtain_root, which are always IS_ROOT:
         */
        if (unlikely(IS_ROOT(dentry)))
                b = &dentry->d_sb->s_roots;
        else   
                b = d_hash(dentry->d_name.hash);

        hlist_bl_lock(b);
        __hlist_bl_del(&dentry->d_hash);
        hlist_bl_unlock(b);
}

and

static void __d_rehash(struct dentry *entry)
{
        struct hlist_bl_head *b = d_hash(entry->d_name.hash);

        hlist_bl_lock(b);
        hlist_bl_add_head_rcu(&entry->d_hash, b);
        hlist_bl_unlock(b);
}

The latter sets that pointer to (unsigned long)&entry->d_hash | LIST_BL_LOCKMASK),
having dereferenced entry->d_hash prior to that.  It can't be the source of those
values, or we would've oopsed right there.

The former...  __hlist_bl_del() does
        /* pprev may be `first`, so be careful not to lose the lock bit */
        WRITE_ONCE(*pprev,
                   (struct hlist_bl_node *)
                        ((unsigned long)next |
                         ((unsigned long)*pprev & LIST_BL_LOCKMASK)));
        if (next)
                next->pprev = pprev;
so to end up with that garbage in the list head we'd have to had next
the same bogus pointer (modulo bit 0, possibly).  And since it's non-NULL,
we would've immediately oopsed on trying to set next->pprev.

There shouldn't be any pointers to hashtable elements other than ->d_hash.pprev
of various dentries.  And ->d_hash is not a part of anon unions in struct
dentry, so it can't be mistaken access through the aliasing member.

Of course, there's always a possibility of something stomping on random places
in memory and shitting those values all over, with the hashtable being the
hottest place on the loads where it happens...  Hell knows...

What's your config, BTW?  SMP and DEBUG_SPINLOCK, specifically...