Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1210729pxu;
        Wed, 6 Jan 2021 16:01:00 -0800 (PST)
X-Google-Smtp-Source: ABdhPJxkJ/hwx3mgz+G/u24vIU21fC+gv7wAZ93Ags6odsN3/F2LKkCyESMQgeKIMSi7zR6VE2D+
X-Received: by 2002:a17:906:8058:: with SMTP id x24mr4369850ejw.262.1609977660669;
        Wed, 06 Jan 2021 16:01:00 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1609977660; cv=none;
        d=google.com; s=arc-20160816;
        b=lmf9wO/WdBYpJgpShyv/2Olqw9f+KRfFExVBDpTsEEUh/SA6VSGSR+VzaDJi3jU2Ww
         I5ljZ3wkpVnnidqYgiGHBhMe2leng8yi84TAC+JW1isyFOU+O6dtIoRJtUAqXI5L2Q1v
         9R/LT+gO8Ep3v7QCWRbqHAz+XF1ghArwb/E5BtgJ6CVFQXxRSZc1DjCmoNI3HA1gnNEP
         dbUmm/HEVGB7eVvRxXljHQ0vG9XJ5+V4bfJPETmzsDw+d9Xv1MVyi44s9bq5IGZqKzPE
         KUVM5dJ2QEK7r1hiA+zmHdXt9m5uMjWgi8zwPGE9FC0tCkM8O+j44FAiSXMwAHG/relu
         coBg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id:dkim-signature;
        bh=nHM/zNarT82wu+x4lgAdGC2mHx8Guijmtu+f0YBziZs=;
        b=vba5R3X9AcfN9ZVs3V35r91MhGzJewRKv7ej2vx2r4OXWz/3XWdK1PTm1teNtpDeft
         LwlNgLrXX0ip1ywp7JxNeg+sBocfegRx7qQltG+Tc9t/E34T0Gpy/86PFgnABk8GjLpS
         8+spyeZwPsvBWQ+bT5grlW7D+rudlSiwJDafECqwLN4eghBSh+JSWZgPp2yOgkIwouDM
         1i0L+QcAbfakig2UoA2T6Xa2X5BgP2nLOCThYgaKCV1/kiM3YOZspe6ZUdhSxw9LfqAG
         IKmk8dEccB2iRytMZtt25W0qBkPbI6hgnBaISpXOvI5D4oTXLY1waAJgGPcXxBFCpiiH
         t6xQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ozlabs-ru.20150623.gappssmtp.com header.s=20150623 header.b=NA3F+XKm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id b10si1416586ejj.171.2021.01.06.16.00.36;
        Wed, 06 Jan 2021 16:01:00 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ozlabs-ru.20150623.gappssmtp.com header.s=20150623 header.b=NA3F+XKm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727806AbhAFX73 (ORCPT <rfc822;linuxmindflow@gmail.com>
        + 99 others); Wed, 6 Jan 2021 18:59:29 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33278 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726918AbhAFX72 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 6 Jan 2021 18:59:28 -0500
Received: from mail-pj1-x1036.google.com (mail-pj1-x1036.google.com [IPv6:2607:f8b0:4864:20::1036])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 00A55C06136C
        for <linux-kernel@vger.kernel.org>; Wed,  6 Jan 2021 15:58:47 -0800 (PST)
Received: by mail-pj1-x1036.google.com with SMTP id w1so3186703pjc.0
        for <linux-kernel@vger.kernel.org>; Wed, 06 Jan 2021 15:58:47 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ozlabs-ru.20150623.gappssmtp.com; s=20150623;
        h=message-id:date:mime-version:user-agent:subject:content-language:to
         :cc:references:from:in-reply-to:content-transfer-encoding;
        bh=nHM/zNarT82wu+x4lgAdGC2mHx8Guijmtu+f0YBziZs=;
        b=NA3F+XKmnhNi6kzCESfIdsxKS2uZOsStA6v3UFprwRKw/OhFhOWV573G2OwOoRXJ9G
         jpkX1PlTe24W+T6jmj/B9TdYvsqrmput3qZCO1iiRFiYVl8Nq5JykFYmHdH7fIBlGNO9
         CjocitqQhG0jlGmIOTyGy0VGw5YZXa0E2JaYi54EB7YUp+23q3wIVe/ioL3JnNDIXwMW
         0tLRdb8hjdQgj4wze3oBgV1PFShLjU29t90MrOXd5ZFilZTglcaLd7kxppWvJXysCH8b
         CB9pxhKFB7fm4Sue3R5jjV3cX9ZHnG2ftbIES6aCsKS/kx9wrVNWV088nQ8W8BXgVKsT
         hGgw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:message-id:date:mime-version:user-agent:subject
         :content-language:to:cc:references:from:in-reply-to
         :content-transfer-encoding;
        bh=nHM/zNarT82wu+x4lgAdGC2mHx8Guijmtu+f0YBziZs=;
        b=Eu9877YYiey12AY64ARvXgkIYANQPxVxww+tFeJf4l8Y3u0+LQIRVFcSdEqTOY4cW6
         Q6ra2h+VQFzXs1wxpZxU7E41PK3TnoIlqzTJrSXK0F6WQyxVB/OnKaVLmA6tZvN7Vt2+
         oqXf4Xm0J6LNjh6IvqOf+w4ck5SUiUYgrjgqTr+tyzbvAFK2oExPbwHNTKbUJY5gWzIM
         7sEuwJYIQYG8wgByJD7OcvxSbhdH2gM+dQQteL1+CwksCjLsln2EVpiETpAOWaHkwhpe
         AK88XSLCYiVlFv7J30VqgiCdn53rTnBwcSsofESXYh9trXUIxvMuSe+5lOum5vVRvCpL
         50ow==
X-Gm-Message-State: AOAM533yLU+0UPVKw4+a5lTU+a9M+zQ204UMTS9HAw90AKyeLjRheuWY
        UHAQ6LZ5k7cALe//UWhkddptVkh8jt5S84WX
X-Received: by 2002:a17:90a:1706:: with SMTP id z6mr1080632pjd.0.1609977526924;
        Wed, 06 Jan 2021 15:58:46 -0800 (PST)
Received: from [192.168.10.153] (124-171-107-241.dyn.iinet.net.au. [124.171.107.241])
        by smtp.gmail.com with UTF8SMTPSA id d6sm3384801pfo.199.2021.01.06.15.58.42
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Wed, 06 Jan 2021 15:58:46 -0800 (PST)
Message-ID: <5e6716a6-0314-8360-4fb6-5c959022a24c@ozlabs.ru>
Date:   Thu, 7 Jan 2021 10:58:39 +1100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:85.0) Gecko/20100101
 Thunderbird/85.0
Subject: Re: [RFC PATCH kernel] block: initialize block_device::bd_bdi for
 bdev_cache
Content-Language: en-US
To:     Jan Kara <jack@suse.cz>
Cc:     Christoph Hellwig <hch@lst.de>,
        Alexander Viro <viro@zeniv.linux.org.uk>,
        Hannes Reinecke <hare@suse.de>, Jens Axboe <axboe@kernel.dk>,
        Tejun Heo <tj@kernel.org>, linux-block@vger.kernel.org,
        linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
References: <20210106092900.26595-1-aik@ozlabs.ru>
 <20210106104106.GA29271@quack2.suse.cz>
From:   Alexey Kardashevskiy <aik@ozlabs.ru>
In-Reply-To: <20210106104106.GA29271@quack2.suse.cz>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 06/01/2021 21:41, Jan Kara wrote:
> On Wed 06-01-21 20:29:00, Alexey Kardashevskiy wrote:
>> This is a workaround to fix a null derefence crash:
>>
>> [c00000000b01f840] c00000000b01f880 (unreliable)
>> [c00000000b01f880] c000000000769a3c bdev_evict_inode+0x21c/0x370
>> [c00000000b01f8c0] c00000000070bacc evict+0x11c/0x230
>> [c00000000b01f900] c00000000070c138 iput+0x2a8/0x4a0
>> [c00000000b01f970] c0000000006ff030 dentry_unlink_inode+0x220/0x250
>> [c00000000b01f9b0] c0000000007001c0 __dentry_kill+0x190/0x320
>> [c00000000b01fa00] c000000000701fb8 dput+0x5e8/0x860
>> [c00000000b01fa80] c000000000705848 shrink_dcache_for_umount+0x58/0x100
>> [c00000000b01fb00] c0000000006cf864 generic_shutdown_super+0x54/0x200
>> [c00000000b01fb80] c0000000006cfd48 kill_anon_super+0x38/0x60
>> [c00000000b01fbc0] c0000000006d12cc deactivate_locked_super+0xbc/0x110
>> [c00000000b01fbf0] c0000000006d13bc deactivate_super+0x9c/0xc0
>> [c00000000b01fc20] c00000000071a340 cleanup_mnt+0x1b0/0x250
>> [c00000000b01fc80] c000000000278fa8 task_work_run+0xf8/0x180
>> [c00000000b01fcd0] c00000000002b4ac do_notify_resume+0x4dc/0x5d0
>> [c00000000b01fda0] c00000000004ba0c syscall_exit_prepare+0x28c/0x370
>> [c00000000b01fe10] c00000000000e06c system_call_common+0xfc/0x27c
>> --- Exception: c00 (System Call) at 0000000010034890
>>
>> Is this fixed properly already somewhere? Thanks,
>>
>> Fixes: e6cb53827ed6 ("block: initialize struct block_device in bdev_alloc")
> 
> I don't think it's fixed anywhere and I've seen the syzbot report and I was
> wondering how this can happen when bdev_alloc() initializes bdev->bd_bdi
> and it also wasn't clear to me whether bd_bdi is really the only field that
> is problematic - if we can get to bdev_evict_inode() without going through
> bdev_alloc(), we are probably missing initialization of other fields in
> that place as well...
> 
> But now I've realized that probably the inode is a root inode for bdev
> superblock which is allocated by VFS through new_inode() and thus doesn't
> undergo the initialization in bdev_alloc(). 

yup, this is the case.

> And AFAICT the root inode on
> bdev superblock can get only to bdev_evict_inode() and bdev_free_inode().
> Looking at bdev_evict_inode() the only thing that's used there from struct
> block_device is really bd_bdi. bdev_free_inode() will also access
> bdev->bd_stats and bdev->bd_meta_info. So we need to at least initialize
> these to NULL as well.

These are all NULL.

> IMO the most logical place for all these
> initializations is in bdev_alloc_inode()...


This works. We can also check for NULL where it crashes. But I do not 
know the code to make an informed decision...

> 
> 								Honza
> 
>> ---
>>   fs/block_dev.c | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/fs/block_dev.c b/fs/block_dev.c
>> index 3e5b02f6606c..86fdc28d565e 100644
>> --- a/fs/block_dev.c
>> +++ b/fs/block_dev.c
>> @@ -792,8 +792,10 @@ static void bdev_free_inode(struct inode *inode)
>>   static void init_once(void *data)
>>   {
>>   	struct bdev_inode *ei = data;
>> +	struct block_device *bdev = &ei->bdev;
>>   
>>   	inode_init_once(&ei->vfs_inode);
>> +	bdev->bd_bdi = &noop_backing_dev_info;
>>   }
>>   
>>   static void bdev_evict_inode(struct inode *inode)
>> -- 
>> 2.17.1
>>

-- 
Alexey