From: Thomas Gleixner
To: Matthew Wilcox, David Mozes
Cc: linux-fsdevel@vger.kernel.org, Ingo Molnar, Peter Zijlstra, Darren Hart, linux-kernel@vger.kernel.org
Subject: Re: futex/call -to plist_for_each_entry_safe with head=NULL
Date: Tue, 15 Jun 2021 17:03:34 +0200
Message-ID: <87k0mvgoft.ffs@nanos.tec.linutronix.de>

On Sun, Jun 13 2021 at 21:04, Matthew Wilcox wrote:
> On Sun, Jun 13, 2021 at 12:24:52PM +0000, David Mozes wrote:
>> Hi *,
>> Under a very high load of io traffic, we got the below BUG trace.
>> We can see that:
>> plist_for_each_entry_safe(this, next, &hb1->chain, list) {
>>                 if (match_futex (&this->key, &key1))
>>
>> were called with hb1 = NULL at futex_wake_up function.
>> And there is no protection on the code regarding such a scenario.
>>
>> The NULL can be getting from:
>> hb1 = hash_futex(&key1);

Definitely not.

>>
>> How can we protect against such a situation?
>
> Can you reproduce it without loading proprietary modules?
>
> Your analysis doesn't quite make sense:
>
>         hb1 = hash_futex(&key1);
>         hb2 = hash_futex(&key2);
>
> retry_private:
>         double_lock_hb(hb1, hb2);
>
> If hb1 were NULL, then the oops would come earlier, in double_lock_hb().

Sure, but hash_futex() _cannot_ return a NULL pointer ever.

>>
>>
>> This happened in kernel 4.19.149 running on Azure vm

4.19.149 is almost 50 versions behind the latest 4.19.194 stable.

The other question is whether this happens with a less dead kernel as
well.

Thanks,

        tglx
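
The two points made in this thread, as an added userspace model in C (not kernel code and not written by anyone in the thread): a bucket lookup that returns the address of a slot in a fixed table cannot yield NULL, and taking both bucket locks dereferences the buckets before any chain is walked. The names `bucket_for`, `double_lock`, `count_matches` and `NBUCKETS`, and the sample waiters, are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define NBUCKETS 16u   /* power of two, so the mask below always lands in range */

struct waiter { uint32_t key; struct waiter *next; };
struct bucket { int locked; struct waiter *chain; };

static struct bucket table[NBUCKETS];   /* every slot has a real address */

/* Lookup by masked index: returns &table[i] with i < NBUCKETS, never NULL.
 * The key doubles as the hash here to keep the model short. */
static struct bucket *bucket_for(uint32_t key)
{
    return &table[key & (NBUCKETS - 1)];
}

/* Take both locks in address order. Both buckets are dereferenced here,
 * before any chain is walked, so a NULL bucket would fault at this point. */
static int double_lock(struct bucket *b1, struct bucket *b2)
{
    struct bucket *lo = b1 <= b2 ? b1 : b2;
    struct bucket *hi = b1 <= b2 ? b2 : b1;
    lo->locked = 1;
    if (lo == hi)
        return 1;          /* same bucket: lock it once */
    hi->locked = 1;
    return 2;
}

/* Count waiters queued on key1's bucket that match key1, with both locks held. */
static int count_matches(uint32_t key1, uint32_t key2)
{
    struct bucket *hb1 = bucket_for(key1), *hb2 = bucket_for(key2);
    int n = 0;

    double_lock(hb1, hb2);
    for (struct waiter *w = hb1->chain; w != NULL; w = w->next)
        n += (w->key == key1);
    hb1->locked = hb2->locked = 0;
    return n;
}

int main(void)
{
    struct waiter w1 = { 19, NULL }, w0 = { 3, &w1 };  /* constructed: 19 & 15 == 3 */
    table[3].chain = &w0;
    return (count_matches(3, 7) == 1 && count_matches(19, 3) == 1) ? 0 : 1;
}
```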