Subject: Re: [PATCH] fs/buffer: fix a NULL pointer dereference in drop_buffers()
From: Liu Shixin
To: Matthew Wilcox
CC: Alexander Viro, ...
Date: Fri, 18 Nov 2022 15:54:54 +0800
References: <20221109095018.4108726-1-liushixin2@huawei.com>
List: linux-kernel@vger.kernel.org

On 2022/11/18 13:30, Matthew Wilcox wrote:
> On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote:
>> syzbot found a null-ptr-deref by KASAN:
>>
>> BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
>> BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
>> BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline]
>> BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868
>> Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786
>>
>> CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
>> Call Trace:
>>
>> __dump_stack lib/dump_stack.c:88 [inline]
>> dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
>> print_report+0xf1/0x220 mm/kasan/report.c:436
>> kasan_report+0xfb/0x130 mm/kasan/report.c:495
>> kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
>> instrument_atomic_read include/linux/instrumented.h:71 [inline]
>> atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
>> buffer_busy fs/buffer.c:2856 [inline]
>> drop_buffers+0x61/0x2f0 fs/buffer.c:2868
>> try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898
>> [...]
>>
>> We use folio_has_private() to decide whether to call filemap_release_folio(),
>> which may then call try_to_free_buffers(). folio_has_private() returns true
>> for both PG_private and PG_private_2. We should only call try_to_free_buffers()
>> for the PG_private case. So we should recheck PG_private in try_to_free_buffers().
>>
>> Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com
>> Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management")
>
> but this can only happen for a filesystem which uses both bufferheads
> and PG_private_2. afaik there aren't any of those in the tree. so
> this bug can't actually happen.
>
> if you have your own filesystem that does, you need to submit it.

This null-ptr-deref was found by syzbot, not by my own filesystem.
I reviewed the related code and found no other possible cause. There is
lock protection at all the places calling try_to_free_buffers(). So I only
thought of this one possibility. I'm also trying to reproduce the problem
but haven't been successful. If this can't actually happen, maybe I'm
missing something when reviewing the code. I'll keep trying to see if I
can reproduce the problem.

Thanks,
Liu Shixin
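The mismatch the patch description asserts, as an added C model written for this page rather than kernel code or the author's patch: a gate that answers "does this folio carry any private data" (folio_has_private(), true for PG_private or PG_private_2) is used in front of a routine that needs one specific kind of private data (buffer heads, which only PG_private implies). The flag bit values, the struct layouts, the `enum outcome`, and the helpers `drop_buffers_model()`, `release_original()`, `release_patched()` and `run_scenario()` are all constructed stand-ins; the model reports the NULL read as an outcome instead of performing it. Whether an in-tree filesystem can actually put a folio in the PG_private_2-only state is the question the reply above leaves open; the model only shows what the recheck buys if one can.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Arbitrary bit positions for the two flags the thread discusses
 * (constructed, not the kernel's page-flags layout). */
#define PG_private   (1u << 0)
#define PG_private_2 (1u << 1)

struct buffer_head {
    int b_count;                   /* >0 means the buffer is in use */
};

struct folio {
    unsigned int flags;
    struct buffer_head *private;   /* non-NULL only when PG_private is set */
};

enum outcome {
    FREED,          /* buffer head dropped, PG_private cleared */
    BUSY,           /* buffer head still in use, nothing freed */
    NOTHING_TO_DO,  /* no buffer heads to drop */
    NULL_DEREF      /* stands in for the KASAN null-ptr-deref */
};

/* Same semantics as the description states: true for either flag. */
static bool folio_has_private(const struct folio *f)
{
    return (f->flags & (PG_private | PG_private_2)) != 0;
}

/* True only for PG_private, the flag that actually implies buffer heads. */
static bool folio_test_private(const struct folio *f)
{
    return (f->flags & PG_private) != 0;
}

/* Models drop_buffers(): looks at the (single) buffer head, checks whether
 * it is busy, and frees it otherwise. It trusts the caller's guard, so a
 * NULL private pointer is reported rather than read. */
static enum outcome drop_buffers_model(struct folio *f)
{
    struct buffer_head *bh = f->private;

    if (bh == NULL)
        return NULL_DEREF;      /* the kernel would read bh->b_count here */
    if (bh->b_count > 0)
        return BUSY;
    f->private = NULL;
    f->flags &= ~PG_private;
    return FREED;
}

/* Original call path: the release is gated on folio_has_private(), so a
 * folio with only PG_private_2 set reaches the buffer-head code. */
static enum outcome release_original(struct folio *f)
{
    if (!folio_has_private(f))
        return NOTHING_TO_DO;
    return drop_buffers_model(f);
}

/* Patched path as the description proposes: recheck PG_private before
 * touching buffer heads. */
static enum outcome release_patched(struct folio *f)
{
    if (!folio_has_private(f))
        return NOTHING_TO_DO;
    if (!folio_test_private(f))
        return NOTHING_TO_DO;   /* PG_private_2 only: no buffer heads */
    return drop_buffers_model(f);
}

/* Builds a folio in the requested state and runs one of the two paths. */
static enum outcome run_scenario(unsigned int flags, bool with_bh,
                                 int b_count, bool patched)
{
    struct buffer_head bh = { .b_count = b_count };
    struct folio f = { .flags = flags, .private = with_bh ? &bh : NULL };

    return patched ? release_patched(&f) : release_original(&f);
}

int main(void)
{
    static const char *const names[] = { "FREED", "BUSY", "NOTHING_TO_DO", "NULL_DEREF" };

    printf("PG_private, idle bh, original: %s\n", names[run_scenario(PG_private, true, 0, false)]);
    printf("PG_private, busy bh, original: %s\n", names[run_scenario(PG_private, true, 1, false)]);
    printf("PG_private_2 only,   original: %s\n", names[run_scenario(PG_private_2, false, 0, false)]);
    printf("PG_private_2 only,   patched:  %s\n", names[run_scenario(PG_private_2, false, 0, true)]);
    return 0;
}
```

The third scenario is the one the KASAN report corresponds to: the broad guard passes, the narrow precondition does not hold, and the first field read through the NULL pointer is where the fault lands. The recheck changes only that scenario; folios that do carry buffer heads take the same FREED or BUSY path on both sides.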