Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp248713rwb;
        Fri, 18 Nov 2022 00:29:31 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4WxNipxSWnkyMpd0cJTSzcPm2C9hiAHr80GKw2KaMjKEDvCvzeCG2GnTFoxvaHFV9PN28B
X-Received: by 2002:a17:906:b794:b0:7ae:6450:c620 with SMTP id dt20-20020a170906b79400b007ae6450c620mr5110396ejb.270.1668760171293;
        Fri, 18 Nov 2022 00:29:31 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1668760171; cv=none;
        d=google.com; s=arc-20160816;
        b=ceVfBCC6WB0TKj3jMzL0kMx4vptVuMbnD355Ik49IiOvXwKcScIG/Kxzb8XPlfpSu/
         /v2MAA4/WavrNK5H+QWK4SZMb+mO9zMlrwmn90OWrhJ1jFb4f5h2BRPPCpTXiG7iId02
         4sknhd/ydKMkBOCe8i9kKhyLGcT/rfb/Vz1zBo+7MxUBruKl0wkMBsg9TeT0f1lHIy6p
         nYoGHRLjlz6oXg7S/TuiywGH3wu3f+aBx5EYojxg/Sr2oF8Mkmp2yP1ZmKBRoqK521RD
         TvAPZDErP41cNygeoS0K6suiA32X1p7HJqdgQ7T3P2BfN7igC/p12n89QYocWpRbkzvB
         JfhA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:cc:references:to
         :subject;
        bh=ku247klMOzx+OKceaRd3elm6JZbnnLJnajWhqcLx1gM=;
        b=n18PREhGBGKC8U0w9OqbqDWDCnTrGvPBjrw0/xeMuKVD6wNVC5xm52n03qZoYdLl25
         oY1MRIOTOjodjwYyhls1xERBtXvj2WlSRdpTaVR8uI4S5KL8m8NUjPTU7x/zQ37TXnVU
         BF3ksIY9Pu4erdFwRZ8rx6rShacL4c0L4BlrGDI29ci5FL5R43pdpMY43ZYQJPYaLWE+
         HbfJAY9Nc1tq7aaEPPrQxLBVOFdy1ZPLzcIwvhI3jIkVUb8WMcV/ND8OSmnpA/bIhsAR
         0hsHyewrFZ18LSbsRxsuWZbGE8TwThwbYtt+50mixu02s1Ihr1jHsLaCz0aWyTkVajhY
         cP+A==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id ds2-20020a0564021cc200b00461891a8138si2686665edb.446.2022.11.18.00.29.09;
        Fri, 18 Nov 2022 00:29:31 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S240996AbiKRHzH (ORCPT <rfc822;tarbal@gmail.com> + 90 others);
        Fri, 18 Nov 2022 02:55:07 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57922 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229743AbiKRHzF (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 18 Nov 2022 02:55:05 -0500
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [45.249.212.188])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 646658C08D;
        Thu, 17 Nov 2022 23:54:57 -0800 (PST)
Received: from dggpemm500021.china.huawei.com (unknown [172.30.72.56])
        by szxga02-in.huawei.com (SkyGuard) with ESMTP id 4ND8FP1PrxzRpMB;
        Fri, 18 Nov 2022 15:54:33 +0800 (CST)
Received: from dggpemm100009.china.huawei.com (7.185.36.113) by
 dggpemm500021.china.huawei.com (7.185.36.109) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.31; Fri, 18 Nov 2022 15:54:55 +0800
Received: from [10.174.179.24] (10.174.179.24) by
 dggpemm100009.china.huawei.com (7.185.36.113) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id
 15.1.2375.31; Fri, 18 Nov 2022 15:54:55 +0800
Subject: Re: [PATCH] fs/buffer: fix a NULL pointer dereference in
 drop_buffers()
To:     Matthew Wilcox <willy@infradead.org>
References: <20221109095018.4108726-1-liushixin2@huawei.com>
 <Y3cYd6u9wT/ZTHbe@casper.infradead.org>
CC:     Alexander Viro <viro@zeniv.linux.org.uk>,
        <linux-fsdevel@vger.kernel.org>, <linux-kernel@vger.kernel.org>
From:   Liu Shixin <liushixin2@huawei.com>
Message-ID: <ba12f39a-4b43-7297-f1fa-b4eb0bbd79a8@huawei.com>
Date:   Fri, 18 Nov 2022 15:54:54 +0800
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:45.0) Gecko/20100101
 Thunderbird/45.7.1
MIME-Version: 1.0
In-Reply-To: <Y3cYd6u9wT/ZTHbe@casper.infradead.org>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 7bit
X-Originating-IP: [10.174.179.24]
X-ClientProxiedBy: dggems705-chm.china.huawei.com (10.3.19.182) To
 dggpemm100009.china.huawei.com (7.185.36.113)
X-CFilter-Loop: Reflected
X-Spam-Status: No, score=-4.2 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS autolearn=ham
        autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org



On 2022/11/18 13:30, Matthew Wilcox wrote:
> On Wed, Nov 09, 2022 at 05:50:18PM +0800, Liu Shixin wrote:
>> syzbot found a null-ptr-deref by KASAN:
>>
>>  BUG: KASAN: null-ptr-deref in instrument_atomic_read include/linux/instrumented.h:71 [inline]
>>  BUG: KASAN: null-ptr-deref in atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
>>  BUG: KASAN: null-ptr-deref in buffer_busy fs/buffer.c:2856 [inline]
>>  BUG: KASAN: null-ptr-deref in drop_buffers+0x61/0x2f0 fs/buffer.c:2868
>>  Read of size 4 at addr 0000000000000060 by task syz-executor.5/24786
>>
>>  CPU: 0 PID: 24786 Comm: syz-executor.5 Not tainted 6.0.0-syzkaller-09589-g55be6084c8e0 #0
>>  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
>>  Call Trace:
>>   <TASK>
>>   __dump_stack lib/dump_stack.c:88 [inline]
>>   dump_stack_lvl+0x1e3/0x2cb lib/dump_stack.c:106
>>   print_report+0xf1/0x220 mm/kasan/report.c:436
>>   kasan_report+0xfb/0x130 mm/kasan/report.c:495
>>   kasan_check_range+0x2a7/0x2e0 mm/kasan/generic.c:189
>>   instrument_atomic_read include/linux/instrumented.h:71 [inline]
>>   atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
>>   buffer_busy fs/buffer.c:2856 [inline]
>>   drop_buffers+0x61/0x2f0 fs/buffer.c:2868
>>   try_to_free_buffers+0x2b1/0x640 fs/buffer.c:2898
>> [...]
>>
>> We use folio_has_private() to decide whether call filemap_release_folio(),
>> which may call try_to_free_buffers() then. folio_has_private() return true
>> for both PG_private and PG_private_2. We should only call try_to_free_buffers()
>> for case PG_private. So we should recheck PG_private in try_to_free_buffers().
>>
>> Reported-by: syzbot+fbdb4ec578ebdcfb9ed2@syzkaller.appspotmail.com
>> Fixes: 266cf658efcf ("FS-Cache: Recruit a page flags for cache management")
> but this can only happen for a filesystem which uses both bufferheads
> and PG_private_2.  afaik there aren't any of those in the tree.  so
> this bug can't actually happen.
>
> if you have your own filesystem that does, you need to submit it.
This null-ptr-deref is found by syzbot, not by my own filesystem. I review the related code and
found no other possible cause. There are lock protection all the place calling try_to_free_buffers().
So I only thought of this one possibility. I'm also trying to reproduce the problem but haven't
been successful.

If this can't actually happen, maybe I'm missing something when review the code. I'll keep trying
to see if I can reproduce the problem.

Thanks,
Liu Shixin
.

>
>
> .
>