Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp3569777rwo; Fri, 4 Aug 2023 06:59:02 -0700 (PDT) X-Google-Smtp-Source: AGHT+IGwT/g8IJANcf8j3Txn2R12tZT1oHoS/VIEVb92W/YxhkNLyPm6jYfk5h/T9wrQ/sGIhldb X-Received: by 2002:a17:902:ea0d:b0:1bb:b30e:4364 with SMTP id s13-20020a170902ea0d00b001bbb30e4364mr1941051plg.39.1691157542243; Fri, 04 Aug 2023 06:59:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691157542; cv=none; d=google.com; s=arc-20160816; b=l+6xe6hox0e2AbPs6AJt+4/sYnbmZm8Fg5oXArloZly9KIf6hL2HT2JgWzH3HsJY3W GRj9ckx4HvehcxHvrmGWrqy6f5aH8yyOGV524zJquYxITQvwi2Z8rL1n/VYsoZQZY0/B C+TE8r/mkAknL8hxDwTusl5Dd+p9T9hVEWfLsQ8GMbcUb3045ZE8xHf2vE5cp3Q4uST3 yGX5bu5Oq/Ixmnm2O8vjtmSpe6ujrlbTPQI+0ZowvVKtrA08tycm5TvZIxciawRtNuhv Czbz8Z9C17BtPSC0u4JF/PJ4AoFGzMoNmRxnyhsXzdGPEg6NJTodj36GT+gw4q5GRSiG ZyNg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=aEyZNw2VWCiNcoHFbjQmxjchjbxbY7aRy9EQr+/04j8=; fh=tLnd68RsZcliNKFYfkHqa0WJfUfQTbQJ6N6gdi2/JJU=; b=eXTTW1GbPI6aXfq29GQ5+XsovNBTzdl8IAG+AgqpS5N7eAwyWPT+Z1Xlhp0xHiA265 SWG0i0w07D2eaUgpQxUvD53QXYcMgaub5zalNfMfI2n3dMApQl91J68oEm0iRH8Xnm52 T5JseRfc2E7SoVW9xAEi7PPkMUSLh2eTQuk/PBO9Y+KYaV5V7wCOA5Pj8Qn2zmGcInHQ 0bekfZ5W4ELDavNKNOtfvOyFL/uvKJ+MIFxCxjXw0944IbgdFrVKLKaSP9Yzd4+rQgKT V0xjJ7nGfSeGKouPFRS8i1+ejZ5DW6jGKyQ4zWh86pIdu/9PUCmDeVXii3JdRoWGidGd 9uGA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Xmt9Nmuj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p15-20020a170902e74f00b001bc552f1443si120381plf.423.2023.08.04.06.58.47; Fri, 04 Aug 2023 06:59:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Xmt9Nmuj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229591AbjHDNYG (ORCPT + 99 others); Fri, 4 Aug 2023 09:24:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33988 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229891AbjHDNWp (ORCPT ); Fri, 4 Aug 2023 09:22:45 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7DEB059FA; Fri, 4 Aug 2023 06:21:19 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id D0BDD61FD0; Fri, 4 Aug 2023 13:20:50 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 9DD21C433C8; Fri, 4 Aug 2023 13:20:48 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1691155250; bh=FNQzWR1EmyB4sM/Ep/jQ04mYJeLIQNADZPFxaAXkUng=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=Xmt9NmujMlPq+o5h/h45BzLQAIy0cHS+35NvEwOwHGDVMuUBzFEb9cCEXbjxcA8mu tc+VxynSlto+VfAbHaqJg81/bfDni6MNogtJ/4ZHzlHkKLSyzX5lBamnAQE3fix7Gl OgPzOPYt19jlQ7rip7qovbyV99I6MIldSnvx/BMZeSPsq6ILFsFj9s3iVFO5MCzP2y 4OtHn7qEt42+D/NATXIjWTNLMPZBtSteJuhjueGo0bfIuxghyskcZ3SB4SYNbLut3t QjIqQhemLCgxo52TdtePBlFfppKiSHnA6pVXHOn0lyRT8Ski0V4oKM+tmXJ7GpK2GL iFTkgx7TJeZZg== Date: Fri, 4 Aug 2023 15:20:45 +0200 From: Christian Brauner To: Christoph Hellwig Cc: syzbot , jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in test_bdev_super_fc Message-ID: <20230804-abstieg-behilflich-eda2ce9c2c0f@brauner> References: <00000000000058d58e06020c1cab@google.com> <20230804101408.GA23274@lst.de> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <20230804101408.GA23274@lst.de> X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 04, 2023 at 12:14:08PM +0200, Christoph Hellwig wrote: > FYI, I can reproduce this trivially locally, but even after spending a > significant time with the trace I'm still puzzled at what is going > on. I've started trying to make sense of the lockdep report about > returning to userspace with s_umount held, originall locked in > get_tree_bdev and am still missing how it could happen. So in the old scheme: s = alloc_super() -> down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING); and assume you're not finding an old one immediately afterwards you'd -> spin_lock(&sb_lock) static int set_bdev_super(struct super_block *s, void *data) { s->s_bdev = data; s->s_dev = s->s_bdev->bd_dev; s->s_bdi = bdi_get(s->s_bdev->bd_disk->bdi); if (bdev_stable_writes(s->s_bdev)) s->s_iflags |= SB_I_STABLE_WRITES; return 0; } -> spin_unlock(&sb_lock) in the new scheme you're doing: s = alloc_super() -> down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING); and assume you're not finding an old one immediately afterwards you'd up_write(&s->s_umount); error = setup_bdev_super(s, fc->sb_flags, fc); -> spin_lock(&sb_lock); sb->s_bdev = bdev; sb->s_bdi = bdi_get(bdev->bd_disk->bdi); if (bdev_stable_writes(bdev)) sb->s_iflags |= SB_I_STABLE_WRITES; -> spin_unlock(&sb_lock); down_write(&s->s_umount); Which looks like the lock ordering here is changed?