Received: by 2002:a05:6358:700f:b0:131:369:b2a3 with SMTP id 15csp3660825rwo; Fri, 4 Aug 2023 08:04:35 -0700 (PDT) X-Google-Smtp-Source: AGHT+IE772lRCz9DTAGSpbcXXJYO4WhsqN1dR01aGPzebQUZrI+XAFqiMATyzHBlf2kAj77fSxxk X-Received: by 2002:a2e:88d6:0:b0:2b9:cb50:7043 with SMTP id a22-20020a2e88d6000000b002b9cb507043mr1626394ljk.2.1691161475033; Fri, 04 Aug 2023 08:04:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1691161475; cv=none; d=google.com; s=arc-20160816; b=PxDZ6McNhLIi++q9cz1q4vWFrdrXkSY6OMMB+xmr/OJu3mT7lwD6h8P3x+vJzTgOcL yJc3KbBktv6UQNCwa9WZAEkzUvhxOBnk0VujdvcxUG14yVO3c4ach/OirvxeP1lyYJ/3 +mwwwbxU/qYRYTW+xcEGgJLOrNHdg0VhN0g9XX9bwGoL4kXSMlW55EonNfmKfJYaBwPl j9G/Sqm2VkRxuiE98V2vrhJdqq7glIWSTnYFdu+NA2C7nwcnP8s18dTVm6OotAOimIdV HZ9YpspUyjvYxJiJr+Ts0BPcxQsPzTa9vwMyyOWAA3b+m+1iUD5hhAH54N5ESX6oKifL 8y9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=eacgny0rYBeZ8KZ31Otz8oNowHb6P5GtSbpYAiPPc8U=; fh=JGWotMPRkrWG+uNOILB1/xF23LuGgXHhzIBBu6/dTko=; b=IjGm3l/8KaPlKrs/HSJfHGSS8xjgwDGbGiAItyofam1XENEIJvXLu3D+Bd3oOfKvpe B5BqCirgWl6NyUd+RgPS/ER0Z+vz7ncIZbxnVbFx+LfTzrGpg5lW4aUgjPDU894i+A9b vfSqOFDayiE+kHBLz6K/p6KC72t7j1RQSgilFasdVl3bcW3FTfN4E7seb2snQm6dz7S0 Vjd3yYfQhHOf2RdvUKlgCXWjbTy+Dj6vmf+tq4SnSthaG5b3hQ5RK9gBbN1eGHojnPvj FY89zhXvQzyWW59qe+fEUhppPcoL2gROOnwhfbcYL6K1lLsreYAmymNz7IPCT8UHOAky j7KQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id pw28-20020a17090720bc00b0098882d02831si1655531ejb.710.2023.08.04.08.03.55; Fri, 04 Aug 2023 08:04:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231475AbjHDOCK (ORCPT + 99 others); Fri, 4 Aug 2023 10:02:10 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:37596 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231515AbjHDOCF (ORCPT ); Fri, 4 Aug 2023 10:02:05 -0400 Received: from verein.lst.de (verein.lst.de [213.95.11.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8CBC4171D; Fri, 4 Aug 2023 07:02:04 -0700 (PDT) Received: by verein.lst.de (Postfix, from userid 2407) id 523FC68AA6; Fri, 4 Aug 2023 16:02:01 +0200 (CEST) Date: Fri, 4 Aug 2023 16:02:01 +0200 From: Christoph Hellwig To: Christian Brauner Cc: Christoph Hellwig , syzbot , jack@suse.cz, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk Subject: Re: [syzbot] [fs?] KASAN: slab-use-after-free Read in test_bdev_super_fc Message-ID: <20230804140201.GA27600@lst.de> References: <00000000000058d58e06020c1cab@google.com> <20230804101408.GA23274@lst.de> <20230804-abstieg-behilflich-eda2ce9c2c0f@brauner> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20230804-abstieg-behilflich-eda2ce9c2c0f@brauner> User-Agent: Mutt/1.5.17 (2007-11-01) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Fri, Aug 04, 2023 at 03:20:45PM +0200, Christian Brauner wrote: > On Fri, Aug 04, 2023 at 12:14:08PM +0200, Christoph Hellwig wrote: > > FYI, I can reproduce this trivially locally, but even after spending a > > significant time with the trace I'm still puzzled at what is going > > on. I've started trying to make sense of the lockdep report about > > returning to userspace with s_umount held, originall locked in > > get_tree_bdev and am still missing how it could happen. > > So in the old scheme: > > s = alloc_super() > -> down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING); > > and assume you're not finding an old one immediately afterwards you'd > > -> spin_lock(&sb_lock) > > static int set_bdev_super(struct super_block *s, void *data) > { > s->s_bdev = data; > s->s_dev = s->s_bdev->bd_dev; > s->s_bdi = bdi_get(s->s_bdev->bd_disk->bdi); > > if (bdev_stable_writes(s->s_bdev)) > s->s_iflags |= SB_I_STABLE_WRITES; > return 0; > } > > -> spin_unlock(&sb_lock) > > in the new scheme you're doing: > > s = alloc_super() > -> down_write_nested(&s->s_umount, SINGLE_DEPTH_NESTING); > > and assume you're not finding an old one immediately afterwards you'd > > up_write(&s->s_umount); > > error = setup_bdev_super(s, fc->sb_flags, fc); > -> spin_lock(&sb_lock); > sb->s_bdev = bdev; > sb->s_bdi = bdi_get(bdev->bd_disk->bdi); > if (bdev_stable_writes(bdev)) > sb->s_iflags |= SB_I_STABLE_WRITES; > -> spin_unlock(&sb_lock); > > down_write(&s->s_umount); > > Which looks like the lock ordering here is changed? Yes, that none only should be safe, but more importantly should not lead to a return to userspace with s_umount held. Anyway, debugging a regression in mainline right now so I'm taking a break from this one.