From patchwork Mon Dec 16 20:41:22 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Howells X-Patchwork-Id: 13910514 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17]) by smtp.lore.kernel.org (Postfix) with ESMTP id 6F859E77180 for ; Mon, 16 Dec 2024 20:45:38 +0000 (UTC) Received: by kanga.kvack.org (Postfix) id E713C8D0006; Mon, 16 Dec 2024 15:45:37 -0500 (EST) Received: by kanga.kvack.org (Postfix, from userid 40) id DF81A8D0001; Mon, 16 Dec 2024 15:45:37 -0500 (EST) X-Delivered-To: int-list-linux-mm@kvack.org Received: by kanga.kvack.org (Postfix, from userid 63042) id C234F8D0006; Mon, 16 Dec 2024 15:45:37 -0500 (EST) X-Delivered-To: linux-mm@kvack.org Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com [216.40.44.13]) by kanga.kvack.org (Postfix) with ESMTP id 6AD098D0001 for ; Mon, 16 Dec 2024 15:45:37 -0500 (EST) Received: from smtpin13.hostedemail.com (a10.router.float.18 [10.200.18.1]) by unirelay04.hostedemail.com (Postfix) with ESMTP id 30C121A0127 for ; Mon, 16 Dec 2024 20:45:37 +0000 (UTC) X-FDA: 82902001980.13.3F20517 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by imf09.hostedemail.com (Postfix) with ESMTP id 22A19140018 for ; Mon, 16 Dec 2024 20:45:14 +0000 (UTC) Authentication-Results: imf09.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=VDwHQU62; spf=pass (imf09.hostedemail.com: domain of dhowells@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=dhowells@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=hostedemail.com; s=arc-20220608; t=1734381922; h=from:from:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:dkim-signature; bh=Oo1wq8deJtNt2OQQxJVQAHf3OBjfRH+YniUEyQHkJfs=; b=YmVswYWJXMBmGA8DVKSkevzZah0j8pjPcClZCMqcEGDrJ9fTdSAs4GcDBr3LcsZocbS9K4 q2PUuwVq3nTaoU84LownGp3FORxrzM7fDwCva+YikS/K6jBC2KhWILMXj+kzXj+wbTt1jn oBXY4xExKdRRtDy/TDtSmuq0LM3nK4M= ARC-Authentication-Results: i=1; imf09.hostedemail.com; dkim=pass header.d=redhat.com header.s=mimecast20190719 header.b=VDwHQU62; spf=pass (imf09.hostedemail.com: domain of dhowells@redhat.com designates 170.10.129.124 as permitted sender) smtp.mailfrom=dhowells@redhat.com; dmarc=pass (policy=none) header.from=redhat.com ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1734381922; a=rsa-sha256; cv=none; b=FxgFi95FfMxPGPJi/hnKgc9GT9AXSy9LAXyrISZASig09M0Bso/yG6lEgjc6edQPqTht80 X0V0xyPSjdmTe9zB4Cd61RJllRAOehpEeJeNY86JxHASzF7uBP9KO6Qe6nTAonRxr072kV 2Q8T2hXYPjA3+eOj5E54bDRto1chHcc= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1734381934; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Oo1wq8deJtNt2OQQxJVQAHf3OBjfRH+YniUEyQHkJfs=; b=VDwHQU6255+nhMSZivKrf+aewrX0JXWZp1/8g6TFDuXlXrOWuIimVOftxoUYobE+I0I48E MnoWgWfLdoKYd4pfQSrKZ9n0DnI376t6o0+Z4uumhPVRgMVIInF4+w4h9Kdj4AlLet23eV sKjhw0EzHwsx+f2o6g2XdEUnFhOWydw= Received: from mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-465-XuzHjsQvNUyN5PcUdS5A8w-1; Mon, 16 Dec 2024 15:45:31 -0500 X-MC-Unique: XuzHjsQvNUyN5PcUdS5A8w-1 X-Mimecast-MFC-AGG-ID: XuzHjsQvNUyN5PcUdS5A8w Received: from mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id A8C74195608E; Mon, 16 Dec 2024 20:45:28 +0000 (UTC) Received: from warthog.procyon.org.com (unknown [10.42.28.48]) by mx-prod-int-02.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTP id 9BF4B19560A2; Mon, 16 Dec 2024 20:45:22 +0000 (UTC) From: David Howells To: Christian Brauner , Steve French , Matthew Wilcox Cc: David Howells , Jeff Layton , Gao Xiang , Dominique Martinet , Marc Dionne , Paulo Alcantara , Shyam Prasad N , Tom Talpey , Eric Van Hensbergen , Ilya Dryomov , netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org, ceph-devel@vger.kernel.org, v9fs@lists.linux.dev, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+af5c06208fa71bf31b16@syzkaller.appspotmail.com, Chang Yu Subject: [PATCH v5 32/32] netfs: Report on NULL folioq in netfs_writeback_unlock_folios() Date: Mon, 16 Dec 2024 20:41:22 +0000 Message-ID: <20241216204124.3752367-33-dhowells@redhat.com> In-Reply-To: <20241216204124.3752367-1-dhowells@redhat.com> References: <20241216204124.3752367-1-dhowells@redhat.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 3.0 on 10.30.177.15 X-Rspamd-Queue-Id: 22A19140018 X-Stat-Signature: zgbc9sr9miukdo6kcn8hcdbnkqbhxn4u X-Rspam-User: X-Rspamd-Server: rspam11 X-HE-Tag: 1734381914-605507 X-HE-Meta: U2FsdGVkX193fBBI01/aYo4095w35kirH1foHlduWUlIV+TTxlT2JOiUShKZxLskqtCjfbmvHoFkV/Txvwl8EoxgKRLZ+M9zypM4ev2FT0lgPn8df2l93U46t7ruo1uepnb+JaC9dHfAU+mQmt/qfePy+4ThJMAMpjBHvGBIX77PxNj0ROdC8CrIcscu9fKGLec6AH96+txHN+4IaCR12Y+zktP17de76KZVorcTryf0yl6F0TgoxXchb2cubIIpBJbPZnlgrDA+d+yJrh9m3hZ7knAzPaxpkDJcghweZ+3AnaPcj4DMrfirDNXAgy0dZ7x6OShHr1wbibunCjh2gUsudeHEQJaPj2byGuRHqW8HVsnQrUbvJqDN+wZEu80DWpp72xBBLsVe4SY0zShupwCuxXxm/JxxeGqdRhpoMU5VLfssEV7UzFS7XMRKvBzWpYCjYPtfschh+7V77HKBJsaZ7kLlwDXBrv+zARjhHFh/3zs97JbKg/3F8HicZAIz3HUjRkraqhDKqMBSa6QGxYRX578b1qN4moWGbQSLxnD00uqL9pxDkJS0ZSIFGwk6uCRnQ3jHygNiC+99rchDnipB3MQ7GoITRXTnqYLZ9cYUPsDlCeRO1B5/+/TLqlHoYvIgJntctXLqcMmK5jP0vqeNrXeDB52VcH6F1UIvdADH6UQf4wdprICKpwwKDoCBfCjef3tx8oVt1ayII7EgThlpGyeRLv5aXwrQ8vTkB6ei2IVtgheJqA8SzDGHTpPusl3PK+5kD4RV6g3F1+MPJSUuxLTjY6mDB+3Qr5jyn8weeHr3FswjMBN6kb4Mr8EwWjyzKAiSIDJWgNar5X4xE+/IHCF1EL6Kz5raPeuOdlRN+ljiD03ydWZqy/8Jha2HCIJ6lFD3iMLNa08ep4j+ITqmAy3zsnXXGV3G0zDXYYAmixxzBgwwdnu4MGOInNRFPJVyz9iTdBAq6dJmLrP 7m8FxdUr xCVyWHUIiobbWy0q5ex0o0Xwt1mQjLU+1AHQpapaSeZuzkUICF9tjuj88k1WX0/f/fPW8dCR4/b4fhqrx0HcqW4Sz4qNmZTJ3pAqzIeGybjcFVy9D0V8+lvmCqV/izpv6j1qRGNJ9qfr2csxcH3JkBo8D8Jc5doJ7//W0+ZJeT3UH5/jSQ29dN9gx0QYQhoTD9rAGG22/Ri8UYSSLS9mKBFIaIQmrVzdmxY+dqE5eEmE2BaApGUXG4dTvWPPwKXjmiIg2k17WVJCAMHl+oliufK97JseiI60LX80X55TB4KTHBnT5ABwxTpjPrD6Ro245OtwyU8uZDh5FaL5x1pyA9DRSALx6546/a4aWagbR2hnLdZv3A+P4Fh/X9sEWWkY7wki3Swm7Afpt0v3x9Zst+us9piek3XC5RnDaB3oHEaOz4UugKSXjoh/J3ywydj6qOrYFBBSOdlB44qE7KqDV5rTneAVeuQVpCz0qFjJtp61ubwChq9kqzp+KFTuFxNaRQ6fjprg4gur8J6CqL2xeq7rZjyG9JSaJvaqO7xs/gKIQF9bjdat2NKbAg1reuivCF0FNBrd+VZ483QdEAIjABPs7RIy194cmSA82Bij2BhMxF35oBCqeZZ+bqKYNj7N5paPFWUfDozqK4Tk5dPvj4v2QdV1PjERazVFC X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4 Sender: owner-linux-mm@kvack.org Precedence: bulk X-Loop: owner-majordomo@kvack.org List-ID: List-Subscribe: List-Unsubscribe: It seems that it's possible to get to netfs_writeback_unlock_folios() with an empty rolling buffer during buffered writes. This should not be possible as the rolling buffer is initialised as the write request is set up and thereafter maintains at least one folio_queue struct therein until it gets destroyed. This allows lockless addition and removal of folio_queue structs in the buffer because, unlike with a ring buffer, the producer and consumer each only need to look at and alter one pointer into the buffer. Now, the rolling buffer is only used for buffered I/O operations as netfs_collect_write_results() should only call netfs_writeback_unlock_folios() if the request is of origin type NETFS_WRITEBACK, NETFS_WRITETHROUGH or NETFS_PGPRIV2_COPY_TO_CACHE. So it would seem that one of the following occurred: (1) I/O started before the request was fully initialised, (2) the origin got switched mid-flow or (3) the request has already been freed and this is a UAF error. I think the last is the most likely. Make netfs_writeback_unlock_folios() report information about the request and subrequests if folioq is seen to be NULL to try and help debug this, throw a warning and return. Note that this does not try to fix the problem. Reported-by: syzbot+af5c06208fa71bf31b16@syzkaller.appspotmail.com Link: https://syzkaller.appspot.com/bug?extid=af5c06208fa71bf31b16 Signed-off-by: David Howells cc: Chang Yu Link: https://lore.kernel.org/r/ZxshMEW4U7MTgQYa@gmail.com/ cc: Jeff Layton cc: netfs@lists.linux.dev cc: linux-fsdevel@vger.kernel.org --- fs/netfs/write_collect.c | 34 ++++++++++++++++++++++++++++++++++ 1 file changed, 34 insertions(+) diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c index 1b7f53d01b8d..294f67795f79 100644 --- a/fs/netfs/write_collect.c +++ b/fs/netfs/write_collect.c @@ -21,6 +21,34 @@ #define NEED_RETRY 0x10 /* A front op requests retrying */ #define SAW_FAILURE 0x20 /* One stream or hit a permanent failure */ +static void netfs_dump_request(const struct netfs_io_request *rreq) +{ + pr_err("Request R=%08x r=%d fl=%lx or=%x e=%ld\n", + rreq->debug_id, refcount_read(&rreq->ref), rreq->flags, + rreq->origin, rreq->error); + pr_err(" st=%llx tsl=%zx/%llx/%llx\n", + rreq->start, rreq->transferred, rreq->submitted, rreq->len); + pr_err(" cci=%llx/%llx/%llx\n", + rreq->cleaned_to, rreq->collected_to, atomic64_read(&rreq->issued_to)); + pr_err(" iw=%pSR\n", rreq->netfs_ops->issue_write); + for (int i = 0; i < NR_IO_STREAMS; i++) { + const struct netfs_io_subrequest *sreq; + const struct netfs_io_stream *s = &rreq->io_streams[i]; + + pr_err(" str[%x] s=%x e=%d acnf=%u,%u,%u,%u\n", + s->stream_nr, s->source, s->error, + s->avail, s->active, s->need_retry, s->failed); + pr_err(" str[%x] ct=%llx t=%zx\n", + s->stream_nr, s->collected_to, s->transferred); + list_for_each_entry(sreq, &s->subrequests, rreq_link) { + pr_err(" sreq[%x:%x] sc=%u s=%llx t=%zx/%zx r=%d f=%lx\n", + sreq->stream_nr, sreq->debug_index, sreq->source, + sreq->start, sreq->transferred, sreq->len, + refcount_read(&sreq->ref), sreq->flags); + } + } +} + /* * Successful completion of write of a folio to the server and/or cache. Note * that we are not allowed to lock the folio here on pain of deadlocking with @@ -87,6 +115,12 @@ static void netfs_writeback_unlock_folios(struct netfs_io_request *wreq, unsigned long long collected_to = wreq->collected_to; unsigned int slot = wreq->buffer.first_tail_slot; + if (WARN_ON_ONCE(!folioq)) { + pr_err("[!] Writeback unlock found empty rolling buffer!\n"); + netfs_dump_request(wreq); + return; + } + if (wreq->origin == NETFS_PGPRIV2_COPY_TO_CACHE) { if (netfs_pgpriv2_unlock_copied_folios(wreq)) *notes |= MADE_PROGRESS;