From: Dominique Martinet <asmadeus@codewreck.org>
To: Matthew Wilcox <willy@infradead.org>
Cc: syzbot <syzbot+c0dc46208750f063d0e0@syzkaller.appspotmail.com>,
	v9fs@lists.linux.dev, dhowells@redhat.com, jlayton@kernel.org,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	netfs@lists.linux.dev, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [netfs?] kernel BUG in folio_unlock (3)
Date: Fri, 21 Feb 2025 07:05:46 +0900
Message-ID: <Z7enOheevlbS1xpH@codewreck.org>
In-Reply-To: <Z7dVOaTWTVCojNzr@casper.infradead.org>

Matthew Wilcox wrote on Thu, Feb 20, 2025 at 04:15:53PM +0000:
> On Thu, Feb 20, 2025 at 08:00:24AM -0800, syzbot wrote:
> > ------------[ cut here ]------------
> > kernel BUG at mm/filemap.c:1499!
> 
> Tried to unlock a folio that wasn't locked.
> 
> The entire log is interesting:
> 
> https://syzkaller.appspot.com/x/log.txt?x=12af2fdf980000
> 
> It injects a failure which hits p9_tag_alloc() (so adding the 9p people
> to the cc)

9p is calling iov_iter_revert() in p9_client_write() on failure, but at
this point of the failure copy_from_iter_full (which advanced the iter)
wasn't called yet because the format processing happens after
allocation...

This was changed by Al Viro in 2015 so it's a "fairly old" bug, but it's
a bug on 9p side alright - thanks for the cc

Now to figure out how to decide if we want to revert or not... I
honestly don't have any bright idea, but I don't know the iov API well
at all -- perhaps it's possible to copy without advancing and only
advance the iov if IO worked?

-- 
Dominique Martinet | Asmadeus
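
The failure ordering described in this message, as an added userspace illustration (not code from the thread or from the 9p client): a toy iterator with hypothetical `toy_*` names stands in for the iov_iter, and a failed write reverts either a fixed length or only the bytes actually consumed. It models the bookkeeping only and is not a proposed kernel fix.

```c
#include <stdio.h>
#include <string.h>

/* Toy userspace model of an iov_iter (hypothetical names, not kernel code). */
struct toy_iter { const char *base; size_t off, count; };

/* All-or-nothing copy that advances the iterator on success. */
static int toy_copy_full(void *dst, size_t n, struct toy_iter *it)
{
    if (n > it->count)
        return 0;
    memcpy(dst, it->base + it->off, n);
    it->off += n;
    it->count -= n;
    return 1;
}

/* Unchecked rewind: trusts the caller that n bytes were really consumed. */
static void toy_revert(struct toy_iter *it, size_t n)
{
    it->off -= n;
    it->count += n;
}

/* Same order as in the message: allocation first, copy second, I/O last. */
static int toy_request(struct toy_iter *it, size_t len, int fail_alloc, int fail_io)
{
    char payload[64];
    if (fail_alloc)
        return -1;                  /* iterator not advanced yet */
    if (len > sizeof(payload) || !toy_copy_full(payload, len, it))
        return -1;
    return fail_io ? -1 : 0;        /* iterator already advanced by len */
}

/* Failed 8-byte write on a constructed 16-byte iterator; returns the bytes it
 * then claims to hold. measure=0 reverts len, measure=1 reverts what was consumed. */
static size_t remaining_after_failure(int measure, int fail_alloc, int fail_io)
{
    struct toy_iter it = { "0123456789abcdef", 0, 16 };
    size_t before = it.count;
    if (toy_request(&it, 8, fail_alloc, fail_io))
        toy_revert(&it, measure ? before - it.count : 8);
    return it.count;
}

int main(void)
{
    printf("revert len, alloc failure:      %zu\n", remaining_after_failure(0, 1, 0));
    printf("revert consumed, alloc failure: %zu\n", remaining_after_failure(1, 1, 0));
}
```

In the model, reverting a fixed length after the early failure leaves the iterator claiming 24 bytes of a 16-byte buffer, while measuring the consumed amount restores 16 in both failure cases.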
