From: Matthew Wilcox <willy@infradead.org>
To: syzbot <syzbot+8b23309d5788a79d3eea@syzkaller.appspotmail.com>
Cc: axboe@kernel.dk, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [block?] general protection fault in bio_first_folio
Date: Sat, 16 Dec 2023 05:53:14 +0000 [thread overview]
Message-ID: <ZX07SsSqIQ2TYwEi@casper.infradead.org> (raw)
In-Reply-To: <0000000000006c14cd060c99ac12@google.com>
On Fri, Dec 15, 2023 at 09:20:22PM -0800, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
Good bot.
> commit 1b151e2435fc3a9b10c8946c6aebe9f3e1938c55
> Author: Matthew Wilcox (Oracle) <willy@infradead.org>
> Date: Mon Aug 14 14:41:00 2023 +0000
>
> block: Remove special-casing of compound pages
>
> bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=152f8a8ee80000
> final oops: https://syzkaller.appspot.com/x/report.txt?x=172f8a8ee80000
> console output: https://syzkaller.appspot.com/x/log.txt?x=132f8a8ee80000
>
> general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
I _think_ what's happened here is that __bio_release_pages() was called
with a zero-length bio.
> CPU: 0 PID: 5059 Comm: syz-executor696 Not tainted 6.7.0-rc5-next-20231212-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
> RIP: 0010:_compound_head include/linux/page-flags.h:247 [inline]
> RIP: 0010:bio_first_folio+0xcb/0x5c0 include/linux/bio.h:289
... bio_first_folio() doesn't handle it well, whereas
bio_for_each_segment_all() did.
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
#syz test git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next abb240f7a2bd
diff --git a/include/linux/bio.h b/include/linux/bio.h
index ec4db73e5f4e..1518f1201ddd 100644
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -286,6 +286,11 @@ static inline void bio_first_folio(struct folio_iter *fi, struct bio *bio,
{
struct bio_vec *bvec = bio_first_bvec_all(bio) + i;
+ if (i >= bio->bi_vcnt) {
+ fi->folio = NULL;
+ return;
+ }
+
fi->folio = page_folio(bvec->bv_page);
fi->offset = bvec->bv_offset +
PAGE_SIZE * (bvec->bv_page - &fi->folio->page);
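Review bot: the bound check in this hunk sits after `struct bio_vec *bvec = bio_first_bvec_all(bio) + i;`, so the out-of-range bvec pointer is still computed before `i >= bio->bi_vcnt` is tested. It is never dereferenced on that path, so this is not a bug, but moving the guard above the `bvec` assignment would make the intent obvious and avoid any question about pointer arithmetic past the end of the array. A second point: on the early-return path only `fi->folio` is set, leaving `fi->offset`, `fi->length`, `fi->_seg_count` and `fi->_i` untouched, so the contract that a NULL `fi->folio` is the sole end-of-iteration sentinel deserves a one-line comment here, since every caller of `bio_first_folio()` now has to rely on it.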
@@ -303,10 +308,8 @@ static inline void bio_next_folio(struct folio_iter *fi, struct bio *bio)
fi->offset = 0;
fi->length = min(folio_size(fi->folio), fi->_seg_count);
fi->_next = folio_next(fi->folio);
- } else if (fi->_i + 1 < bio->bi_vcnt) {
- bio_first_folio(fi, bio, fi->_i + 1);
} else {
- fi->folio = NULL;
+ bio_first_folio(fi, bio, fi->_i + 1);
}
}
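Review bot: this hunk removes the `fi->_i + 1 < bio->bi_vcnt` test from `bio_next_folio()` and unconditionally calls `bio_first_folio(fi, bio, fi->_i + 1)`, so correctness now depends entirely on the range check added to `bio_first_folio()` in the first hunk; the two hunks are only safe together, and a short comment on the `else` branch ("bio_first_folio() sets fi->folio to NULL past bi_vcnt") would stop a future refactor from dropping the callee-side check. Behaviour for the non-empty bio is unchanged: the old branch wrote `fi->folio = NULL` and the callee now does the same, which matches the message's diagnosis that the direct `bio_first_folio(fi, bio, 0)` call on a zero-length bio was the only path that lacked the check.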