From: Kent Overstreet <kent.overstreet@gmail.com>
To: hch@lst.de
Cc: ming.lei@redhat.com, colyli@suse.de, linux-bcachefs@vger.kernel.org
Subject: bug in bcachefs -> bio_copy_data_iter
Date: Tue, 9 Nov 2021 17:04:30 -0500
Message-ID: <YYrwbksSPdtITbEs@moria.home.lan>
Hey Christoph, got a strange one.
I've got a user that's reporting a bug where we deref a bad ptr in bio_copy_data
-> memcpy, and reverting your patch "block: rewrite bio_copy_data_iter to use
bvec_kmap_local and memcpy_to_bvec" seems to make it go away.
I haven't figured out what's different yet between the two versions (your patch
looks like it should be functionally equivalent), but clearly I'm missing
something... wonder if there might be some relation to the bug you guys hit in
bcache with bvec_virt.
Any ideas?
[ 395.978225] BUG: unable to handle page fault for address: ffff9b0b8e600000
[ 395.979503] #PF: supervisor read access in kernel mode
[ 395.980720] #PF: error_code(0x0000) - not-present page
[ 395.981953] PGD 182c01067 P4D 182c01067 PUD 182c05067 PMD 26df23067 PTE 800ffffdb19ff060
[ 395.983227] Oops: 0000 [#1] SMP DEBUG_PAGEALLOC NOPTI
[ 395.984422] CPU: 3 PID: 10 Comm: kworker/u8:1 Not tainted 5.15.1-00987-g97f33a3143f5 #5
[ 395.985700] Hardware name: MSI MS-7982/B150M PRO-VDH (MS-7982), BIOS 3.H0 07/10/2018
[ 395.986939] Workqueue: writeback wb_workfn (flush-bcachefs-2)
[ 395.988196] RIP: 0010:memcpy_erms (arch/x86/lib/memcpy_64.S:55)
[ 395.989495] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
All code
========
0: cc int3
1: cc int3
2: cc int3
3: cc int3
4: eb 1e jmp 0x24
6: 0f 1f 00 nopl (%rax)
9: 48 89 f8 mov %rdi,%rax
c: 48 89 d1 mov %rdx,%rcx
f: 48 c1 e9 03 shr $0x3,%rcx
13: 83 e2 07 and $0x7,%edx
16: f3 48 a5 rep movsq %ds:(%rsi),%es:(%rdi)
19: 89 d1 mov %edx,%ecx
1b: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
1d: c3 ret
1e: 66 0f 1f 44 00 00 nopw 0x0(%rax,%rax,1)
24: 48 89 f8 mov %rdi,%rax
27: 48 89 d1 mov %rdx,%rcx
2a:* f3 a4 rep movsb %ds:(%rsi),%es:(%rdi) <-- trapping instruction
2c: c3 ret
2d: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
34: 48 89 f8 mov %rdi,%rax
37: 48 83 fa 20 cmp $0x20,%rdx
3b: 72 7e jb 0xbb
3d: 40 38 fe cmp %dil,%sil
Code starting with the faulting instruction
===========================================
0: f3 a4 rep movsb %ds:(%rsi),%es:(%rdi)
2: c3 ret
3: 0f 1f 80 00 00 00 00 nopl 0x0(%rax)
a: 48 89 f8 mov %rdi,%rax
d: 48 83 fa 20 cmp $0x20,%rdx
11: 72 7e jb 0x91
13: 40 38 fe cmp %dil,%sil
[ 395.990872] RSP: 0018:ffffad9b800ab760 EFLAGS: 00010286
[ 395.992275] RAX: ffff9b0b1b21c000 RBX: 0000000000000200 RCX: 0000000000000e00
[ 395.993705] RDX: 0000000000001000 RSI: ffff9b0b8e600000 RDI: ffff9b0b1b21c200
[ 395.995042] RBP: ffff9b0a4306c300 R08: 0000000000000e00 R09: 0000000000001000
[ 395.996436] R10: 0000000000000200 R11: 0000000000000200 R12: ffff9b0b44b54030
[ 395.997880] R13: ffffad9b800ab7a0 R14: ffffad9b800ab7b8 R15: 0000000000001000
[ 395.999307] FS: 0000000000000000(0000) GS:ffff9b0ba4f80000(0000) knlGS:0000000000000000
[ 396.000697] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 396.002065] CR2: ffff9b0b8e600000 CR3: 0000000182210004 CR4: 00000000003706e0
[ 396.003544] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 396.004997] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 396.006414] Call Trace:
[ 396.007814] bio_copy_data_iter (./include/linux/bio.h:158 block/bio.c:1297)
[ 396.009208] bio_copy_data (block/bio.c:1317)
[ 396.010536] __bch2_write (fs/bcachefs/io.c:969 fs/bcachefs/io.c:1150)
[ 396.011920] ? bch2_writepage_do_io (./include/linux/closure.h:229 fs/bcachefs/fs-io.c:1103)
[ 396.013293] bch2_writepage_do_io (./include/linux/closure.h:229 fs/bcachefs/fs-io.c:1103)
[ 396.014801] __bch2_writepage (fs/bcachefs/fs-io.c:1246)
[ 396.016232] ? __mod_memcg_lruvec_state (mm/memcontrol.c:681)
[ 396.017649] write_cache_pages (mm/page-writeback.c:2255)
[ 396.019106] ? bch2_page_reservation_get.constprop.0 (fs/bcachefs/fs-io.c:1141)
[ 396.020546] bch2_writepages (fs/bcachefs/fs-io.c:1283)
[ 396.022013] ? update_load_avg (kernel/sched/fair.c:3619 kernel/sched/fair.c:3856)
[ 396.023473] do_writepages (mm/page-writeback.c:2364)
[ 396.024943] ? enqueue_task_fair (kernel/sched/fair.c:5626)
[ 396.026408] ? psi_task_change (kernel/sched/psi.c:755 kernel/sched/psi.c:817)
[ 396.027864] __writeback_single_inode (fs/fs-writeback.c:1616)
[ 396.029287] writeback_sb_inodes (fs/fs-writeback.c:1883)
[ 396.030724] __writeback_inodes_wb (fs/fs-writeback.c:1951)
[ 396.032194] wb_writeback (fs/fs-writeback.c:2055)
[ 396.033679] wb_workfn (fs/fs-writeback.c:2209 fs/fs-writeback.c:2237)
[ 396.035115] ? __schedule (kernel/sched/core.c:6295)
[ 396.036607] process_one_work (kernel/workqueue.c:2297)
[ 396.038075] worker_thread (./include/linux/list.h:282 kernel/workqueue.c:2445)
[ 396.039552] ? rescuer_thread (kernel/workqueue.c:2387)
[ 396.041035] kthread (kernel/kthread.c:319)
[ 396.042535] ? set_kthread_struct (kernel/kthread.c:272)
[ 396.043967] ret_from_fork (arch/x86/entry/entry_64.S:295)
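As an added triage example (not part of Kent's mail and not bcachefs or block-layer code): a small Python script that parses the register lines of the oops above and reconstructs the memcpy arguments from the state of the trapping `rep movsb`. It assumes only what the decoded instructions show (memcpy_erms saves the destination in rax and loads rcx from rdx before `rep movsb`, so rdi/rsi are the current pointers and rcx the bytes still to copy) and a 4 KiB page size; the embedded register lines are copied from this oops.

```python
import re

# Register lines from the oops in this mail, embedded so the script runs stand-alone.
OOPS_REGS = """\
[  395.990872] RSP: 0018:ffffad9b800ab760 EFLAGS: 00010286
[  395.992275] RAX: ffff9b0b1b21c000 RBX: 0000000000000200 RCX: 0000000000000e00
[  395.993705] RDX: 0000000000001000 RSI: ffff9b0b8e600000 RDI: ffff9b0b1b21c200
[  396.002065] CR2: ffff9b0b8e600000 CR3: 0000000182210004 CR4: 00000000003706e0
"""

PAGE_SIZE = 4096  # assumption: x86-64 with 4 KiB base pages, as in the dump above

# Matches "RAX: <16 hex>" and "RSP: 0018:<16 hex>" (the segment prefix on RSP is skipped).
_REG_RE = re.compile(r"\b(R[A-Z0-9]{2}|CR[0-9]):\s*(?:[0-9a-f]{4}:)?([0-9a-f]{16})\b")


def parse_regs(text):
    """Return {name: value} for every general/control register in an x86-64 oops."""
    return {m.group(1): int(m.group(2), 16) for m in _REG_RE.finditer(text)}


def triage_rep_movsb(regs):
    """Reconstruct a memcpy that faulted inside 'rep movsb' (memcpy_erms).

    Register meaning at the trapping instruction (see the decoded code in the oops):
      rax = original dst (mov %rdi,%rax), rdx = total length (mov %rdx,%rcx),
      rdi/rsi = current dst/src, rcx = bytes still to copy, CR2 = faulting address.
    """
    total = regs["RDX"]
    copied = regs["RDI"] - regs["RAX"]
    remaining = regs["RCX"]
    src_start = regs["RSI"] - copied
    src_end = src_start + total  # exclusive
    return {
        "total": total,
        "copied": copied,
        "remaining": remaining,
        # False would mean this is not a plain memcpy_erms frame and the arithmetic is off
        "consistent": copied + remaining == total,
        "src_start": src_start,
        "src_offset_in_page": src_start % PAGE_SIZE,
        # the source range spans more than one page
        "src_crosses_page": src_start // PAGE_SIZE != (src_end - 1) // PAGE_SIZE,
        # CR2 == RSI means the read side faulted; CR2 == RDI would be the write side
        "fault_on_src": regs["CR2"] == regs["RSI"],
        "fault_on_dst": regs["CR2"] == regs["RDI"],
        "fault_at_page_start": regs["CR2"] % PAGE_SIZE == 0,
    }


def report(text):
    """Human-readable summary of the reconstructed copy."""
    regs = parse_regs(text)
    t = triage_rep_movsb(regs)
    side = ("source" if t["fault_on_src"]
            else "destination" if t["fault_on_dst"]
            else "neither current pointer")
    lines = [
        f"memcpy of {t['total']:#x} bytes, {t['copied']:#x} copied, {t['remaining']:#x} left"
        + ("" if t["consistent"] else " (INCONSISTENT: not a plain memcpy_erms frame?)"),
        f"source started at {t['src_start']:#x} (offset {t['src_offset_in_page']:#x} in its page)",
        f"source range {'crosses' if t['src_crosses_page'] else 'stays within'} a page boundary",
        f"fault address {regs['CR2']:#x} is the {side}"
        + (", exactly at a page boundary" if t["fault_at_page_start"] else ""),
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(OOPS_REGS))
```

Run on the registers in this mail it reports a 0x1000-byte copy that had moved 0x200 bytes when the read at RSI faulted; RSI equals CR2 and is the first byte of the page after the one the source started in (source offset 0xe00), so the source range crossed a page boundary. The script only tells you where the copy was when it stopped and on which side; why that page was not mapped is a separate question.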
Thread overview: 5+ messages
2021-11-09 22:04 Kent Overstreet [this message]
2021-11-10 12:02 ` bug in bcachefs -> bio_copy_data_iter Coly Li
2022-04-23 17:31 ` Christoph Hellwig
2022-05-07 18:28 ` Kent Overstreet
2022-05-08 7:41 ` Coly Li