From: John Ogness <john.ogness@linutronix.de>
To: Petr Mladek <pmladek@suse.com>
Cc: Joanne Koong <joannelkoong@gmail.com>,
syzbot <syzbot+3686758660f980b402dc@syzkaller.appspotmail.com>,
"amurray@thegoodpenguin.co.uk" <amurray@thegoodpenguin.co.uk>,
brauner@kernel.org, chao@kernel.org, djwong@kernel.org,
jaegeuk@kernel.org, linux-f2fs-devel@lists.sourceforge.net,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-xfs@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [iomap?] kernel BUG in folio_end_read (2)
Date: Thu, 06 Nov 2025 12:42:21 +0106
Message-ID: <87tsz7iea2.fsf@jogness.linutronix.de>
In-Reply-To: <87bjlgqmk5.fsf@jogness.linutronix.de>
On 2025-11-05, John Ogness <john.ogness@linutronix.de> wrote:
>> Another question is whether this is the only problem caused by the patch.
>
> This comparison is quite special. It caught my attention while combing
> through the code.

The reason that this comparison is special is because it is the only one
that does not take wrapping into account. I did it that way originally
because it is ANDed with a wrap check. But this is an ugly special
case. It should use the same wrap check as the other 3 cases in
nbcon.c. If it had, the bug would not have happened.

I always considered these wrap checks to be non-obvious and
error-prone. So what if we create a nice helper function to simplify and
unify the wrap checks? Something like this:
diff --git a/kernel/printk/printk_ringbuffer.c b/kernel/printk/printk_ringbuffer.c
index 839f504db6d30..8499ee642c31d 100644
--- a/kernel/printk/printk_ringbuffer.c
+++ b/kernel/printk/printk_ringbuffer.c
@@ -390,6 +390,17 @@ static unsigned int to_blk_size(unsigned int size)
return size;
}
+/*
+ * Check if @lpos1 is before @lpos2. This takes ringbuffer wrapping
+ * into account. If @lpos1 is more than a full wrap before @lpos2,
+ * it is considered to be after @lpos2.
+ */
+static bool lpos1_before_lpos2(struct prb_data_ring *data_ring,
+ unsigned long lpos1, unsigned long lpos2)
+{
+ return lpos2 - lpos1 - 1 < DATA_SIZE(data_ring);
+}
+
/*
* Sanity checker for reserve size. The ringbuffer code assumes that a data
* block does not exceed the maximum possible size that could fit within the
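Review bot: The comment on lpos1_before_lpos2() leaves both boundaries of the check unstated. With `lpos2 - lpos1 - 1 < DATA_SIZE(data_ring)`, equal positions return false (the subtraction underflows to the largest unsigned long) and a distance of exactly DATA_SIZE(data_ring) still returns true, so "before" means 1 to DATA_SIZE bytes ahead, inclusive. Please say that in the comment and note that the result depends on unsigned long wraparound, because the loops in data_make_reusable() and data_push_tail() terminate on the equal case.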
@@ -577,7 +588,7 @@ static bool data_make_reusable(struct printk_ringbuffer *rb,
unsigned long id;
/* Loop until @lpos_begin has advanced to or beyond @lpos_end. */
- while ((lpos_end - lpos_begin) - 1 < DATA_SIZE(data_ring)) {
+ while (lpos1_before_lpos2(data_ring, lpos_begin, lpos_end)) {
blk = to_block(data_ring, lpos_begin);
/*
@@ -668,7 +679,7 @@ static bool data_push_tail(struct printk_ringbuffer *rb, unsigned long lpos)
* sees the new tail lpos, any descriptor states that transitioned to
* the reusable state must already be visible.
*/
- while ((lpos - tail_lpos) - 1 < DATA_SIZE(data_ring)) {
+ while (lpos1_before_lpos2(data_ring, tail_lpos, lpos)) {
/*
* Make all descriptors reusable that are associated with
* data blocks before @lpos.
@@ -1149,7 +1160,7 @@ static char *data_realloc(struct printk_ringbuffer *rb, unsigned int size,
next_lpos = get_next_lpos(data_ring, blk_lpos->begin, size);
/* If the data block does not increase, there is nothing to do. */
- if (head_lpos - next_lpos < DATA_SIZE(data_ring)) {
+ if (!lpos1_before_lpos2(data_ring, head_lpos, next_lpos)) {
if (wrapped)
blk = to_block(data_ring, 0);
else
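Review bot: The data_realloc() condition is not an equivalent rewrite of the line it replaces. The old test `head_lpos - next_lpos < DATA_SIZE(data_ring)` was true only when head_lpos was 0 to DATA_SIZE - 1 ahead of next_lpos, while `!lpos1_before_lpos2(data_ring, head_lpos, next_lpos)` is true in every case except next_lpos being 1 to DATA_SIZE ahead of head_lpos, so a head_lpos that is DATA_SIZE or more ahead now also takes the nothing-to-do branch. If that is intended, state it in the changelog; if not, keep the original expression at this site.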
@@ -1262,7 +1273,7 @@ static const char *get_data(struct prb_data_ring *data_ring,
/* Regular data block: @begin less than @next and in same wrap. */
if (!is_blk_wrapped(data_ring, blk_lpos->begin, blk_lpos->next) &&
- blk_lpos->begin < blk_lpos->next) {
+ lpos1_before_lpos2(data_ring, blk_lpos->begin, blk_lpos->next)) {
db = to_block(data_ring, blk_lpos->begin);
*data_size = blk_lpos->next - blk_lpos->begin;
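Review bot: The comment above the get_data() check still reads "@begin less than @next", but the new condition is no longer a numeric less-than. `lpos1_before_lpos2()` accepts a begin/next pair that straddles the unsigned long overflow, which `blk_lpos->begin < blk_lpos->next` rejected, and rejects a pair that is more than DATA_SIZE apart, which the old comparison accepted. Update the comment to describe the wrap-aware meaning and call out the behavior change in the changelog, since this is the comparison the message identifies as the source of the bug.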
This change also fixes the issue. Thoughts?
John
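
The boundary behaviour of the wrap check discussed in this message, as an added example that is not part of the original mail or the kernel source. Only the arithmetic `lpos2 - lpos1 - 1 < size` comes from the patch; `DEMO_DATA_SIZE`, the function names and the sample positions are constructed for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed ring size; stands in for DATA_SIZE(data_ring). */
#define DEMO_DATA_SIZE 4096UL

/* Same arithmetic as the helper in the patch, minus the ring struct. */
static bool wrap_before(unsigned long lpos1, unsigned long lpos2)
{
	return lpos2 - lpos1 - 1 < DEMO_DATA_SIZE;
}

/* Plain comparison, as get_data() used before the patch. */
static bool plain_before(unsigned long lpos1, unsigned long lpos2)
{
	return lpos1 < lpos2;
}

/* data_realloc() "nothing to do" test, before and after the patch. */
static bool old_realloc_noop(unsigned long head, unsigned long next)
{
	return head - next < DEMO_DATA_SIZE;
}

static bool new_realloc_noop(unsigned long head, unsigned long next)
{
	return !wrap_before(head, next);
}

int main(void)
{
	/* Constructed positions covering each boundary of the check. */
	static const struct { const char *what; unsigned long a, b; } c[] = {
		{ "equal",                  100, 100 },
		{ "one byte ahead",         100, 101 },
		{ "exactly one ring ahead", 100, 100 + DEMO_DATA_SIZE },
		{ "more than one ring",     100, 101 + DEMO_DATA_SIZE },
		{ "across ULONG_MAX",       ULONG_MAX - 7, 8 },
	};

	for (size_t i = 0; i < sizeof(c) / sizeof(c[0]); i++)
		printf("%-24s wrap=%d plain=%d\n", c[i].what,
		       wrap_before(c[i].a, c[i].b), plain_before(c[i].a, c[i].b));
	printf("realloc, head two rings ahead: old=%d new=%d\n",
	       old_realloc_noop(100 + 2 * DEMO_DATA_SIZE, 100),
	       new_realloc_noop(100 + 2 * DEMO_DATA_SIZE, 100));
	return 0;
}
```

The last two table rows are the cases where the plain and wrap-aware comparisons disagree, and the final line shows the one input class where the old and new data_realloc() conditions differ.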