[PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock

netfs.lists.linux.dev archive mirror
 help / color / mirror / Atom feed

* [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios
@ 2024-10-25  4:40 Chang Yu
  2024-10-25  8:05 ` David Howells
  0 siblings, 1 reply; 4+ messages in thread
From: Chang Yu @ 2024-10-25  4:40 UTC (permalink / raw)
  To: dhowells
  Cc: jlayton, netfs, linux-fsdevel, linux-kernel,
	syzbot+af5c06208fa71bf31b16, skhan

syzkaller reported a null-pointer dereference bug
(https://syzkaller.appspot.com/bug?extid=af5c06208fa71bf31b16) in
netfs_writeback_unlock_folios caused by passing a NULL folioq to
folioq_folio. Fix by adding a check before entering the loop.

Signed-off-by: Chang Yu <marcus.yu.56@gmail.com>
Reported-by: syzbot+af5c06208fa71bf31b16@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=af5c06208fa71bf31b16
Fixes: cd0277ed0c18 ("netfs: Use new folio_queue data type and iterator instead of xarray iter")
---
 fs/netfs/write_collect.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/netfs/write_collect.c b/fs/netfs/write_collect.c
index 1d438be2e1b4..23d46a409ff2 100644
--- a/fs/netfs/write_collect.c
+++ b/fs/netfs/write_collect.c
@@ -98,7 +98,7 @@ static void netfs_writeback_unlock_folios(struct netfs_io_request *wreq,
 		slot = 0;
 	}
 
-	for (;;) {
+	while (folioq) {
 		struct folio *folio;
 		struct netfs_folio *finfo;
 		unsigned long long fpos, fend;
-- 
2.47.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios
  2024-10-25  4:40 [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios Chang Yu
@ 2024-10-25  8:05 ` David Howells
  2024-10-26  1:01   ` Chang Yu
  2024-10-31 14:06   ` David Howells
  0 siblings, 2 replies; 4+ messages in thread
From: David Howells @ 2024-10-25  8:05 UTC (permalink / raw)
  To: Chang Yu
  Cc: dhowells, jlayton, netfs, linux-fsdevel, linux-kernel,
	syzbot+af5c06208fa71bf31b16, skhan

Chang Yu <marcus.yu.56@gmail.com> wrote:

> syzkaller reported a null-pointer dereference bug
> (https://syzkaller.appspot.com/bug?extid=af5c06208fa71bf31b16) in
> netfs_writeback_unlock_folios caused by passing a NULL folioq to
> folioq_folio. Fix by adding a check before entering the loop.

And, of course, the preceding:

	if (slot >= folioq_nr_slots(folioq)) {

doesn't oops because it doesn't actually dereference folioq.

However... if we get into this function, there absolutely *should* be at least
one folioq in the rolling buffer.  Part of the rolling buffer's method of
operation involves keeping at least one folioq around at all times so that we
don't need to use locks to add/remove from the queue.

Either the rolling buffer wasn't initialised yet (and it should be initialised
for all write requests by netfs_create_write_req()) or it has been destroyed
already.

Either way, your patch is, unfortunately, just covering up the symptoms rather
than fixing the root cause.  I suggest instead that we patch the function to
detect the empty rolling buffer up front, dump some information about the bad
request and return.

David

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios
  2024-10-25  8:05 ` David Howells
@ 2024-10-26  1:01   ` Chang Yu
  2024-10-31 14:06   ` David Howells
  1 sibling, 0 replies; 4+ messages in thread
From: Chang Yu @ 2024-10-26  1:01 UTC (permalink / raw)
  To: David Howells
  Cc: Chang Yu, jlayton, netfs, linux-fsdevel, linux-kernel,
	syzbot+af5c06208fa71bf31b16, skhan

On Fri, Oct 25, 2024 at 09:05:53AM +0100, David Howells wrote:
> Chang Yu <marcus.yu.56@gmail.com> wrote:
> 
> > syzkaller reported a null-pointer dereference bug
> > (https://syzkaller.appspot.com/bug?extid=af5c06208fa71bf31b16) in
> > netfs_writeback_unlock_folios caused by passing a NULL folioq to
> > folioq_folio. Fix by adding a check before entering the loop.
> 
> And, of course, the preceding:
> 
> 	if (slot >= folioq_nr_slots(folioq)) {
> 
> doesn't oops because it doesn't actually dereference folioq.
> 
> However... if we get into this function, there absolutely *should* be at least
> one folioq in the rolling buffer.  Part of the rolling buffer's method of
> operation involves keeping at least one folioq around at all times so that we
> don't need to use locks to add/remove from the queue.
> 
> Either the rolling buffer wasn't initialised yet (and it should be initialised
> for all write requests by netfs_create_write_req()) or it has been destroyed
> already.
> 
> Either way, your patch is, unfortunately, just covering up the symptoms rather
> than fixing the root cause.  I suggest instead that we patch the function to
> detect the empty rolling buffer up front, dump some information about the bad
> request and return.
> 
> David
> 
I see. This might be a stupid question, but is it ever possible that we have
exactly one folioq and at the same time

        slot >= folioq_nr_slots(folioq)

is true? Then I imagine netfs_delete_buffer_head would return NULL and
cause the bug to trigger as well?

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios
  2024-10-25  8:05 ` David Howells
  2024-10-26  1:01   ` Chang Yu
@ 2024-10-31 14:06   ` David Howells
  1 sibling, 0 replies; 4+ messages in thread
From: David Howells @ 2024-10-31 14:06 UTC (permalink / raw)
  To: Chang Yu
  Cc: dhowells, jlayton, netfs, linux-fsdevel, linux-kernel,
	syzbot+af5c06208fa71bf31b16, skhan

Chang Yu <marcus.yu.56@gmail.com> wrote:

> I see. This might be a stupid question, but is it ever possible that we have
> exactly one folioq and at the same time
> 
>         slot >= folioq_nr_slots(folioq)
> 
> is true? Then I imagine netfs_delete_buffer_head would return NULL and
> cause the bug to trigger as well?

Whilst it is possible for "slot >= folioq_nr_slots(folioq)" to be true on what
is currently the last folioq, wreq->cleaned_to suggests that there must be
still-locked folios in the queue:

		unsigned long long clean_to = min(wreq->collected_to, wreq->contiguity);
		if (wreq->cleaned_to < clean_to)
			netfs_writeback_unlock_folios(wreq, clean_to, &notes);

David


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2024-10-31 14:06 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-25  4:40 [PATCH] netfs: Add a check for NULL folioq in netfs_writeback_unlock_folios Chang Yu
2024-10-25  8:05 ` David Howells
2024-10-26  1:01   ` Chang Yu
2024-10-31 14:06   ` David Howells

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).