Re: [syzbot] [nilfs?] general protection fault in touch_buffer

From: Ryusuke Konishi
Date: Fri Nov 01 2024 - 20:12:58 EST

Next message: Hillf Danton: "Re: [BUG] -next lockdep invalid wait context"
Previous message: Samuel Holland: "[PATCH 11/11] riscv: dts: starfive: jh7100: Use physical memory ranges for DMA"
Next in thread: syzbot: "Re: [syzbot] [nilfs?] general protection fault in touch_buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The cause of this problem seems to be that bh->b_bdev is not set when
touch_buffer() is called (it is set later by the calling functions).

This causes a general protection fault when the trace point
trace_block_touch_buffer() in touch_buffer() references
bh->b_bdev->bd_dev.

touch_buffer() mark the folio owned by the buffer as accessed by
calling folio_mark_accessed(), but nilfs_grab_buffer(), the only
caller of __nilfs_get_folio_block(), acquires the folio through
filemap_grab_folio(), which sets the folio as accessed by specifying
the FGP_ACCESSED flag, so there is not need to call touch_buffer() in
the first place.

Once I have confirmed that there is not problem, including the past
history, I will turn this into a formal bug fix patch.

Ryusuke Konishi

#syz test

diff --git a/fs/nilfs2/page.c b/fs/nilfs2/page.c
index 10def4b55995..296dbf9cca22 100644
--- a/fs/nilfs2/page.c
+++ b/fs/nilfs2/page.c
@@ -39,7 +39,6 @@ static struct buffer_head *__nilfs_get_folio_block(struct folio *folio,
first_block = (unsigned long)index << (PAGE_SHIFT - blkbits);
bh = get_nth_bh(bh, block - first_block);

- touch_buffer(bh);
wait_on_buffer(bh);
return bh;
}
--
2.43.0

Next message: Hillf Danton: "Re: [BUG] -next lockdep invalid wait context"
Previous message: Samuel Holland: "[PATCH 11/11] riscv: dts: starfive: jh7100: Use physical memory ranges for DMA"
Next in thread: syzbot: "Re: [syzbot] [nilfs?] general protection fault in touch_buffer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]