On Thu, 2 Jul 2020 at 19:40, Qian Cai <cai@xxxxxx> wrote: > > On Mon, Jun 29, 2020 at 09:39:45PM +0200, Christoph Hellwig wrote: > > Split out a __submit_bio_noacct helper for the actual de-recursion > > algorithm, and simplify the loop by using a continue when we can't > > enter the queue for a bio. > > > > Signed-off-by: Christoph Hellwig <hch@xxxxxx> Kernel BUG: on arm64 and x86_64 devices running linux next-rc3-next-20200702 with KASAN config enabled. While running mkfs -t ext4. metadata: git branch: master git repo: https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git git commit: d37d57041350dff35dd17cbdf9aef4011acada38 git describe: next-20200702 make_kernelversion: 5.8.0-rc3 kernel-config: https://builds.tuxbuild.com/DnjQHvYrx586eUoFxtYZxQ/kernel.config steps to reproduce: # mkfs -t ext4 /dev/disk/by-id/ata-SanDisk_SDSSDA120G_165193445014 BUG: KASAN: stack-out-of-bounds in bio_alloc_bioset+0x28c/0x2c8 [ 59.398307] Read of size 8 at addr ffff0009084277e0 by task mkfs.ext4/417 [ 59.405121] [ 59.406644] CPU: 5 PID: 417 Comm: mkfs.ext4 Not tainted 5.8.0-rc3-next-20200702 #1 [ 59.414248] Hardware name: ARM Juno development board (r2) (DT) [ 59.420195] Call trace: [ 59.422683] dump_backtrace+0x0/0x2b8 [ 59.426386] show_stack+0x18/0x28 [ 59.429741] dump_stack+0xec/0x144 [ 59.433183] print_address_description.isra.0+0x6c/0x448 [ 59.438531] kasan_report+0x134/0x200 [ 59.442226] __asan_load8+0x9c/0xd8 [ 59.445751] bio_alloc_bioset+0x28c/0x2c8 [ 59.449796] bio_clone_fast+0x28/0x98 [ 59.453492] bio_split+0x64/0x138 [ 59.456842] __blk_queue_split+0x534/0x698 [ 59.460979] blk_mq_submit_bio+0x10c/0x680 [ 59.465118] submit_bio_noacct+0x57c/0x640 [ 59.469253] submit_bio+0xc0/0x358 [ 59.472688] submit_bio_wait+0xc0/0x110 [ 59.476561] blkdev_issue_discard+0xd0/0x138 [ 59.480877] blk_ioctl_discard+0x1b8/0x238 [ 59.485008] blkdev_common_ioctl+0x594/0xd38 [ 59.489312] blkdev_ioctl+0x130/0x578 [ 59.493010] block_ioctl+0x78/0x98 [ 59.496453] ksys_ioctl+0xb8/0xf8 [ 59.499808] __arm64_sys_ioctl+0x44/0x60 [ 59.503781] el0_svc_common.constprop.0+0xa4/0x1e0 [ 59.508615] do_el0_svc+0x38/0xa0 [ 59.511967] el0_sync_handler+0x98/0x1a8 [ 59.515922] el0_sync+0x158/0x180 [ 59.519255] [ 59.520761] The buggy address belongs to the page: [ 59.525590] page:fffffe00240109c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 59.533895] flags: 0x2ffff00000000000() [ 59.537779] raw: 2ffff00000000000 0000000000000000 fffffe00240109c8 0000000000000000 [ 59.545575] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 59.553352] page dumped because: kasan: bad access detected [ 59.558947] [ 59.560463] addr ffff0009084277e0 is located in stack of task mkfs.ext4/417 at offset 48 in frame: [ 59.569475] submit_bio_noacct+0x0/0x640 [ 59.573423] [ 59.574930] this frame has 2 objects: [ 59.578624] [32, 48) 'bio_list' [ 59.578644] [64, 96) 'bio_list_on_stack' [ 59.581889] [ 59.587412] Memory state around the buggy address: [ 59.592243] ffff000908427680: 00 00 00 f2 00 00 00 f2 f2 f2 00 00 00 00 00 f3 [ 59.599510] ffff000908427700: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 59.606777] >ffff000908427780: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 [ 59.614031] ^ [ 59.620427] ffff000908427800: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 [ 59.627694] ffff000908427880: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 [ 59.634946] ================================================================== [ 59.642198] Disabling lock debugging due to kernel taint Kernel BUG on x86_64: [ 17.809563] ================================================================== [ 17.816786] BUG: KASAN: stack-out-of-bounds in bio_alloc_bioset+0x31f/0x340 [ 17.823750] Read of size 8 at addr ffff888225f9f450 by task systemd-udevd/361 [ 17.830881] [ 17.832384] CPU: 0 PID: 361 Comm: systemd-udevd Not tainted 5.8.0-rc3-next-20200702 #1 [ 17.840294] Hardware name: Supermicro SYS-5019S-ML/X11SSH-F, BIOS 2.2 05/23/2018 [ 17.847686] Call Trace: [ 17.850143] dump_stack+0x84/0xba [ 17.853462] print_address_description.constprop.0+0x1f/0x210 [ 17.859212] ? _raw_spin_lock_irqsave+0x7c/0xd0 [ 17.859214] ? _raw_write_lock_irqsave+0xd0/0xd0 [ 17.859217] ? bio_alloc_bioset+0x31f/0x340 [ 17.859220] kasan_report.cold+0x37/0x7c [ 17.859222] ? bio_alloc_bioset+0x31f/0x340 [ 17.859224] __asan_load8+0x86/0xb0 [ 17.859226] bio_alloc_bioset+0x31f/0x340 [ 17.859228] ? bvec_alloc+0x160/0x160 [ 17.859230] ? bio_alloc_bioset+0x253/0x340 [ 17.859232] ? mpage_alloc.isra.0+0x37/0x120 [ 17.859234] ? do_mpage_readpage+0x740/0xd40 [ 17.859236] ? mpage_readahead+0x196/0x280 [ 17.859238] ? blkdev_readahead+0x10/0x20 [ 17.859241] ? read_pages+0x149/0x470 [ 17.859243] ? page_cache_readahead_unbounded+0x2de/0x360 [ 17.859246] ? __do_page_cache_readahead+0x6c/0x80 [ 17.859248] bio_clone_fast+0x14/0x30 [ 17.859250] bio_split+0x64/0x1b0 [ 17.859252] __blk_queue_split+0x417/0x8d0 [ 17.859255] ? __blk_rq_map_sg+0x820/0x820 [ 17.859258] ? kmem_cache_alloc+0xc6/0x4b0 [ 17.859260] ? mempool_alloc_slab+0x12/0x20 [ 17.859262] blk_mq_submit_bio+0x150/0xb90 [ 17.859265] ? blk_mq_try_issue_directly+0xe0/0xe0 [ 17.859267] ? blk_queue_enter+0xea/0x460 [ 17.859269] ? submit_bio_checks+0x4cc/0xa00 [ 17.859272] ? bio_add_page+0x78/0x110 [ 17.859274] submit_bio_noacct+0x5ff/0x6c0 [ 17.859276] ? mpage_alloc.isra.0+0xab/0x120 [ 17.859279] ? blk_queue_enter+0x460/0x460 [ 17.859281] ? do_mpage_readpage+0xc02/0xd40 [ 17.859283] submit_bio+0xb5/0x2e0 [ 17.859286] ? submit_bio_noacct+0x6c0/0x6c0 [ 17.859288] ? __disk_get_part+0x3d/0x50 [ 17.859290] mpage_readahead+0x227/0x280 [ 17.859293] ? do_mpage_readpage+0xd40/0xd40 [ 17.859295] ? bdev_evict_inode+0x130/0x130 [ 17.859297] ? find_get_pages_contig+0x340/0x340 [ 17.859299] blkdev_readahead+0x10/0x20 [ 17.859302] read_pages+0x149/0x470 [ 17.859304] ? lru_cache_add+0xde/0xf0 [ 17.859306] ? read_cache_pages+0x280/0x280 [ 17.859309] ? add_to_page_cache_locked+0x10/0x10 [ 17.859310] ? alloc_pages_current+0x98/0x110 [ 17.859313] page_cache_readahead_unbounded+0x2de/0x360 [ 17.859316] ? read_pages+0x470/0x470 [ 17.859319] ? xas_load+0xee/0x110 [ 17.859321] ? find_get_entry+0xbf/0x250 [ 17.859323] __do_page_cache_readahead+0x6c/0x80 [ 17.859326] force_page_cache_readahead+0xee/0x180 [ 17.859329] page_cache_sync_readahead+0x131/0x140 [ 17.859331] generic_file_buffered_read+0x698/0x1130 [ 17.859334] ? get_page_from_freelist+0x1b13/0x1e60 [ 17.859337] ? pagecache_get_page+0x3a0/0x3a0 [ 17.859340] ? __isolate_free_page+0x210/0x210 [ 17.859342] ? __ia32_sys_mmap_pgoff+0x90/0x90 [ 17.859345] generic_file_read_iter+0x17f/0x1f0 [ 17.859347] ? memory_high_write+0x1c0/0x1c0 [ 17.859349] blkdev_read_iter+0x76/0x90 [ 17.859352] new_sync_read+0x298/0x3c0 [ 17.859354] ? __ia32_sys_llseek+0x230/0x230 [ 17.859357] ? asm_sysvec_apic_timer_interrupt+0x12/0x20 [ 17.859359] ? fsnotify+0x12c/0x5f0 [ 17.859361] ? __vfs_read+0x30/0x90 [ 17.859363] __vfs_read+0x76/0x90 [ 17.859365] vfs_read+0xc8/0x1e0 [ 17.859368] ksys_read+0xc8/0x170 [ 17.859370] ? kernel_write+0xc0/0xc0 [ 17.859372] ? syscall_trace_enter+0x166/0x280 [ 17.859375] __x64_sys_read+0x3e/0x50 [ 17.859377] do_syscall_64+0x43/0x70 [ 17.859379] entry_SYSCALL_64_after_hwframe+0x44/0xa9 [ 17.859381] RIP: 0033:0x7fe23cf4b56e [ 17.859382] Code: Bad RIP value. [ 17.859383] RSP: 002b:00007fff586583c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000000 [ 17.859386] RAX: ffffffffffffffda RBX: 00005620318bd8a0 RCX: 00007fe23cf4b56e [ 17.859387] RDX: 0000000000040000 RSI: 00007fe23dd56038 RDI: 000000000000000f [ 17.859388] RBP: 0000000000040000 R08: 00007fe23dd56010 R09: 0000000000000000 [ 17.859390] R10: 0000000000000022 R11: 0000000000000246 R12: 0000000000040000 [ 17.859391] R13: 00005620318bd8f0 R14: 00007fe23dd56028 R15: 00007fe23dd56010 [ 17.859392] [ 17.859393] The buggy address belongs to the page: [ 17.859396] page:ffffea000897e7c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 [ 17.859397] flags: 0x200000000000000() [ 17.859400] raw: 0200000000000000 0000000000000000 ffffea000897e7c8 0000000000000000 [ 17.859403] raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 [ 17.859403] page dumped because: kasan: bad access detected [ 17.859404] [ 17.859406] addr ffff888225f9f450 is located in stack of task systemd-udevd/361 at offset 48 in frame: [ 17.859408] submit_bio_noacct+0x0/0x6c0 [ 17.859409] [ 17.859410] this frame has 2 objects: [ 17.859412] [32, 48) 'bio_list' [ 17.859414] [64, 96) 'bio_list_on_stack' [ 17.859414] [ 17.859415] Memory state around the buggy address: [ 17.859417] ffff888225f9f300: f2 00 00 00 f2 00 00 00 f2 f2 f2 00 00 00 00 00 [ 17.859418] ffff888225f9f380: f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 [ 17.859420] >ffff888225f9f400: 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 [ 17.859421] ^ [ 17.859422] ffff888225f9f480: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 [ 17.859424] ffff888225f9f500: 00 00 00 f1 f1 f1 f1 00 00 00 00 f3 f3 f3 f3 00 [ 17.859425] ================================================================== [ 17.859425] Disabling lock debugging due to kernel taint -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel