On Sun, Jul 17, 2022 at 07:49:12AM -0700, Bart Van Assche wrote: > On 7/17/22 03:22, Gautam Menghani wrote: > > Syzbot reported a general protection fault in the function > > blk_mq_clear_rq_mapping() in the file block/blk-mq.c. > > The issue is that the variable drv_tags is NULL, and this > > originates from the struct blk_mq_tag_set. The dashboard link for this > > issue is : > > syzkaller.appspot.com/bug?id=c3ce4caa4fc58c156d4903984131cdfa38eee354 > > > > This patch fixes the above bug, but there is another syzbot bug which is > > related to this and getting triggered after the call to > > blk_mq_clear_rq_mapping(). As a result, I cannot determine if the issue > > is really solved. The link to other issue: > > syzkaller.appspot.com/bug?id=7643cea70f1d0ce15f5f4bc39488918837ad4233 > > > > Please provide feedback/suggestions on the same. > > > > Signed-off-by: Gautam Menghani <gautammenghani201@xxxxxxxxx> > > --- > > block/blk-mq.c | 3 ++- > > 1 file changed, 2 insertions(+), 1 deletion(-) > > > > diff --git a/block/blk-mq.c b/block/blk-mq.c > > index 93d9d60980fb..c1dd1b78b95c 100644 > > --- a/block/blk-mq.c > > +++ b/block/blk-mq.c > > @@ -3092,7 +3092,8 @@ void blk_mq_free_rqs(struct blk_mq_tag_set *set, struct blk_mq_tags *tags, > > } > > } > > - blk_mq_clear_rq_mapping(drv_tags, tags); > > + if (drv_tags) > > + blk_mq_clear_rq_mapping(drv_tags, tags); > > while (!list_empty(&tags->page_list)) { > > page = list_first_entry(&tags->page_list, struct page, lru); > > I don't see how drv_tags could be NULL without triggering a race condition. > Please take a look at the nbd driver to see whether the root cause is > perhaps in that driver instead of in the block layer core. Yes, this might very well be the case. Thank you for the feedback. > > Thanks, > > Bart. Thanks, Gautam
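Review bot: the new `if (drv_tags)` test in blk_mq_free_rqs() carries no comment, and the commit message does not say which path leaves drv_tags NULL in the struct blk_mq_tag_set, so the guard may hide the fault rather than fix its cause. When the pointer is NULL, blk_mq_clear_rq_mapping() is skipped silently and the `while (!list_empty(&tags->page_list))` loop that follows still runs, so whatever state that call is meant to clear stays untouched. If NULL is never expected here, a `WARN_ON_ONCE(!drv_tags)` would keep the condition visible while the source of the NULL is tracked down. If it is expected, please add a one-line comment naming the case. The commit message also says the fix could not be confirmed because a second syzbot report triggers after this call, which should be resolved before the patch is merged.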