On 11/5/22 12:37 AM, David Howells wrote:
> netfslib has a number of places in which it performs iteration of an xarray
> whilst being under the RCU read lock. It *should* call xas_retry() as the
> first thing inside of the loop and do "continue" if it returns true in case
> the xarray walker passed out a special value indicating that the walk needs
> to be redone from the root[*].
>
> Fix this by adding the missing retry checks.
>
> [*] I wonder if this should be done inside xas_find(), xas_next_node() and
> suchlike, but I'm told that's not a simple change to effect.
>
> This can cause an oops like that below. Note the faulting address - this
> is an internal value (|0x2) returned from xarray.
>
> BUG: kernel NULL pointer dereference, address: 0000000000000402
> ...
> RIP: 0010:netfs_rreq_unlock+0xef/0x380 [netfs]
> ...
> Call Trace:
>  netfs_rreq_assess+0xa6/0x240 [netfs]
>  netfs_readpage+0x173/0x3b0 [netfs]
>  ? init_wait_var_entry+0x50/0x50
>  filemap_read_page+0x33/0xf0
>  filemap_get_pages+0x2f2/0x3f0
>  filemap_read+0xaa/0x320
>  ? do_filp_open+0xb2/0x150
>  ? rmqueue+0x3be/0xe10
>  ceph_read_iter+0x1fe/0x680 [ceph]
>  ? new_sync_read+0x115/0x1a0
>  new_sync_read+0x115/0x1a0
>  vfs_read+0xf3/0x180
>  ksys_read+0x5f/0xe0
>  do_syscall_64+0x38/0x90
>  entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Fixes: 3d3c95046742 ("netfs: Provide readahead and readpage netfs helpers")
> Reported-by: George Law <glaw@xxxxxxxxxx>
> Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
> Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>
> cc: Matthew Wilcox <willy@xxxxxxxxxxxxx>
> cc: linux-cachefs@xxxxxxxxxx
> cc: linux-fsdevel@xxxxxxxxxxxxxxx
> ---

Reviewed-by: Jingbo Xu <jefflexu@xxxxxxxxxxxxxxxxx>

-- 
Thanks,
Jingbo
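The retry protocol the patch description relies on, as an added userspace model that is not part of the patch, of netfslib, or of the kernel's xarray code. The entry encoding (low two bits 10b mark an internal entry; XA_RETRY_ENTRY is xa_mk_internal(256), which is (256 << 2) | 2 == 0x402, the faulting address in the quoted oops) mirrors include/linux/xarray.h; `struct toy_xas`, `toy_xas_next()` and `walk_pages()` are hypothetical stand-ins for `struct xa_state`, `xas_for_each()` and the netfs unlock loop, and the three pages are constructed sample input. The walker hands out a retry marker once to simulate the tree being reshaped under the RCU read lock; the loop with the `xas_retry()`-style check first in its body continues past it, the loop without it would dereference 0x402 (guarded here so the model reports the bug rather than segfaulting):

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Entry encoding, mirrored from include/linux/xarray.h: an entry whose low
 * two bits are 10b is "internal" and must never be dereferenced by a caller.
 * XA_RETRY_ENTRY == xa_mk_internal(256) == (256 << 2) | 2 == 0x402.
 */
static inline void *xa_mk_internal(unsigned long v)
{
	return (void *)((v << 2) | 2);
}

static inline bool xa_is_internal(const void *entry)
{
	return ((unsigned long)entry & 3) == 2;
}

#define XA_RETRY_ENTRY	xa_mk_internal(256)
#define XA_ZERO_ENTRY	xa_mk_internal(257)

static inline bool xa_is_retry(const void *entry) { return entry == XA_RETRY_ENTRY; }
static inline bool xa_is_zero(const void *entry)  { return entry == XA_ZERO_ENTRY; }

struct page {
	unsigned long index;
};

/*
 * Hypothetical stand-in for struct xa_state: a linear array of slots.  To
 * simulate the tree being modified under the RCU read lock, the walker hands
 * out XA_RETRY_ENTRY exactly once, just before slot 1, without advancing, so
 * the re-walk after a reset lands on slot 1 and nothing is skipped or doubled.
 */
struct toy_xas {
	void **slots;
	size_t nslots;
	size_t pos;
	bool retry_injected;
	unsigned restarts;
};

static void *toy_xas_next(struct toy_xas *xas)
{
	if (xas->pos == 1 && !xas->retry_injected) {
		xas->retry_injected = true;
		return XA_RETRY_ENTRY;
	}
	if (xas->pos >= xas->nslots)
		return NULL;
	return xas->slots[xas->pos++];
}

/* Same contract as the kernel's xas_retry(): true means "skip this entry". */
static bool toy_xas_retry(struct toy_xas *xas, const void *entry)
{
	if (xa_is_zero(entry))
		return true;
	if (!xa_is_retry(entry))
		return false;
	xas->restarts++;	/* xas_reset(): the next lookup redoes the walk from the root */
	return true;
}

struct walk_result {
	long n;			/* pages visited, or -1 if an internal entry would be dereferenced */
	unsigned long sum;	/* sum of page->index over the pages visited */
	unsigned restarts;	/* how many times the walk was restarted from the root */
};

/* The unlock loop; check_retry selects the fixed (true) or unfixed (false) shape. */
static long walk_pages(struct toy_xas *xas, bool check_retry, unsigned long *sum)
{
	long n = 0;
	void *entry;

	*sum = 0;
	while ((entry = toy_xas_next(xas)) != NULL) {
		/* The fix: xas_retry() must be the first thing inside the loop. */
		if (check_retry && toy_xas_retry(xas, entry))
			continue;
		if (xa_is_internal(entry))
			return -1;	/* in the kernel: NULL pointer dereference at 0x402 */
		*sum += ((struct page *)entry)->index;
		n++;
	}
	return n;
}

/* Runs the walk over three constructed pages (indices 10, 11, 12). */
static struct walk_result run_walk(bool check_retry)
{
	struct page pages[3] = { { 10 }, { 11 }, { 12 } };
	void *slots[3] = { &pages[0], &pages[1], &pages[2] };
	struct toy_xas xas = { .slots = slots, .nslots = 3 };
	struct walk_result r;

	r.n = walk_pages(&xas, check_retry, &r.sum);
	r.restarts = xas.restarts;
	return r;
}

int main(void)
{
	struct walk_result bad = run_walk(false);
	struct walk_result good = run_walk(true);

	printf("without xas_retry(): n=%ld (would dereference %p)\n", bad.n, XA_RETRY_ENTRY);
	printf("with xas_retry(): n=%ld sum=%lu restarts=%u\n", good.n, good.sum, good.restarts);
	return 0;
}
```

The order matters: the retry check has to come before any use of the entry, including a NULL or tag test, because the marker is a non-NULL pointer-shaped value that only the xarray helpers know how to recognise.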