[syzbot] [block?] WARNING in blkdev_put (2)

[syzbot] [block?] WARNING in blkdev_put (2)

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    d2af0fa4bfa4 Add linux-next specific files for 20230220
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=170d2ef0c80000
kernel config:  https://syzkaller.appspot.com/x/.config?x=594e1a56901fd35d
dashboard link: https://syzkaller.appspot.com/bug?extid=2bcc0d79e548c4f62a59
compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1227e837480000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=122d8ca0c80000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/83b78c113e8e/disk-d2af0fa4.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/d59f9b2c9091/vmlinux-d2af0fa4.xz
kernel image: https://storage.googleapis.com/syzbot-assets/2726c16c1d3b/bzImage-d2af0fa4.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+2bcc0d79e548c4f62a59@syzkaller.appspotmail.com

------------[ cut here ]------------
WARNING: CPU: 1 PID: 5080 at block/bdev.c:845 blkdev_put+0x6ca/0x770 block/bdev.c:845
Modules linked in:
CPU: 1 PID: 5080 Comm: syz-executor158 Not tainted 6.2.0-rc8-next-20230220-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/21/2023
RIP: 0010:blkdev_put+0x6ca/0x770 block/bdev.c:845
Code: 48 8b 3c 24 e8 b7 7c da fd e9 99 fa ff ff e8 8d 7c da fd e9 cf fb ff ff 4c 89 ff e8 80 7c da fd e9 80 fd ff ff e8 e6 ea 88 fd <0f> 0b e9 ef fc ff ff e8 8a 7c da fd e9 f3 fa ff ff 48 8b 3c 24 e8
RSP: 0018:ffffc90003cefc88 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888144c49600 RCX: 0000000000000000
RDX: ffff88807c2f8000 RSI: ffffffff83fbb8da RDI: 0000000000000005
RBP: ffff888146bc0000 R08: 0000000000000005 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000000 R12: 00000000484e009f
R13: ffff888144c49628 R14: ffff888146bc0460 R15: ffff888144c49ab8
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fb645428948 CR3: 000000000c571000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 blkdev_close+0x68/0x80 block/fops.c:507
 __fput+0x27c/0xa90 fs/file_table.c:321
 task_work_run+0x16f/0x270 kernel/task_work.c:179
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xb42/0x2b60 kernel/exit.c:869
 do_group_exit+0xd4/0x2a0 kernel/exit.c:1019
 __do_sys_exit_group kernel/exit.c:1030 [inline]
 __se_sys_exit_group kernel/exit.c:1028 [inline]
 __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:1028
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fb6453e4639
Code: Unable to access opcode bytes at 0x7fb6453e460f.
RSP: 002b:00007ffcfacb3ec8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007fb645458270 RCX: 00007fb6453e4639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007fb645458270
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this issue, for details see:
https://goo.gl/tpsmEJ#testing-patches

Re: [syzbot] [block?] WARNING in blkdev_put (2)

[Alexander Egorenkov]

Hi,

we are seeing a similar problem on s390x architecture when partitioning
a NVMe disk on linux-next.


  [   70.403015]  nvme0n1: p1
  [   70.403197] ------------[ cut here ]------------
  [   70.403199] WARNING: CPU: 8 PID: 2452 at block/bdev.c:845 blkdev_put+0x280/0x298
  [   70.403207] Modules linked in: nft_fib_inet(E) nft_fib_ipv4(E) nft_fib_ipv6(E) nft_fib(E) nft_reject_inet(E) nf_reject_ipv4(E) nf_reject_ipv6(E) nft_reject(E) nft_ct(E) nft_chain_nat(E) nf_nat(E) nf_conntrack(E) nf_defrag_ipv6(E) nf_defrag_ipv4(E) ip_set(E) nf_tables(E) nfnetlink(E) sunrpc(E) binfmt_misc(E) uvdevice(E) s390_trng(E) eadm_sch(E) vfio_ccw(E) mdev(E) vfio_iommu_type1(E) vfio(E) sch_fq_codel(E) ip6_tables(E) ip_tables(E) x_tables(E) configfs(E) dm_service_time(E) ghash_s390(E) prng(E) chacha_s390(E) libchacha(E) aes_s390(E) des_s390(E) libdes(E) sha3_512_s390(E) sha3_256_s390(E) sha512_s390(E) sha256_s390(E) nvme(E) sha1_s390(E) sha_common(E) nvme_core(E) zfcp(E) scsi_transport_fc(E) dm_mirror(E) dm_region_hash(E) dm_log(E) scsi_dh_rdac(E) scsi_dh_emc(E) scsi_dh_alua(E) pkey(E) zcrypt(E) rng_core(E) dm_multipath(E) autofs4(E)
  [   70.403247] CPU: 8 PID: 2452 Comm: fdisk Tainted: G            E      6.3.0-20230228.rc0.git67.058f4df42121.300.fc37.s390x+next #1
  [   70.403249] Hardware name: IBM 3931 A01 701 (LPAR)
  [   70.403251] Krnl PSW : 0704d00180000000 00000000800cc56c (blkdev_put+0x284/0x298)
  [   70.403254]            R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:1 PM:0 RI:0 EA:3
  [   70.403257] Krnl GPRS: 00000000858a9720 00000000ffffffff 0000000000000009 000000008102d600
  [   70.403259]            0000000080a6c454 0000000000000000 0000000000000000 0000000082023c00
  [   70.403260]            000000009f3a49f8 000000009f3a4800 00000000484e109f 0000000082023c00
  [   70.403262]            00000000b0932100 000003ffa56c3b18 00000000800cc32a 00000380036b3cd8
  [   70.403268] Krnl Code: 00000000800cc55e: c0e5fffffbd9      brasl   %r14,00000000800cbd10
                            00000000800cc564: a7f4ffaa          brc     15,00000000800cc4b8
                           #00000000800cc568: af000000          mc      0,0
                           >00000000800cc56c: a7f4ff68          brc     15,00000000800cc43c
                            00000000800cc570: b9040023          lgr     %r2,%r3
                            00000000800cc574: c0e5002a2d96      brasl   %r14,00000000806120a0
                            00000000800cc57a: a7f4ff58          brc     15,00000000800cc42a
                            00000000800cc57e: 0707              bcr     0,%r7
  [   70.403319] Call Trace:
  [   70.403321]  [<00000000800cc56c>] blkdev_put+0x284/0x298
  [   70.403325]  [<00000000800cd4da>] blkdev_close+0x32/0x48
  [   70.403328]  [<000000007fcee9ce>] __fput+0x96/0x290
  [   70.403332]  [<000000007fa1dfe0>] task_work_run+0x88/0xe0
  [   70.403337]  [<000000007fa9e5a0>] exit_to_user_mode_prepare+0x1a0/0x1a8
  [   70.403340]  [<0000000080625996>] __do_syscall+0x11e/0x200
  [   70.403345]  [<0000000080635162>] system_call+0x82/0xb0
  [   70.403349] Last Breaking-Event-Address:
  [   70.403350]  [<00000000800cc436>] blkdev_put+0x14e/0x298
  [   70.403353] Kernel panic - not syncing: kernel: panic_on_warn set ...
  [   70.403354] CPU: 8 PID: 2452 Comm: fdisk Tainted: G            E      6.3.0-20230228.rc0.git67.058f4df42121.300.fc37.s390x+next #1
  [   70.403357] Hardware name: IBM 3931 A01 701 (LPAR)
  [   70.403357] Call Trace:
  [   70.403358]  [<000000008062559a>] dump_stack_lvl+0x62/0x80
  [   70.403360]  [<0000000080613eb0>] panic+0x118/0x300
  [   70.403364]  [<000000007f9f3a40>] check_panic_on_warn+0x70/0x88
  [   70.403367]  [<000000007f9f3ce8>] __warn+0x108/0x150
  [   70.403369]  [<00000000805e8d76>] report_bug+0x18e/0x1e8
  [   70.403371]  [<000000007f9a11a4>] monitor_event_exception+0x44/0x80
  [   70.403374]  [<0000000080625798>] __do_pgm_check+0xf0/0x1b0
  [   70.403375]  [<00000000806352ec>] pgm_check_handler+0x11c/0x170
  [   70.403377]  [<00000000800cc56c>] blkdev_put+0x284/0x298
  [   70.403380]  [<00000000800cd4da>] blkdev_close+0x32/0x48
  [   70.403382]  [<000000007fcee9ce>] __fput+0x96/0x290
  [   70.403384]  [<000000007fa1dfe0>] task_work_run+0x88/0xe0
  [   70.403386]  [<000000007fa9e5a0>] exit_to_user_mode_prepare+0x1a0/0x1a8
  [   70.403388]  [<0000000080625996>] __do_syscall+0x11e/0x200
  [   70.403390]  [<0000000080635162>] system_call+0x82/0xb0

The problem appeared about a week ago.

Regards
Alex

Re: [syzbot] [block?] WARNING in blkdev_put (2)

[Julian Ruess]

On Thu, 2023-03-02 at 20:33 +0100, Alexander Egorenkov wrote:
> 
> Hi,
> 
> we are seeing a similar problem on s390x architecture when
> partitioning
> a NVMe disk on linux-next.
> 
> 
>   [   70.403015]  nvme0n1: p1
>   [   70.403197] ------------[ cut here ]------------
>   [   70.403199] WARNING: CPU: 8 PID: 2452 at block/bdev.c:845
> blkdev_put+0x280/0x298

...

> The problem appeared about a week ago.
> 
> Regards
> Alex

Hi all,

I bisected this to:

commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f                       
Author: Yu Kuai <yukuai3@huawei.com>                                  
Date:   Fri Feb 17 10:22:00 2023 +0800                                
                                                                                      
    block: fix scan partition for exclusively open device again       
                                                                                      
    As explained in commit 36369f46e917 ("block: Do not reread
partition table        
    on exclusively open device"), reread partition on the device that
is              
    exclusively opened by someone else is problematic.                
                                                                                      
    This patch will make sure partition scan will only be proceed if
current          
    thread open the device exclusively, or the device is not opened   
    exclusively, and in the later case, other scanners and exclusive
openers          
    will be blocked temporarily until partition scan is done.         
                                                                                      
    Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in
blk_drop_partitions")
    Cc: <stable@vger.kernel.org>                                      
    Suggested-by: Jan Kara <jack@suse.cz>                             
    Signed-off-by: Yu Kuai <yukuai3@huawei.com>                       
    Reviewed-by: Christoph Hellwig <hch@lst.de>                       
    Link:
https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com
 
    Signed-off-by: Jens Axboe <axboe@kernel.dk>   



Regards
Julian

-- 
Julian Ruess
Linux on IBM Z Development
IBM Deutschland Research & Development GmbH
Dept 1419, Schoenaicher Str. 220, 71032 Boeblingen,
Vorsitzender des Aufsichtsrats: Gregor Pillen, Geschäftsführung: David
Faller
Sitz der Gesellschaft: Böblingen, Registergericht: Amtsgericht
Stuttgart, HRB 243294
IBM Data Privacy Statement - https://www.ibm.com/privacy

Re: [syzbot] [block?] WARNING in blkdev_put (2)

[Yu Kuai]

Hi,

在 2023/03/06 23:00, Julian Ruess 写道:
> On Thu, 2023-03-02 at 20:33 +0100, Alexander Egorenkov wrote:
>>
>> Hi,
>>
>> we are seeing a similar problem on s390x architecture when
>> partitioning
>> a NVMe disk on linux-next.
>>
>>
>>    [   70.403015]  nvme0n1: p1
>>    [   70.403197] ------------[ cut here ]------------
>>    [   70.403199] WARNING: CPU: 8 PID: 2452 at block/bdev.c:845
>> blkdev_put+0x280/0x298
> 
> ...
> 
>> The problem appeared about a week ago.
>>
>> Regards
>> Alex
> 
> Hi all,
> 
> I bisected this to:
> 
> commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f
> Author: Yu Kuai <yukuai3@huawei.com>
> Date:   Fri Feb 17 10:22:00 2023 +0800
>                                                                                        
>      block: fix scan partition for exclusively open device again

Yes, thanks for the report, I figure out that I made a mistake here.

Following patch should fix this problem:

diff --git a/block/genhd.c b/block/genhd.c
index 3ee5577e1586..02d9cfb9e077 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, 
fmode_t mode)
         if (IS_ERR(bdev))
                 ret =  PTR_ERR(bdev);
         else
-               blkdev_put(bdev, mode);
+               blkdev_put(bdev, mode & ~FMODE_EXCL);

Thanks,
Kuai
>                                                                                        
>      As explained in commit 36369f46e917 ("block: Do not reread
> partition table
>      on exclusively open device"), reread partition on the device that
> is
>      exclusively opened by someone else is problematic.
>                                                                                        
>      This patch will make sure partition scan will only be proceed if
> current
>      thread open the device exclusively, or the device is not opened
>      exclusively, and in the later case, other scanners and exclusive
> openers
>      will be blocked temporarily until partition scan is done.
>                                                                                        
>      Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in
> blk_drop_partitions")
>      Cc: <stable@vger.kernel.org>
>      Suggested-by: Jan Kara <jack@suse.cz>
>      Signed-off-by: Yu Kuai <yukuai3@huawei.com>
>      Reviewed-by: Christoph Hellwig <hch@lst.de>
>      Link:
> https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com
>   
>      Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> 
> 
> Regards
> Julian
> 

Re: [syzbot] [block?] WARNING in blkdev_put (2)

[Julian Ruess]

On Tue, 2023-03-07 at 09:42 +0800, Yu Kuai wrote:
> Hi,
> 
> 在 2023/03/06 23:00, Julian Ruess 写道:
> > On Thu, 2023-03-02 at 20:33 +0100, Alexander Egorenkov wrote:
> > > 
> > > Hi,
> > > 
> > > we are seeing a similar problem on s390x architecture when
> > > partitioning
> > > a NVMe disk on linux-next.
> > > 
> > > 
> > >    [   70.403015]  nvme0n1: p1
> > >    [   70.403197] ------------[ cut here ]------------
> > >    [   70.403199] WARNING: CPU: 8 PID: 2452 at block/bdev.c:845
> > > blkdev_put+0x280/0x298
> > 
> > ...
> > 
> > > The problem appeared about a week ago.
> > > 
> > > Regards
> > > Alex
> > 
> > Hi all,
> > 
> > I bisected this to:
> > 
> > commit e5cfefa97bccf956ea0bb6464c1f6c84fd7a8d9f
> > Author: Yu Kuai <yukuai3@huawei.com>
> > Date:   Fri Feb 17 10:22:00 2023 +0800
> >                                                                    
> >                     
> >      block: fix scan partition for exclusively open device again
> 
> Yes, thanks for the report, I figure out that I made a mistake here.
> 
> Following patch should fix this problem:
> 
> diff --git a/block/genhd.c b/block/genhd.c
> index 3ee5577e1586..02d9cfb9e077 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, 
> fmode_t mode)
>          if (IS_ERR(bdev))
>                  ret =  PTR_ERR(bdev);
>          else
> -               blkdev_put(bdev, mode);
> +               blkdev_put(bdev, mode & ~FMODE_EXCL);
> 
> Thanks,
> Kuai
> >                                                                    
> >                     
> >      As explained in commit 36369f46e917 ("block: Do not reread
> > partition table
> >      on exclusively open device"), reread partition on the device
> > that
> > is
> >      exclusively opened by someone else is problematic.
> >                                                                    
> >                     
> >      This patch will make sure partition scan will only be proceed
> > if
> > current
> >      thread open the device exclusively, or the device is not
> > opened
> >      exclusively, and in the later case, other scanners and
> > exclusive
> > openers
> >      will be blocked temporarily until partition scan is done.
> >                                                                    
> >                     
> >      Fixes: 10c70d95c0f2 ("block: remove the bd_openers checks in
> > blk_drop_partitions")
> >      Cc: <stable@vger.kernel.org>
> >      Suggested-by: Jan Kara <jack@suse.cz>
> >      Signed-off-by: Yu Kuai <yukuai3@huawei.com>
> >      Reviewed-by: Christoph Hellwig <hch@lst.de>
> >      Link:
> > https://lore.kernel.org/r/20230217022200.3092987-3-yukuai1@huaweicloud.com
> >   
> >      Signed-off-by: Jens Axboe <axboe@kernel.dk>
> > 
> > 
> > 
> > Regards
> > Julian
> > 
> 

This patch works for me. Thanks!
@Jens Axboe: Will this be part of the next 6.3-rc?

Regards
Julian

[PATCH] block: fix wrong mode for blkdev_put() from disk_scan_partitions()

[Yu Kuai]

From: Yu Kuai <yukuai3@huawei.com>

If disk_scan_partitions() is called with 'FMODE_EXCL',
blkdev_get_by_dev() will be called without 'FMODE_EXCL', however, follow
blkdev_put() is still called with 'FMODE_EXCL', which will cause
'bd_holders' counter to leak.

Fix the problem by using the right mode for blkdev_put().

Reported-by: syzbot+2bcc0d79e548c4f62a59@syzkaller.appspotmail.com
Link: https://lore.kernel.org/lkml/f9649d501bc8c3444769418f6c26263555d9d3be.camel@linux.ibm.com/T/
Tested-by: Julian Ruess <julianr@linux.ibm.com>
Fixes: e5cfefa97bcc ("block: fix scan partition for exclusively open device again")
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
---
 block/genhd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/block/genhd.c b/block/genhd.c
index 3ee5577e1586..02d9cfb9e077 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
 	if (IS_ERR(bdev))
 		ret =  PTR_ERR(bdev);
 	else
-		blkdev_put(bdev, mode);
+		blkdev_put(bdev, mode & ~FMODE_EXCL);
 
 	if (!(mode & FMODE_EXCL))
 		bd_abort_claiming(disk->part0, disk_scan_partitions);
-- 
2.31.1

Re: [PATCH] block: fix wrong mode for blkdev_put() from disk_scan_partitions()

[Jan Kara]

On Tue 07-03-23 18:55:52, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
> 
> If disk_scan_partitions() is called with 'FMODE_EXCL',
> blkdev_get_by_dev() will be called without 'FMODE_EXCL', however, follow
> blkdev_put() is still called with 'FMODE_EXCL', which will cause
> 'bd_holders' counter to leak.
> 
> Fix the problem by using the right mode for blkdev_put().
> 
> Reported-by: syzbot+2bcc0d79e548c4f62a59@syzkaller.appspotmail.com
> Link: https://lore.kernel.org/lkml/f9649d501bc8c3444769418f6c26263555d9d3be.camel@linux.ibm.com/T/
> Tested-by: Julian Ruess <julianr@linux.ibm.com>
> Fixes: e5cfefa97bcc ("block: fix scan partition for exclusively open device again")
> Signed-off-by: Yu Kuai <yukuai3@huawei.com>

Thanks for fixing this! Feel free to add:

Reviewed-by: Jan Kara <jack@suse.cz>

								Honza

> ---
>  block/genhd.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/block/genhd.c b/block/genhd.c
> index 3ee5577e1586..02d9cfb9e077 100644
> --- a/block/genhd.c
> +++ b/block/genhd.c
> @@ -385,7 +385,7 @@ int disk_scan_partitions(struct gendisk *disk, fmode_t mode)
>  	if (IS_ERR(bdev))
>  		ret =  PTR_ERR(bdev);
>  	else
> -		blkdev_put(bdev, mode);
> +		blkdev_put(bdev, mode & ~FMODE_EXCL);
>  
>  	if (!(mode & FMODE_EXCL))
>  		bd_abort_claiming(disk->part0, disk_scan_partitions);
> -- 
> 2.31.1
> 
-- 
Jan Kara <jack@suse.com>
SUSE Labs, CR

Re: [PATCH] block: fix wrong mode for blkdev_put() from disk_scan_partitions()

[Jens Axboe]

On Tue, 07 Mar 2023 18:55:52 +0800, Yu Kuai wrote:
> If disk_scan_partitions() is called with 'FMODE_EXCL',
> blkdev_get_by_dev() will be called without 'FMODE_EXCL', however, follow
> blkdev_put() is still called with 'FMODE_EXCL', which will cause
> 'bd_holders' counter to leak.
> 
> Fix the problem by using the right mode for blkdev_put().
> 
> [...]

Applied, thanks!

[1/1] block: fix wrong mode for blkdev_put() from disk_scan_partitions()
      commit: 428913bce1e67ccb4dae317fd0332545bf8c9233

Best regards,
-- 
Jens Axboe